My experiences with CloudFlare

July 19th, 2011

cloudflare-logo1

Update: Since I wrote this post, I’ve read many stories similar to mine of troubles with CloudFlare. They seem to be going for the bottom end of the market, and their offering leaves a lot to be desired if you need a serious CDN that doesn’t cause weird latency, annoying landing pages and other issues. I wouldn’t bother with this company again.

From the comments left on this post below I get the impression that nothing much has changed since I wrote this.

A commenter on Hacker News had this to say about my post:

I’m not sure why you’re surprised.
CloudFlare is amateur at best, compared to existing DSA/CDN offerings from Akamai, Cotendo, EdgeCast etc.
But those cost a lot of money (at least 50-100x the cost of CloudFlare) if you’re small/medium sized. You get what you pay for with $20/month.

I can only agree with his point. You get what you pay for and for $20 a month you’re not going to get a lot.

CloudFlare is a website performance and security product that launched publicly at TechCrunch Disrupt in September 2010. It’s a reverse proxy, firewall, and global content delivery network that requires very minimal setup. Their main product is free, but they also offer a pro version that provides a few extra optimisations and features available for $20 a month.

To use CloudFlare, you simply change the DNS name servers for your domain to point to CloudFlare and then they configure your A record to point at their servers. All traffic to your website is then routed through CloudFlare. They act as a content delivery network for your images, Javascript and CSS files which means they serve these assets from a server closer to you and reduce the load on your server. It’s worth noting that they do not cache the actual html of your website – these requests are still forwarded onto your web server.

As well as acting as a CDN, CloudFlare offers a number of other features as well. They will minify your JS/HTML/CSS for you, automatically obfuscate email addresses and can also preload static resources using Javascript in the background. CloudFlare will also in theory improve the security of your site by preventing attacks such as SQL injection, XSS Javascript injections and stop known bad IP addresses from accessing your site.

Other than email address obfuscation, I was not interested in the security features CloudFlare offered, one of the reasons being that if CloudFlare detects what it thinks is a suspicious user it will prevent them from accessing your site, display a CloudFlare branded page and make them enter a captcha to continue. I hate the idea of this – a false positive that triggers this will make your site look horribly broken and I also don’t want the user to ever see CloudFlare branding or anything on my site that I didn’t design myself.

I think this is one of the things CloudFlare gets very wrong about their whole offering, they should be aiming to be completely transparent no matter what happens. I don’t ever want to see their logo on my site or hear about how many ‘threats’ they prevented. That stuff needs to happen right out of my customers sight.

If your web server goes down and they are able to serve up a static version, at the top of the page they inject a ‘This page is offline, but here’s our cached version’ thing, along with the CloudFlare logo. I might be less annoyed about this if I hadn’t already shelled out $20/mo for the pro version of CloudFlare but they are essentially using the fact that my server is down as an opportunity to do some free marketing for themselves, despite the fact that I already pay them money. I don’t like this either.

Anyway, I switched off all of the security features with the goal of using CloudFlare purely to improve the performance of my site. Some of the features CloudFlare offer are still in beta. To begin with I left all beta features disabled except for JS/HTML/CSS minification.

The site I was trying to improve the performance of – http://frenzyapp.com is pretty simple and made up of just a few images and static html pages.
Things seemed to work quite well for a while, but sometimes I noticed my site was taking longer than usual (>3seconds) to load now that CloudFlare was in the picture.

I started doing some tests using the site performance testing tool at http://www.webpagetest.org which allowed me to test the page load times from multiple locations around the globe. WebPagetest showed that a single file – jquery.fancybox-1.3.4.css was taking over 3 seconds to load from certain locations and also showed some other issues with requests being cancelled. This was causing the whole site not to be fully loaded for over 6 seconds. Not good at all.

3-seconds

I ran a lot more tests and found I couldn’t get the problem to occur consistently from all locations but it would always happen when loaded from New York. I opened a support ticket with CloudFlare describing the problem and attached screenshots of a number of tests. They responded quickly and told me to try disabling the JS/HTML/CSS minification feature (which was after all, in beta) and see if that improved things. I did this and re-ran the tests 10 times from New York, again using WebPagetest to see if the problem persisted, unfortunately it did. Loading this file was taking over 3 seconds to load bringing the overall page load time to around 6 seconds. Still no good.

I tried disabling some of the other CloudFlare features such as the website preloader and ran more tests. Still the problem continued. I updated the support ticket with my findings and then waited patiently for 3 days. This time CloudFlare did not respond. I posted to their support system again to ask if a resolution was coming and tweeted them:

cloudflare-support

Almost immediately, I got a tweet back from Matthew Prince, the CEO and co-founder of CloudFlare. He suggested that I try completely deactivating CloudFlare and re-testing. We had a rather lengthy, friendly exchange which ended with this tweet from him:

matthew-tweet-response

This is encouraging. I am hopeful that the problem will now be resolved or that I’ll at least get an update soon now that I have a promise from the CEO.

I also took his advice and tried fully deactivating CloudFlare from the control panel, this makes the DNS A record to point directly at my server, taking CloudFlare out of the loop. I then re-ran WebPagetest 10 times from New York and found the problem had disappeared. The page is now fully loading in an average of 3 seconds or less compared with the 6 seconds taken with CloudFlare enabled. This provides further evidence that CloudFlare is causing the issue and not my server configuration. I update the support ticket with my findings and wait patiently for another 4 days.

I don’t hear a thing from CloudFlare, no more tweets, no update to the support ticket, nothing. I guess they must have changed their mind about resolving my issue ‘in a few hours’

I decide to re-test everything anyway, and also run tests from other locations to get an overall indication of the performance of my site with CloudFlare enabled versus CloudFlare disabled.

My findings are displayed below:

cloudflare-data

The times given are seconds to fully loaded. In New York – the problem location where the CSS file is taking greater than 3 seconds the total load time is, on average, 2.7 seconds greater with CloudFlare activated.

The site actually loads faster when direct from my server in every tested location except for two.

On average, across all tested locations, the site is loading 0.8 seconds faster with CloudFlare deactivated. This certainly isn’t what I would have expected from a product that is supposed to ‘supercharge’ your website.

One factor to consider is that these tests were done while my site was under almost zero load. If my server became overwhelmed then it would slow right down in which case CloudFlare may actually be faster. It also remains to be seen whether other sites using CloudFlare exhibit similar load times or if my site is particularly troublesome for some reason. Much more data would have to be collected to conclusively prove anything. I have uploaded a zip archive that contains screenshots of all the WebPagetest results with more information on each test in case you are interested or want to see the original source for those numbers.

Personally, I’ve decided to move on from CloudFlare. Despite what seems to be a promising service, right now they are not providing me with a faster website. They also don’t seem to be fixing my problems or keeping me informed. It’s a shame because I really think they are onto something, there’s so much that goes into keeping a website speedy and available these days. If I can change two name servers and have everything taken care of for me, it leaves me more time to put into building great products.

I do think CloudFlare will iron out these issues eventually. At the moment the company still seems to be in early/beta stages. They may be worth another look at some point in the future. They also need to do some work on improving their customer service and make sure they follow up with customers who have problems.

10 Responses to “My experiences with CloudFlare”

  1. Damon Billian Says:

    “I do think CloudFlare will iron out these issues eventually. At the moment the company still seems to be in early/beta stages. They may be worth another look at some point in the future. They also need to do some work on improving their customer service and make sure they follow up with customers who have problems.”

    We actually just hired additional staff in both engineering and customer service so we can do more research on some of the issues. June and July both have had a lot of press coverage, which created a created a fair amount of a backlog for our team.

    “If your web server goes down and they are able to serve up a static version, at the top of the page they inject a ‘This page is offline, but here’s our cached version’ thing, along with the CloudFlare logo. ”
    This will be changing for paid accounts in the future.

    “I hate the idea of this – a false positive that triggers this will make your site look horribly broken and I also don’t want the user to ever see CloudFlare branding or anything on my site that I didn’t design myself.”
    This page can currently be modified to match the look & feel of your site & we will be allowing additional modifications to this page as well very soon.

    “To begin with I left all beta features disabled except for JS/HTML/CSS minification”
    This is a beta feature that can potentially cause performance issues. My hunch is that this is what created some of the performance issues you were seeing.

    Sorry about any delay in getting back to you. I can assure you we’re adding additional staff so we can spend more time on individual cases where there appears to be some sort of anomaly.

  2. John Says:

    Thanks for following up Damon. I’m glad you’re looking to address some of my concerns.

    Regarding the JS/HTML/CSS minification, all the results above were collected with this feature turned off so it can’t have affected those results.

    When you mentioned that this feature could be causing trouble initially I conducted many tests and found that the problem file took greater than 3 seconds both with minification on and minification off.

    I think you should have an option to disable the whole captcha thing altogether. In my case I was looking to improve the performance of my site and did not need or want security features such as this.

  3. Antonin Hildebrand Says:

    I’m using CloudFlare on my site and I’m also only interested in the performance improvement.

    There is similar startup TorBit currently in beta which does just performance. I’ve tried them, but we hit technical issue in my code, so I switched to CloudFlare.
    http://torbit.com

  4. Damon Billian Says:

    “I think you should have an option to disable the whole captcha thing altogether. In my case I was looking to improve the performance of my site and did not need or want security features such as this.”

    The closest thing we have right now is ‘Essentially Off’. The tricky thing is that security actually is quite connected to performance as well, since we’re filtering potentially malicious traffic before it actually hits your site (can save on requests, for example).

    Would having more control over the challenge page be better for you? We’re making a ton of changes in the next few weeks or so that should address many of the concerns.

    Just had to check on the performance issues re: beta features (could be a contributing factor). Again, I do apologize that we haven’t had the resources (just yet) to take a deeper look at that particular case. It requires some engineering digging & it might take more than just a few days to figure out what is going on.

  5. John Says:

    Damon – No, more control over the challenge page would not make a difference for me.

    I realize that improving web site security is a large part of your offering and that’s an interesting point about reducing load by filtering malicious traffic to my site. I would still filter out known malicious traffic, but refuse to serve the site at all if a known bad IP tries to connect. You could obviously only do this for IPs you were certain were bad. From my perspective, if a user has to enter a captcha to see my site then 90% of the time they aren’t going to bother.

    Imagine you do a Google search and find my site – you click on it in the search results and a page comes up showing some kind of security roadblock page that wants you to enter a captcha. Do you play silly games with the site or do you immediately hit your browsers back button and click another result? I know what I would do. Unless they’re really desperate, there’s noway a user is going to bother entering a captcha and I’ve lost a potential customer.

    It just feels like you’re breaking my website for questionable gain. Your security measures shouldn’t also punish legitimate users.

    I would like to hear if you do manage to debug and resolve the issues I was having.

  6. Jan Husdal Says:

    Hi John and thanks for sharing your story. My experience with CloudFlare are somewhat similar: When measuring after running my site through CloudFlare some resources seem to hang, while others load superfast, meaning that gauging by site metrics, CloudFlare actually slows my site down. That said, visually it did appear faster. Also and like you not so happy with the challenge page I decided to try a competing service, Incapsula, and was pleasantly surprised, as you can read here:

    http://www.husdal.com/2011/07/01/incapsula-versus-cloudflare/

    CloudFlare is a good product, but like many startups, perhaps they’re growing too fast and making to many tweaks to satisfy the desires of all sorts of new customers (in order to grow even more)…while talking the talk (yes, there has been plenty of CloudFlare press and Internet coverage lately), but lagging a bit behind on walking the walk.

    I liked CloudFlare when I first tried it, I have to admit that, but in the end, and seeing what others have to offer, I decided not to stay on that bandwagon.

  7. James Says:

    I was also interested in CF before reading this – my goal is to improve speed of the site, i dont care about them improving my security if it means users , even single potential visitor, is going to be turned off by captcha.

    there is no way we would use such service if it means these “security” features cant be turned off… i understand that for enterprise users this might be important, but for vast majority, it is not.

  8. Nicolas Says:

    6 months later, I’m experiencing the same problems on my websites.
    For unknown reasons, some content are making 3 seconds to load.

    It’s kind incredible Cloudflare can’t fix that issue.

  9. Zar Says:

    So…did they ever fix it? Or get back to you?

  10. dave smith Says:

    I’ve been having similar customer support issues.

    I had one situation where a site which i’d deactivated in Cloudflare got re-activated without any intervention on my part, causing the whole site to go down, and I’ve another issue where the site has ‘been deactivated for technical issues’ http://screencast.com/t/niiupw8COhWr... i notified them of this on feb 11th, and i’m still waiting for a response despite them still taking my $20 per month. on the first issue, they never bothered finding out what went wrong.

    I’d agree that they’re clearly dedicating too little resource to customer service when at the same time the product feels buggy from a user perspective. looking into some alternatives now.

Leave a Reply