Cloudflare
As stated in the previous post, the domain balealabs.com was purchased from Cloudflare’s registrar. Even though it is not mandatory, it is very convenient to use Cloudflare’s name servers (DNS, for short) as authoritative for this domain. Besides that, Cloudflare’s free plan has a lot of very nice features.
One of these features is that Cloudflare acts as a reverse proxy for our origin server (the nginx instance running on EC2). This means that requests for the site first go through Cloudflare, and only Cloudflare talks directly to our server. A nice side effect is that Cloudflare can cache the website’s content, so sometimes when someone visits this website the content is served from Cloudflare’s cache, sparing our web server. Another side effect is that Cloudflare handles renewal of the internet-facing certificate. The certificate used between the origin server and Cloudflare does not need to be renewed very often (in fact, its validity is 15 years).
Also, the Cloudflare dashboard provides analytics for both HTTP requests and DNS queries. I was a little afraid when I saw 200+ requests from Russia on the first day the server was exposed to the internet. Now, most requests come from Germany, Sweden and the US. Oh, they are not readers. These are requests sent by bots probing for vulnerabilities (for example, some requests are aimed at WordPress admin PHP scripts).
Since the nginx instance is exposed to the internet, some requests come directly to it. Cloudflare can only act as a reverse proxy for requests whose clients found the site by resolving the domain name through its DNS; a client connecting straight to the instance’s IP address bypasses it. Maybe I could limit the exposure of the nginx server to the IPs of Cloudflare servers, if I can get a hold of them. I’ll try it and report back here.
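One way to do what the last paragraph describes, as an added example that is not from the original post: a Python script that takes Cloudflare's published IP ranges (a few entries shown inline as a constructed sample; the live lists are at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), renders an nginx allow/deny include for the server block, and scans constructed access-log lines for hits that reached nginx without passing through Cloudflare. The function names and sample data are all assumptions made for this example.

```python
import ipaddress

# Constructed sample in the shape of Cloudflare's published edge ranges
# (https://www.cloudflare.com/ips-v4 and /ips-v6); fetch the live lists in production.
SAMPLE_RANGES_TEXT = """
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
2400:cb00::/32
"""

# Constructed nginx access-log lines in the default "combined" format.
SAMPLE_LOG_LINES = [
    '173.245.48.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '104.20.5.9 - - [10/Oct/2023:13:57:12 +0000] "GET /about/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '2001:db8::42 - - [10/Oct/2023:13:58:40 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"',
]

def parse_ranges(text):
    """Turn one-CIDR-per-line text into ip_network objects, skipping blank lines."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()]

def is_cloudflare(ip_text, networks):
    """True if the client address falls inside any of the proxy's ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in networks if net.version == ip.version)

def render_nginx_allowlist(networks):
    """Emit an include file for a server {} block: allow the proxy, deny everyone else."""
    lines = [f"allow {net};" for net in networks]
    lines.append("deny all;")
    return "\n".join(lines) + "\n"

def find_bypass_requests(log_lines, networks):
    """Return (client_ip, request) for hits that reached nginx without going through Cloudflare."""
    found = []
    for line in log_lines:
        client_ip = line.split(" ", 1)[0]   # combined format starts with $remote_addr
        request = line.split('"')[1]        # text inside the first pair of quotes
        if not is_cloudflare(client_ip, networks):
            found.append((client_ip, request))
    return found

if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGES_TEXT)
    print(render_nginx_allowlist(nets))
    for ip, request in find_bypass_requests(SAMPLE_LOG_LINES, nets):
        print(f"direct hit, bypassing Cloudflare: {ip} {request}")
```

Save the rendered output to a file and `include` it inside the nginx server block; with that in place direct hits get a 403, and the same ranges can also go into the EC2 security group so they never reach nginx at all.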
Until then, take care of yourself.