I work in application/product security and have managed WAFs for multi-billion dollar companies for many, many years.
Move DNS to Cloudflare and put a few WAF rules on your site (managed challenge if bot score less than 2 / attack score == x). I doubt you'll even pay anything, and it will resolve a lot of your problems. Just test it before moving it to production please (maybe set up a test domain). Remember, a WAF is not an end-all, be-all; it's more of a band-aid. If your app isn't hardened to handle attacks, no amount of advanced WAF/bot protection will save it.
Selfhoster here. I use mutual TLS rules with CloudFlare's WAF to filter out everyone but my known-good callers. Works great. Since the only folks with access are my family, it was pretty easy to set up as well (everyone gets a unique cert that I can revoke if need be).
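The two rule shapes described in the comments above (a managed challenge keyed on bot/attack score, and a block rule that admits only verified client certificates), written out as Cloudflare custom-rule expressions. This is an added illustration, not either commenter's actual configuration. The field names (`cf.bot_management.score`, `cf.bot_management.verified_bot`, `cf.waf.score`, `cf.tls_client_auth.cert_verified`, `cf.tls_client_auth.cert_revoked`, `http.host`) are from Cloudflare's Rules language; the bot and attack score fields are only populated on plans that include those products, the hostname `files.example.com` is a placeholder, and the "Rule:" labels are descriptive text, not part of the expression.

```text
Rule: challenge probable automation          (action: Managed Challenge)
  (cf.bot_management.score lt 2 and not cf.bot_management.verified_bot)
  or (cf.waf.score lt 20)

Rule: require a valid, unrevoked client cert (action: Block)
  http.host eq "files.example.com"
  and (not cf.tls_client_auth.cert_verified or cf.tls_client_auth.cert_revoked)
```

Two practical notes: `cert_verified` is false for every request that presents no certificate at all, so the mTLS rule must be scoped to the hostnames that actually require a cert or it will block the rest of the zone; and, as the first commenter says, stage these on a test domain (or watch the firewall events for a while before switching the action from Log to Block) so that legitimate callers and verified crawlers are not caught by a score threshold set too aggressively.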
Usually I only manage internal-facing applications these days, which makes the attack surface greatly reduced compared to public ones.
But since you seem to have a lot of knowledge in this area: have you managed solutions which also include infrastructure in Azure combined with Cloudflare?
And if so, any suggestions on things people usually miss? Except for the usual OWASP stuff and whatnot.
Yes, that's just what the internet needs: even more websites centralized behind Cloudflare. Why do we even bother with TLS anymore if we're going to give them unencrypted access to practically all of our internet traffic?
Hacker News is so funny, they complain about the amount of power we've allowed Google, Amazon, and Microsoft to have, and then go right around and recommend putting everything behind Cloudflare.
Once Cloudflare starts using attestation to block anyone not on Chrome/iOS Safari it'll be too late to do anything about it.
Can you please not post in the flamewar style? It's not what this site is for, and destroys what it is for.
You're welcome to make your substantive points thoughtfully but it needs to be within the rules. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
We should be suggesting self hosted and decentralized solutions to website hosting and file hosting.
On that note, does anyone have any secure methods of serving a file from your computer to anyone with a phone/computer that doesn't require them downloading/installing something new? Just a password or something? Magic-wormhole almost seems great, but it requires the client to install wormhole (on a computer, not phone), and then type specific commands along with the password.
> Once Cloudflare starts using attestation to block anyone not on Chrome/iOS Safari it'll be too late to do anything about it.
That's just plain bs...
E.g.
1) they have customers and their customers want protection, with minimal downsides.
2) Cloudflare is the only one with support for Tor. I'm 100% sure you didn't know that.
What "examples" do you have to blame them for something they aren't doing? Based on what?
I'm getting tired of people blaming Cloudflare for providing a service that no one else can provide for free to small website owners => DDoS protection.
Could you please stop breaking the site guidelines? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.
You're of course welcome to make your substantive points thoughtfully while staying within the rules.
Which circumvents the bad reputation of certain exit nodes:
> Due to the behavior of some individuals using the Tor network (spammers, distributors of malware, attackers), the IP addresses of Tor exit nodes may earn a bad reputation, elevating their Cloudflare threat score.
> Hacker News is so funny, they complain about the amount of power we've allowed Google, Amazon, and Microsoft to have, and then go right around and recommend putting everything behind Cloudflare.
It’s almost as if those saying contradictory things are actually different people despite being on the same website. But it can’t be that, surely? Truly a perplexing phenomenon that I hope someone can one day explain.
Fair, although I know quite a few people that hold both of these opinions simultaneously because I've met them in person. It's only after I point out their hypocrisy that they even realize what a danger Cloudflare poses to the free and open internet.
I suspect it's because hating on Google is in vogue, and so is recommending Cloudflare.
I'm going to try to provide / justify my potentially hypocritical viewpoint:
I use Cloudflare (free tier) in front of the very few and almost entirely unused websites that I run. I believe that the service they provide is useful for protecting the IP addresses of the servers on which the content is hosted, whilst also providing some amount of protection from malicious traffic.
I also agree that centralisation of services is a big problem for the future of the internet.
My position is that, whilst there seem to be increasing voices / examples of Cloudflare's (potential in) acting against the nebulous notion of "spirit of the internet", for me they certainly haven't reached the "evil" stage. I'm also of the understanding that it's Cloudflare customers that choose to block access from Tor or VPS IP address ranges and / or add Captchas or other bothersome verification. True, Cloudflare enables it and makes it possible, but the administrators of the website that you're trying to visit have made the choice to make it more difficult for you to access their content; not Cloudflare themselves.
I would prefer there to be similar-scale alternatives to Cloudflare as a kind of a middle-ground decentralisation of centralisation. I'm sure there are alternatives, but I'm not yet motivated enough to even consider starting the research process.
If Cloudflare start selling visitor analytics to data brokers, however, very fast goodbye.
Message/email me if you need help.