Teknikal_Domain's Personal Blog


Upgrading to a Cloudflare Pro Plan

2020-05-03 6 min read Behind the scenes Teknikal_Domain

So as of yesterday, the Cloudflare plan on this site has changed from free to pro, the second of four, and the cheapest paid plan that they have. Really, there’s not that much that you will see, but there are plenty of backend changes that I’m going to be using with this. And I’m going to break down what the actual changes are.

Now this is not a 100% exhaustive list of all the changes that come with a pro plan, but these are the changes that I’ve been interested in.[1]

Pricing Plans

A little foreword though: Cloudflare offers four tiers of service: free, pro(fessional), business, and enterprise. The free plan is… free, and the most basic, but still plenty capable. From there, the pro plan starts at $20 per month, and has a few more features that you might find beneficial… I do, that’s why I’m going to pay for it.

After this is the business plan, at $200/mo, which comes with a lot more features: 100% uptime SLA, PCI compliance, bring-your-own SSL certificates, the works. After this, for serious stuff, is enterprise. Cost? “Ask for Quote”. Lovely. Obviously I’m not a business, and yes, most business and enterprise features are, well, business oriented, things that I don’t need, so the $20/mo that I spend is likely all that I’ll need going forward.


The Changes

Backend Stuff

TCP Turbo

One that I kinda can’t disable, and one that I don’t have many details for, so I’ll just read you the explanation: “Reduce latency and throughput with custom-tuned TCP optimizations.” Uh… ok? As the kind of person that I am, I would prefer a few more details about what’s going on though…

Image Optimization

Technically, this is a service called Polish, that can optimize images on-the-fly before delivery. In my case, auto WebP if possible, lossless compression. This is done before the cache, meaning that the optimized image will be cached and reused if possible.

Now, this does bring up the issue of my precious CDN script, and for that it likely won’t do that much. For the situations there where I said it was going to be hard to optimize with that, Polish can take over optimizing as it likes. Even so, smaller images I don’t offload anyway, and those can be optimized too: even though I did not manually slot them into my system, Cloudflare will now see what it can do with the ones that I chose to ignore for the time being. Pretty cool!

Page Rules

Cloudflare page rules allow you to tweak settings per URL on your site. For example, I can toggle minifying per URL, set certain pages to skip a browser integrity check, enforce HTTPS, the works. You can also set up redirects here; naturally, each redirect uses up a page rule, but if you want to redirect something before it hits your backend, there you go.

On the free plan, you can have up to 3 page rules active at one point. Even if you flip the off switch, unless you delete it, it still takes up one rule. On the pro plan, this is upped to 20.

Analytics

Resolution

My previous minimum analytics resolution was one hour. This means that the most detailed view I can see shows me an hour-by-hour breakdown. With the pro plan, it’s now 15 minutes, meaning I now can get breakdowns down to 15 minutes, which isn’t that important, but cool nonetheless.

DNS Analytics

First: Free plan limits you to viewing DNS history for the last 6 hours. Pro plan, last 24. Additionally, I’m given a geographical map, showing which regions are generating the most DNS requests.

Firewall Analytics

With the pro plan, instead of the (relatively limited) list of firewall hits, I do now have a graph of rules tripped over time and actions taken, and a lot of metrics on the exact details, though that list does still exist if I want to explore individual events.

Firewall and Security

Rules

Custom firewall rules, of which you’re given 5, have been increased to 20. Quite frankly, I think this should be self-explanatory.

User Agent Blocking

Every HTTP client sends a User-Agent header, a little string that is supposed to uniquely identify WHAT is being used to access a website. Well, Cloudflare allows you 10 strings to outright deny on a free plan, and ups that to 50 on a pro plan.

Zone Lockdown Rules

A zone lockdown rule allows you to restrict access to a set of URLs (a “zone”) to a certain set of IP addresses. On a pro plan, you can have up to 3 of these active at one time.

Rate Limiting Rules

Rate limiting, well, limits the rate at which someone can make requests to a URL. You can create one rule on a free plan, and up to 10 on pro.

Rate limiting can be useful to, for example, restrict brute-force attempts on a login page, or limit how many times someone can invoke a load-heavy page.
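
A minimal model of the login-page rate limiting described above, run over constructed request records. This is an added example, not code from this post or from Cloudflare; the rule fields (`path`, `threshold`, `period`, `timeout`) and the sample IPs are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque
from fnmatch import fnmatch

# Hypothetical rule shape (not Cloudflare's API): allow `threshold` requests per
# client IP to a matching path per `period` seconds, then block for `timeout`.
RULE = {"path": "/login*", "threshold": 5, "period": 60, "timeout": 300}

def apply_rate_limit(requests, rule=RULE):
    """Return one (ts, ip, path, verdict) tuple per request.
    `requests` is a list of (ts_seconds, client_ip, path) sorted by time."""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    blocked_until = {}            # ip -> time at which its block expires
    verdicts = []
    for ts, ip, path in requests:
        verdict = "pass"
        if not fnmatch(path, rule["path"]):
            pass                                  # rule does not cover this URL
        elif blocked_until.get(ip, 0) > ts:
            verdict = "block"                     # still serving an earlier block
        else:
            window = recent[ip]
            while window and window[0] <= ts - rule["period"]:
                window.popleft()                  # expire old timestamps
            window.append(ts)
            if len(window) > rule["threshold"]:
                blocked_until[ip] = ts + rule["timeout"]
                window.clear()
                verdict = "block"
        verdicts.append((ts, ip, path, verdict))
    return verdicts

def blocked_counts(verdicts):
    """Number of blocked requests per client IP."""
    return dict(Counter(ip for _, ip, _, v in verdicts if v == "block"))

# Constructed sample traffic: 198.51.100.7 hits /login once a second and retries
# later; 203.0.113.20 logs in once and then reads a post.
SAMPLE = sorted(
    [(t, "198.51.100.7", "/login") for t in range(10)]
    + [(200, "198.51.100.7", "/login"), (400, "198.51.100.7", "/login"),
       (3, "203.0.113.20", "/login"), (4, "203.0.113.20", "/posts/1")]
)

if __name__ == "__main__":
    for row in apply_rate_limit(SAMPLE):
        print(*row)
    print(blocked_counts(apply_rate_limit(SAMPLE)))
```

The sixth login request inside the window trips the rule, and the retry at 200 seconds is still refused because the block outlasts the counting period; the single legitimate login is never affected.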

Cloudflare Managed Rules & OWASP Rulesets

Part of the Cloudflare Web Application Firewall (WAF) that’s included in the pro plan: CF themselves have a few (okay, a ton) of pre-built firewall rules for protecting things like WordPress, Drupal, Flash, and other things.

This is also bundled with the OWASP (Open Web Application Security Project) Core Ruleset, a bundle of common attack protection rules.

Put simply, the firewall gains some serious security benefit with this.

Cloudflare Firewall JS Challenge and Captcha Challenge

Finally, besides the block, allow, and bypass rule actions, with a pro plan or above, you can instead respond to rule violations with a JavaScript challenge or a Captcha. Use this for challenging what Cloudflare has determined are risky clients, for example, or require that certain pages are locked behind a captcha to prove that an actual human is at the end of it.

The JS challenge doesn’t require user input, and just shows a “please wait to be redirected” screen. The captcha challenge is, well, a captcha. A human has to manually solve it to proceed.

I Just Want A Table!

I can do that.

| Feature | Free | Pro |
|---|---|---|
| TCP Turbo | | ✔️ |
| Page rules | 3 | 20 |
| Polish | | ✔️ |
| Firewall rules | 5 | 20 |
| UA Blocking | 10 | 50 |
| Zone lockdown rules | | 3 |
| Cloudflare WAF | | ✔️ |
| Cloudflare managed rules | | ✔️ |
| OWASP core rules | | ✔️ |
| Rate limiting rules | 1 | 10 |
| Captcha challenge | | ✔️ |
| JS challenge | | ✔️ |
| Site analytics resolution | 1 hour | 15 minutes |
| DNS historical analytics | 6 hours | 24 hours |
| Firewall historical analytics | | 24 hours |

Conclusion

Just a quick look tells you that the majority of improvements with a paid plan are focused on the firewall section, and security. Further plans can also expand on this, though they do start branching out into other features as well.


  1. Here’s the official comparison page. Click “Compare all plans and features” at the bottom, don’t scroll down. ↩︎
