this post was submitted on 08 Mar 2025
23 points (100.0% liked)

Lemmy.ca's Main Community


I was wondering if there was really a good reason for CloudFlare to be used? I understand Lemmy.ca has dedicated hardware in a datacenter. Seems odd to pipe all our data through a US company as we are in a trade war.

top 18 comments
[–] [email protected] 28 points 1 week ago (4 children)

Lemmy.ca does about 2tb a week in traffic, 1tb of which is absorbed by Cloudflare caching images / static resources. We do have the server / network capacity to serve directly, but at the cost of reduced performance and higher latency for users. Our server is in Vancouver, if you're in Montreal you could expect images to load slower for you since they'd no longer be cached locally once one user viewed it. Another advantage is that if we ever do get DDOS'ed, it becomes possible to manage and deal with in a reasonable amount of time + energy.

I'm open to discussing dropping them, but we don't pay them anything as we're just on a free plan. We're just costing them a little money, we don't even register our domains through them.

[–] [email protected] 10 points 1 week ago (2 children)
[–] [email protected] 11 points 1 week ago (2 children)

Oh that's interesting. Thanks.

[–] [email protected] 10 points 1 week ago

Also check out https://deflect.ca/non-profits/ you might get it for free.

[–] [email protected] 4 points 1 week ago (1 children)
[–] [email protected] 4 points 1 week ago
[–] [email protected] 7 points 1 week ago

I'm sold on the sales pitch for it, but deflect.ca resolves to a Hetzner box in their Washington DC datacenter. I have a 112 ms ping to it from Toronto.

How do you sell a CDN when your own website is hosted out of the country at a PoP that's that far away?

[–] [email protected] 8 points 1 week ago (1 children)

If you ever decide to explore the market, although American, Fastly has been a big proponent of indie and open web.

[–] [email protected] 12 points 1 week ago* (last edited 1 week ago) (1 children)

I've actually used them at an old day job and quite liked them. I don't know if they still let you provide your own VCL, but it was a great feature.

If we were paying for something, then yeah they'd be on my short list.

Edit: huh. Interesting.... https://www.fastly.com/fast-forward

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago) (1 children)

Edit: Thanks for the well thought out answer. I can appreciate that sentiment.

With regards to the link you had appended, this is also interesting https://www.fastly.com/lp/fediverse/

[–] [email protected] 4 points 1 week ago

Oh that is cool, I didn't see that page.

[–] [email protected] 5 points 1 week ago (1 children)

One suggestion to consider for Lemmy.ca is to move your images and other easily-cacheable content to a different domain or subdomain, to give you more flexibility.

E.g., if you serve your static assets off of lemmyimages.ca, then you can have only that behind a CDN, Cloudflare, or some other hosting with DDoS scrubbing. It gives you more flexibility to cope with various situations.

2tb a week isn't much (6 mbps on average?). It's pretty easy to set up nginx as a caching reverse proxy and spin that up on a couple of VPSes, but the annoying bit is you need to anycast your own IP address space in order for it to be functional as a CDN.

I'm not aware of any Canadian-owned CDNs either... OVH has one but they're pretty crappy as a company. Beware of whitelabelled CDNs too, even some of the CDNs provided by big cloud hosting companies are actually whitelabelled from another company.
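
A sketch of the caching reverse proxy for a separate static-asset hostname that the comment above suggests, as an added example that is not part of the thread or of lemmy.ca's configuration. The hostnames `images.example.ca` and `origin.example.ca`, the file paths, and all sizes, lifetimes and rate limits are placeholder assumptions; it covers a single cache node only, not how clients are steered to it.

```nginx
# Constructed example. Goes in the http {} context of a cache node.
# All names, paths, sizes and limits below are placeholders.

# On-disk cache: 50 MB of keys in shared memory, 20 GB of objects, evict after 7 idle days.
proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static:50m
                 max_size=20g inactive=7d use_temp_path=off;

# Per-client request budget so a flood is shed here instead of reaching the origin.
limit_req_zone $binary_remote_addr zone=perip:10m rate=50r/s;

server {
    listen 443 ssl;
    server_name images.example.ca;

    ssl_certificate     /etc/ssl/images.example.ca/fullchain.pem;
    ssl_certificate_key /etc/ssl/images.example.ca/privkey.pem;

    location / {
        # Static assets only need reads; reject every other method at the edge.
        limit_except GET HEAD { deny all; }
        limit_req zone=perip burst=100 nodelay;

        # Fetch misses from the origin over TLS and verify its certificate.
        proxy_pass https://origin.example.ca;
        proxy_set_header Host origin.example.ca;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # The asset hostname carries no per-user state: drop credentials in both directions
        # so a session cookie can never be forwarded or stored in the shared cache.
        proxy_set_header Cookie "";
        proxy_set_header Authorization "";
        proxy_hide_header Set-Cookie;
        proxy_ignore_headers Set-Cookie;

        proxy_cache static;
        proxy_cache_key $scheme$host$request_uri;
        proxy_cache_valid 200 301 7d;
        proxy_cache_valid 404 1m;
        proxy_cache_lock on;   # collapse concurrent misses into one origin fetch
        # Keep serving cached copies while the origin is down or being refreshed.
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

        # Exposes HIT/MISS/STALE so cache behaviour can be checked from a client.
        add_header X-Cache-Status $upstream_cache_status always;
    }
}
```

Keeping images on their own hostname means this node terminates TLS only for cookie-less asset requests, while logins and API traffic stay on the main domain.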

[–] [email protected] 8 points 1 week ago (1 children)

Yeah we're at about 10mbit on a 50mbit commit off a 1 gig feed.

I'm starting to dislike nginx these days, Varnish is nicer as a caching frontend. We were on OVH before, fuck that.

If there was a good Canadian CDN I'd be all over it, but there isn't.

[–] [email protected] 5 points 1 week ago (1 children)

If I can ramble a bit more - forget the Anycast bit. If you run your own DNS server(s), you can just configure them to respond based on the geographic location of the requester. PowerDNS is pretty easy to set up for this. You could run your own DNS just for the image domain. You basically run PowerDNS authoritative server, set up your zones and the geoip stuff, then slap dnsdist in front of it to be publicly exposed. dnsdist has anti-DDoS features and loadbalancing in it, in case you need it down the road.

Since it's just for static images, you can have a higher TTL so you don't need to worry about distributing the DNS servers. (ie. the DNS lookup might not be super fast since it could go across the country, but it doesn't matter since that lookup is only going to happen every TTL period on each client, which can be high.)

[–] [email protected] 7 points 1 week ago (1 children)

With an SRE team sure, but there's a difference between the amount of infra I'm willing to set up vs what I want to maintain and be responsible for on my own. I could set this up, spend money on VPS and have something that's difficult for anyone else to maintain.

Or I could just turn on Cloudflare.

I'm an expert with all the tech you mentioned, but I'm trying to avoid a complex setup where if I got hit by a bus my fellow admins would struggle to maintain things.

[–] [email protected] 5 points 1 week ago

I totally understand. It sucks that there's not really any options in between these two extremes.

[–] [email protected] 3 points 1 week ago* (last edited 1 week ago)

Thank you for the great work you do! Here is a link with additional options to consider.

https://www.eucloud.tech/eu-alternatives-to/cloudflare

If you are only willing to consider a no-money option, it will be more difficult. Maybe consider approaching an alternative and asking if they will support a non-profit for a discount.

Another option is simply to drop Cloudflare without a replacement. You have raised some of the tradeoffs. Maybe people can live with those tradeoffs.

There is the consideration of Cloudflare tracking users from one domain to another. Pornhub is one site notorious for using Cloudflare.

https://www.ghostery.com/whotracksme/tracking-reach

There is also the consideration of Cloudflare possibly decrypting traffic and compromising passwords. At the start of a possible physical war, disrupting communication by overtaking user accounts could be a possible threat.

[–] [email protected] 3 points 1 week ago

lemmy.ca is not in a trade war.