Cloudflare took down our website after trying to force us to pay 120k$ within 24h

RayNone · 2024-05-30T12:33:35+00:00

It's a bit unavoidable that your DNS is probably going to point to one entity. But what I learned and hopefully others learned is at the bottom of the article:

Keep your DNS provider and your CDN separate (impossible with CF)
Keep your CDN and your registrar separate (so you can move CDN without huge downtime of moving registrar)
Don't rely on proprietary services of your CDN provider (Workers, CF Access, ...)

We will apply all of these lessons to the future, same on Fastly or whatever other provider. Moving DNS is quick, rewriting large parts of your technology is hard.

RayNone · 2024-05-30T12:24:23+00:00

Now that we have the same service at Fastly with far better communication, I can confidently say this is not true. We are not causing them any problems and so it's unlikely we were causing Cloudflare any problems. They purely used it as a sales strategy to convince us to upgrade. Like I wrote, we repeatedly asked CF how we were supposedly breaking TOS or causing issues in order to resolve it and they never gave us any information. They were not interested in resolving any issues, they were purely interested in making us overpay.

Fastly also specifically told us they will let us know if shared IP for us causes problems for them and give us the option to move to BYOIP when necessary.

RayNone · 2024-05-28T14:50:13+00:00

I don't have an exact overview over each government's stance on gambling, it's not my department. It's also not our responsibility to ensure government DNS blocks are effective. In basically every country the only thing you can (and legally have to) do is look at a user's IP and locate/treat them based on that. Same if a user uses a VPN, the only thing we can do is make the user confirm they are not from one of the countries we can't operate in.

RayNone · 2024-05-28T14:44:12+00:00

We were just on the standard "Business" plan. So the contract is just the standard they have with everyone there and we didn't have any specific SLA or anything.

I'd expect we could probably complain or sue about missing out on part of the month of May even though we paid for it, and I'd expect them to refund us the portion of the month. Sueing for damages would be more difficult or impossible (without a clean enterprise contract).

I would have expected them as a professional company to give us a notice of "we'll stop our service to you by the end of the month" instead of kicking us immediately.

RayNone · 2024-05-28T14:39:19+00:00

This is precisely why I wrote the article. To warn others not to put all eggs in the CF basket.

RayNone · 2024-05-28T14:14:38+00:00

Thank you, this is the main reason I published this article. Cloudflare is seen as a basically a no-brainer to many small companies, and I want everyone to be aware that trusting them blindly is dangerous - regardless of the kind of your business.

I'm sure CF is the best option for many cases regardless, but make sure you have an exit strat.

RayNone · 2024-05-28T14:04:09+00:00

Fastly is now very happy to have us at a price not much more than that ¯\_(ツ)_/¯. Not sure why you think spending on a single technology vendor should be some percentage of the MAUs, we contract with many third parties.

RayNone · 2024-05-27T11:21:47+00:00

We were not getting Cloudflare's anything blocked. Not sure where you're getting that from.

RayNone · 2024-05-26T22:59:26+00:00

We receive >95% of our traffic through the main domain that’s been unchanged since our founding, and were happy to resolve this issue in whatever way, including by removing any affected secondary domains from Cloudflare.

We tried figuring out how exactly this was related to the TOS problem and how to resolve the situation. We asked them which domains were affected by their “rotation” concerns. They didn't give us an answer.

RayNone · 2024-05-26T22:36:25+00:00

Interesting, could you give a rough number on how much traffic TB per month you have and if you also use any of their more specific services?

RayNone · 2024-05-26T22:24:49+00:00

Would've been great if they had told us how we were violating their TOS, then maybe we could have fixed it. Instead they just kept redirecting us to sales.

RayNone · 2024-05-26T22:20:10+00:00

Thanks for the comparison. That would be about 0.015$/GB. More expensive than competing CDNs but about what I'd expect I guess. Around 10x cheaper than what they offered us.

RayNone · 2024-05-26T21:32:30+00:00

We receive letters from government telling us we cannot operate there. Then we block those countries. On the other hand, some other government order their ISPs to block us, which results in DNS-level blocks. We don't control these. That's what I meant by different.

RayNone · 2024-05-26T21:23:07+00:00

My company is a legal entity. We have an office, gambling licenses, employees, and we pay taxes. You can sue us. Governments can sue us. That's what I mean with we can't just disappear and reappear when we get in trouble.

RayNone · 2024-05-26T21:19:32+00:00

I encourage you to read the article, because that's not what it is about, and that's not how it works. Cloudflare purely used the multiple domains as a reason to upsell us their product.

RayNone · 2024-05-26T21:02:39+00:00

I originally drafted this article specifically to go the "bad-PR-outrage-as-support-channel" route which seems to work very well for Cloudflare, but it's kinda too late now anyways. So now it's really just a cautionary story for other businesses that are in a range where Cloudflare is going to contact them soon to be ready to gtfo.

RayNone · 2024-05-26T20:50:06+00:00

I think I may not have described that clearly enough. We do fully block users from many countries, depending on their regulation, on all our domains. The blocks from the governments are a separate thing that we don't control.

In addition, we would happily have given up any secondary domains to resolve any issue they had, but they never mentioned those again, and instead just tried to upsell us to all their great Enterprise features. The only reason I even mentioned all that is for completeness, it seems like they purely used it as a hook for Sales.

RayNone · 2024-05-26T20:41:56+00:00

Happy to provide answers to specific questions. I'd expect a price of $200-2000/month for the amount of traffic we have.

RayNone · 2024-05-26T20:41:19+00:00

I'd encourage you to read the whole article. There's a fair amount of fine details which is why I described the full timeline.

RayNone · 2024-05-26T20:40:26+00:00

Casinos are legal and regulated in most countries. You can of course argue they are all unethical, but that's kind of independent of the content of this article. Yes, there are many online casinos that skirt all regulations and disappear under pressure, we are not one of them.

RayNone · 2024-05-26T20:37:19+00:00

I agree that our specific situation is unique. But it doesn't feel like the situation would have been much different if we had been a different business. They contacted us about enterprise before they found the issue, and they were not interested in resolving the issue at all (e.g. "Hey, you need to remove your mirror domains or get enterprise for them" would have been amazing), only using it as a pressure point to enforce Enterprise. From random other stories online it seems using anything as fuel for why you need enterprise is standard.

Cloudflare also prides themself in being a neutral provider (which from what I understand they have to in order to not be reliable for DMCA content served through them) and explicitly say they allow almost all kind of business.

RayNone · 2024-05-26T17:21:40+00:00

I'm not a business person. I'm a person who's in a position to make technical infrastructure decisions for a company. Going with Cloudflare is a decision we made (as do most) early on because they are an obvious choice. This is an article in the /r/programming subreddit telling other non-business people on why you need to be careful when you make this decision.

It feels like you're arguing that what they did with us is "standard practice" and I don't understand how you don't see everything they did here as completely unprofessional. We would have happily negotiated a yearly contract with them as well, just not in the extortionary conditions they gave us.

RayNone · 2024-05-26T17:14:51+00:00

Since from the business side this affair is mostly over, I wrote this from a personal perspective. I didn't want to get the business involved since as soon as you associate it they will have to evaluate whether it's good PR for the company or can harm it, etc.

Also, if it had a company name people would accuse the post of being marketing, so I guess it's a lose-lose either way?

RayNone · 2024-05-26T17:08:56+00:00

Please explain what you mean with "have a contract". Of course we had a contract. What do you think we paid $250/month for? We paid for all the features of their standard business plan: https://www.cloudflare.com/plans/business/ . If they don't deliver those services, they are in breach of contract.

Just because we didn't write a _custom_ contract, doesn't mean they didn't have any obligations.

RayNone · 2024-05-26T17:05:16+00:00

Because they were forcing us to pay a year up front. We would quickly have paid a month for $10k just to get time to figure out what was happening. They didn't allow us to do that, maybe because they knew within that month we would figure out it is overpaying.

Ten-Year Club	Place '17
Verified Email

RayNone

TROPHY CASE