HACKER Q&A
📣 donutshop

What's a good open-source alternative to Cloudflare?


Been a fan of cloudflare for a while but am having second thoughts about such a centralized service with so many lock in mechanisms. What options are out there? (open source would be great!) Looking at features like DNS, DoS protection, basic WAF, CDN...etc


  👤 selcuka Accepted Answer ✓
The value of CloudFlare comes from its network, not the software they run. You can hack together a caching reverse proxy (intentionally oversimplified) pretty easily, but it won't be "CloudFlare".

👤 necovek
It's not necessarily about code being open source or not: you can pretty much run a wide and large proxy network for any of the services using run-of-the-mill free software.

This means that to prevent all of the issues, you need a huge overprovisioned network. So to make economics work, you'd have to become one of the largest networks in the world, and thus serve lots of clients, making you again a "centralized" service.


👤 bawolff
CDNs are mostly about having large numbers of servers in convenient locations, not software. The software is the easy part.

That said, Wikipedia documents its CDN setup, which is all open source, at https://wikitech.wikimedia.org/wiki/Caching_overview which might be of interest to you.


👤 axg11
What would it even mean to be an open source Cloudflare? The entire point of Cloudflare is that they run the tricky stuff for you. As another user said here, you can use nginx and lots of other OSS to achieve the same end goals. You will work much harder for it though.

👤 zxcvbn4038
If you just want to run a cache locally, Varnish or nginx w/ cache module. But Cloudflare’s value add isn’t their cache by itself, it’s their network of caches in 200+ locations around the world to keep content closest to users. That’s the part where you have to have huge scale before it makes sense to try and run your own CDN - it’s a full time job. Giving Cloudflare $20 a month or $200 a month is worth it. If you want a cache but not necessarily Cloudflare’s cache, AWS CloudFront has a free tier w/ 1 TB of egress a month last I checked - that’s very aggressive pricing. Cloudflare doesn’t have any egress cost at all until you get to enterprise, but they heavily restrict features at the lower tiers - might be an issue if you need cache TTLs lower than 24 hours. I’m a big proponent of micro-caching, so that part of Cloudflare runs against my designs sometimes. CloudFront has no such limitations.

👤 rrampage
Building your own DDoS protection and CDN will involve a lot of devops bandwidth in ensuring both low latency and high availability. You may need to negotiate good rates with your ISP/VPS/Cloud for network bandwidth. It will also involve keeping in sync with security fixes and the state of the art in terms of bot protection, etc. If this use case is not a core part of your business, it will be better to bite the bullet and go ahead with a third-party solution like Cloudflare / AWS CloudFront + WAF + Route 53 / Google Cloud Armor / Fastly.

Openresty with a few Nginx modules and Lua scripts can go a long way for many use-cases mentioned:

- ModSecurity for WAF: https://github.com/SpiderLabs/ModSecurity

- L7 Rate limiting: https://github.com/openresty/lua-resty-limit-traffic

- Cache: https://github.com/ledgetech/ledge. Or use Varnish, which gives you VCL for high configurability

- Load balancing: https://github.com/openresty/lua-resty-balancer

- CDN: https://github.com/taythebot/lightpath. This project seems to be a WIP which you can use as a starting point for your needs. You will also need to find good enough "edge" locations for your CDN.

Similarly, HAProxy does a lot of stuff with the correct config and is also extensible using Lua:

- Some basic DOS protection: https://www.sysbee.net/blog/haproxy-sysadmins-swiss-army-kni...

- L7 DDoS protection: https://github.com/mora9715/haproxy_ddos_protector

You can run your own authoritative DNS server using either djbdns or nsd. Or use AWS Route 53.

Ultimately, it will involve (a lot of) glue code/config depending on what solution you go ahead with.
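As an added illustration of how two of the pieces listed above fit together on OpenResty (this is example config written for this thread, not code from the post or from the linked projects): lua-resty-limit-traffic provides per-client L7 rate limiting in `access_by_lua_block`, and nginx's built-in `proxy_cache` acts as a micro-cache in front of the origin. The origin address 127.0.0.1:8080, the cache directory, and the 20 req/s rate with a burst of 40 are assumed values.

```nginx
# Added example config (not from the post or the linked projects).
# Assumed: origin app on 127.0.0.1:8080, cache dir /var/cache/nginx, 20 r/s + burst 40.
events { worker_connections 1024; }
http {
    # Shared memory zone lua-resty-limit-traffic uses to track per-key request state
    lua_shared_dict my_limit_req_store 10m;
    # Disk cache for proxied responses (nginx core feature, no Lua involved)
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=edge_cache:10m
                     max_size=1g inactive=60m use_temp_path=off;
    upstream origin {
        server 127.0.0.1:8080;   # assumed origin application
    }
    server {
        listen 80;
        location / {
            # L7 rate limit keyed on client IP: 20 req/s steady state, up to 40 extra
            # requests delayed (leaky bucket); anything beyond that gets a 429.
            access_by_lua_block {
                local limit_req = require "resty.limit.req"
                local lim, err = limit_req.new("my_limit_req_store", 20, 40)
                if not lim then
                    ngx.log(ngx.ERR, "failed to instantiate limiter: ", err)
                    return ngx.exit(500)
                end
                local delay, err = lim:incoming(ngx.var.binary_remote_addr, true)
                if not delay then
                    if err == "rejected" then
                        return ngx.exit(429)   -- over rate + burst: refuse
                    end
                    ngx.log(ngx.ERR, "failed to limit request: ", err)
                    return ngx.exit(500)
                end
                if delay >= 0.001 then
                    ngx.sleep(delay)   -- within burst: throttle instead of rejecting
                end
            }
            # Micro-cache: serve cached 200/301/302 for 60s, collapse concurrent misses
            # into one origin fetch, and fall back to stale content on origin errors.
            proxy_cache edge_cache;
            proxy_cache_valid 200 301 302 60s;
            proxy_cache_lock on;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
            add_header X-Cache-Status $upstream_cache_status;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://origin;
        }
    }
}
```

Validate with `openresty -t` before reloading; the `X-Cache-Status` response header shows HIT/MISS/STALE so you can confirm the micro-cache is doing what you expect.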


👤 tobinfekkes
Couldn't agree more.

I've been loving Cloudflare since the very, very beginning, but a few little red flags the past couple years have me wanting to find an alternative as well.

Thank you for asking this.


👤 namelosw
Things like CDN and DoS protection: you'll need to operate massive networks and machines distributed around the globe.

Until someone creates a well-thought-out decentralized CF alternative from the ground up, which solves the bad actor and slow and unstable node problems, with clever incentives, et cetera et cetera, we'll be stuck with centralized solutions.


👤 febeling
For many of the features that Cloudflare provides you need an autonomous system (AS) in order to be able to run Border Gateway Protocol (BGP). That gives control over the routing, so that traffic is met by regional servers and infrastructure. If that sounds costly, it's because it is.

👤 toastal
You can block and throttle my country with any ol' server like CloudFlare. The tricky part is making sure folks using privacy-oriented setups get dozens of hCAPTCHAs. /s

👤 donavanm
As others have mentioned, your question doesn’t cleanly map to what a “CDN” really is these days. The minimal requirements for even the most basic content distribution cache or NS setup are pretty significant in time and capex. In my experience as much effort goes into operations and “control plane” management as the “dataplane” software that serves requests.

What I haven’t seen others mention, and is a literal open source CDN, is Coral CDN. I’m not sure if it’s a going concern anymore, but it was a plausibly useful academic project circa 2005-15. I believe the ubiquity and accessibility of very cheap commercial offerings, and the ratcheting improvements in commercial CDN tech, really put Coral “out of business” by 2013 or so. http://dsrg.pdos.csail.mit.edu/2013/07/18/coralcdn/

Disclosure: principal at AWS, used to work on CloudFront and Route 53. Opinions are my own and do not reflect my employer or any proprietary information.


👤 hknmtt
There are a million CDN providers (Bunny and Beluga are among the cheapest). That is not an issue. Even though it's not going to be free, at least you will no longer be the product. They are not reverse proxies like CF, but changing links on your web is not that complicated.

And every data center has hardware DDoS protection; you don't need a service for that if you use a good web or server hosting provider.

Cloudflare is not really that special. The reason normal people even know the name CF is because it was free, not because of what it provided.

And after they started censoring, there is no reason to keep using their services. They screwed themselves over by doing that. Sooner or later they will stop being normies' favourite and become a purely corporate service.


👤 nickphx
Cloudflare is more a combination of software and distributed networking resources.

👤 guluarte
You need a lot of tools to replace Cloudflare; there is Authelia, BIND, nginx, Traefik.

I don't think you can have any sort of DoS protection if your ISP cuts off your internet if you're being attacked...


👤 cpach
I would focus on the CDN part first and foremost. Maybe read up on CloudFront, Fastly and BunnyCDN. They can all be replacements for Cloudflare’s CDN.

👤 wenbin
The closest thing I can think of is nginx - if I remember correctly, Cloudflare built their business on top of nginx in the early days.

“Just” run nginx on your own servers from different geo locations. nginx is very versatile, e.g., load balancing, rate limiting, rule-based firewall, caching…

But one important reason why SaaS/API/cloud businesses exist is that people don’t want to run their own servers for every project.


👤 sschueller
Alternatively, a company offering a similar service as Cloudflare but located in a more privacy-friendly jurisdiction would also be interesting.

👤 rspoerri
Probably something like IPFS ( https://en.wikipedia.org/wiki/InterPlanetary_File_System ) or BitTorrent. However, I do not know if there is a system that would support direct http(s) access.

👤 hitori
(D)DoS protection is not a single piece of software; in my mind it's a group of tech and network configuration. It's just that Cloudflare makes it one click, so it looks easy.

👤 stubbi
Not ready yet, but the IPVM (inter-planetary virtual machine), similar to IPFS, might be a good fit for such use cases in the future.

👤 bosch_mind
NGINX? You want to self-host DDOS protection?

👤 alwaysaway654
Cloudflare has an outflow pipe to the US gov. Just like the rest of US based services. So if you are doing anything unsocietal as the currents define it, then best not to use US based services. You can alternatively use China based cloud offerings, as they won't share data with the US gov for obvious reasons.

You can achieve the same protection by knowing your endpoints and infrastructure and then banning anything with an unacceptable delta of traffic difference (ASP vs PHP, WordPress vulnerability bots, etc.). If you have multiple servers, you share the ufw firewall lists among them in real time, unless you want to ban higher up the stack.

The DoS protection might be harder to emulate. But at that point something is out to specifically get you anyway.

Just wait it out or move to another domain or ip.


👤 Double_a_92
This question is so nonsensical it almost makes me angry...

👤 jay-barronville
Cloudflare has become somewhat of a necessary evil. At this point, due to the sheer amount of resources and level of effort required to set up an equivalent infrastructure, they’re effectively a monopoly. Personally, I hate that and I wish the alternative was feasible, but realistically, if you need Cloudflare-level protection, you’re basically stuck with them.