Last modified 2022-06-19.
After deciding to close my AWS account, I started looking for alternatives to host my static websites. Without getting into my selection criteria, my short list of possible hosting companies was Microsoft Azure, Cloudflare, Digital Ocean, Linode, and Netlify. Many other options exist.
Cloudflare has a free tier that has no time limit. It includes an S3 work-alike called R2, SSL and a built-in world-wide CDN that works automatically. 250 GB of storage and 1 TB/month of transfer are provided at no charge, forever. There are also no ingress or egress charges. Cloudflare’s edge network now spans 275 cities around the world, with nearly all Internet users within 50 milliseconds of a Cloudflare server.
This blog post documents my experience with Cloudflare. If you don't care about details, and want to know my verdict on Cloudflare R2, skip to the end.
For PaaS vendors such as AWS, Azure, Digital Ocean, Cloudflare, ScaleWay, etc.: “pay-as-you-go” is shorthand for “there is nothing you can do to limit your financial liability”.
This is what I did
After creating an account, I followed the directions in the R2 get started guide.
The directions told me to set up Wrangler v2, a command-line interface for transferring files to R2.
$ npm install -g wrangler
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
npm WARN deprecated firstname.lastname@example.org: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-inject.
added 56 packages, and audited 57 packages in 8s
10 high severity vulnerabilities
To address issues that do not require attention, run: npm audit fix
To address all issues, run: npm audit fix --force
Run `npm audit` for details.
The above messages do not inspire confidence. Wrangler is written using Node. I believe that Node has more security issues than any other computer language, particularly in package management. The OWASP recommendations do not address the fundamental security vulnerabilities in the Node package management infrastructure.
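One way to triage an audit result like the one above, as an added example (not code from this post or from Wrangler): it reads a report in the `npm audit --json` format (auditReportVersion 2) and separates packages that carry an advisory themselves from packages flagged only because a dependency is, and lists fixes that need `--force`. The sample report, its package names and the advisory are constructed.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Package names and the advisory are placeholders, not Wrangler's real tree.
const majorFix = { name: "example-cli", version: "2.0.0", isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser", severity: "high", isDirect: false,
      via: [{ title: "Constructed advisory", severity: "high", url: "https://example.invalid/advisory" }],
      effects: ["example-bundler"], fixAvailable: majorFix,
    },
    "example-bundler": {
      name: "example-bundler", severity: "high", isDirect: false,
      via: ["example-parser"], effects: ["example-cli"], fixAvailable: majorFix,
    },
    "example-cli": {
      name: "example-cli", severity: "high", isDirect: true,
      via: ["example-bundler"], effects: [], fixAvailable: majorFix,
    },
  },
};

// Entries in `via` are advisory objects when the package itself is affected,
// or plain strings naming the vulnerable dependency it inherits the flag from.
function triageAudit(report) {
  const entries = Object.values(report.vulnerabilities || {});
  const result = { flagged: entries.length, rootCauses: [], inheritedOnly: [], needsForce: [], noFix: [] };
  for (const v of entries) {
    const advisories = (v.via || []).filter((x) => x && typeof x === "object");
    if (advisories.length > 0) {
      result.rootCauses.push({ name: v.name, severity: v.severity, titles: advisories.map((a) => a.title) });
    } else {
      result.inheritedOnly.push(v.name);
    }
    // fixAvailable is false (no fix), true (in-range fix), or an object;
    // isSemVerMajor means only `npm audit fix --force` applies it.
    const fix = v.fixAvailable;
    if (fix === false) result.noFix.push(v.name);
    else if (fix && typeof fix === "object" && fix.isSemVerMajor) result.needsForce.push(v.name);
  }
  return result;
}

const summary = triageAudit(sampleReport);
console.log(`${summary.flagged} packages flagged, ${summary.rootCauses.length} carry an advisory directly`);
console.log("inherited only:", summary.inheritedOnly.join(", ") || "none");
console.log("need --force (semver-major):", summary.needsForce.join(", ") || "none");
```

To use it on a real install, save the output of `npm audit --json` and pass the parsed object to `triageAudit`.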
I looked for alternatives to Wrangler and found RClone. RClone is a command-line program to manage files on cloud storage. It has many subcommands, including two types of sync. Although the RClone documentation does not mention Cloudflare, the Cloudflare docs described how to set up RClone.
Platform limits are important. Technical limits matter for defining inputs and outputs, but users should be particularly interested in spend limits, so that they are not subject to unlimited financial liability.
Only requests that hit a Worker will count against your limits and your bill.
Cloudflare Pages supports Jekyll sites. However, it looks like Cloudflare Pages builds the site in the cloud. While this might be a useful mechanism for many, my Jekyll builds need to access my local machine, and use my Jekyll plugins.
Cloudflare Workers Sites suits my use case. The Start From Existing documentation looks appropriate, except it is written for using Wrangler, which I view as a security threat.
The Verdict: No to Cloudflare
Cloudflare does not offer a spend limit for accounts on paid plans. This is unacceptable. I tried to remove my credit card, but found I could not. I then deleted my user account, and saw:
It could take up to 12 months to delete your information completely.
There is no way to frame this as an example of how Cloudflare is looking out for the best interests of their customers.