April 20, 2018

A note on CDNs and protecting your website against censorship

TLDR

- goo.gl/47UqyZ

- Using a free or cheap CDN service can help you protect a resource hosted on your domain from censorship

- Unless the CDN's servers themselves get blocked (but I guess the CDN has more servers than you do, right?)

So, I host spark-in.me on Digital Ocean, and I do not want to move it or run a CDN myself. I read in the news that Google abandoned some of its proxying tools because of such censorship events... interesting.

I knew that services like Cloudflare (**CDN**) forward your traffic somehow, but I was not sure which IP the user actually sees and whether all of the traffic is forwarded. Then I read their FAQ:

- goo.gl/uHPLjW

It says:

After a visitor's browser has done the initial DNS lookup, it begins making requests to retrieve the actual content of a website. These requests are directed to the IP address that was returned from the DNS lookup. Before Cloudflare, that address would have been 198.51.100.1. With Cloudflare as the authoritative nameserver, the new address is 203.0.113.1. Cloudflare’s data center at 203.0.113.1 will serve as much of your website as it can from its local storage, and ask your web server at 198.51.100.1 for any part of your website it doesn’t already have stored locally. The Cloudflare data center at 203.0.113.1 will then provide your complete website to the visitor, so the visitor never talks directly to your web server at 198.51.100.1.

So I tried their free tier (paid plans start from US$20-200, which is too steep) and it just works, though SSL certificates were issued ~90 mins after I changed my nameservers. It is as easy as:

- Backup your DNS settings somewhere

- Import to CloudFlare

- Change the name servers in your domain registrar's control panel

- 90 mins and ... profit

Now I can no longer see my DigitalOcean server's direct IP when I resolve my domain:

```
$ dig +short spark-in.me
104.27.142.65
104.27.143.65
```
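The `dig` check above only covers the apex name. A record that stays "DNS only" (a mail or admin subdomain, say) still hands out the origin address, and then the proxy in front of the apex protects nothing. The script below is an added example, not code from the original post or from Cloudflare: it parses constructed `dig +short` output for several names in a zone and classifies each one as served from the CDN, as exposing the origin, or as something else. It assumes a snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4, which can change, so re-fetch it before relying on it) and uses the FAQ's documentation address 198.51.100.1 as the stand-in origin IP.

```python
"""Audit which names in a zone still resolve to the origin server.

Added example, not the original post's code. The dig output and the
origin address are constructed; the CDN ranges are a snapshot of
Cloudflare's published IPv4 list and must be refreshed before use.
"""
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (assumption: may change).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample: what `dig +short <name>` returned for several names.
# 198.51.100.1 is the documentation address used as the origin in the FAQ quote.
SAMPLE_DIG = {
    "spark-in.me": "104.27.142.65\n104.27.143.65\n",
    "www.spark-in.me": "spark-in.me.\n104.27.142.65\n104.27.143.65\n",
    "mail.spark-in.me": "198.51.100.1\n",  # hypothetical DNS-only record
}
ORIGIN_IP = ipaddress.ip_address("198.51.100.1")


def parse_dig_short(output: str) -> list:
    """Return the IP addresses in `dig +short` output, skipping CNAME lines."""
    addrs = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            # CNAME targets such as "spark-in.me." are names, not addresses
            continue
    return addrs


def is_cdn_address(addr) -> bool:
    """True when the address falls inside one of the CDN's published ranges."""
    return any(addr in net for net in CLOUDFLARE_V4)


def audit_zone(dig_results: dict, origin_ip) -> dict:
    """Map each name to 'proxied', 'origin-exposed' or 'other'.

    'origin-exposed' wins over everything else: a single record pointing at
    the origin is enough to bypass the proxy.
    """
    verdicts = {}
    for name, output in dig_results.items():
        addrs = parse_dig_short(output)
        if any(a == origin_ip for a in addrs):
            verdicts[name] = "origin-exposed"
        elif addrs and all(is_cdn_address(a) for a in addrs):
            verdicts[name] = "proxied"
        else:
            verdicts[name] = "other"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_zone(SAMPLE_DIG, ORIGIN_IP).items():
        print(f"{name:20s} {verdict}")
```

To run it against a real zone, replace `SAMPLE_DIG` with the output of `dig +short` for every name in your exported DNS backup, and set `ORIGIN_IP` to the server address you are trying to hide. Any name reported as `origin-exposed` should be switched to proxied or removed.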

#internet

#security