Growing pains: good riddance to Cloudflare
March 18, 2021 by ZippyImage Staff
The above image is what the ZippyImage home page looked like on February 10, 2021.
For a service that is not yet even one year old, we've already had to deal with quite our share of bullshit. We already experienced our first DDoS attack some months ago, which is why we began using the popular Cloudflare service to protect our site. Cloudflare is a firewall, DDoS protection, and Content Delivery Network (CDN). It allowed us to stay online despite attacks, and even allowed us to serve images a little faster.
Many developers are familiar with Cloudflare. The developers of ZippyImage have actually used Cloudflare for many other projects over the years. They had never had any problems... until now.
On February 8, 2021, we received -- out of the blue -- an email from Cloudflare with the subject line "Message regarding TOS violation". It was an automated message referencing some obscure section of their terms of service which we were allegedly violating. We read the TOS section in question and it didn't make sense to us, so we contacted Cloudflare asking for clarification.
The next day, they did this to us:
That's right, Cloudflare replaced EVERY SINGLE IMAGE on our site -- even our logo -- with a black & white error message which said:
This video has been restricted. Streaming video from Cloudflare's basic service is a violation of the Terms of Service. If you are the webmaster, please file a support ticket to learn more.
We were in total disbelief.
First of all, there are no videos on ZippyImage. None whatsoever. So we thought to ourselves, obviously this is some sort of mistake. Some technical glitch on Cloudflare's end must have triggered this, right? If we can just get Cloudflare to realize that we are not streaming videos, they will apologize and make it right. Wishful thinking.
Since we already had a support ticket open with Cloudflare since their original email, we went back to that to try and get some information. We'll spare you the details, but it took literally DAYS to get a straight answer out of them. We had to go round and round several times with them. They were trying to get us to buy some "video streaming" package that Cloudflare offers -- which would do nothing for us since we have no videos!
Finally, we got an answer that was even more astounding -- Cloudflare cannot tell the difference between video traffic and "non-HTML" traffic (like images). Whenever they see a big spike in traffic, they automatically assume it's due to video streaming. At that time we had a few images on the site which were going viral, which is why there was a spike in traffic. So they admitted their mistake, but still refused to do anything about it. Their advice to us was:
If all the traffic is normal and desired, one solution we sometimes see is creating a subdomain, say "media.zippyimage.com" and then gray cloud (disable our CDN) for that domain.
...In other words, move all our images somewhere else that is not protected by Cloudflare. That defeats the whole purpose of having Cloudflare in the first place. What's the point of protecting only part of our site?
When this happened, we very soon had a lot of users complaining (understandably so) about their inability to use ZippyImage. As long as Cloudflare was defacing every image with those ominous black & white warnings, our site was effectively unusable. At the beginning we didn't know how long it would take to get Cloudflare to stop doing this to us, or if it would even be possible. So within the first 24 hours we had already made the decision to bypass Cloudflare until we could figure out a permanent solution.
Bypassing Cloudflare got ZippyImage back online, but it was in fact still a scary situation on our end. Without Cloudflare, ZippyImage was without any protection at all from DDoS attacks. We just had to hope and pray that nobody would notice and start an attack while we were vulnerable. (Thankfully, nobody did.)
While we were still discussing the situation with Cloudflare we also started looking around for alternatives. The whole situation had already left a bad taste in our mouths -- even if we found a way to continue with Cloudflare, what would stop them from doing this to us again any time they wanted? How does Cloudflare justify defacing and effectively taking down an entire website? In what universe is that acceptable behavior?
There are several alternatives to Cloudflare, but unfortunately for us almost every single one was more expensive -- some by a lot. Since ZippyImage is a free service that makes exactly $0 revenue, spending a lot of money was not an option. Evenutally, thanks to someone's recommendation, we heard about VanwaTech. They offer a CDN and DDoS protection plan for a very affordable price. They were pretty much the only service within our budget, so we gave it a try.
So we switched to VanwaTech and, for the last few weeks now, ZippyImage has been running great. Meanwhile our developers are rethinking their relationships with Cloudflare for other sites they are involved with. As far as they are concerned, Cloudflare cannot be trusted.
Such is life in the tech world.
What do you think?