Starting Your Own Blog

Imagine you want to start your own blog and host it on your own server. Here are the general steps:

  • Buy a domain (megisgreat.com) from a registrar like Name.com or NameCheap
    • When you do this, the registrar will set up your domain to use their Name Servers and their Domain Name Service (DNS).
    • This means that when someone enters your domain in their browser, their computer will do a "DNS lookup" to ask
      1. What is the name server for this domain?
      2. What is the IP address this request should be routed to?

Megisgreat-Name-Servers

  • Pay for a server instance from some company like DigitalOcean, Linode, or AWS
  • Configure the server to host your blog with an HTTP server like Apache or Nginx
    • Ghost is a great way to do this. They even have a "droplet" on DigitalOcean that will automatically configure your blog for you. This is how I set up my blog.
  • Go back to your registrar and use their DNS to point your website address to your server's IP address.

Megisgreat-DNS

Now, when someone goes to your domain, they'll send the request to view your blog to this fake IP address (192.168.1.1) and be able to see all your great posts! You've effectively told the world, "Hi everyone! Here I am!"

Now, here comes the bad part. Hackers are always trying to get into servers by hitting common vulnerabilities. If they get access to your server, they might

  • Turn it into a bot to attack other servers,
  • Simply deface your blog
  • Steal user information
  • ...

Let's say you get particularly famous and your blog is very popular. For whatever reason, you are maybe a bit controversial as well. So, you might have made an enemy in the hacking world. A group of hackers might decide to "shut down" your server by using a Distributed Denial of Service (DDoS) attack.

Essentially, they'll organize thousands of infected servers and desktop computers to stage a coordinated attack against your server. They will send requests to your blog millions of times over short periods. Your poor little server that just costs $5/month has zero chance of standing up to that barrage; so, it crashes and your blog is down and you start losing advertising 💵.

Eventually, the attack subsides and you decide to get a more powerful server to:

  1. Better withstand DDoS attacks
  2. Handle all the additional traffic you received after becoming internet famous for calling out the hackers.

Sadly, you're now spending more money 💸 to keep your blog up and running and still aren't really safe from DDoS attacks.

Cloudflare to the Rescue

Cloudflare is primarily an internet security company. By switching to using their Name Servers and DNS, they become a shield (a proxy) between your domain name (not your server) and the rest of the world.

Now, when hackers target you, they don't actually see your server's IP address. Instead they see a Cloudflare IP address. When they start targeting that IP address with a DDoS, Cloudflare automatically kicks in with mitigation efforts to shut down the attack. Your attackers have very little chance of overcoming the protection that Cloudflare provides. You no longer have to worry about spending your time fighting these types of problems.

Cloudflare-DDoS-Protections

Other Cloudflare Features

Cloudflare has many other features that might be of interest to anyone with a domain name, from a small-time blog to massive enterprises. I'll mainly just cover the basic features that a small company or individual would be interested in. Most of these are 100% free or have some limits that can be removed by:

  • Buying additional functionality per use
  • Upgrading to a paid plan

Free SSL

If you're not an expert at managing servers and don't have a great install service like Ghost, your website address might be http://www.megisgreat.com. In the last few years, browsers have started displaying notices in the URL bar when a domain does not use HTTPS. Some browsers even make it very difficult for a typical person to get past these warnings.

By using Cloudflare's "Flexible" SSL/TLS encryption mode, you'll be able to use https://www.megisgreat.com and browsers will no longer give users that scary warning about the site not being secure. Effectively, the request to Cloudflare will be encrypted, then Cloudflare will send the request down to your server unencrypted.

CAUTION: This is not advisable for the long term. When the traffic is going between your server and Cloudflare, it can be viewed by anyone that is able to view traffic across the public internet backbone. For a blogger, this probably isn't too big a deal. However, if you have an ecommerce site or a server with all your clients' private details, you really should get an SSL certificate on your server. Let's Encrypt lets you do this for free.

Easier DNS Management

Many domain registrars have clunky DNS management consoles. Cloudflare's is much cleaner and easier to use.

Megisgreat-DNS-On-Cloudflare

Basic Analytics

Since all the traffic to your website will come through Cloudflare first, they can give you some decent generic analytics.

Cloudflare-Analytics

Speed Optimizations

Cloudflare automatically caches much of your content. For example, an image on your blog is unlikely to change frequently; so, Cloudflare will cache it for a pre-configured amount of time. This makes your site seem faster because ... it is. Cloudflare is able to send that image directly back to the requestor's browser without having to ask your server for it. This can reduce the costs your server provider charges for bandwidth.

It also means your server doesn't need to be as powerful because Cloudflare offsets some of the load it would normally receive.

Cloudflare-Speed-Optimizations

Domain Registration

If you're not happy with your Domain Registrar, you can transfer the registration to Cloudflare. This way, you can manage everything about your domain in one place.

Cloudflare does not charge any extra for the domain registration. They only charge you the wholesale rate they are charged by the TLD.

Additionally, they provide anonymous registration for free! Most registrars charge about $5 for this.

Sadly, you currently can't directly buy domains via Cloudflare nor transfer some TLDs like .dev.

Hotlink Protection

If you have a popular image on your site, other websites might display it on their website as well. If they do this by making the image tag point to your server, they are effectively stealing bandwidth from you for their benefit. If you have a particularly popular site, you might exceed your provider's bandwidth limits and they will charge you for any overages.

Cloudflare can prevent this from happening.

Firewall Settings

Cloudflare's free account allows you to configure some firewall rules to block specific types of attacks against your server.

Cloudflare-Firewall-Rules-2

This can be quite effective at blocking attacks on common vulnerabilities that hackers exploit.

Cloudflare-Firewall-Tweet

Advanced Cloudflare Features

The features above are great for the average blogger or site owner. Cloudflare has much more extensive functionality for more advanced use cases.

  • Workers : Serverless endpoints
  • Workers KV : Simple, key/value storage
  • Pages : JAMStack platform for deploying websites without needing a server
  • Stream : Video streaming

Feel free to explore their website for more information.

Cloudflare Doesn't Secure Your Server!

It's very important to understand that using Cloudflare as your Domain Name Service does not actually keep your server itself safe against all attackers.

Hackers routinely use automated tools to scan millions of IP addresses looking for servers they can exploit. Since they are targeting IP addresses instead of domain names, they completely bypass the protections that Cloudflare provides.

To keep your site secure, you must implement common security procedures and patch your server and blog software routinely.

Also, do not tell anyone your server's actual IP address or accidentally expose it online. This will allow anyone to target your server directly and bypass Cloudflare's DDoS protections.
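
One way to act on this, as an added example that is not part of the original post: admit web traffic to the server only from Cloudflare's published ranges, and review the access log for requests that arrived without passing through Cloudflare. The range list is a snapshot of https://www.cloudflare.com/ips-v4 that should be refreshed before use; the log lines and function names are constructed for illustration.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: refresh from that URL before use; IPv6 ranges (ips-v6) are omitted here.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
NETWORKS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_V4]

# Constructed access-log lines; the first field must be the TCP peer address
# (nginx $remote_addr without real_ip rewriting, or $realip_remote_addr).
SAMPLE_LOG = """\
172.68.10.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 5120
162.158.90.12 - - [01/Jan/2024:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 2048
198.51.100.23 - - [01/Jan/2024:10:00:04 +0000] "GET /rss/ HTTP/1.1" 200 900
"""


def via_cloudflare(ip: str) -> bool:
    """True if the peer address belongs to a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETWORKS)


def direct_hits(log_text: str) -> list:
    """Peer addresses that reached the origin without passing through Cloudflare."""
    hits = []
    for line in log_text.splitlines():
        peer = line.split(" ", 1)[0]
        try:
            if not via_cloudflare(peer):
                hits.append(peer)
        except ValueError:  # first field is not an IP address; skip the line
            continue
    return hits


def ufw_rules(ports: str = "80,443") -> list:
    """ufw commands: allow web ports from Cloudflare only, then deny everyone else."""
    rules = [f"ufw allow proto tcp from {net} to any port {ports}" for net in NETWORKS]
    rules.append(f"ufw deny proto tcp from any to any port {ports}")
    return rules


if __name__ == "__main__":
    print("direct-to-origin peers:", direct_hits(SAMPLE_LOG))
    print("\n".join(ufw_rules()))
```

The generated rules touch only the web ports, so SSH access is unaffected; ufw evaluates rules in order, so the allow lines must be added before the final deny.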