This document discusses using Cloudflare to improve the performance, security, and reliability of Drupal websites. It outlines the problems Drupal sites often face like spam, traffic peaks, and complex infrastructure needs. Cloudflare is presented as a solution by providing a content delivery network, web application firewall, code optimizations and other features. The document reviews Cloudflare's specific capabilities and provides guidance on preparing a Drupal site for deployment with Cloudflare, including cache invalidation strategies and modules to integrate the two platforms. Areas for future work by the Drupal community are also identified.
14. LOOKS COMPLEX?
And that’s just the beginning
• No development/staging servers
• No shared storage between servers
• No backups
• No monitoring
• No Internet connection redundancy
• Issues with bandwidth consumption
• …
23. CLOUDFLARE AS A CDN
• Works like a "reverse proxy"
• Caching of static files
• Caching of dynamic (generated) pages for anonymous users
• No bandwidth limits / fees
25. RULES
• Ability to customize performance & security settings based on URLs
• Up to 3 rules in Free plan, 20 in Pro plan
• IMO the most important tool in Cloudflare
26. CODE OPTIMIZATIONS
Auto Minify - remove unnecessary characters
• JS
• CSS
• HTML
Rocket Loader
• Loads JS asynchronously (after window.onload)
• Can have some side-effects
Website Preloader
• Detects most often used static resources
• Fetches these resources to browser’s cache
28. IMAGES
Mirage 2
• Asynchronous image loading
• All images in a single request
Polish - image optimization
• Lossless
  • Remove metadata
  • Average reduction of size: about 21%
• Lossy
  • Additional lossy compression
  • Average reduction of size: 48%
31. SECURITY OPTIONS
E-mail address obfuscation
Server side exclude (SSE)
Browser integrity check – HTTP headers inspection (incl. User-agent)
Visitor reputation
Hotlink protection
• HTTP Referers that are not in-zone and not blank will be denied access
• Hotlink-ok mechanism (e.g. http://softinn.eu/hotlink-ok/img.gif)
SSL support
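The hotlink protection rule on this slide, written out as a decision function. This is an added example, not Cloudflare's implementation and not part of the original slides; the zone `example.com`, the sample requests, and the reading of "in-zone" as "zone apex or any subdomain" are assumptions.

```python
from urllib.parse import urlsplit

ZONE = "example.com"  # constructed zone name, not from the slides


def in_zone(host, zone=ZONE):
    """Assumption: in-zone means the zone apex or any subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # Compare on a label boundary so "notexample.com" does not match.
    return host == zone or host.endswith("." + zone)


def hotlink_decision(request_url, referer, zone=ZONE):
    """Return "allow" or "deny" for one request, following the slide's rule."""
    # Anything under a hotlink-ok directory is meant to be embedded elsewhere.
    if "hotlink-ok" in urlsplit(request_url).path.split("/"):
        return "allow"
    # Blank Referer: direct visits and privacy tools send none, so allow.
    if referer is None or not referer.strip():
        return "allow"
    try:
        ref_host = urlsplit(referer.strip()).hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        ref_host = None
    # Not blank and not provably in-zone: deny.
    return "allow" if ref_host and in_zone(ref_host, zone) else "deny"


# Constructed sample requests: (requested URL, Referer header).
SAMPLES = [
    ("https://example.com/img/logo.png", "https://example.com/node/1"),
    ("https://example.com/img/logo.png", "https://www.example.com/"),
    ("https://example.com/img/logo.png", ""),
    ("https://example.com/img/logo.png", "https://forum.example.net/t/42"),
    ("https://example.com/img/logo.png", "https://notexample.com/"),
    ("https://example.com/img/logo.png", "https://example.com.cdn.example.net/"),
    ("https://example.com/img/logo.png", "not a url"),
    ("https://example.com/hotlink-ok/img.gif", "https://forum.example.net/t/42"),
]


def evaluate(samples=SAMPLES):
    return [hotlink_decision(url, ref) for url, ref in samples]


if __name__ == "__main__":
    for (url, ref), verdict in zip(SAMPLES, evaluate()):
        print(f"{verdict:5}  {url}  referer={ref!r}")
```

The Referer header is set by the client, so this rule limits casual embedding and bandwidth use; it is not access control for sensitive files.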
34. WEB APPLICATION FIREWALL
Set of security rules to address most common threats
• OWASP TOP 10
• Cloudflare-designed: PHP, WHMCS, Joomla, WordPress, …
• No Drupal-specific rules
35. ALWAYS ONLINE
• Limited version of your site is always online
• Only the most popular pages
• No POST and SSL support
• Crawler-based - crawling every 7, 3 or 1 day
• Triggers:
• HTTP status 502 or 504
• Connection timeout, SSL errors etc.
38. NOT A SILVER BULLET
• Logged-in users
• Cache invalidation
• Performance of non-cached pages
39. CACHE INVALIDATION
There are only two hard things in Computer Science: cache invalidation and naming things.
-- Phil Karlton (after http://martinfowler.com/bliki/TwoHardThings.html)
1. Cloudflare stores a copy of a page in the cache
2. User changes this page
3. How can Cloudflare know that the page has changed?
40. DOES IT SOLVE OUR NEEDS?
• 99.9% uptime
• Defend against bots & spam
• Handle traffic peaks
• Decrease server load
• Minimize bandwidth usage
• Minify CSS and JS
46. TO DO – TASKS FOR COMMUNITY
• 502 / 504 on errors (compatibility with Cloudflare Always Online) https://drupal.org/node/2268487
• Views expiration
  • Expire all views that use CT https://drupal.org/node/2146797 (won’t fix)
  • Integrate Expire with Views Content Cache https://drupal.org/node/1786436 (won’t fix)
• Integrate blacklists with antispam modules (Mollom etc.)