badges / shields

Concise, consistent, and legible badges in SVG and raster format
https://shields.io
Creative Commons Zero v1.0 Universal

Evaluate other CDNs #3026

Closed paulmelnikow closed 1 year ago

paulmelnikow commented 5 years ago

The badge server used Cloudflare as an SSL gateway from May 2015 (#459) to August 2018, at which time Cloudflare was configured to provide downstream caching as well (#1880). The cache carries about 40% of the production traffic.

Previously Cloudflare had also sat in front of shields.io (the website), but that is no longer the case (https://github.com/badges/shields/issues/608#issuecomment-451519761).

To support the anti-DOS behavior it provides, Cloudflare sets a cfduid cookie on every badge request. They provide no way of turning this off. (See #2986)

It would be helpful to know about other CDN providers, and whether or not they have tracking cookies which can be turned off.
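Added example, not part of the original thread and not Shields or Cloudflare code: one way to check a candidate CDN for the behavior described above is to audit the response head of a badge request for `Set-Cookie` headers and report how long each cookie persists. The function name `audit_set_cookie`, the sample response heads, the cookie value and the domain `example.test` are all constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample response heads (not captured from any real CDN).
SAMPLE_WITH_COOKIE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 12 Feb 2019 10:00:00 GMT\r\n"
    "Content-Type: image/svg+xml;charset=utf-8\r\n"
    "Set-Cookie: __cfduid=d0123456789abcdef; expires=Wed, 12 Feb 2020 10:00:00 GMT; "
    "path=/; domain=.example.test; HttpOnly\r\n"
    "Cache-Control: max-age=300\r\n\r\n"
)
SAMPLE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 12 Feb 2019 10:00:00 GMT\r\n"
    "Cache-Control: max-age=300\r\n\r\n"
)

def audit_set_cookie(raw_response_head):
    """Return one finding per Set-Cookie header in a raw HTTP response head."""
    lines = raw_response_head.split("\r\n")
    headers = [(k.strip().lower(), v.strip())
               for k, sep, v in (line.partition(":") for line in lines[1:]) if sep]
    # Measure lifetimes against the server's own Date header when present.
    date_hdr = next((v for k, v in headers if k == "date"), None)
    now = parsedate_to_datetime(date_hdr) if date_hdr else datetime.now(timezone.utc)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, *attrs = [part.strip() for part in value.split(";")]
        attr = {}
        for a in attrs:
            k, _, v = a.partition("=")
            attr[k.strip().lower()] = v.strip()
        lifetime = None  # None means a session cookie
        if "max-age" in attr:  # Max-Age takes precedence over Expires (RFC 6265)
            lifetime = int(attr["max-age"])
        elif "expires" in attr:
            lifetime = int((parsedate_to_datetime(attr["expires"]) - now).total_seconds())
        findings.append({
            "name": pair.partition("=")[0],
            "domain": attr.get("domain"),
            "lifetime_days": None if lifetime is None else lifetime // 86400,
            "persistent": lifetime is not None and lifetime > 0,
        })
    return findings
```

An empty result for a badge URL means the CDN added no cookie to that response; a persistent cookie scoped to a parent domain is the case this issue is concerned with.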

techknowlogick commented 5 years ago

KeyCDN offers opensource sponsoring https://www.keycdn.com/open-source-cdn

ghost commented 5 years ago

Perhaps tangentially related... Food for thought from FOSDEM https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/

paulmelnikow commented 5 years ago

@techknowlogick Have you used KeyCDN?

techknowlogick commented 5 years ago

I haven't used them, but some open source projects I use are sponsored by them. Fastly (another CDN I don't have direct experience with, although some open source projects I use are also sponsored by them) does sponsor projects as well https://www.fastly.com/open-source

calebcartwright commented 5 years ago

This probably goes without saying, but I assume we'd want a CDN provider that maintains the DOS features we want/need just minus tracking cookies 😉

ghost commented 5 years ago

Market share trends for reverse proxy services for websites TTM /cc @jesusvazquez

calebcartwright commented 5 years ago

Just want to reiterate that the Shields application can be self-hosted really easily, guide on self hosting can be found here

I do this myself at my day job (via Docker) so we can connect to private projects/services, but if anyone has any pressing needs/concerns around the CloudFlare cookie that comes with the Shields.io service at the moment, then running a self-hosted instance of the Shields application is definitely an option we'd recommend.

You'd have access to all the same capabilities/badges, but there'd be no CDN/CloudFlare cookie

It should run just fine, even on a small server (you could probably even run it on an f1-micro VM in GCP which Google offers for free in perpetuity😄 )

ghost commented 5 years ago

@calebcartwright could you open your CI and docker images? If not, that's okay too.

calebcartwright commented 5 years ago

@jhabdas - Sorry unfortunately I can't make that visible (it all resides on a private corporate network).

I think one day we'll try to get around to publishing the Shields image out on Dockerhub, but for now folks will have to first build the docker image themselves.

If you (or anyone else) run into any errors/issues, have any questions, etc. while trying to build the image and/or run the container let us know! Just open a new issue with the relevant info and we'll be happy to help.

ghost commented 5 years ago

Another reason not to use CloudFlare:

https://github.com/bitpay/copay/issues/9070

Depending on which country you are, CloudFlare, our Content Delivery Network provider might be blocking your request.

They're centralized enough they could be blocking requests to use Bitcoin SPV clients such as the one linked. Cookies are just icing on the cake. Please leave this provider.

SukkaW commented 5 years ago

Cloudflare could disable the cookie; for example, jsDelivr has had Cloudflare disable the cookie for their domain cdn.jsdelivr.net.

paulmelnikow commented 5 years ago

It looks like Enterprise customers can do that. I think we could get a free enterprise plan as an OSS project (though currently we're on the free plan).

Also worth considering, from https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies:

Enterprise customers may request to disable the _cfduid cookie by contacting Cloudflare Support, but Cloudflare’s ability to detect and mitigate the impact of malicious visitors to a Customer’s website will be significantly impacted. While some speed recommendations suggest eliminating cookies for static resources, the performance implications are minimal.

ghost commented 4 years ago

I think until the Cloudflare cookie is removed, the "no tracking" promise should be removed from the homepage.

chris48s commented 1 year ago

I am going to close this issue because the main reason we opened it was because of the __cfduid cookie. CloudFlare stopped setting this a couple of years back - see https://blog.cloudflare.com/deprecating-cfduid-cookie/ (late to the party on this one!)