So HN uses Cloudflare? That surprises me because typically I notice sites using Cloudflare because my mobile running GNU Linux cannot pass their dreaded Turnstile. Luckily that does not happen for HN.
They used to run it but stopped (I want to say) around 2016 or 2017. Another poster here linked[0] to how dang confirmed it is to protect against a DDOS attack.
The main YCombinator site might have been using Cloudflare for years, and now HN might have been added to the same account to protect from a DOS attack.
The aggressiveness of the "dreaded Turnstile" is 100% configurable.
It's very easy to disable it completely via Cloudflare settings. Using Cloudflare doesn't require you to use all of its features, and almost every feature can be turned off.
There are many options to configure it. The main reason to make it always visible and blocking is that the callbacks for managing the hidden/on-demand version are wonky and can break in unexpected ways, leaving your site entirely unusable, with the only indication being some errors logged to the console.
WAF in general is security theatre. If your operation genuinely benefits from one, I dread for what's sleeping underneath. Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.
It’s just doing hash math (think like bitcoin mining) to make your CPU burn enough processing time to make a layer seven DDoS not worthwhile. It works. Because now the server uses way less processing time than the client did.
That is not true.
It does a whole bunch of checks, like fingerprinting your GPU, environment, etc.
The checks are even run in a custom VM, and are heavily protected.
The gathered data is then sent back to cloudflare, and you either get an access cookie (cf_clearance) back, or not.
While this is true and worth reminding the ops about, it still sucks because many people don't understand the issues they cause by turning WAF on. Cloudflare should have a big "I understand I'll block many legit clients when I enable this" checkbox. Or you know... fix it in general. Or at least have a "report this block as invalid" link on the page.
Cloudflare WAF doesn't block clients in general, it blocks based on the data the client sends to the server.
Unless your client sends a string which matches one of the WAF patterns the site will work fine. It only blocks individual requests.
Now the problem here is that you probably shouldn't enable the WAF without having it in log-only mode for a while if you are operating a site which lets users submit arbitrary text input. Of course it's going to match... You'll have to adjust the configuration.
Agreed, I believe the default Firewall security level is "Medium" and I think that's far too strict. The first thing I do when adding a new zone is to set it to "Essentially off".
How many people do you piss off with the opinions you post on your blog? Enough to warrant being DDoS'd by an emotionally stunted highschooler with their parents' (or a stolen) credit card and the ability to Google for a botnet?
Almost nobody who uses big brother as an individual ever does. What would anyone care about a Nextcloud login panel? Or a reasonably civil personal blog? And yet they enable Cloudflare for yet another small corner of the internet :(
Oh, how did you find that? Some inside knowledge about HN or is that a well-known path published by Cloudflare sites?
Edit: Seems to work also for at least some other Cloudflare sites. Interestingly HN is served from Stockholm (behind a sea cable) while others are served from Helsinki (should be closer). Not enough hackers here in Finland?
Edit 2: Works also on sites where Turnstile keeps me out.
news.ycombinator.com. 3710 IN CNAME news.ycombinator.com.cdn.cloudflare.net.
news.ycombinator.com.cdn.cloudflare.net. 3710 IN A 104.22.6.236
news.ycombinator.com.cdn.cloudflare.net. 3710 IN A 172.67.5.232
news.ycombinator.com.cdn.cloudflare.net. 3710 IN A 104.22.7.236
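As an added example, not from anyone in this thread, the dig output quoted above can be checked mechanically: follow the CNAME chain, then test whether the resolved A records fall inside Cloudflare's published IPv4 ranges. The range list is a hand-copied snapshot of cloudflare.com/ips-v4 and is an assumption about currency; the DNS answer text is constructed from the lines above.

```python
import ipaddress

# Constructed sample: the dig-style answer section quoted in the post above.
SAMPLE_DNS = """\
news.ycombinator.com. 3710 IN CNAME news.ycombinator.com.cdn.cloudflare.net.
news.ycombinator.com.cdn.cloudflare.net. 3710 IN A 104.22.6.236
news.ycombinator.com.cdn.cloudflare.net. 3710 IN A 172.67.5.232
news.ycombinator.com.cdn.cloudflare.net. 3710 IN A 104.22.7.236
"""

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: static copy for illustration; fetch the live list when doing this for real.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "162.158.0.0/15", "131.0.72.0/22",
)]

def parse_records(text):
    """Parse 'name ttl class type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip comments, blank lines and anything not an IN record
        records.append((parts[0].rstrip("."), parts[3], parts[4].rstrip(".")))
    return records

def resolve_chain(records, name):
    """Follow CNAMEs from name (loop-safe) and return (final_name, [A records])."""
    seen = set()
    while name not in seen:
        seen.add(name)
        cnames = [r for n, t, r in records if n == name and t == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
    addrs = [r for n, t, r in records if n == name and t == "A"]
    return name, addrs

def classify(text, hostname):
    """Report whether hostname appears to be fronted by Cloudflare, by CNAME and by IP."""
    final, addrs = resolve_chain(parse_records(text), hostname)
    cname_hit = final.endswith(".cdn.cloudflare.net")
    ip_hits = [a for a in addrs if any(ipaddress.ip_address(a) in net for net in CLOUDFLARE_V4)]
    return {"cname_cloudflare": cname_hit, "cloudflare_ips": ip_hits, "all_ips": addrs,
            "behind_cloudflare": cname_hit or (bool(addrs) and len(ip_hits) == len(addrs))}
```

The IP check matters for the common case where a zone is proxied with a plain A record and no cdn.cloudflare.net CNAME ever shows up.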
Bummer. I used to like the legend that it was all on one commodity Linux PC implemented in some nice concise Lisp running on SBCL.
Edit: my memory is crap. It was a single machine, but the codebase was written in a custom experimental language that I think was a Lisp derivative (which would make sense!). The source was online at some time, can't find it now.
I understand the backend is still somewhat limited. After Altman was fired (IIRC) when HN got 1000s of comments within no time, dang asked everyone to logout and login again, to make life for the poor machine a bit easier. So besides limited HW resources, also some non-optimal implementation details ;)
It still is a single single-core server, dang references it frequently when there's unusually high traffic [0]. And the language you're referring to is Arc [1]. They do have caching for not-logged-in users, historically done through nginx [2]. From other comments in this thread, it sounds like they just temporarily put Cloudflare in front of that single server to block a DDoS.