New to CloudFlare, looking to secure a tiny API (free plan)
Hi!
This is for a small community project (non-profit), so ideally I'd like to spend nothing or next to nothing as I have extremely limited resources. Most hosting services have hidden costs, overcharges, etc. I'm not expecting a lot of traffic, but I'm trying to minimize the risk of getting a huge bill due to a bad actor abusing my API.
* In these circumstances, do you think using the free tier of GCP to host, and the free tier of CloudFlare to prevent abuse, is a solid idea? If so, how do I secure my API with CloudFlare on a free plan? Is it even possible for Cloudflare to secure the API considering I don't have a custom domain (just the one GCP made for me)?
* Should I use something like free CloudFlare workers instead?
* Any other recommendations?
I appreciate your help, thank you in advance.
8 Replies
What is this API?
How many requests a month does it get?
Well, it isn't deployed yet, so that's hard to tell.
As I said in the OP, I don't expect any massive amount of traffic. My best guess would be a few thousand hits per day.
My main concern is not with normal use, but with bad actors abusing the API.
> What is this API?

It's extremely simple, mostly one route that takes in a bunch of filters and returns a random item based on the filters. There are also a couple of other admin-only routes. Those I'm less concerned with since they are authenticated and the people who have access are hand-picked. Thanks for taking the time to help @walshydev, I appreciate it 🙂
Yeah I'd say a Worker is best bet here then. 100,000 requests a day for free, if you put your domain on Cloudflare that's DDoS and other malicious activity covered. We don't like hidden fees or sneaky costs, our costs are very simple and laid out. You probably don't need to pay at all though.
That sounds great to me 🙂
I did have two concerns though
> Up to 10ms CPU time per request

I'm not sure how I'm supposed to evaluate this since this depends on the exact workload and how fast your CPUs are, what kind of load they are under, etc. Would you say that 10ms is plenty enough for a typical webserver (written in Rust in my case)? Sorry if this question is too specific. Also, in the event that the request does take more than 10ms for whatever reason, what happens then? Is the request simply cancelled, am I billed?

> 100,000 requests a day for free

If for some reason there are more than 100,000 requests in a given day, what happens then? To be clear, I'm not trying to be a cheapskate, your pricing model is extremely attractive and reasonable, I'm just trying to avoid hidden costs. Would definitely consider subscribing to the paid plan once I have more resources.
> I'm not sure how I'm supposed to evaluate this since this depends on the exact workload and how fast your CPUs are, what kind of load they are under, etc. Would you say that 10ms is plenty enough for a typical webserver (written in Rust in my case)? Sorry if this question is too specific.

For what you described here, it's more than enough. I'd be surprised if you even used like 2ms.

> Also, in the event that the request does take more than 10ms for whatever reason, what happens then? Is the request simply cancelled, am I billed?

We just cancel the request, yes. We'd never bill without you explicitly opting into billing (and then you see exactly what we bill on).

> If for some reason there are more than 100,000 requests in a given day, what happens then?

You can choose to either hard fail (an error will be shown) or you can simply pass down to an origin.
Fantastic 🙂 I'm definitely going to give it a shot then, it sounds like a perfect match for my use case.
Thanks for the help and insight @walshydev
Ohhh I just saw that Workers are WASM-only though :/
that complicates things
You can write in JS/TS without WASM and use Rust easily with workers-rs (https://github.com/cloudflare/workers-rs)
I have very little interest in writing JS/TS in general.
Thanks for pointing out workers-rs! I naively thought I could just use a regular containerized webserver. I guess I'm a bit reluctant to lock in with host-specific tech. But that might just be how serverless works, idk. It's my first time trying it out.
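An added example, not code from the thread or from Cloudflare, showing the shape of the API discussed above as a Worker fetch handler: one public random-item route that bounds the work it does per request, plus admin routes gated by a token, which is the part the thread says needs protecting. It assumes the paths `/random` and `/admin/*`, a constructed `ITEMS` list, and a secret binding named `ADMIN_TOKEN`; the request cap and DDoS handling mentioned in the thread stay on Cloudflare's side, this only covers what the Worker itself can enforce. It is written in JS (the language Workers run natively) rather than with workers-rs.

```javascript
// Added example (not from the thread). Minimal Worker-style handler for the
// API shape the OP describes. Route names, ITEMS and ADMIN_TOKEN are assumptions.
const ITEMS = [ // constructed sample data
  { id: 1, tags: ["easy", "short"] },
  { id: 2, tags: ["hard", "short"] },
  { id: 3, tags: ["easy", "long"] },
];
const MAX_FILTERS = 5; // bound per-request work so CPU time stays far below 10ms

// Constant-time comparison so the admin token check does not leak timing.
function tokensEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Pure routing logic, kept synchronous so it can be unit-tested without a Worker runtime.
// Returns { status, body } for a method, path, query string, Authorization header and env.
function route(method, path, query, authHeader, env, rng = Math.random) {
  if (path.startsWith("/admin/")) {
    // Admin routes: hand-picked users only, authenticated by a bearer token secret.
    const token = (authHeader || "").replace(/^Bearer /, "");
    if (!tokensEqual(token, env.ADMIN_TOKEN)) return { status: 401, body: "unauthorized" };
    return { status: 200, body: "admin ok" };
  }
  if (method !== "GET" || path !== "/random") return { status: 404, body: "not found" };
  // Public route: reject oversized filter sets before doing any matching work.
  const filters = new URLSearchParams(query).getAll("tag");
  if (filters.length > MAX_FILTERS) return { status: 400, body: "too many filters" };
  const matches = ITEMS.filter((it) => filters.every((t) => it.tags.includes(t)));
  if (matches.length === 0) return { status: 404, body: "no match" };
  return { status: 200, body: JSON.stringify(matches[Math.floor(rng() * matches.length)]) };
}

// Worker entry point (module syntax). In a real Worker this object is exported with
// `export default worker`; ADMIN_TOKEN is set with `wrangler secret put ADMIN_TOKEN`
// (assumed binding name) so it never lives in source.
const worker = {
  async fetch(request, env) {
    const url = new URL(request.url);
    const r = route(request.method, url.pathname, url.search,
      request.headers.get("Authorization"), env);
    return new Response(r.body, { status: r.status });
  },
};
```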