> Don't use Cloudflare or similar services. See my article here for an explanation on why. If you use a service like this, you're basically already MitMing yourself.
I wish more people would realize that when arguing on the internet about CAA, DNSSEC, NSA, etc. that none of it really matters. We willingly allow a government aligned entity to unwrap 20% of all TLS connections on the internet and peak inside.
Edit: not even going in to the sovereignty issue of having an American private company effectively decide your internet regulations.
I agree with this, there don't seem to be that much self-hosted software that someone could (easily) setup for the use cases that Cloudflare serves.
> The alternatives to shield from large scale DDoS are all US American too.
Not only that, but the WAF functionality is also pretty useful. To be honest, the same applies to something like wanting to have CAPTCHAs on your own site - not that many options out there.
As far as I can tell as a hobbyist, if you wanted to host everything yourself:
- dealing with load: at best you can probably just run multiple nodes with round robin DNS and something like HAProxy, or even just live with Nginx/Apache/Caddy, though all of those would crumble under attack; probably with some resource limits in place so the software getting overloaded just crashes it (with automatic restarts) and doesn't grind the entire server down to a halt
- WAF: you could get a basic WAF running with something like Apache2 and mod_security, or if you can compile it for Nginx and get it working (a bit annoying to do, also apparently slower than Apache2 version), or something like Coraza (still new), but even then you need sets of rules, OWASP has some, but they're not updated as often as whatever Cloudflare uses, so the effectiveness of it all is debatable; there's also something like fail2ban, but some people really don't like it for some reason
- there's also additional stuff you can use, like LibreCaptcha for CAPTCHAs, something like Keycloak or Authentik for SSO and managing your users on prem (especially with mod_auth_openidc), stuff like Matomo Analytics instead of GA, Uptime Kuma for uptime monitoring, even your own self-hosted mail servers if you feel brave; but all of those take effort and need maintenance
WAFs are heuristics at best. If what you're running on your server is actually secure, you don't need a WAF. If it's not secure, the WAF is guaranteed to let through at least one attack.
CAPTCHAs are difficult. Try to avoid depending on them, but it's fair to use a third-party service if you need one. hCaptcha is pretty easy to integrate right now.