[tech] Mixed web/non-web services, Cloudflare CAPTCHAs

Nick Bannon nick at ucc.gu.uwa.edu.au
Tue Apr 7 00:08:24 AWST 2020


On Sat, Apr 04, 2020 at 02:27:01PM +0800, John Hodge wrote:
> Here's the start of a list of machines that would break with CF 
> proxying, off the top of my head. These machines run web servers (so UWA 
> will want us to point them at CF), which will prevent non-http services 
> from getting through.
> 
> mooneye (hosts wiki): Runs mail & DNS?? (DNS and the website will be 
> handled by CF, mail isn't). DNS secondaries will stop getting updates
[...]

It's tempting to say "let's split the web hosts (easy to proxy) from
the non-web host".

We should try it where we can, but it doesn't always make sense.

mooneye's mailman and list archives are a good example of an "integrated"
service that provides an external-facing website for non-web services.
It might actually be OK with Cloudflare-CDN proxying, though. Proxying
will "take over" that main, externally visible name.

We certainly want users to be able to browse, login, manage their
subscription, without a VPN, from home:
https://lists.ucc.gu.uwa.edu.au/mailman/listinfo/ucc
(or the pages above it)

A service like:
  * meetings/BBB; or
  * heathred/gameservers
may combine that sort of easy-to-proxy externally-facing web service
with a hard-to-proxy externally-facing non-web service.

A lot of VM appliances come set up that way, or VPNs in a box...
OpenWRT with LuCI?

I've wanted us to try a matrix.org server sometime (Synapse, or Dendrite
in due course) - the basic functionality _will_ work behind Cloudflare,
but I think we're missing some details on the _how_, especially with
voice and video conferencing in the mix:
https://github.com/matrix-org/matrix.org/issues/342

Here are some reasons why we don't want to turn on Cloudflare blindly,
at least without full control over our part of it:

https://medium.com/@bestvpn11/how-cloudflare-and-recaptcha-are-ruining-the-net-and-what-to-do-848c0e881d2c
https://stackoverflow.com/questions/34618181/what-do-the-cloudflare-captcha-and-challenge-pages-look-like-for-users

Cloudflare's selling point is that they observe a huge chunk of the
Internet and can protect you from "bad" traffic. You can decide to
put some sites behind extra "protection" e.g. a mandatory CAPTCHA,
but sometimes they'll go ahead and do it for you.

  * Great, if it blunts a denial-of-service ("the lowest form of attack"
    and completely unrelated to the ANU spearphishing of 2018/2019 and
    UWA data loss of 2019)

  * Sucks, if it blocks a UCC member because of their non-UCC VPN.

Nick.

-- 
   Nick Bannon   | "I made this letter longer than usual because
nick-sig at rcpt.to | I lack the time to make it shorter." - Pascal
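The "split the web hosts from the non-web host" planning described above can be done mechanically from a service inventory: a CDN reverse proxy only carries HTTP(S) over TCP on a fixed set of ports, so anything else on a proxied name (SMTP, DNS zone transfers, game traffic, UDP of any kind) needs its own unproxied record. The script below is an added example and is not code from this thread or from UCC; the host names are borrowed from the discussion but the service assignments and public names (`*.example.invalid`, `<host>-direct.…`) are constructed placeholders, and the proxied-port sets are taken from Cloudflare's published list as the author of this example remembers it, so verify them against current documentation before relying on them.

```python
"""Audit which services on a mixed web/non-web host survive CDN proxying."""
from dataclasses import dataclass

# Ports on which Cloudflare's reverse proxy forwards HTTP and HTTPS.
# Assumption: copied from Cloudflare's documented list at the time this
# example was written; check current docs before relying on it.
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str = "tcp"   # "tcp" or "udp"
    http: bool = False   # True only if the listener actually speaks HTTP(S)


@dataclass(frozen=True)
class Host:
    name: str
    public_name: str     # the externally visible DNS name users browse to
    services: tuple      # tuple of Service


def why_not_proxied(svc):
    """Return None if the HTTP proxy can carry this service, else the reason."""
    if svc.proto != "tcp":
        return f"{svc.proto.upper()} is not forwarded by an HTTP reverse proxy"
    if not svc.http:
        return "not HTTP(S); the proxy terminates HTTP(S) only"
    if svc.port not in CF_HTTP_PORTS | CF_HTTPS_PORTS:
        return f"port {svc.port} is not in the proxied port list"
    return None


def plan_host(host):
    """Split one host's services into those that keep working when the
    public name is proxied and those that need a separate DNS-only record."""
    proxied, direct = [], {}
    for svc in host.services:
        reason = why_not_proxied(svc)
        if reason is None:
            proxied.append(svc.name)
        else:
            direct[svc.name] = reason
    # Placeholder naming scheme for the unproxied record (constructed).
    direct_record = f"{host.name}-direct.example.invalid" if direct else None
    return {
        "host": host.name,
        "mixed": bool(proxied) and bool(direct),
        "proxy_via": host.public_name if proxied else None,
        "proxied": proxied,
        "direct_record": direct_record,
        "direct": direct,
        # Inbound mail is the classic casualty: the MX target must resolve to
        # the real address, so it has to be the unproxied name.
        "mx_target": direct_record if "smtp" in direct else None,
    }


def sample_inventory():
    """Constructed inventory for the example; not UCC's real service map."""
    return [
        Host("mooneye", "lists.example.invalid", (
            Service("https", 443, http=True),          # mailman web UI
            Service("smtp", 25),                       # list mail
            Service("dns-udp", 53, proto="udp"),       # authoritative DNS
            Service("dns-tcp", 53),                    # AXFR/NOTIFY to secondaries
        )),
        Host("heathred", "games.example.invalid", (
            Service("https", 443, http=True),          # game status page
            Service("game-tcp", 25565),
            Service("game-udp", 27015, proto="udp"),
        )),
        Host("webonly", "www.example.invalid", (
            Service("http", 80, http=True),
            Service("https", 443, http=True),
        )),
    ]


def audit(inventory):
    """Map host name -> plan for every host in the inventory."""
    return {plan["host"]: plan for plan in map(plan_host, inventory)}


if __name__ == "__main__":
    for name, plan in audit(sample_inventory()).items():
        tag = "MIXED " if plan["mixed"] else "      "
        print(f"{tag}{name}: proxy {plan['proxied']} via {plan['proxy_via']}")
        for svc, reason in plan["direct"].items():
            print(f"        {svc:9s} -> {plan['direct_record']} ({reason})")
```

Running it prints one line per host plus one line per service that has to move to the unproxied record; hosts flagged MIXED are exactly the integrated services Nick describes, where proxying the public name is fine for the web side only if a second, DNS-only name is published for everything else.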