Does cloudflare protect backend routes? Say when using astro? I'm guessing not and they have a spend cap?

​@@nickwoodward819 It'll always protect, unless you disabled prot for that record or ddos ips

@@nickwoodward819it sits in front of ALL your stuff; you point your DNS to cloudflare and it proxies to your API or UI.

@@WebDevCody yeah that's what I'm learning now. here's a thought: am I safer with the safer platform that seems to have less of a problem with DDoS but seems less willing to refund, or the f'ups that are vercel/netlify that are scared of the negative publicity and seemingly will... +1 for vps rn

do a video on how to add cloudflare

@@nobody124... huh?

Wtf 😢

Relax. @@nobody124...

they way he said it, just so nonchalant, actually funny

​@@nobody124... you dropped this 🤴🏿

you dont have any user, you wont get one of those

​@@twitchizle if we just delete the iam user that is using the services, will it not charge? Or will it still charge because we have a cluster or bucket assigned?

@@daphenomenalz4100 yes they will charge if any instances are active and users are hitting your website.

It's the $5000 bill that will end your start up but not get enough traction on social media that should scare you

Set budget alarms.

Wouldn’t you have this same issue on prem anyways? If you don’t have any sort of rate limiting or DDOS protection then it doesn’t matter whether you’re on-prem or on cloud. Your machines will end up using more resources like electricity, your cooling systems will need to work harder, and your application will become unavailable to other users, irrespective of whether it’s cloud or not. Using the cloud might even have been beneficial in this case because cloud can easily scale

This. The main reasons I'd go for a cloud solution is if low latency is a must, or if you need a lot of scalability, or if you lack the hardware expertise to manage a server.

@@rico454 nah, they aren't likely to be auto scaling, so the service will just go down rather than produce a massive bill

@@rico454 i agree, the cloud will for sure scale your wallet no matter what ^^ unless you make money with something that needs to be online no matter what happens it will only cost you money if it is online no matter what happens, scaling will come with a very big cost at the end if you are not careful enough and uncontrolled scaling can hurt a lot more than a server running a little bit warmer for some seconds.

@@rico454 In what world electricity bill could be hundreds of thousands of dollars? Beside, there is a upper bound to how much on-premise can scale, if you get DDoS-ed and you run out of resource, your server simply goes down. The danger of cloud is that you have access to seemingly unlimited resource and as a result, you don't have an option to just let the server die.

I feel you, and somewhat agree, but I don't think it's the right solution for everyone. Most people are on free tiers forever that won't incur in payments or have built-in killswitches, by the time they have a "scare" like his and go 250 overbudget(if that happens), you would be even with them after all those years of VPS's not to mention the hours you spent both learning and maintaining.

Is using Cloudflare as a reverse proxy ok for API? It's at least more latency for all requests, right?

​​@@alexanderhuliakov6012its good for rate limiting thepublic api, but yeah its adding more latency

@@alexanderhuliakov6012 Used it a lot for my projects, and you don't notice it much at all. The physical location of your server vs. the client would have a much bigger impact than this

Yeah I obviously need to make my side project more precessional before I bankrupt myself

Just love all the content you produce and so appreciative of it.

I think this is the solution. Isn't nextjs middleware capable of setting request limits. I just asked chat gpt and got: // middleware.js or a specific middleware file in your Next.js project import { NextResponse } from 'next/server'; // Example of a very basic in-memory rate limiter const rateLimitMap = new Map(); export function middleware(request) { const ip = request.ip; const currentTime = Date.now(); if (rateLimitMap.has(ip)) { const { lastRequestTime } = rateLimitMap.get(ip); if (currentTime - lastRequestTime < 1000) { // Limit to 1 request per second for example return new Response('Rate limit exceeded', { status: 429 }); } } rateLimitMap.set(ip, { lastRequestTime: currentTime }); return NextResponse.next(); }

Would love too see how to set up a VPS

@@belkocik you put your shit in docker and if you want multiple webapps you use nginx to map the ports to their correct domain, thats pretty much it.

@@belkocik It's not fun with initial setup, but it's not that difficult either. A bit more tricky if you want to do everything right with not running as root and per-app users in terms of getting NodeJS up and running for those accounts. My usual setup was something like Domain from NameCheap CloudFlare as DNS, with proxying for protection NGINX as reverse proxy to multiple NodeJS apps

If correctly set yes.

yeah probably, everyone here says their service is great

@@WebDevCodycloudflare is literally the best we use it in production for 4M monthly active users site

@@WebDevCody what about if it was on vercel, they say they have some ddos protection...

@@StanOgn there are articles where you can read how to configure Cloudflare and Vercel. The main issue is caching, so to avoid two layers of caching (in Cloudflare and Vercel), some adjustments are needed.

But a lot of VpS providers still charge Ingress fees. So the 1TB of data might have still added up? Any confirmation on this?

@@oSpamdepends on the provider. Vultr is $0.01 per GB when going over your plan's limit(2TB or more)

Yeah, just kind of sucks that you just can’t trust anyone. At least there’s way of prevent it I was just too lazy to actually do the work on my side projects when I should have done it from the get-go.

Don't do it, not worth it on AWS. First off, you have Fargate and if you want to autoscale that it's complicated and expensive anyways (1vCPU + 1GB RAM is 20$ I think), you will then also need an IP which is 3.5$ + you will need a load balancer, which is 20$ + 2 IP (7$) for a grand total of ~50$/month. Congrats, you pay 50$ for 1vCPU and 1GB RAM. It is absolutely criminal. For reference: on Hetzner you can get a server with Intel Xeon E5-1650V3, 256GB RAM + 2 500GB Datacenter SSD disks for this price. Pro tip: Don't ever fall for lambda. Yes, you get 1M requests free, but you are locked in, have a weird programming model + if something like in the video happens and you fuck up caching/don't cache some stuff, AWS will skin you alive. Pro tip 2: Don't ever host your shit on AWS, pick Linode or something similar and put CloudFlare in front. Hell, pay 5$/month on DigitalOcean and you will get CD for free + have a way better experience because of UI.

Yeah doing it soon

On Hetzner you have around 20 TB free, but after you start to pay pro consumed TB, but they also have an anti ddos in place

Yea I am surprised that even entry level vps have 20TB bandwidth. So it's great@@neevot

I'm pretty sure it's always enabled by default

I'll have to read up on that

I second budget actions

🤣

To be fair that’s a great idea. It comes with the drawback of too many requests will just make it slower and slower and timeout requests. It would just be like a proxy that filters through traffic. Great idea, I’d love to hear more about this

@@oSpam It's a terrible idea and it defeats the purpose of CloudFront. You have CloudFront (edge locations) to serve as proxy close to the user and cache the response. For example - you host your site in N. Virginia and I make a request in Italy. Request will go from my home, to the nearest data center to my location, to US, come back to data center, be cached and come to me. The next request a user close to me will make, will not make the round trip to US, but will just return the same response that got cached. If you put a proxy in front of cloud front in N. Virginia for example, my request will go from my home, to the proxy in US, to cloudfront edge location, to the server in US, be cached in US cloudfront, be cached on the US proxy, and only then be returned to me. The next request will have to go to US. If you have a static site, you would ideally cache everything for a long time on cloudfront and for some time in the browser, and on each deploy, invalidate the cloudfront cache if needed. If you get DDoSed, you will just pay a lot, but there is nothing you can do in that situation.

Oh, I hadn't gotten to the point in the video before commenting this. You mentioned cloudflare has DDoS protection for $20/mo. That's actually not entirely true, you *can* get DDoS protection for free, though I'm not sure what the licensing agreement is (commercial uses etc etc)

Cloudfront has shield standard which says they handle some ddos 🤷‍♂️

@@WebDevCodythey handle everything basically if you know what you’re doing basically you can set up a reverse proxy on your backend and block all requests bypassing cloudflare

Mxl 990, got it on Amazon for like $100

Is there guide to how to do this?

No you can't.. you can setup billing alerts that tell you when you hit a limit, but nothing is going to shut down

@@TheStruders yeah after that I went looking, and it seems that I have to code a hard shutdown myself using lambda and billing event. I think I'll try doing that for my pet project. Not really a hard shutdown but just turning off the public access of any api

@@EduarteBDO can you programmatically turn off cloudfront access too? I know you can add deny policy to apigw, but apigw wasnt what got dos here

@@SogMosee I don't know much about cloudfront but with aws sdk you can do pretty much anything that you can do in the console, so in the worst case you can delete the cloudfront configuration.

I 💯 agree at this point and I’m moving alll my side projects into a single vps and hosting behind cloudflare

Ah you just prompted me to check my hobby account and people have been spamming my sites with tons of bots trying to find vulnerable wordpress paths. :( It's a placeholder site that I don't share the URL of! Nothing is safe :(

Pretty much

I didn’t setup real monitoring and logging either 😂 no clue what the ip

I’m getting charged for CDN requests, not from api requests

You still get charged if attacks get through, which they do. Limiting spending caps to pro plans is also BS

@@nickwoodward819 Yeh they do in some cases, but as we've learned from twitter, tweeting about it gets that sorted fairy quick. But for what they offer for the price, its extremely entising

Can't you use the free plan from Vercel? Since it doesn't require a payment method (ex. credit card,) you won't get charged. Or is the free plan too limiting?

@@karlembeastusing the free plan can still get you charged though most likely. Just because you don’t have a linked card doesn’t mean you don’t sign a contract with them. It’s likely illegal to just not pay, you’d need to speak to their support

@@karlembeast Just because you've not provided a card doesn't mean you don't owe the money

the front end is what caused this high charge; it was all the requests to the VPN cache

@@WebDevCodyCDn? Yeah you’re right. They probably didn’t watch the video 😅 I think too many people are suggesting bad rush moves. They need to watch your other video on why to never use a VPS for production 😂

I believe like he briefly mentioned in the video that he didn’t use Cloudflare. Likely used Route53. Which out of the box just comes with DNS and not WAF. You’re correct, with CF you get an ootb firewall - not sure how good it is but I know it works at least. He was asking in the video if he should use cloud front, probably is a good plan

But still, he had cloudfront why didnt it block requests

@@aspirine17 did he say that though? Like I say, he likely just used Route53. If he does, yeah the default settings should protect. Though personally I add additional rate limits and block suspicious activity in cloudflare for free under their “10 free rules”

you can't host commerical applications which make money (which my side projects do sometimes make money) on vercel free plan according to their license.

so the up sell is that below their Pro plan they're inadequate?

@@zeusvargasLaughably only if you *pay* for the Pro tier. So they're admittedly leaving you exposed as a customer because you're on the wrong tier. Vercel are a joke.

@@nickwoodward819if you don't pay for the pro tier, they don't have your CC. so there is no way for them to charge you if your hobby tier site gets ddosed.

​@@nickwoodward819 pro tier 20$, i think you are the joke 😂 Maybe you want that your bill will be negative one also?

@@maitre999 Not sure that I care what you think if that's the level of English you use to express your thoughts, but just for the hard-of-thinking at the back: *The cost of the pro tier quite obviously doesn't justify the gutting of basic spending controls in the free plan. No one should expect to be left vulnerable to massive bills because they haven't upgraded* It could be $3 and there would be no justification for *not* having spending caps when they're obviously available.

I trust what you say. I didn’t have monitoring setup or logging to view ip addresses so at this point I’m in the dark 😂

search the channel, you'll find this video

Doesn't cloudflare have limited support for node?

@@neociber24 what about node? Use Cloudflare proxy, nothing to do with node

what's your question? I talk about cloudflare in this video.

@@WebDevCody I watched half of your video, and just suggested to put a Cloudflare proxy to avoid these situations. Cloudflare has a free plan that gives the DDOS protection. just the free plan has simple Bot mitigation. From docs: All Cloudflare plans offer unlimited and unmetered mitigation of DDoS attacks. Customers are not charged for attack traffic ever, period. There’s no penalty for spikes due to attack traffic, requiring no chargeback by the customer.

I think he meant cloudflare for managing DNS and you will get free DDOS protection I guess@@neociber24

The thing is that free is still cheaper than cheap. This definitely helps weigh the pros and cons, but I’ll still use google cloud run with a max instance of 1 before I use a VPS.

I think aws shield advanced does but it’s 3k a month

Yeah, just don’t use route53 and instead point your domain to cloudflare and then point cloudflare to your cloudfront distribution I think

Even if you pay for waf I think they still charge you per request? Idk you’d think off of this would be very black and white to understand, but it’s not

We’ll see

XDD

Don't be, it's not nearly as common as you might think. You should be worried about not finding users.

2 of my apps use convex free tier, 1 of my applications used planetscale free tier for a year, another 2 application use supabase db free tier

They do. The budgeting service he showed has the option to cut off all services at a certain price. He may not want to do that for what I can only guess to prevent disruption for users.

yes

not when the static assets are hosted on a CDN; then you have no code that executes.

Yeah, I'm not relying on their judgment as to whether I should pay them... The fact that they haven't got a spend cap is *nuts*

They have some automatic mitigation but they dont pay your bill, unless you are a popular content creator

​@@nickwoodward819 I think they added it the last week

This just isn't true. Plenty of examples online of nobodies getting their DDoS bills refunded.@@AndersGustafsson87

is that written in writing in their SLA? "we will pay for any DDOS bandwidth your app receives"? I highly doubt it

I think so

This is not true. Netlify or Vercel will still charge you for execution time and bandwidth.

​@@doreto95 but vercel has basic DDoS Mitigation on Pro plan

@@doreto95 Didn't they recently implement soft and hard limits (at least I'm sure Vercel did) because of a scandal where somebody got charged $100k on their hobby project?

Incorrect, you should change this comment - Vercel and Netlify *DO* charge you for attacks, and if their protection was adequate enough they wouldn't provide spending caps to Pro account holders like it was a benefit

Hey guys, sure Netlify or Vercel charge for execution time etc. BUT they handle DDOS protection for you without you having to pay extra. AND they are willing to not charge users if their protection failed.