by anonfunction on 3/3/23, 12:21 AM with 20 comments
Then I got an invoice for $400. I immediately removed Cloudflare eth gateway from my site and thought I had unsubscribed from the web3 service on Cloudflare's site. The next month I got another $490 invoice (~49 million requests) and saw that it was still enabled on the site, so I completely deleted and removed it as best I could from their UI. Additionally, their website dashboard UI has zero visibility into where the traffic comes from, how much there is or what the bill will be until you get an invoice.
This is the entirety of the information you get in the invoice (1):
> Ethereum Gateway Queries (First 500,000 requests are included
> 01/17/2023 - 02/16/2023 48,788,614 $0.00 $490.00
I sent a support email asking if they would consider a refund as the traffic was very likely not from my site visitors. One feature other ethereum gateway service providers offer that Cloudflare does not is the ability to add a domain whitelist or even API key authentication. Cloudflare just lets you set up a domain name that they happily accept any requests to. I should have assumed someone would have abused it but unfortunately I did not. However, without any data provided it would be entirely possible for Cloudflare themselves to have a bug that mistakenly hits my set up domain and inflates the bill. At the least I would like to be able to see where the requests came from, on what dates, and other information. The support ticket was open for 12 days unanswered. I sent a follow-up reply and the next day the ticket was closed with this message:
> Cloudflare only issues refunds in very specific situations, such as fault in service. As this is not the case, we will not be able to attend your request.
I accept that I'm liable for the charges and have no recourse, but I wanted to share this as a warning to others and also to hopefully reach some Cloudflare employees or leadership about the need for better visibility into paid features usage. Being able to set up access rules for the service and having user-set limits would also be very helpful. With this service in particular there is zero way to prevent someone from abusing it, as all the customer can do is point DNS to Cloudflare's managed server.
1. https://i.imgur.com/DFrQEoO.png
by williamstein on 3/3/23, 2:05 AM
Under certain circumstances there is no way to delete an App Engine application, which results in potentially nontrivial charges indefinitely, with the only solution being to delete the entire Google Cloud Project, which can be very painful because tools for migrating resources from one project to another are limited.
At the above link you can read about how this missing functionality has annoyed people since 2008. Speculation: Nobody working on Google Cloud is motivated to fix it, since fixing it would mean less money for them. The surprising thing to me is that even with the $500/month support plan, you can't get somebody to just somehow manually fix the problem in a specific case.
by kyleee on 3/3/23, 2:41 AM
by ruc0la on 3/3/23, 6:23 AM
by warrenm on 3/3/23, 12:33 PM
Why would you "accept" this?
You attempted to disable a feature, it didn't actually disable because of their broken UI.
Their customer disservice told you "suck it up, buttercup", and you're just going to roll over because of their screwup?
by PaulHoule on 3/3/23, 1:26 AM
People think somehow $10 million is going to fall out of the sky and hit them, but more likely people will get ripped off just like what happened to you. Let it be a cautionary tale. Stay clear!
by warrenm on 3/3/23, 12:31 PM
They're a pariah on the internet.
by tejado on 3/3/23, 5:15 AM
The documentation is pretty clear on that: https://developers.cloudflare.com/web3/how-to/restrict-gatew...
by gregjw on 3/3/23, 10:32 AM
by nl on 3/3/23, 2:53 AM
> When you set up a Universal Path gateway — a gateway without a DNSLink record — you are creating an unrestricted gateway that allows users to access any content hosted on the IPFS network.
> This differs from a restricted gateway, which restricts the gateway to a particular piece of content (either a specific Content Identifier (CID) or an Interplanetary Name Service (IPNS) hostname).
That's basically like creating yourself an open proxy. Bad idea if you don't know what you are doing.
From your post:
> I sent a support email asking if they would consider a refund as the traffic was very likely not from my site visitors. One feature other ethereum gateway service providers offer that Cloudflare does not is the ability to add a domain whitelist or even API key authentication. Cloudflare just lets you set up a domain name that they happily accept any requests to.
This isn't true. https://developers.cloudflare.com/web3/ipfs-gateway/concepts... is for this.
[1] https://developers.cloudflare.com/web3/ipfs-gateway/concepts...