Tell HN: Be careful enabling Cloudflare features
I've been a cloudflare user and advocate for many years. I even hold a small amount of NET stock. A few months ago I enabled their web3 offering which gives you an ethereum gateway and added it as a backup to another gateway I had set up for a small site of mine which gets around 1000 unique visitors a day. It has been running in the free tier for a while and I thought everything was fine.
Then I got an invoice for $400. I immediately removed cloudflare eth gateway from my site and thought I had unsubscribed from the web3 service on cloudflare's site. The next month I got another $490 invoice (~49 million requests) and saw that it was still enabled on the site so I completely deleted and removed it as best I could from their UI. Additionally their website dashboard UI has zero visibility into where the traffic comes from, how much there is or what the bill will be until you get an invoice.
This is the entirety of the information you get in the invoice (1):
> Ethereum Gateway Queries (First 500,000 requests are included
> 01/17/2023 - 02/16/2023 48,788,614 $0.00 $490.00
I sent a support email asking if they would consider a refund as the traffic was very likely not from my site visitors, one feature other ethereum gateway service providers offer that cloudflare does not is the ability to add a domain whitelist or even API key authentication. Cloudflare just lets you set up a domain name that they happily accept any requests to. I should have assumed someone would have abused it but unfortunately I did not. However without any data provided it would be entirely possible for cloudflare themselves to have a bug that mistakenly hits my set up domain and inflates the bill. At the least I would like to be able to see where the requests came from, on what dates, and other information.
The support ticket was open for 12 days unanswered, I sent a follow up reply and the next day the ticket was closed with this message:
> Cloudflare only issues refunds in very specific situations, such as fault in service. As this is not the case, we will not be able to attend your request.
I accept that I'm liable for the charges and have no recourse, but I wanted to share this as a warning to others and also to hopefully reach some cloudflare employees or leadership about the need for better visibility into paid features usage. Being able to set up access rules for the service and having user set limits would also be very helpful. With this service in particular there is zero way to prevent someone from abusing it as all the customer can do is point DNS to cloudflare's managed server.
1. https://i.imgur.com/DFrQEoO.png

Here's a similar example with Google Cloud: https://issuetracker.google.com/issues/35874988
Under certain circumstances there is no way to delete an App Engine application, which results in potentially nontrivial charges indefinitely, with the only solution being to delete the entire Google Cloud Project, which can be very painful because tools for migrating resources from one project to another are limited. At the above link you can read about how this missing functionality has annoyed people since 2008.
Speculation: Nobody working on Google cloud is motivated to fix it, since fixing it would mean less money for them.
The surprising thing to me is that even with the $500/month support plan, you can't get somebody to just somehow manually fix the problem in a specific case.

I would contact any available regulatory bodies, e.g. if you are in the US maybe a state attorney general or some consumer protection bureau. Keep your ticket open and let cloudflare know that you are pursuing help via regulatory bodies. Their shitty UI and failure to alert you when crossing the free requests threshold is basically a fraudulent business practice and you should fight on principle.

I know it sucks to hear, but be careful about being litigious unless losing access to your account is not a problem. This isn't specific to Cloudflare, always keep in mind those huge tech companies aren't treated as utility and can boot you on a whim.

Is retaliation illegal?

Only in very specific circumstances like Whistleblowing. In general companies are allowed to decide who they do business with or don’t. They aren’t immune from critique for the practice however.

I had a really bad experience with their domain registration system. It doesn't let you set up different billing addresses for each domain. I have my private domains and my business domains. Unfortunately, it wasn't that obvious, and I had the impression that I am able to set up different billing addresses. Turned out that I just always overwrote the last billing address. They refused to help me set straight the invoices for my business and for my private domains. Their UI failed me (it is really bad and not intuitive in this case), this is such a basic feature. Support was also not helpful. Overall it was a very bad experience.

They also have authenticationless DNS offerings.
I was subjected to an attempted (and partially-successful) domain hijacking a few years ago.
For several days, everyone who used Cloudflare as their DNS resolver had a scam site respond to my domain.

Actually I had a similar experience with trying to create a business account, only the account who created it can set up billing. There is no concept of a team account or billing managers which surprised me.

> I accept that I'm liable for the charges and have no recourse
Why would you "accept" this?
You attempted to disable a feature, it didn't actually disable because of their broken UI.
Their customer disservice told you "suck it up, buttercup", and you're just going to roll over because of their screwup?

Is this a Cloudflare problem or a web3 problem? Famously Ethereum has been likened to ‘a TRS-80 with a coinslot attached.’ People think somehow $10 million is going to fall out of the sky and hit them, but more likely people will get ripped off just like what happened to you. Let it be a cautionary tale. Stay clear!

It's a cloudflare problem related to their lack of visibility and billing practices for paid products. I don't want to get into a crypto is bad debate as that's entirely unrelated to the point of my post.

It’s Cloudflare’s implementation of an Ethereum node.
The node level doesn't involve any speculation or payment, you would have more applicable discussions if you were willing to separate the platform from whatever you really wanted to talk about.
The developer side is pretty benign.

Cloudflare's business model seems to be "offer enough 'free' services to screw you over as soon as you pay for something".
They're a pariah on the internet.

> Being able to set up access rules for the service and having user set limits would also be very helpful.
The documentation is pretty clear on that: https://developers.cloudflare.com/web3/how-to/restrict-gatew...

Thank you, this is actually something that appears to solve one of my main issues. I did not see this before, and it's not linked to from their dashboard UI or the ethereum gateway docs [1]. It appears that I could make the DNS record go through another cloudflare product Cloudflare Zero Trust[2] which can do the access management. While this is good to know, I still would much like visibility into public usage and user set billing limit caps. A large portion of use cases for an ethereum gateway is going to be frontend client side calls, and yes I know I could make another proxy layer on my own servers and set limits there, which if I could do things over I would have.
1. https://developers.cloudflare.com/web3/ethereum-gateway/
2. https://developers.cloudflare.com/cloudflare-one/

It’s pretty terrible that they even allow public access to these gateways, let alone default to it. At a very bare minimum some sort of origin header checks should be done. Who in their right mind would want to pay an exorbitant rate to put a frontend-specific JSON-RPC API out on the public internet to be abused for free by other sites?

Well that's terrifying.

I'm going to guess you set up an IPFS universal gateway[1]:
> When you set up a Universal Path gateway — a gateway without a DNSLink record — you are creating an unrestricted gateway that allows users to access any content hosted on the IPFS network.
> This differs from a restricted gateway, which restricts the gateway to a particular piece of content (either a specific Content Identifier (CID) or an Interplanetary Name Service (IPNS) hostname).
That's basically like creating yourself an open proxy. Bad idea if you don't know what you are doing.
From your post:
> I sent a support email asking if they would consider a refund as the traffic was very likely not from my site visitors, one feature other ethereum gateway service providers offer that cloudflare does not is the ability to add a domain whitelist or even API key authentication. Cloudflare just lets you set up a domain name that they happily accept any requests to.
This isn't true. https://developers.cloudflare.com/web3/ipfs-gateway/concepts... is for this.
[1] https://developers.cloudflare.com/web3/ipfs-gateway/concepts...

> I'm going to guess you set up an IPFS universal gateway
why would you assume OP did something totally different from what he said he did?

I didn't set up an IPFS gateway, I set up an Ethereum Gateway where the rest of your comment doesn't apply.
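
The proxy layer with limits that the thread mentions, combined with the origin check one commenter asks for, can be sketched as a single admission check. This is an added example, not code from the thread or from Cloudflare; the allowed origin, method list and batch limit are assumed values, and the default budget reuses the 500,000 included requests shown on the quoted invoice.

```javascript
// Admission check for a proxy in front of an Ethereum JSON-RPC gateway.
// All names and values are assumptions for illustration, not Cloudflare settings.
const ALLOWED_ORIGINS = new Set(["https://example-dapp.test"]); // constructed origin
const ALLOWED_METHODS = new Set(["eth_call", "eth_blockNumber", "eth_getBalance"]);
const MAX_BATCH = 20;           // assumed upper bound on calls per HTTP request
const MONTHLY_BUDGET = 500000;  // included-request figure from the quoted invoice

function makeGate(budget = MONTHLY_BUDGET) {
  const usage = new Map(); // "YYYY-MM" -> calls forwarded upstream so far
  return function check(headers, body, now = new Date()) {
    // Origin is sent by browsers and can be forged by any script, so this only
    // filters other sites' front ends. The budget below is what bounds the bill.
    if (!ALLOWED_ORIGINS.has(headers.origin)) {
      return { ok: false, status: 403, reason: "origin" };
    }
    let calls;
    try {
      calls = JSON.parse(body);
    } catch {
      return { ok: false, status: 400, reason: "json" };
    }
    // A JSON-RPC batch carries several calls in one HTTP request. Each call is
    // counted here, a conservative assumption about how usage is metered.
    if (!Array.isArray(calls)) calls = [calls];
    if (calls.length === 0 || calls.length > MAX_BATCH) {
      return { ok: false, status: 400, reason: "batch" };
    }
    for (const c of calls) {
      if (!c || !ALLOWED_METHODS.has(c.method)) {
        return { ok: false, status: 403, reason: "method" };
      }
    }
    const month = now.toISOString().slice(0, 7);
    const used = usage.get(month) || 0;
    // Hard cap: refuse instead of forwarding once the month's budget is spent.
    if (used + calls.length > budget) {
      return { ok: false, status: 429, reason: "budget" };
    }
    usage.set(month, used + calls.length);
    return { ok: true, status: 200, remaining: budget - used - calls.length };
  };
}
```

A proxy would call `check` before forwarding each request and answer with the returned status on refusal; the per-month counters also give the usage visibility the post asks for.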