Mike Slinn
Mike Slinn

Considering Cloudflare R2 for Static Websites

Published 2022-06-09. Last modified 2022-06-19.
Time to read: about 5 minutes.

This site is categorized under AWS, Cloudflare, Internet.

After deciding to close my AWS account, I started looking for alternatives to host my static web sites. Without getting into my selection criteria, my short list of possible hosting companies was Microsoft Azure, Cloudflare, Digital Ocean, Linode, and Netlify. Many other options exist.

Cloudflare has a free tier that has no time limit. It includes an S3 work-alike called R2, SSL and a built-in world-wide CDN that works automatically. 250 GB of storage and 1TB/month of transfer are provided at no charge, forever. There are also no ingress or egress charges. Cloudflare’s edge network now spans 275 cities around the world, with nearly all Internet users within 50 milliseconds of a Cloudflare server.

This blog post documents my experience with Cloudflare. If you don't care about details, and want to know my verdict on Cloudflare R2, skip to the end.

For PaaS vendors such as AWS, Azure, Digital Ocean, Cloudflare, ScaleWay, etc: “pay-as-you-go” is shorthand for “there is nothing you can do to limit your financial liability”.

This is what I did

After creating an account, I followed the directions at R2 get started guide.

Wrangler

The directions told me to set up Wrangler v2, a command-line interface for transferring files to R2.

Shell
$ npm install -g wrangler
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
npm WARN deprecated rollup-plugin-inject@3.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-inject.
added 56 packages, and audited 57 packages in 8s
10 high severity vulnerabilities
To address issues that do not require attention, run: npm audit fix
To address all issues, run: npm audit fix --force
Run `npm audit` for details.

The above messages do not inspire confidence. Wrangler is written using Node. I believe that Node has more security issues than any other computer language, particularly in package management. The OWasp recommendations do not address the fundamental security vulnerabilities in the Node package management infrastructure.

RClone

I looked for alternatives to Wrangler and found RClone. RClone is a command-line program to manage files on cloud storage. It has many subcommands, including two types of sync. Although the RClone documentation does not mention Cloudflare, the Cloudflare docs described how to set up RClone.

Limits

Platform limits are important. Not only are the technical limits important for defining inputs and outputs, users should be particularly interested in spend limits, so they are not subject to unlimited financial liability.

Workers Paid plan is separate from any other Cloudflare plan (Free, Professional, Business) you may have. If you are an Enterprise customer, reach out to your account team to confirm pricing details.

Only requests that hit a Worker will count against your limits and your bill. Since Cloudflare Workers runs before the Cloudflare cache, the caching of a request still incurs costs. See definitions and behavior after a limit is hit in the limits article .

 – Cloudflare Workers Pricing Fine Print

Setup

Caching

Cache control.

Pages

Cloudflare Pages is a JAMstack platform for frontend developers to collaborate and deploy websites.

 – pages.cloudflare.com

Cloudflare Pages supports Jekyll sites. However, it looks like Cloudflare Pages builds the site in the cloud. While this might be a useful mechanism for many, my Jekyll builds need to access my local machine, and use my Jekyll plugins.

Cloudflare Workers Sites suits my use case. The Start From Existing documentation looks appropriate, except it is written for using Wrangler, which I view as a security threat.

The Verdict: No to Cloudflare

CloudFlare does not offer a spend limit for accounts on paid plans. This is unacceptable. I tried to remove my credit card, but found I could not. I then deleted my user account, and saw:

It could take up to 12 months to delete your information completely.

There is no way to reframe this as an example of how Cloudflare is looking out for the best interests of their customers.