Supporting Net Neutrality with CloudFlare

This post (and therefore, site) is now being hosted by a server sitting in my basement! To many of my international colleagues, this didn’t sound like anything special until I explained to them that most United States ISPs block port 80 on residential connections, so nothing on the internet can reach a web server at home. They were very surprised by this (and I was very aggravated). After all, would we accept the phone company restricting who we could accept phone calls from (same concept)?

I should be able to host a small site on the internet leveraging the connection and hardware I have already purchased. Granted, it’s a residential connection and non-server hardware, so there are inherent risks and limitations. I don’t expect magic, after all. Fortunately I have figured out a way around the port blocking and am quite happy with all of the implications of the workaround.

The key to all of this is CloudFlare. Basically it is a CDN that offers free introductory plans and a few features that make this all possible. Here’s how you set it all up (after you register for your account, of course):

  1. Add your site, configure your DNS
  2. Configure your server to host SSL-based pages (port 443)
  3. Configure CloudFlare crypto settings
  4. Create page rules

Add your site, configure your DNS

The first step is of course to add your site to CloudFlare. The setup is fairly straightforward and is well guided by CloudFlare, so I won’t be duplicating that information here. I will add that waiting on DNS refreshes can be frustrating, so after I got it set up I switched my local DNS resolution over to Google’s (8.8.8.8) so I could test more quickly.

Configure your server to host SSL-based pages (port 443)

My ISP blocks port 80, but not 443. It would probably not hurt anything to leave port 80 running and open but I figured why chance it, so I shut all port 80 configurations down. My home server and all my sites are only configured for port 443 traffic now. The important part is that you must have port 443 (HTTPS) configured and running on your server.

This brings up the first implication and a rather cool solution: self-signed certificates. Configuring HTTPS requires that you have an SSL cert, which usually costs money. You can create a self-signed cert, but then every visitor would be prompted with a warning that your certificate didn’t come from a Certificate Authority.

With CloudFlare, they actually handle the certificate between themselves and the browser, and will accept your self-signed certificate between your server and their servers. This is great news as it means you can have HTTPS traffic without having to buy a certificate and without having users prompted on every visit that your cert … blah blah blah. The flip side is that CloudFlare does not validate a self-signed origin certificate, so the hop from CloudFlare to your server is encrypted but your server’s identity on that hop is not verified (CloudFlare’s “Full (strict)” mode would verify it, but then requires a certificate CloudFlare trusts).

So, set up your web server to serve up pages via HTTPS on port 443 and configure the related self-signed SSL cert for it.

Configure CloudFlare Crypto Settings

Now comes the really good stuff. There are two aspects here: SSL (with SPDY) and HTTP Strict Transport Security (HSTS).

After you select your site in CloudFlare, go to the crypto section.

[Screenshot: CloudFlare Crypto Section]

SSL (with SPDY)

This config is easy. Just make sure it’s set to “Full”.

[Screenshot: CloudFlare SSL Settings]

HTTP Strict Transport Security (HSTS)

Right below the previous config is the HSTS section. HSTS is a little more involved but not bad. Basically we want to force this domain to always serve HTTPS traffic and never allow for HTTP, even if a user tries to downgrade.

Click ‘Change HSTS settings’ to enter into the configuration screen. You’ll first be prompted with some warning text to read and then check an ‘I understand’ box and click ‘Next Step’. Now you’re into the good stuff:

[Screenshot: CloudFlare HSTS Settings]

Here are the important settings:

  1. Turn the enable switch on
  2. Set the Max Age Header (I accepted the default of 6 months)
  3. Apply HSTS policy to subdomains. I did this as a precaution in case I ever wanted to add self-hosted subdomains in the future

Create page rules

The last step is to set up page rules. These ensure that any request arriving over plain HTTP is redirected to the HTTPS configuration we just set up.

Select the ‘Page Rules’ section from the top of the screen:

[Screenshot: CloudFlare Page Rules]

You’ll want to add 2 page rules:

  • http://*.YOURDOMAIN.COM/*
  • http://YOURDOMAIN.COM/*

Between them, these two rules capture any path under nateofnine.com (substitute your own domain) as well as any path under any subdomain of nateofnine.com.

When entering these rule patterns, the only setting you need to select is ‘Always use https’. This will disable all other settings.
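Once the HSTS settings and the page rules are in place, it is worth checking that they actually took effect. The following is an added example, not from the original post: a small Python audit that takes a set of responses and checks the two properties configured above, namely that every http:// URL is answered with a 301 to the same URL over https:// (the effect of ‘Always use https’) and that every https:// response carries an HSTS header with a max-age of at least six months that includes subdomains. The sample responses are constructed, and the six-month value is assumed to equal CloudFlare’s default.

```python
from urllib.parse import urlsplit
SIX_MONTHS = 6 * 30 * 24 * 3600  # 15552000 s; assumed to match CloudFlare's "6 months" default

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}; None if malformed."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: each directive may appear only once
            return None
        if name:
            directives[name] = val.strip().strip('"')
    return directives if directives.get("max-age", "").isdigit() else None  # max-age is required

def hsts_ok(value, min_age=SIX_MONTHS, subdomains=True):
    """True if the header enforces at least min_age seconds (and, if asked, subdomains)."""
    d = parse_hsts(value or "")
    if d is None or int(d["max-age"]) < min_age:
        return False
    return not subdomains or "includesubdomains" in d

def redirect_ok(url, status, location):
    """True if an http:// request was answered with a 301 to the same URL over https."""
    src, dst = urlsplit(url), urlsplit(location or "")
    return (src.scheme == "http" and status == 301 and dst.scheme == "https"
            and dst.netloc.lower() == src.netloc.lower()
            and (dst.path, dst.query) == (src.path, src.query))

def check(url, status, headers):
    """Rule 1 for http:// URLs (redirected to https); rule 2 for https:// ones (HSTS)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if urlsplit(url).scheme == "http":
        return redirect_ok(url, status, h.get("location"))
    return status < 400 and hsts_ok(h.get("strict-transport-security"))

def audit(responses):
    """Return the URLs among (url, status, headers) tuples that fail either rule."""
    return [url for url, status, headers in responses if not check(url, status, headers)]

# Constructed sample responses, not captured from any real host.
SAMPLE = [
    ("http://example.com/post", 301, {"Location": "https://example.com/post"}),
    ("http://www.example.com/a/b", 301, {"Location": "https://www.example.com/a/b"}),
    ("https://example.com/post", 200, {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"}),
    ("https://example.com/weak", 200, {"Strict-Transport-Security": "max-age=300"}),
    ("http://example.com/leak", 200, {}),  # no redirect: still served over plain HTTP
]

print(audit(SAMPLE))  # → ['https://example.com/weak', 'http://example.com/leak']
```

To audit a live site, feed the function the status and headers of real responses fetched for each URL you care about; anything it returns is a URL where a page rule or the HSTS setting is not doing its job.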

[Screenshot: CloudFlare Always use HTTPS]

That’s it!

Now, you are happily hosting from your port-80-blocked home ISP! You have complete control over your server, can use it for other household automation or serving tasks, etc. Mine is also hooked up to a Drobo for redundant backups and I’m also researching for an offsite backup solution. Just because I host in my basement doesn’t mean I’m throwing caution to the wind.

You may also want to investigate using one of the many dynamic DNS updaters to keep CloudFlare up to date with your current home IP address. Apparently ddclient works well, though I opted for RealDNS.

The really nice part is that CloudFlare shields you from traffic spikes, whether caused by popularity or by attacks, while forcing all traffic to always be secure over HTTPS. Keep in mind this is all through CloudFlare’s free-tier service. You may want to consider upgrading to a higher level of service, especially if your site becomes more popular.