Putting Alaveteli behind Cloudflare


Ben Fairless

Dec 5, 2025, 12:45:24 AM
to alavet...@googlegroups.com
Hi all,

We are actively considering putting Right to Know behind Cloudflare. I’m wondering if anyone else has had any success and if so, would they be willing to share (either here or on a confidential basis) any tips, tricks or configuration that was needed to make it work.

Cheers,
Ben

Gareth Rees

Dec 9, 2025, 6:00:31 AM
to Alaveteli Dev
Hey Ben,

We've recently put WhatDoTheyKnow behind Cloudflare. Sam, who did the majority of the work, will follow up with some details when he gets some time.

Obviously if others have done this (or with an alternative service) we'd be interested to hear about it too!

Best,

Gareth

Sam Pearson

Dec 10, 2025, 5:30:12 AM
to Alaveteli Dev
Hi,

We moved WDTK behind Cloudflare quite recently. This wasn’t too difficult in the end, but there are a few things to consider. 

Firstly, some background.

As is sadly a familiar story at the moment, we have been struggling to manage constant crawling, scraping and what amounts to a constant ongoing low-level DDOS. This was causing availability issues, generating alerts and diverting time and energy away from more constructive activities. Although we’re quite experienced at this, it was becoming overwhelming and we run multiple services, each with separate requirements and considerations. WDTK was suffering more than most, and we decided we needed to take action to reduce the amount of effort that was being put into simply keeping the service up.

Why Cloudflare?

We’re aware that there are risks associated with using a large, centralised service run by a for-profit organisation. I think that these concerns are largely the same for any of the options that are large enough to be effective choices. We don't operate out of one of the large Cloud providers, so there's not an immediately obvious choice in that sense. Cloudflare offer a basic but functional free tier, and they also run Project Galileo, where they provide free higher tier services to organisations working in human rights, civil society, journalism, or democracy, so we applied for this.

From a technical perspective, the key is to avoid becoming so deeply coupled with any particular service that onward migration would be difficult (whether for practical or philosophical reasons).

In our case, we are using Cloudflare mainly for the WAF and DDOS protection features, rather than as a CDN/cache - in fact we currently bypass the cache entirely and continue to use our own Varnish layer for caching, although this might change in future.

Practical Considerations - some brief things that came up or we considered:
  • The free tier is quite limited; at a push you could probably get by with it if you needed to, but you might find it constraining
  • DNS setup was straightforward; we moved to using Cloudflare for DNS some time before activating the proxying to ensure this was all fine and get SSL certificates, etc, set up
  • You’ll need to consider how you’ll manage internal SSL certificates - you’ll still want these on your origin, and it’s important that these should be valid in case you need to move away from CF quickly; we use wildcard certs and just integrated our existing automation with Cloudflare’s DNS API - which was very easy as this is well supported by most tools
  • We replicated some of our internal rules at the edge - it may seem obvious but remember that any TCP/IP layer blocking needs to be moved to Cloudflare
  • For application layer controls, make sure you’re whitelisting Cloudflare IPs and looking at the actual client IPs, etc
  • We locked down all traffic to WDTK from Cloudflare at our edge (meaning we don't accept requests unless they come from Cloudflare)
  • We set the Super Bot Fight mode to block definitely automated traffic and challenge likely automated traffic
  • We had to add rules for managing access to /feed/ URLs as some RSS readers were being blocked
  • We whitelisted a bunch of our addresses to avoid potential issues with our own automation
  • We had to whitelist some IP addresses of API service users as these were being blocked
  • Here in the UK, we needed to ensure we mentioned our use of Cloudflare in our privacy policies, considered GDPR, etc - so consider any local legal / regulatory / best practice compliance questions as appropriate
  • The actual migration was pretty straightforward - the only problem we had was a brief blip when we had clashing HTTP - HTTPS redirect rules - other than that it was almost seamless
Hope that's of some use - happy to answer any other questions you might have.

Cheers
Sam
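
Added example (not part of Sam's message and not WDTK's or Alaveteli's code): a Ruby sketch of the "look at the actual client IPs" and "only accept requests from Cloudflare" points, honouring the `CF-Connecting-IP` header only when the TCP peer is inside a Cloudflare range. It assumes a Rack-style `env` in which `REMOTE_ADDR` is the direct peer (no intermediate proxy such as Varnish); the function names and the shortened range list are assumptions made for illustration.

```ruby
require 'ipaddr'

# Partial sample of Cloudflare's published ranges, for illustration only;
# load the current list from https://www.cloudflare.com/ips/ in real use.
CLOUDFLARE_RANGES = %w[
  173.245.48.0/20 103.21.244.0/22 141.101.64.0/18 104.16.0.0/13
  2400:cb00::/32 2606:4700::/32
].map { |cidr| IPAddr.new(cidr) }.freeze

# Parse one address; nil for empty, malformed or CIDR-style input.
# IPv4-mapped IPv6 (::ffff:a.b.c.d) is reduced to plain IPv4.
def parse_ip(value)
  text = value.to_s.strip
  return nil if text.empty? || text.include?('/')
  IPAddr.new(text).native
rescue IPAddr::Error
  nil
end

# True only when the TCP peer itself is inside a Cloudflare range.
def cloudflare_peer?(remote_addr)
  ip = parse_ip(remote_addr)
  return false if ip.nil?
  CLOUDFLARE_RANGES.any? { |r| r.family == ip.family && r.include?(ip) }
end

# Returns [address, verdict]:
#   :via_cloudflare - peer is Cloudflare and CF-Connecting-IP is a valid address
#   :invalid        - peer is Cloudflare but the header is missing or malformed
#   :direct         - peer is not Cloudflare; the header is ignored because
#                     any client can send it
def resolve_client(env)
  peer = env['REMOTE_ADDR']
  return [peer, :direct] unless cloudflare_peer?(peer)
  claimed = parse_ip(env['HTTP_CF_CONNECTING_IP'])
  claimed ? [claimed.to_s, :via_cloudflare] : [peer, :invalid]
end

# Origin lock-down: serve only requests that arrived through Cloudflare.
def origin_allows?(env)
  resolve_client(env).last == :via_cloudflare
end
```

Application-layer blocks, rate limits and logs should key on the first element of `resolve_client`; keying on the peer address alone would attribute every visitor to a Cloudflare address.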



Ben Fairless

Dec 10, 2025, 5:50:58 AM
to 'Sam Pearson' via Alaveteli Dev
Hi Sam,

Thanks for the comprehensive information. It’s going to be really helpful as we upgrade!

Are there any code level changes that you’re aware of that we should review and implement between 0.42 and 0.46? I would prefer to prioritise implementing Cloudflare before upgrading if possible.

Thanks again,

Gareth Rees

Dec 10, 2025, 6:43:09 AM
to alavet...@googlegroups.com
Hey Ben,

No specific code changes were necessary. FWIW we deploy straight off the develop branch, but at the time we'd have had most of the commits in 0.46.0.0.

The later versions do have more features around account management that may be of interest, but you should be able to get going with Cloudflare on the version you're already on.

Feel free to reach out if you have any questions during the implementation, and let us know how it goes once it's been running for a while.

Best,

Gareth



--
Gareth Rees

Trésor Elumbu_Lifongo

Dec 11, 2025, 4:59:16 AM
to Alaveteli Dev

Hi

I hope this message finds you well.

I am Mr. Trésor ELUMBU LIFONGO, a web developer for Collectif 24, a platform of civil society organizations in the Democratic Republic of Congo (DRC).

Presentation of Collectif 24

Mission and Objectives

Our primary mission is to make access to information an essential tool for defending fundamental rights, improving governance, and fighting corruption in the DRC. We firmly believe that information is "the oxygen of development."

Areas of Action

Our main areas of action include:

  • The right to access information.

  • Freedom of expression and Internet governance.

  • Open government and citizen engagement.

Key Activities

Collectif 24 carries out various activities to achieve its objectives:

  • Advocacy for a Law on Access to Information: The platform lobbies the Congolese government and parliament for the adoption of a specific law on public access to information, as its absence is considered a major obstacle to transparency.

  • Awareness Campaigns: We regularly organize workshops and conferences to educate the public, journalists, and political stakeholders on the importance of this right.

Request for Development and Technical Assistance

We are looking to develop a website similar to the platforms KiMitTud and WhatDoTheyKnow, utilizing the Alaveteli system.

Is this technically feasible? Could you assist us or recommend an expert capable of ensuring the development, setup, and launch of this site?

This outlines the purpose of my communication.

Thank you very much for your collaboration and the time you dedicate to our project.

Sincerely,

Mr. Trésor ELUMBU L. 

Web Developer
