GAE access from mainland china and cloudfare

[Eric Ka Ka Ng]

before heard that there were access problem to GAE (ghs.google.com) from mainland china. 

would like to know latest status about this. 

now we hv domain mapped to GAE instance and seems some users from mainland china can access it without problems. but not sure if all users from different part of china can access, at anytime? also, any help if going through cloudfare?

- eric

[Will]

GAE is still blocked in mainland China.

The regime is constantly monitoring the network traffic and servers and taking actions whenever it sees fit. So I don't believe any simple method can claim access for 'all users' from 'all parts' at 'anytime'. If one server is deemed a 'threat', the whole DNS may be blocked, as is the case of GAE.

Good luck,

Will

- eric

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To post to this group, send email to google-a...@googlegroups.com.
To unsubscribe from this group, send email to google-appengi...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.

[Eric Ka Ka Ng]

Thx Will for your input. so cloudfare is not going to help?

- eric

[Jeff Schnitzer]

This is an interesting question. If I am not mistaken, the Great
Firewall is IP-based. CloudFlare is a proxy. If you are on public
(non-ssl) CF, you are using a shared IP and chances are you will have
erratic problems. If you are using ssl, then you are still using a
shared IP, but only shared with ~20 other sites. The chance that one
of those other sites will trigger a GFW ban is low... but not zero.

Depending on the consequences of China downtime for your app, it might
be a viable solution. You can probably get CF to regenerate the
certificates and land you on a different IP if the old one ever gets
blocked. Chances are it will never be an issue.

Of course, this requires making your app full-time SSL. Which is not
a bad idea.

Jeff

On Tue, May 22, 2012 at 8:02 AM, Eric Ka Ka Ng <ngk...@gmail.com> wrote:

[Will]

For sure, cloudfare will help. I'm simply using Amazon's EC2 and it works great for me. Yes, occasionally there are a few minutes glitches here and there, especially when there is a political freak show going on such as recently. Not ideal certainly but acceptable for my purpose. Don't know if that is alright for your business model.

Best,

Will

[Brandon Wirtz]

If you use CloudFlare you will be sad. You can put a Proxy/Squid on AWS and
Use Route53 to do Geo-Balancing.

CF often gets blocked by well... Pretty much everything because it is used
by Pirates and Porn sites, and quite often you will share IP's with those.

Plus CloudFlare will throw Captcha's to Google Bot and that will cause your
site to get de-ranked if not de-listed.

I used to make a lot of money cleaning up after CloudFlare.

[Damon Billian]

Hi Brandon,

I think it would be helpful to clarify a few things:

1. You fancy yourself as a competitor to CloudFlare, so your comments
here can hardly be considered as impartial.

2. "CF often gets blocked by well... Pretty much everything because it

is used
by Pirates and Porn sites, and quite often you will share IP's with
those. "

Not true at all. We actually have our IPs whitelisted at a number of
places. We also wouldn't have established relationships with a large
number of hosting providers if that were the case.

"Plus CloudFlare will throw Captcha's to Google Bot and that will
cause your
site to get de-ranked if not de-listed."

This infrequently happens when Google adds new IPs that they do their
crawls from. Fixed very quickly once we add the new IPs to our Macro &
we do a lot internally to identify search engine traffic so that the
chances of a search engine actually getting challenged is very slim.

[Brandon Wirtz]

1. I have never viewed myself as a Cloud Flare Competitor. We built a
Product because Cloud Flare F***ED so many bloggers and local businesses
that we needed something that they could use as a stop gap until they could
move to infrastructure that worked.

2. BULL CRAP

3. "Infrequently" yeah... When your site get delisted it makes you feel
better that it only happens once every 100 days.

I may be an ass at a time. I may have taken clients that are "scum of the
earth" for doing reputation management. I wouldn't Piss on a Cloud Flare
employee if they were on fire. That's where CF ranks in relationship to
Cash For Gold, Politicians, and Pet Food companies that have had major
recalls.

I should encourage people to use Cloud Flare because it typically was very
good for getting me SEO business.

[Damon Billian]

"1. I have never viewed myself as a Cloud Flare Competitor. We built a
Product because Cloud Flare F***ED so many bloggers and local
businesses
that we needed something that they could use as a stop gap until they
could
move to infrastructure that worked. "

Umm...your product isn't competitive?

"> 2. BULL CRAP"
Prove something valid? Or something that wasn't resolved?

"> 3. "Infrequently" yeah... When your site get delisted it makes you
feel
> better that it only happens once every 100 days."

There are tons of reasons that a site could get delisted from Google,
using CloudFlare or not. To assume that we're the cause because they
are on CloudFlare is flawed logic. I also explained the Google
crawling from new IPs that could cause a temporary issue.

"> I should encourage people to use Cloud Flare because it typically
was very
> good for getting me SEO business."

Yes, you should. Please do.

" I wouldn't Piss on a Cloud Flare
> employee if they were on fire. "

We wouldn't even accept it.

[Eric Ka Ka Ng]

Thx you guys for all the suggestions (and debating ;)) 

Will, our site is for general public, not mission critical, so infrequent downtime or a few minutes glitches could be acceptable. Guess from your description it's not ideal solution but acceptable, and should apply to us too. 

Jeff, full-time SSL, according to you, should further minimize chances for getting blocked. i think we can consider that too, thx

Brando and Damon, thx a lots for the debating and i learn a lots from it. Damon, we want to launch a site in China and I prefer to run on GAE (just becoz i'm more familiar with dev on GAE than like EC2 or others) If you have any advises /settings for using CF to help us to minimize downtime / enhance performance / increase rank on SE (or have actual figures for downtime with GAE apps on CF in China) , please drop me an email. thx!

cheers,

eric

[Brandon Wirtz]

Competitive would imply we actively compete in the market. Rolls Royce
doesn't compete with Kia. Both make cars that is where the comparison ends.

Or that Tent's compete with the housing market. Our Commercial Product does
so much more than CF ever dreamed that they aren't in the same league, and
our "stop gap" product is for clients that need a stop gap while they get
things worked out.

If you want access from mainland china setup a Reverse Caching Proxy on AWS
or Rack. Use Route 53 so that you can send only your china traffic through
it. You will be happy.

You can also set up IAS on Azure which actually works really well and
dynamically scales more easily than AWS. But we have had some issues with
SSL Cert errors every so often for reasons no one can explain.

[Damon Billian]

" Rolls Royce
doesn't compete with Kia. Both make cars that is where the comparison
ends. "

Glad that you're admitting that CloudFlare is a Rolls Royce.

"Competitive would imply we actively compete in the market. "

And glad you finally admit to offering a service (CDN) that is
somewhat competitive to CloudFlare. It also helps dispel any notion
that your views on CloudFlare are either impartial or unbiased.

[Damon Billian]

Hi Eric,

We haven't seen any issues with China and GAE per se. A couple of
things:

The primary problem, as you probably already know, is the GFW does
often block by IP when they have an issue with a site. If they happen
to block our IP for some reason, we have to move the site(s) to a
different map.You should most certainly contact us if you see this
happening & a traceroute to the domain (with CloudFlare active and
from China) would confirm. We don't run into this too often, however.

China routes traffic in/out in a very controlled manner (I believe our
network engineer said they only have 1 or 2 exit points). If you point
your service to CloudFlare, all of the traffic from China would hit
the United States (this would create a little latency for visitors
from mainland China).

If you're going to use SSL, you would want to make sure you're
choosing the FLEXIBLE SSL option on CloudFlare (requires a Pro
account)

Performance Enhancement:
You could enable optional services like Rocket Loader and Auto Minify
(we also have some good things for Pro accounts coming soon) to
further help speed up the site.

[Brandon Wirtz]

Damon,

Seeing as you only hit up the GAE forums when you want to push your product,
you are a spammer.

That said. Since you want to claim your product competes with my product,
and that I'm a Kia to your Rolls Royce, I'll play.

My typical client has a $30k a month bill with their current provider before
they come to us. We reduce that by 2/3s and take half. We don't work with
clients who will generate less than $2000 a month in billings.

What is yours?

Our Cheap package CDN In A Box is truly meant for SEO clients who got kicked
out of Google because Cloud Flare Screwed them over. I didn't even offer
that service until we picked up our 15th client who was in that boat. I am
much happier telling people use AWS, or Rack with Squid, rather than signing
them up, because I don't want to support a $30 a month client. And if they
are a $300 a month kind of client I push them to IAS on Azure.

We offer the following enterprise features which do you have?

Load balancing and Server Delegation by Path: (yourdomain.com/users and
yourdomain.com/sales need not go to the same backend device)

Session and Authentication off loading: (we can be your Pay Wall and prevent
the need to do pay wall or security integration in your code)

Bcrypt Acceleration with GPU: (we can off load all of your Bcrypt so that
you can offer faster more secure authentication)

Points of presence in China, Armenia, Turkmenistan, Hondura, Ethiopia, to
keep sites up even during black outs.

Last known Good Uptime Protection: In the event a site is down we will serve
the last know good version until it comes back up.

Automatic Malware Removal: In the event that you are hacked Malware is
automatically removed from the pages served to the end user. We will also
automatically filter infected binaries. And Log all canonical tags for
inspection to confirm those are not hijacks.

Proxy Side Templating: Templates can be applied at the proxy reducing the
bandwidth and load on the origin server

Multi-source Page Creation: User Customization of content can be sourced
independently of the primary content, allowing for better caching and
reduced load.

Load balancing, failover, and Geo Optimization using multiple networks:
Because we run on GAE, Azure, Rack, AWS, and Co-located servers in specific
countries, the Internet has to suffer cataclysmic failure for us to be down.

[Jeff Schnitzer]

Brandon, I admire your chutzpah (especially the combination of calling
someone else a spammer in the same message that you include the
contents of one of your marketing pages), but really, enough.

I'm quite happy that CloudFlare has chosen to participate in this
forum - I've tried to encourage it through what contacts I have. And
so far, I'm happy with their service. If you want to point out
specific issues that we (users) should be aware of, I'd love to hear
it, but "screwed over" isn't really enough technical detail. And the
tone makes you look like a jerk.

As far as I'm aware, the biggest complaint is that the integrated DOS
protection system will sometimes false-positive users with a CAPCHA.
This is, AFIACT, a non-issue if you disable the DOS protection system
(which I have - I can always turn it on manually). If you'd like to
explain why I'm making a mistake by using this service, I'm listening,
but it had better be good.

Jeff
(a paying customer of CF, and I know a member of the engineering staff
there, but otherwise I don't have a horse in this race)

[Brandon Wirtz]

Jeff,

Glad you have good luck. That hasn't been the case for many others, and it
is not just the captcha.

Several Schools found that their students couldn't go to their own sites
because the Net Nanny deemed their School Porn sites because of a Shared IP.


Sites have been delisted after the "robot" protection blocked their access.

Sites with malformed HTML have had their page munged to the point that most
of the page didn't render. Resulting in having their site mis-indexed or
lose their rankings. And because CF just randomly "improves" their Page
optimization tools it might not be because the user changed anything, and
depending on which IP is serving the page at any moment it might not appear
to the Site admin the way it does other users.

Shared IPs have resulted in Legal Notices being sent to the wrong party.
Often (I suspect) because CF provided the smaller clients contact
information rather than the larger ones when responding to a court order.

Jeff, I thought you had better taste in friends. When you have taken phone
calls from people who are crying because of how bad a product worked for
them, and how it has cost them their livelihood, or their reputation. You
can tell me what a Jerk I am. Because we all know I have the appearance of a
jerk. I like it that way. That way you know that I don't give a damn what
people think, so I can be honest. When you have done a conference call
with the school board of the IT administrator who installed CF because they
thought it would save them money, but is now on suspension for allowing porn
to be installed school computers, even though there was none, because of a
False positive that resulted from Cloud Flare, you can judge me. When you
have donated time to a YMCA camp that got delisted from Google because CF
blocked the Google bot and as a result no one could find the website that
was mentioned in the Radio ads they ran, and so their enrollment was off 30%
and they almost shutdown. You can Judge me.

As to posting my marketing materials being spam... If you think anyone on
this list is a potential client for services in that price, and that those
people would opt to buy rather than build, you have a different opinion of
the types of people on this list than I do. I posted those because I do
care about my reputation. Because I have earned it. You will never find a
bad experience from any of my customers. Because I will fight tooth and nail
for my customers. And I won't take a customer that my products won't work
well for.

I'll stick with my if you are considering trying to Reverse Proxy, or
Reverse Nat your AppEngine, Squid on AWS, or IAS on Azure, depending if you
are in the $20 or the $300 Price range.

[Jeff Schnitzer]

Cutting this down to only the relevant parts:

On Thu, May 24, 2012 at 11:21 AM, Brandon Wirtz <dra...@digerat.com> wrote:
>
> Several Schools found that their students couldn't go to their own sites
> because the Net Nanny deemed their School Porn sites because of a Shared IP.

Seems like the issue of a shared IP is moot to people running on GAE.
Or at least, it's a known issue that requires nontrivial effort to
work around. From my own perspective, I find the $20/mo we pay for
full-time ssl and an IP address shared with 20 other domains to be a
reasonable compromise. The main thing is that I don't need to set up
servers (virtual or otherwise).

At any rate, I'm not sure it's fair to criticize CF over this issue.
At the very least, it doesn't represent any additional problem over
running on GAE's shared IPs - especially now that there is porn on
GAE.

> Sites have been delisted after the "robot" protection blocked their access.

The robot protection is optional. Turn it off.

> Sites with malformed HTML have had their page munged to the point that most
> of the page didn't render. Resulting in having their site mis-indexed or
> lose their rankings.  And because CF just randomly "improves" their Page
> optimization tools it might not be because the user changed anything, and
> depending on which IP is serving the page at any moment it might not appear
> to the Site admin the way it does other users.

There are two thoughts on this, both of which should be pretty
obvious. Either turn off page optimization or simply don't serve
malformed HTML. We choose the later approach. The HTML minification
is actually really convenient.

FWIW, I don't believe this kind of page optimization is enabled by
default, so you really have to trip over it.

> Shared IPs have resulted in Legal Notices being sent to the wrong party.
> Often (I suspect) because CF provided the smaller clients contact
> information rather than the larger ones when responding to a court order.

Amusing, but this doesn't keep me up at night.

> I'll stick with my if you are considering trying to Reverse Proxy, or
> Reverse Nat your AppEngine, Squid on AWS, or IAS on Azure, depending if you
> are in the $20 or the $300 Price range.

I prefer infrastructure I don't have to maintain.

Honestly, it feels like your crying customers really just needed
someone competent to click the right buttons at CloudFlare. It really
isn't rocket science either; the UI is pretty straightforward.

Jeff

[Brandon Wirtz]

> Honestly, it feels like your crying customers really just needed someone
> competent to click the right buttons at CloudFlare. It really isn't
rocket
> science either; the UI is pretty straightforward.
>
> Jeff

And I'm the jerk?

[vlad]

I liked the part about point of presence in Turkmenistan and Ethiopia. LMAO

[Brandon Wirtz]

Vlad,

I donate a lot of time and resources to freedom of speech and human rights
organizations. So we have servers in some really nasty places. And DNS in
those places as well. I really wanted to have an Oceania server, but can't
justify the price, and the blocking of content is usually of stuff hosted
there, not them trying to get out.

One of my primary missions in life is to enable citizens the ability to tell
their story without government censorship.

[Damon Billian]

"Seeing as you only hit up the GAE forums when you want to push your
product,
you are a spammer."

The only reason I'm here is because of the following:
1. You're spreading misinformation about our product and making
unfounded statements.
2. You're the one that decided to hop in and say negative things about
our us.

If anyone takes a look at the Google forums, or any other forum for
that matter, I do not spam the forums with our product offerings at
all. I address questions or concerns relative to CloudFlare & get
involved in trying to fix issues that may arise. I do not, unlike some
other named party in this thread, look for mentions of a competitor
and decide to slag them.. It would be very easy for me to look for
mentions of you or your product, since there are so few mentions
online, and try to jump in with some comment to discourage people from
using it. I have chosen not to take that path...nor will I lower
myself to your level of what you consider to be "civil discourse".

[Brandon Wirtz]

If I was spreading misinformation you would have served me (another)
C&D. We have been there, done that. Didn't work out last time.

[Klaus K.]

> Glad you have good luck. That hasn't been the case for many others, and it
> is not just the captcha.
>
> Several Schools found that their students couldn't go to their own sites
> because the Net Nanny deemed their School Porn sites because of a Shared IP.

Very weak point. GAE also has a pool of shared IP adresses and allows
hardcore pornography. You should know best since you've created your
own porn site on GAE and posted it everywhere in this group for your
little "policy-test".

[Brandon Wirtz]

PS. My porn site received 5 visitors yesterday. I don't really want
to be in the porn business, I just want to know if the world changes
one day and Google turns the site off. It is a Canary.

[Brandon Wirtz]

>
> Very weak point. GAE also has a pool of shared IP adresses and allows
> hardcore pornography. You should know best since you've created your
> own porn site on GAE and posted it everywhere in this group for your
> little "policy-test".

I think it is a very strong point. If you install CloudFlare to
Prevent the AppEngine Limitation, it won't work. Where as if you get
a Static, or use a non-porn enabled host you won't have that issue.

If you use CF to "enable" China, you may not always be enabled. If you
use A Squid at Amazon Or Rack Space, you will. And if you use route 53
you can make sure that all your non-China traffic can still be routed
to AppEngine.

Also, it appears that Net-Nanny type software tends to "flag"
appengine as a "Proxy By Pass site" rather than porn. I am probably
the only porn provider on AppEngine because you can't have a good
Domain Name. But most blockers do block *.appspot.com because of all
the Mirrrror (is that the right number of R's?) Web Proxy's on the
service.

[Damon Billian]

That's easy to address. I asked our CEO, who also happens to be a lawyer, if we have ever sent you a C&D letter from the company or from our attorneys. His response: "No".

Perhaps it was some other company?