I love how you are progressively moving closer and closer to a proper enterprise setup. There is a real lack of beginner-friendly content on this type of stuff. New JS/TS type developers rarely get exposed to this kind of thing. You are doing great work.
These types of thumbnails are far more interesting than recent ones
True, but they don’t get as many views 🤷‍♂️
@@WebDevCody use any just here for the knowledge ❤
In the Unix world, programs ending in d are usually daemons (like sshd, smbd, etc)
🧐 good observation
Thank you for keeping us updated! I subbed since the original ddos attack. I was paranoid about this for my own projects, and then came across your videos!
Cloudflare seems pretty interesting as a substitute for AWS. Idk why AWS doesn't have bill limiting for people who just want to learn, test things and build side projects
Yeah true. I think they might just be hoping people incur larger bills than intended, and make extra money off those people. I would assume they have to deal with lots of charge backs though, so I don't know if that would be a net gain.
@Dom-zy1qy They're very forgiving for small projects and will usually give you a refund like in Cody's case, I don't think they're actively trying to make an extra buck here.
Now that I think more about it, maybe AWS doesn't want to attract side project people or doesn't want to invest in it. For enterprise these problems aren't really a problem; they'll just buy a WAF plan.
Thanks a lot ❤, I was able to set up a tunnel for my server running on a DigitalOcean droplet using a Docker environment. Thanks for being my mentor ❤
I feel so happy you saw my comment and even made a video about it haha!
I see all comments 😜 thanks for pointing it out
More of this please! Great content!
Great video! I didn't realize how simple it was to set up Cloudflare tunnels. Subbed!
Genuinely cool content. Awesome to be along for the journey
It would be nice to see a mindmap, flowchart, etc. of the various possibilities of deployment. I've more familiarity with k8s and oddly enough most people think it's difficult but that's my biggest frame of reference because it's so easy to set up a new ingress, service and deployment for me now. I think these videos where you give a wide view of these topics are the most helpful for me at least.
Never knew about this, super helpful video. Thanks for sharing.
amazing little series here, thanks so much!
Thank you Cody! I'm making a side project and I'm going to do this exactly
very interesting I had no idea this was possible. thanks for covering it !
Good job love! I see someone already took my “good job babe” lol we are all vying to be your babe 😂❤
You’re the OG. They’ll never have anything over you babe
Thanks a lot for so many videos about infra... I'm learning a lot from your channel
When I worked for Amazon they seemed to have a pretty forgiving policy for people who accidentally used more than they thought they would. I would try talking to their customer service and seeing if you could get a refund for the high usage.
Edit: that'll teach me to watch to the end before commenting 😅
They’ve said they would refund the charges. But going forward I’ve decided I’d rather just have my entire application die if I accidentally misconfigured something rather than to have to hope the hosting company will refund me before I need to declare bankruptcy 😂
@WebDevCody I 100 percent agree. I got a 2.5G up/down connection to my house recently so my hosting fees are paid upfront 🎉
Thank you for sharing!
5:50 most important advice for all. Be aware of unexpected costs if you don't set up correctly and don't use the RIGHT tool for your project. It's pretty stressful to get a $1.000 bill for nothing.
Was just about to write that on your other video :-) Thnx for your videos tho
would love to see a video about cf rules and stuff as well
Great video, a nice niche of tutorial content that's really missing: moving from local dev env to real world deployment issues.
At least Vercel has now added hard cap project pausing instead of the custom webhook being the only way to cancel.
good share again Cody
R2 is definitely the future
Looking forward to the s3 compatible R2 setup!
Thank you so much.
Have you played around with cloudflare workers? Looks like they've got everything I need to build an app these days, DB, queues/crons and serverless functions.
You get charged by the number of requests. Be careful with that.
don't go serverless, rather learn how to use linux w docker, much better in the long run and is more marketable
I’m moving away from serverless for my side projects. I don’t need infinite scaling
@yarmgl1613 I usually do these for my projects, but how do I make them public? For at least some users on them.
Can you please make a tutorial series about Cloudflare Workers, such as building a website using Cloudflare Workers?
At 1:01 you mentioned bandwidth. Do both incoming and outgoing cost money, or is it only specific to outgoing?
Thank you
Is there a benefit to using tunnels for this instead of adding IP CIDR ranges in the firewall?
Would Cloudflare tunnels work for projects deployed in Vercel (or similar services)? I currently have a project setup with a Cloudflare proxy after seeing your original DDOS video but this seems much more secure
can you make a video on comparing S3 VS R2?
Hey Cody! I'm trying to set this up as well but running into some issues and I'm not sure what I'm doing wrong. Any chance you could do a quick tutorial from start to finish on this when you have some time?
Are you trying to apply it with next JS or something else?
One 👏of 👏 us 👏 one 👏 of 👏 us 👏
Since you are moving away from serverless are you also moving away from event driven architecture? (Sqs, sns, etc) and dynamodb
I was looking for someone to explain Cloudflare and found your channel. I can't access your thumbnail critique website for some reason.
Love you babe
Aht aht aht ☝🏿 I don’t share like that lol 😅
How do I test this kind of DDoS protection setup? Can I perform an attempted DDoS attack on my own service to see if it is indeed blocked?
I wouldn’t worry about it; if you have your app private and through Cloudflare, it’s protected. Also I’d recommend setting up a WAF rate limit rule so no one IP can hit your app over and over again
🙌
Is DDoS a concern of yours regarding Convex?
DDoS is a concern for anything that is charged per use. I’d personally add rate limiting to any API. Luckily an API usually requires auth, which means you can easily ban anyone abusing it and track by userId instead of IP.
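Added example (not from the video or any commenter): one way to do the rate limiting described in the reply above, keyed by user id with a per-IP fallback for unauthenticated requests. `req.userId` is a hypothetical field set by auth middleware; `CF-Connecting-IP` is the header Cloudflare sets with the client address, and it is only trustworthy when the origin is reachable solely through Cloudflare, as in the tunnel setup discussed in this thread.

```javascript
class RateLimiter {
  constructor({ limit, windowMs, now = Date.now }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;            // injectable clock so the logic is testable
    this.buckets = new Map();  // key -> { windowStart, count }
  }

  // Record one request for `key` and report whether it is allowed.
  check(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };
      this.buckets.set(key, b);
    }
    if (b.count >= this.limit) {
      const retryAfterMs = b.windowStart + this.windowMs - t;
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    b.count += 1;
    return { allowed: true, remaining: this.limit - b.count, retryAfterMs: 0 };
  }

  // Drop expired windows so the map cannot grow without bound.
  sweep() {
    const t = this.now();
    for (const [key, b] of this.buckets) {
      if (t - b.windowStart >= this.windowMs) this.buckets.delete(key);
    }
    return this.buckets.size;
  }
}

// Pick the identity to limit on. `req.userId` is a hypothetical field set by
// auth middleware. Behind a tunnel the socket peer is cloudflared itself, so
// the client address is read from Cloudflare's CF-Connecting-IP header.
function limiterKey(req) {
  if (req.userId) return `user:${req.userId}`;
  const ip = req.headers['cf-connecting-ip'] || req.socket.remoteAddress;
  return `ip:${ip}`;
}

// Constructed sample requests: same client address, one authenticated.
function demo() {
  let clock = 0;
  const limiter = new RateLimiter({ limit: 3, windowMs: 60000, now: () => clock });
  const base = { headers: { 'cf-connecting-ip': '203.0.113.7' }, socket: { remoteAddress: '127.0.0.1' } };
  const alice = { ...base, userId: 'u_123' };
  const burst = [1, 2, 3, 4].map(() => limiter.check(limiterKey(alice)));
  const anon = limiter.check(limiterKey(base)); // separate bucket from alice
  clock = 60000;                                // next window
  const later = limiter.check(limiterKey(alice));
  return { burst, anon, later, live: limiter.sweep() };
}
```

In a real handler, a denied `check()` would map to an HTTP 429 response with a `Retry-After` header derived from `retryAfterMs`, and `sweep()` would run on a timer.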
could you do a JavaScript challenges using codewars
can this integrate with Vercel?
I’m currently using Route 53 with Amplify to host my Nextjs app. Do you have any suggestions for ddos prevention in this setup?
Cloudflare: point your domain to Cloudflare and point Cloudflare to your Amplify distribution hostname, probably. Although, if there isn’t a way to prevent traffic to your default Amplify hostname, someone might still be able to hit your underlying distribution
@WebDevCody Cloudflare is asking for an IPv4 address for the root domain and it doesn’t seem to support ALIAS like in Route53. Is there any workaround to make Cloudflare support an Amplify-hosted link for the root domain?
Hey Cody,
Can you clarify the stack you're using to avoid DDoS and secure your service for your site (Ex):
- Hosting in Railway (No public access - Only private)
- Secured your hosting with Cloudflared (Tunnel in Railway as service)
- On cloudflare side, what do you have?
Thanks a lot.
On Cloudflare I set up rate limits, and inside my app I added various rate limits to all endpoints that hit my database. The database is also on Railway
@WebDevCody what if you do a video talking about all together?
I've been following you and the way you express is very clear, thanks a lot
Does it work for SSE and http streaming?
I wouldn’t see why they wouldn’t
So tunnel is before reverse proxy? Can you still ssh into vps with ip address of vps?
I think it kind of acts like your reverse proxy. You have the tunnel point directly to your running service on the machine. Meaning you don’t need Caddy or nginx to set up certs or point to your service. You can still keep SSH enabled for your IP on the machine, but you don’t need to have open HTTP ports, I believe
Cloudflared CLI basically starts a reverse proxy (you can configure which domain goes to which address; if you run a VM, you use localhost:$PORT. Cody used Railway, which starts up a second machine that acts as a reverse proxy and routes to the internal address), but you don't need to open an HTTP port on the machine, because you create a reverse tunnel (connect from the machine to Cloudflare instead of Cloudflare connecting to you), which minimizes the chance of you fucking something up. It's basically the same thing as ngrok or localtunnel, but meant for production instead of development.
Then does it mean Vercel is good since they have DDoS mitigation?
Idk, I thought AWS had DDoS mitigation but here I am with a $1500 bill. I know Vercel uses AWS under the hood 🤷
Why is Railway so cheap compared to other services, offering 8GB and 8vCPU for $5/month, while you get only 512MB and 1vCPU with Digital Ocean's droplet for a similar cost?
Newer company trying to get customers probably. Also their bandwidth charges are 10x DO at $.10 a GB where DO is $.01 a GB. So maybe that cost difference lets them provide more compute for less
As a freelance systems administrator, a little known secret of the hosting industry I had to find out is that X vCPUs can mean X amount of threads you have access to. The thing is, those threads are shared.
Example: At some points you may be able to get 95% access to those threads, and at other times only 10%, effectively limiting your performance. Hence why virtual dedicated server (VDS) is a term but poorly used because some companies think a VPS and VDS are the same thing.
Not accusing railway of anything because I have no evidence, but that's been my experience in the past with cheaper hosting services.
I'm not sure if it's me misunderstanding at this stage as I see lots of people taking that from their pricing page, but that doesn't seem to be the case - I feel like the Railway pricing is quite confusing.
From what I can tell, they don't include 8GB and 8 CPU for $5/month - you are allowed to allocate up to 8GB and 8 CPU per service on the Hobby plan and the $5/month gives you $5 of usage.
I have a small PHP app using 0.1 CPU and ~500MB RAM including database - this came to $6 last month (only recently moved so can't tell if I'm going to get charged yet).
As it's usage-based pricing, if you used 8GB and 8 CPU you'd be charged $240 a month according to their pricing page.
Thank you, I didn't know that. @ikanexus
Can you please be my mentor🙏🙏🙏🙏🙏🙏🙏🙏
First of all, first time commenting to you. Keep it up, man; I lately discovered your great content 🫡 Secondly, what I am currently curious about is: after blocking public access, did you remove the rate limits?
No I kept rate limits on