Login/Register
Does firebase hosting benefit from CloudFlare?
Asked Answered
Solved sslcdncloudflarefirebase-hostingddos
K

3

25

I was looking at https://material-ui-next.com who seem to be running on firebase hosting and use CloudFlare on top of it.

This raised a question. Do firebase hosting websites need additional layers for things like DDoS protection? As as I am aware, firebase provides SSL, CDN, DDoS and caching out of the box? When would one want to add CloudFlare on top of that?

Kettledrummer answered 21/11, 2017 at 9:45 Comment(2)
I have the same question. Here is a similar question with an answer which I can relate to. However I am not 100% sure about it, maybe the Material UI team has a reason to use CloudFlare as well.Implead
How did you add DNS records within Custom Domain (or did you use file validation) along with DNS record for the same domain in Cloudflare?Disorientate
L
26

UPDATE: I've moved from Firebase hosting to Netlify

While deploying our website (https://mfy.im) we ran into a similar debate. However, we decided to go with Firebase hosting without CloudFlare

The main reason is the performance:

  • Firebase hosting without CloudFlare: 732ms
  • Firebase hosting with CloudFlare: 1.2s

Using Firebase config json I was able to configure most of the things that I did earlier in CloudFlare.

However, if you're not much concerned about performance, I recommend to use Firebase with CloudFlare due to the following reasons:

  • Firebase provides some basic DDOS prevention, but no rate limiting. See: Rate Limiting on Firebase Hosting
  • Brotli compression - Firebase only provides gzip
  • Pricing - only 10GB bandwidth is free. After that, it's $0.15 per GB. If you enable CloudFlare on top of Firebase it will cover most of your bandwidth
Leitman answered 24/5, 2018 at 3:12 Comment(7)
In post you linked, it does say Firebase has some DDOS protection built-inPeeples
Why did you moved to netlify?Nuncio
@DanielVilela it's much easier to work with, auto-deployment from git, asset optimization, split testing, staging environment and much more...Leitman
Cool i`'ll give it a try!Nuncio
i moved from netlify to firebase, why, I get a realtimeDBGlassware
Hey can you please checkout this question #68369680Ratha
It looks like firebase now offers brotli compression: firebase.googleblog.com/2020/08/…Atworth
A
5

To anyone looking to put Cloudflare or another CDN in front of Firebase - bear in mind that Firebase sees only one IP making a massive number of requests and may decide to block that IP. I'm not sure if this is something happening recently, but here's the (arrogant) response from Google Support on the matter:

The specialist we involved in the issue recommended us to escalate this with one of the Firebase Engineers which we did.

The engineers mentioned us that CloudFlare integration is limited as Firebase hosting already provides content through the Firebase CDN[1] and adding a second CDN on top is discouraged as it can actually bring down the site performance.

This causing a limitation preventing us to allow the cloudflare IPs.

Edit: If you're interested in doing this, Google have opened a "Feature request" here to whitelist / stop blocking CDN IPs:

https://issuetracker.google.com/issues/185590945?pli=1

Please star it if you would like it resolved faster.

Acetylate answered 16/4, 2021 at 7:0 Comment(7)
Ugh. This is ridiculous IMO.Disorientate
@MattHudson It is, I was furious with their "you are holding it wrong" response tbh - there's a million reasons why I'd want to put cloudflare in front of firebase. Rate limiting requests, notable hosting speed improvements, MUCH better control over security, security reports that aren't visible only to Google Engineers, page and redirection rules, and so on.Acetylate
Cloudflare also reduces Firebase costs by caching. Cloudflare is working for me at the moment, but the logs show Cloudflare's IP addresses instead of the visitors' IP addresses, which isn't going to work.Swart
Depends on your traffic. Once we hit 300 visitors a day the issues startedAcetylate
Hey can you please checkout this question #68369680Ratha
Update: got tired of waiting so moved the app to cloudflare pages. It's much faster now and I have full control. Took almost no time at alll to move, cloudflare has made this super easy with their github actions, it's literally a wizardAcetylate
@Acetylate I have to comment. I'm receiving the same arrogant, delusional responses from Firebase "people". Wondering why on earth i'd want to restrict public access to my hosted dev/stage/prod environments. I've never had such an experience.Skittle
D
0

We put Fastly in front of firebase. We put it in front of functions AND hosting.

We did this using rewriters to point to the functions, then we requested Fastly to do a force override to pull the hosting domain properly (we were getting site not found).

Using Fastly to pull data from Firebase is working very well. We get additional logging, control of WAF, etc.

We did not have to setup a custom domain in Firebase to achieve this, but we did have to allow Fastly to call with CORS settings.

Disorientate answered 17/6, 2021 at 21:24 Comment(2)
As far as I know, Firebase Hosting already uses Fastly as their CDN (see: firebase.google.com/terms/subprocessors), so basically using Fastly on top of Fastly doesn't sound like a very good idea to me in general. In your case using it for functions as well makes way more sense on top of the control you gain, just wanted to add the above as context for readers that only use hosting. I wish that Firebase would just offer more control over Rate Limiting, WAF, etc. so the option of using another CDN/Service on top wouldn't even come up.Yorktown
Yes they do use Fastly. And just because they use it for CDN doesn't mean much in regards to control. For instance we wanted to lock calls from our domain into Firebase only. We also wanted to be able do various checks by URL. We also used Signal Science within Fastly to check for bots. All things that wouldn't be possible without our own instance of Fastly.Disorientate

© 2022 - 2024 — McMap. All rights reserved.