Reducing PieFed’s dependence on Cloudflare

When Cloudflare had problems recently pretty much every PieFed instance went offline. This was a real “wtf are we doing” moment, for me. What’s the point of having multiple instances (there are now 64 PieFed instances!) if they all have a single point of failure.

Due to some technical limitations of the way I wrote PieFed, the official installation instructions have been strongly pushing people towards using Cloudflare since the beginning. Getting caching right is hard and grappling with the problem can mostly be avoided by just clicking around inside the Cloudflare dashboard a bit, so that was the approach in the early days.

Those technical limitations have been overcome now so we can do caching at the Nginx/Caddy level, rather than leaning on Cloudflare. We just need to make a few tweaks to the nginx configuration:

proxy_cache_path /dev/shm/nginx levels=1:2 keys_zone=mycache:20m max_size=1g inactive=100m;

upstream app_server {
    # fail_timeout=0 means we always retry an upstream even if it failed
    # to return a good HTTP response

    # for UNIX domain socket setups
    # server unix:/tmp/gunicorn.sock fail_timeout=0;

    # for a TCP configuration
    server 127.0.0.1:5000 fail_timeout=0;
    keepalive 2;
}

server {
    server_name piefed.social
    root /whatever

    keepalive_timeout 30;
    ssi off;

    location / {
        # Proxy all requests to Gunicorn
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://app_server;
        ssi off;
        
        # Enable caching
        proxy_cache mycache;
        proxy_cache_bypass   $http_cache_control;
        proxy_no_cache       $http_cache_control;
        proxy_cache_valid any 0;

    }

    # Serve static files directly with nginx
    location /static/ {
        alias /whatever/app/static/;
        expires max;
        access_log off;
    }

}

Although we’ve just removed one the main reasons to use Cloudflare, you may still need it for it’s ability to block by ASN (good for countering aggressive scrapers) but alternatives to that are being worked on.

Leave a Reply

Your email address will not be published. Required fields are marked *