About a month ago I decided to rent a $16/month VPS from Gandi, hosted in Paris, that I’ve been using to run a fast Tor exit node called gollum. I wanted to tunnel my Thunderbird, Pidgin, and IRC traffic through gollum as well, but realized that that wasn’t a good idea. Tor recommends that you don’t mix personal traffic with exit traffic, not to mention freenode and other IRC networks block Tor exits.
Shortly thereafter I heard about DigitalOcean, and they were so nice to me on Twitter that I decided to rent a $5/month VPS from them, hosted in Amsterdam, to tunnel my traffic through. I called my new Amsterdam server smaug.
I started this blog about 3 weeks ago. I’d been thinking about starting a blog, and since smaug was so under-utilized I decided to use it to host my blog on LAMP and WordPress. Smaug has 512mb of RAM and a single core. As long as I use WP-Super-Cache, I shouldn’t run into any scaling problems, right?
My third blog post, Why I’m Leaving Ubuntu for Debian, turned a few heads. It went viral on reddit. As of this writing, it has 698 up votes, 307 down votes, and 469 comments. It was also on the front page of Hacker News for a while, but sadly both reddit and Hacker News traffic turned into a DDoS against poor smaug, and 512mb of RAM just wasn’t enough (no matter what Bill Gates didn’t say). The blog post itself currently has 79 comments.
To make sure the blog post stayed live I decided I (temporarily) needed a content delivery network to sit in front of smaug and handle the beating. So I signed up for CloudFlare. I first heard about CloudFlare at DEFCON 19 in a talk about denial of service attacks, where someone from CloudFlare told war stories about successfully defending LulzSec’s website from almost non-stop DDoS attackers over the course of 23 days. When Freedom of the Press Foundation’s website (which I built and manage) was the target of a DDoS attack, I decided to use CloudFlare to protect it and we haven’t had any downtime since.
So how much traffic did my website get while my blog post was going viral? It’s hard to tell, actually. I don’t use Google Analytics for privacy reasons. I use Piwik, a free software PHP/MySQL web application that you can host yourself that lets you get all the pretty graphs about your web traffic without handing all that data over to Google. You may notice this page isn’t trying to load piwik.js or piwik.php though. I’m using Piwik’s little-known server log importing feature, which lets me feed logs directly into Piwik.
Here’s what my Piwik analytics look like. January 28 is when it went viral, and January 29 is when CloudFlare took over the bulk of the traffic, so the post-January 28 Piwik analytics are no longer accurate.
Here’s what traffic looks like from CloudFlare’s side.
So apparently people really care about why I switched from Ubuntu to Debian.
Or, more accurately, Canonical’s invasion of privacy by default is a controversial issue that a lot of people have strong opinions about, and is losing them a lot of support right now.
CloudFlare is actually free. However, when I signed up for CloudFlare I chose to pay $20/month for a pro account in order to keep HTTPS on this site. Keeping HTTPS is important because:
- I’m trying really hard to get the world to deprecate HTTP in favor of HTTPS (and fix the HTTPS certificate authority nightmare at the same time), so I couldn’t bring myself to let micahflee.com be accessible over http://.
- I configured Apache to use the HTTP Strict Transport Security (HSTS) header. This means that for users of modern browsers, like Firefox, Chrome, or smartphone users, as soon as someone successfully visits https://micahflee.com their browser will refuse to make any http://micahflee.com requests at all for a specified amount of time. If I had gone with the free CloudFlare account instead of pro, none of the original 15,820 people would be able to load my website again without clearing stuff in their browsers.
My month of CloudFlare service is almost up. So, before then, I’m going to re-architect what’s running on smaug. I’m going to install nginx and make it listen on port 80 (HTTP) and 443 (HTTPS). Obviously, nginx is going to redirect all HTTP traffic to HTTPS, and I’m also going to make it set the HSTS header. Nginx on port 443 is going to forward all of that traffic to Varnish, running on some other port. I’m going to use Varnish as a reverse caching proxy because it’s much more efficient at handling craploads of requests than Apache is. The reason I need nginx at all is because Varnish can’t do HTTPS. And finally, Varnish will be forwarding all its traffic to Apache, running on some other port, which will continue to host WordPress.
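A sketch of the nginx layer of the stack described above, as an added example and not the author's actual configuration. The Varnish port (6081), the certificate paths, and the HSTS max-age value are assumptions, since the post only says "some other port" and "a specified amount of time".

```nginx
# Added example (not the author's config). Ports, paths and max-age are assumed.

# Port 80: serve nothing over plain HTTP, only a redirect to the HTTPS origin.
server {
    listen 80;
    server_name micahflee.com;
    # Redirect to a fixed host name rather than echoing the client's Host header.
    return 301 https://micahflee.com$request_uri;
}

# Port 443: terminate TLS here (Varnish cannot), then hand off to Varnish.
server {
    listen 443 ssl;
    server_name micahflee.com;

    ssl_certificate     /etc/ssl/certs/example-fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/example-key.pem;      # placeholder path

    # HSTS is set only in the HTTPS server block; browsers ignore it over HTTP.
    # "always" adds it to error responses as well. max-age is in seconds
    # (31536000 = one year, a constructed value).
    # Note: a location block that declares its own add_header stops
    # inheriting this one, so repeat it there if that ever happens.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Varnish listening on loopback only (assumed port), so the cache
        # and Apache behind it cannot be reached without going through TLS.
        proxy_pass http://127.0.0.1:6081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Record that the client connection was HTTPS, since everything
        # behind nginx sees plain HTTP.
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After a reload, `curl -sI http://micahflee.com/` should show a 301 with an `https://` Location, and `curl -sI https://micahflee.com/` should show the `Strict-Transport-Security` header.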
I’m fairly confident that after my new nginx/Varnish/Apache setup is complete, should I choose to blog about Ubuntu’s screw-up again, my 512mb single-core VPS will be able to handle the beating all on its own.