This site now Cloudflare-free
About a year ago I set up Cloudflare as a fronting CDN for this site and my music site because it was the most expedient way of dealing with an AI bot onslaught. It helped a bit but the bots very quickly figured out how to get around all that and while Cloudflare gave me some slightly-better management tools for some stuff, I figured out better approaches to the bot mitigation.
Cloudflare was also super aggressive about caching some stuff that I didn’t want to be cached, and of course, there are many, many political and ideological reasons to not want to use Cloudflare. So my plan was always to switch back to not being under Cloudflare, but the longer I waited the harder it seemed like it would be, due to how SSL certificates work. In particular, I use wildcard Let’s Encrypt certificates, which require DNS to be current, and a big thing that Cloudflare does is… take over your DNS.
But tonight I got a hair up my butt and switched back to my own termination, and it wasn’t too hard to do, with just a little bit of DNS and TLS juggling, and I wanted to minimize my website downtime.
The steps I took were roughly:
- Added some temporary `A` records on Linode’s DNS, mapping `@` and `*` to one of Cloudflare’s exit servers
- Added some propagation-debugging TXT records (`_moo.beesbuzz.biz` and `_moo.sockpuppet.band`, in case you’re curious)
- Swapped my `SOA` records back over to Linode
- Waited for `dig TXT _moo.beesbuzz.biz` and `dig TXT _moo.sockpuppet.band` to return the expected value
- Reenabled `certbot` on the domains and waited for it to get updated certificates
- Flipped the TLS certificates in nginx over to Let’s Encrypt
- Flipped `@` and `*` back over to my actual origin server
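The "wait for the canary TXT record to come back" step above is the one that decides when it is safe to move the `SOA` and `A` records, and it is easy to fool yourself by only asking your own resolver. The script below is an added example (not the author's own tooling): it asks several recursive resolvers for the canary record and reports which ones still serve the stale answer. The record name `_moo.example.com`, the value `cutover-marker`, and the resolver addresses are placeholders; `DIG_CMD` exists only so the check can be exercised against a stand-in for `dig`.

```shell
#!/bin/sh
# Added example: per-resolver propagation check for a DNS cutover canary.
# Record name, expected value and resolver list are placeholders.

# Normalise `dig +short TXT` output read on stdin: strip the surrounding
# quotes and drop blank lines, leaving one TXT value per line.
parse_txt_answers() {
    sed -e 's/^"//' -e 's/"$//' -e '/^$/d'
}

# Succeed (exit 0) when the expected value appears among the TXT values on stdin.
txt_has_value() {
    parse_txt_answers | grep -Fxq -- "$1"
}

# check_propagation NAME EXPECTED RESOLVER...
# Prints "<resolver>: ok" or "<resolver>: stale" per resolver and returns the
# number of stale resolvers (0 means every resolver has the new value).
# DIG_CMD may name a stand-in for dig so the logic can be run offline.
check_propagation() {
    name=$1; expected=$2; shift 2
    stale=0
    for resolver in "$@"; do
        if ${DIG_CMD:-dig} +short TXT "$name" "@$resolver" | txt_has_value "$expected"; then
            echo "$resolver: ok"
        else
            echo "$resolver: stale"
            stale=$((stale + 1))
        fi
    done
    return "$stale"
}

# wait_for_propagation NAME EXPECTED MAX_TRIES RESOLVER...
# Re-checks every SLEEP_SECS seconds (default 15) until all resolvers agree
# or the attempt budget is spent; returns 0 on success, 1 on timeout.
wait_for_propagation() {
    name=$1; expected=$2; max_tries=$3; shift 3
    try=1
    while [ "$try" -le "$max_tries" ]; do
        if check_propagation "$name" "$expected" "$@" >/dev/null; then
            return 0
        fi
        try=$((try + 1))
        sleep "${SLEEP_SECS:-15}"
    done
    return 1
}

# Usage, after publishing the canary TXT record and before touching SOA/A:
#   wait_for_propagation _moo.example.com cutover-marker 20 1.1.1.1 8.8.8.8 \
#       && echo "safe to flip"
```

Querying a handful of public resolvers directly (rather than whatever `/etc/resolv.conf` points at) is what makes the canary meaningful: the resolver on your own machine may already have the new answer while the ones your visitors use are still serving the old zone until its TTL expires.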
Thankfully, I had basically no site downtime, since Cloudflare was accepting my LE certificates on the origin (rather than requiring the use of their self-signed origin certificate). I did have a bit of delay on getting the updated cert on sockpuppet.band due to DNS propagation1 being slightly slower on that one for some reason and I got impatient, but it only took a few minutes to catch up.
So anyway, yeah, I’m now Cloudflare-free. No more creepy injected analytics spyware, no more contributing to the erosion of the decentralized web, and no more having to worry about Cloudflare suddenly deciding I needed an enterprise account instead of being fine with the free tier. My site is still performing just as well as before, as far as I can tell.
At present I’m not even seeing a significantly higher request rate on my server, although presumably it’ll be some time before the AI crawlers have caught up to the new DNS records, because I’m sure they’re doing their own broken caching like everything else they do is broken, so maybe in a day or so I’ll be regretting this choice. Also I’m sure there are still plenty of people actually going through Cloudflare because of things like DoH caching, so it’ll probably be a day or so before I get the real performance metrics. But according to Cloudflare’s own dashboard it was only caching about 2.5% of my overall requests.
The domains are still configured on Cloudflare for now, but I’m sure at some point they’re going to notice that the zone isn’t mapped to their DNS anymore and so at some point any stragglers who are still trying to use Cloudflare’s exit server are going to get some sort of error message. And I’m totally fine with that.
One way to tell if your browser is still going through Cloudflare is by visiting my robots.txt, which Cloudflare also adds a bunch of crap to. Or you can view source on this page; if there’s a <script> tag referencing static.cloudflareinsights.com at the very bottom then you’re still going through Cloudflare. For me at this very moment, Firefox is still going through Cloudflare to beesbuzz.biz but not to sockpuppet.band, and Safari and curl are going direct to my own server for both domains with no TLS problems, so I’m satisfied with the current state of things.
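The view-source check above can be scripted for the `curl` case. The following is an added example, not something from the post: it reads a saved HTTP response (headers, blank line, body), looks for the `static.cloudflareinsights.com` beacon script the post mentions, and also for the `server: cloudflare` and `cf-ray` response headers that Cloudflare's edge adds. The sample responses in the test are constructed, and the `example.com` URL in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example: report whether a fetched page still came through Cloudflare.
# Hostnames and the sample responses are placeholders, not real captures.

# Read a full HTTP response (status line + headers, blank line, body) on
# stdin, print each Cloudflare indicator found, and exit 0 if any were seen.
cloudflare_indicators() {
    resp=$(cat)
    # Headers run up to the first blank line (handles CRLF via [[:space:]]).
    headers=$(printf '%s\n' "$resp" | sed '/^[[:space:]]*$/q')
    body=$(printf '%s\n' "$resp" | sed '1,/^[[:space:]]*$/d')
    found=0
    if printf '%s\n' "$headers" | grep -iq '^server:[[:space:]]*cloudflare'; then
        echo "header: server=cloudflare"; found=1
    fi
    if printf '%s\n' "$headers" | grep -iq '^cf-ray:'; then
        echo "header: cf-ray present"; found=1
    fi
    # The injected analytics beacon the post describes, at the bottom of the page.
    if printf '%s\n' "$body" | grep -q '<script[^>]*static\.cloudflareinsights\.com'; then
        echo "body: cloudflareinsights beacon script"; found=1
    fi
    [ "$found" -eq 1 ]
}

# Fetch a URL with headers included (-i) and run the checker over it.
check_url() {
    curl -sSi "$1" | cloudflare_indicators
}

# Usage: check_url https://example.com/ && echo "still via Cloudflare"
```

Because `curl` resolves the name itself rather than through the browser's DoH resolver, it can disagree with Firefox for exactly the reason the post notes: the two are simply asking different DNS caches.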