Can Cloudflare be used as a CDN for Backblaze B2?

According to the terms of service clause 2.8 (https://www.cloudflare.com/en-gb/terms/#:~:text=2.8) and many comments across this community, using Cloudflare as a CDN “for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service.”

These terms at time of writing are “Effective November 10, 2022”.

However, according to Backblaze, in an article on their site titled Delivering Backblaze B2 Content Through Cloudflare CDN (https://help.backblaze.com/hc/en-us/articles/360010017893) dated October 19, 2022 20:09, the author clearly states, “Cloudflare can be used as a CDN for a B2 bucket without workers if the bucket is public, not private.”

The article goes on:

Many customers have expressed interest in hosting static data for their website (ranging from minified Javascript applications to multi-hour 8K video) because of the security, reliability, and affordability of Backblaze B2 storage. One solution to ensuring performance and availability is to route requests through a CDN (Content Delivery Network) such as Backblaze’s Bandwidth Alliance partner Cloudflare, taking advantage of Cloudflare’s performance and the free data transfer between Backblaze B2 and Cloudflare.

The message in the Backblaze article is very clear: we can use Cloudflare as a CDN in front of B2 for “static data”.

My interpretation is that as long as the assets being served from B2 through the CDN are primarily in the service of rendering a website and associated APIs then Cloudflare will be fine with it. E.g., running your WordPress website with static content hosted on B2 is fine, whereas running a huge Pixelfed or Peertube instance will probably get their attention (that is, “disproportionate” use of images and video).

This seems a lot like a fair-use policy. But it is unclear. What does disproportionate mean? Disproportionate to what? HTML? Nearly all websites serve a disproportionate amount of non-HTML content (in terms of data over the wire) as compared to the HTML (see https://httparchive.org/reports/page-weight). Can anyone shed any further light?

With independent instances of the Fediverse enjoying rapid growth and perhaps serving a lot of static media, this is a question I am sure many others would like clarity on. Mastodon supports storage of media in S3 compatible buckets, and, as I understand it, many instance administrators use Cloudflare to cache those assets. In fact, Cloudflare is mentioned in the Mastodon documentation (https://docs.joinmastodon.org/admin/config/#trusted_proxy_ip).

Many thanks,

Charles

I am also wondering this. I’m using a B2+CF setup for my personal Mastodon instance, and indeed a straight reading of the CF TOS would suggest this is not allowed? Backblaze is a CF partner, yet has numerous blog posts about how to configure this exact setup, including with Mastodon.

Some clarity here would be appreciated.


Cloudflare and Backblaze really do need to bang their heads together on this and come up with a definitive answer to this. Backblaze have published several articles explicitly encouraging use of B2 with Cloudflare to serve and cache non-HTML content. Yet Cloudflare ToS clearly state serving a “disproportionate” amount of non-HTML content could get your account suspended.

In light of the fact that Backblaze are actively promoting use of Cloudflare’s CDN to serve non-HTML content (such as 8K video!), I asked Backblaze if they could clarify, but they dismissed me with “You will need to reach out to the Cloudflare support team for clarification on their Terms of Service.”

But at least they answered. I asked the same to Cloudflare support 4 days ago and have yet to receive a reply.

Use of Backblaze, S3 or you using an old CD-ROM on your Pentium II 133MHz tower are all subject to the same Cloudflare ToS for the plan that you are on. The only difference between Backblaze and the other examples above is that Backblaze is part of the Cloudflare Bandwidth Alliance and so you’re receiving free/discounted egress from Backblaze when you use Cloudflare as a CDN.

That would indeed seem to be an example which would violate the ToS.

I’ve seen many claims of “I wasn’t abusing the system” where upon further review the site was serving hundreds of TB or a PB+ of content through Cloudflare a day/week/month.

You’re running a small Mastodon server on a free/pay-go plan … Cloudflare has millions of websites on the platform, they’re not going to even notice.

Backblaze doesn’t make decisions on whether or not something violates the ToS Cloudflare has established. They didn’t dismiss you, they provided you with a valid answer.

Disproportionate means that which Cloudflare at their sole discretion determines constitutes disproportionate. If my website serves 99% video content this month at 20MB total it is almost certainly not going to rise to a level where Cloudflare considers it at all, in any fashion. If I served 50% video content this month at 2PB total it would likely be considered and likely be determined a violation of their ToS.

The language is likely intentionally vague, but it really boils down to DBAD. If you have difficulty recognizing what constitutes BAD behavior then you’ll want to opt for an Enterprise plan; Cloudflare has an $ offering for almost all types of D behavior.


Thanks for the reply. What you write here makes sense and I largely agree with you, but unless you work for Cloudflare, or have specific experience of the scenarios you talk about, this is conjecture, and it is conjecture I am seeking to avoid.

I recognise what you are saying; if you’re “big enough” to feel like you should be worried, you probably should be worried. But how big is big? 100GB, 1TB, 100TB, 1PB? Do you get warned first if you’re getting “big” or “disproportionate”? As I wrote in my original post, the wording and sense of this clause seems more like a fair-use policy, and you seem to agree. “Disproportionate means that which Cloudflare at their sole discretion determines constitutes disproportionate” sounds a lot like fair-use to me.

So if that’s what it really is, it would be helpful for the ToS to say that. It would be helpful so customers can avoid FUD. ToS are supposed to clarify, remove vagueness, and provide some certainty and confidence, not the other way around.

Aside re. Backblaze response. Yes, you could argue they did provide a technically valid answer, but it was also an unsatisfactory answer and, to me, dismissive. They make decisions about what advice and encouragement they publish on their site. They make it very clear that we can use Cloudflare’s CDN to cache non-HTML content “for free”. So they should take some responsibility for the legitimacy and consequences of their advice on their customers. It’s about customer care; that is, caring for customers and taking an interest in their concerns (it seems many share the same concerns - it’s not like this is an isolated question). A sign of care would be for them to say, “Good point, we don’t want anyone to have their account suspended, we’ll talk to Cloudflare, get some clarity, and publish an update.”

It’s a cross between fair-use and obscenity standards. And like both of those (at least in the US), there is no clear line or definition.

If Cloudflare’s Pay-Go ToS aren’t sufficient there are really only 2 possible solutions I see. The first I have already mentioned… get an Enterprise plan which covers your expected use case. The second is to not use Cloudflare to cache your content.

Like Backblaze’s response you may find “[I] did provide a technically valid answer, but it was also an unsatisfactory answer and, to me, dismissive”; I can’t help that. The answer is based on 10+ years using Cloudflare, being a member of this forum in some capacity since its inception and direct experience helping to onboard tens of thousands of domains to the platform.

Right. So why not call it a fair-use policy and describe it as such? That would be the more customer-friendly, helpful approach I think. As you say, no clear line. ToS are supposed to be about clear lines.

How do I determine if they are sufficient? What do I base my decision on? How can I justify my decision to others?

That’s fine - you’re not Cloudflare and I’m not saying you’re being dismissive. Presumably, you are answering questions here in a voluntary capacity? You’re not being paid to answer customer queries (I am guessing), so the situation is incomparable to that of Backblaze where I was unhelpfully brushed off by a paid support rep. You’ve already been much more helpful. 🙂

If I find your answer is technically valid, then I’ll gladly mark it as solved. But the question is: how do I determine if it is technically valid or not?

I too have been a Cloudflare user and customer since 2009/10 and also worked with hundreds of domains on this platform (I’ve even got a grey t-shirt with the classic Lindon Leader logo on it). I like and recommend the service, and have taken issue with very little in all that time, but I think this is an area that would be helpful to have some clarity on, even if that’s just some ballpark figures. Intentional ambiguity is fine as long as it is clear that the ambiguity is intentional and can be roughly scoped. I’m not being angry or unreasonable here; I’m just pointing out an area that could easily be improved. Feedback welcome, right?

I’m also playing devil’s advocate to a certain extent here. I’ve used Cloudflare and Backblaze B2 together since 2016 and in all instances have never felt concerned about having my accounts suspended because my usage is light – a mere particle in a drop in the ocean. I have a good “feel” for this. I also wrote an article[1] which I uploaded as a gist so I could easily find it again and perhaps help others. It’s now got over 800 stars (unusual for a gist), so this is obviously a quite popular use case. But in all discussions I have about using Cloudflare and B2 together, this issue of the ToS seemingly disallowing this use rears its ugly head and won’t go away.

[1] https://gist.github.com/charlesroper/f2da6152d6789fa6f25e9d194a42b889

By using a plain text reading of the ToS.

Your capacity to not BAD.

I’m not being paid today. But I have been paid to do so. My answer to similar threads remains consistent regardless:

It’s a How long is a piece of string? question.

So is “What constitutes fair use?”

Can I use 3 lines from a poem?

  • If it’s a koan that’s 100%.
  • If it’s The Iliad that’s 0.0191168%.

Can I quote 1% of a book?

  • Maybe?
  • What if I register 100 websites and hyperlink from the end of each section to the next on a different website until all 100% of the book is available?

Cloudflare pays different prices for different regions in terms of bandwidth. S. Korea is much more expensive for bandwidth than Australia which is much more expensive than bandwidth in the US. Cloudflare also has different capacity and utilization in different datacenters… bandwidth that is barely a blip on the radar in their largest datacenter might be a full percentage point or more of total utilization in another.

What if you’re claiming to serve .css content (the file extension says css) but the underlying mime type is a video format and you’ve obfuscated the true content type to try and play fast and loose with the ToS as written? Should you be allowed to stream the same amount (or any) content as someone else who was honest about the file extension type?

Could a site which hosted a video of you and your friends for 5+ years which you shared for nostalgia’s sake suddenly run you afoul of Cloudflare’s ToS if it turns out that unbeknownst to you, your best friend from 7th grade just started dating a celebrity and TMZ found the video featuring your friend and linked directly to it? Yes, it’s theoretically possible.

Understood. I have some degree of confidence the current language is intentional because the real answer is complicated for the reasons outlined above among others… and “abuse of our goodwill by being a cockwaffle brings the ban hammer” is not as user friendly even if it is ultimately more accurate in most circumstances.

There are sites with tremendous levels of traffic (bandwidth and visitors) operating on every tier of Cloudflare’s services. And then there’s my site with 3 visitors a month (2 of them are bots). 😃


OK, got it. I can live with this. I might just roll out the cockwaffle line next time someone challenges the legitimacy of using Cloudflare and B2 together – it’s a good one. 😁