File download is very slow

Hello,

I own a dedicated server where I store BIG files; a folder usually contains 30GB of data. If I download the files from the server by direct IP address, I get around 20MB/s.
With Cloudflare only 1.5MB/s.

I tried everything suggested in this post, but nothing changed.
So, I tried adding the page rule with cache bypassing, using only DNS and not the proxy, and of course purging the cache. Zero result, the download speed is always around 1.5MB/s.

Is this a cap for Cloudflare Free Plan or what?
If this is an issue, does anybody know how to solve it?

Thanks in advance!

It would be better to download such large files with a hostname which is unproxied (grey cloud, DNS-only), if so, due to the ToS as far as I remember.

2 Likes

Hello, thanks for your reply.

Yes, I just verified without the proxy (waiting longer for the cache, otherwise too soon it has the same IP) and now the download is at full speed.

Anyway, with this setup an attacker may easily identify the IP address of my server and potentially perform a DDoS, preventing which is one of the main reasons to use Cloudflare.
Is there a way to hide the IP while preserving the full download speed?

There are two questions above my head currently:

  1. May I ask who needs to download them (one user or more than one)?
  2. Why download them over HTTPS (hopefully) and not (S)FTP, being directly connected to the IP without exposing any ftp.yourdomain.com DNS hostname, or even via rsync, etc.?

Is your site/server strictly for storage and/or a download portal using Cloudflare services?
Are you downloading them or streaming (if video is to be considered)?

Regarding the storage, have you considered some CDN like BunnyCDN, or BackBlaze B2 storage for that (even using a CNAME setup and your own custom domain)?

Cloudflare can cache files at least 10GB large. But if you’re using it to cache media files, you may end up violating ToS 2.8:

Maybe you should disable HTTP/2 and see if there is any difference, if so.

Can you get another static IP and lock it down to the needed port (443?) and only TCP connections (preventing at least the free 1Gbps UDP flood from online services nowadays), including other measures to prevent DDoS?

Furthermore, may I suggest reading the articles below:

Maybe, in this particular case, Cloudflare Spectrum or Magic Transit could help?

1 Like

> and now the download is at full speed.

For how long? It seems like you are not rate-limiting the download speed and knowing that, multiple accesses to that page will overwhelm your system without requiring to attack it at all.

> Is there a way to hide the ip while preserving the full download speed?

Cloud storage and a CDN, I believe that AWS for example has built-in tools to do exactly what you need.
The bandwidth is going to be pricy but that’s to be expected when you are serving 30G files to each visitor, if you are afraid of DDoS attacks to the storage layer then you’d need to reach out to the cloud provider.
The common rule for cloud protection is that by paying a flat amount, you will be protected through obesity, basically, you will scale as much as needed and the service won’t bill you for the resources that were used during the attack.

1 Like
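
The per-client download limiting raised in the reply above, as an added example that is not part of the original thread. It assumes nginx serves the Nextcloud instance on a DNS-only hostname; `cloud.example.com`, the certificate paths, the zone name and every limit value are illustrative placeholders.

```nginx
# Added example (not from the thread). Drop-in for the http context,
# e.g. a file under conf.d/. Assumes the hostname is DNS-only, so
# $binary_remote_addr is the real client address and not a proxy's.

# Shared-memory zone that counts concurrent connections per client IP.
limit_conn_zone $binary_remote_addr zone=dl_per_ip:10m;

# Answer over-limit clients with 429 instead of the default 503.
limit_conn_status 429;
limit_conn_log_level warn;

server {
    listen 443 ssl;
    server_name cloud.example.com;                   # placeholder hostname

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path

    # Weak setting (what the reply warns about): no limits at all, so a
    # handful of clients pulling 30GB folders at 20MB/s each can fill
    # the uplink without any attack taking place.

    # Corrected setting: cap concurrent connections per client IP ...
    limit_conn dl_per_ip 4;

    # ... and cap the speed of each connection once the first 50 MB
    # have been sent, so small files and page loads stay fast.
    limit_rate_after 50m;
    limit_rate       5m;     # 5 MB/s per connection (illustrative value)

    # The existing Nextcloud location blocks stay as they are; the
    # limits above are inherited by them.
}
```

With these values one client IP can draw at most about 20 MB/s in total (4 connections at 5 MB/s). This bounds the cost of ordinary heavy use; it does not hide the origin IP or absorb a volumetric flood.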

Thank you for the detailed answer.

  1. more than one
  2. because final users need to download them via Nextcloud.

Strictly storage, no streaming.
I don’t know if, using such services, I can hide the IP and still use software such as Nextcloud; this deserves more investigation.

This is the most critical point, so I need to completely redesign the infrastructure (considering possible DDoS attacks).

Could you please explain this in detail?
I was thinking of buying some additional IP addresses and rotating them only when a DDoS is detected.

If I disable the proxy I can benefit from the full download speed without problems.
I also disable resource access by direct IP, allowing only the domain name. In this way CF can rate-limit and manage every request even without being proxied.

I need to investigate this solution, but it looks like Nextcloud (the one I’m using) and a CDN are definitively not compatible.