I wonder what are suitable methods to protect a Lemmy instance against DDOS attacks.
For example, can we use Cloudflare? Or could it break the federation?
Anything about running your own Lemmy instance. Including how to install it, maintain and customise it.
Be sure to check out the docs: https://dev.lemmy.ml/docs/administration.html
If you have any problems, describe them here and we will try to help you fix them.
Unless your VPS host has good DDOS protection, there really isn’t a good answer. Cloudflare should never be considered as they are a man in the middle, who gets every web form post (think usernames and passwords) unencrypted.
Passwords should never go unencrypted, should they? For example, my mail password doesn’t travel unencrypted, as it uses TLS, etc. Nor do my passwords travel unencrypted over HTTPS, do they?
So, are Lemmy passwords traveling unencrypted??
When a website uses Cloudflare, TLS encrypts the connection (including passwords, etc.) from your web browser to Cloudflare - not from your browser all the way to the actual site you’re logging in to. (Then, if the request can’t be satisfied by Cloudflare’s cache, there is another TLS connection from Cloudflare to the “origin server”.)
In either case, Cloudflare sees everything sent to hostnames hosted by them.
Some sites might have your password sent to a different hostname that isn’t hosted by cloudflare, in which case they wouldn’t see your password, but, they would typically still see the resulting session cookie which allows someone to log in as you.
Cloudflare is like any other machine-in-the-middle attack except instead of being something everyone knows they should avoid, it somehow is a service that some people actually pay for (perhaps because they like to imagine that their website might one day be so popular that their VPS would be insufficient to serve it).
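The two-hop TLS model described in the reply above (browser to edge, then edge to origin) is something an instance admin can verify from the client side: if the leaf certificate and response headers come from the edge provider rather than the origin, the edge is the party decrypting every login form and session cookie. The following is an added example, not code from this thread or from the Lemmy project. The header names `cf-ray`, `cf-cache-status` and `server: cloudflare` and the issuer organisation `Cloudflare, Inc.` are real markers of Cloudflare-fronted sites; the sample headers and certificate dictionaries are constructed, and `live_check` is an assumed helper for running the same classification against a host you administer.

```python
"""Classify who terminates TLS for an HTTPS response: the origin host or a
CDN / reverse-proxy edge in front of it.  Added example, not code from the
thread or the Lemmy project."""
import socket
import ssl
from typing import Dict, List, Optional

# Assumption: markers a Cloudflare-fronted site commonly presents to clients.
# Extend these sets for other edge providers you want to recognise.
EDGE_ISSUER_ORGS = {"Cloudflare, Inc."}
EDGE_HEADER_MARKERS = {"cf-ray", "cf-cache-status"}
EDGE_SERVER_VALUES = {"cloudflare"}


def classify_termination(headers: Dict[str, str], issuer_org: Optional[str]) -> Dict[str, object]:
    """Return a verdict on where the client's TLS session ends.

    headers    - response headers as seen by the client (any key case)
    issuer_org - organizationName of the issuer of the leaf certificate
                 presented in the TLS handshake, or None if unknown
    """
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    evidence: List[str] = []
    if any(h in lowered for h in EDGE_HEADER_MARKERS):
        evidence.append("edge-specific response headers present")
    if lowered.get("server") in EDGE_SERVER_VALUES:
        evidence.append("Server header names the edge provider")
    if issuer_org in EDGE_ISSUER_ORGS:
        evidence.append("leaf certificate issued by the edge provider's CA")
    terminated_at_edge = bool(evidence)
    return {
        "terminated_at_edge": terminated_at_edge,
        "evidence": evidence,
        "implication": (
            "the edge decrypts every request body, including login forms and session cookies"
            if terminated_at_edge
            else "no edge markers found; TLS appears to end at the origin"
        ),
    }


def issuer_org_from_cert(cert: Dict[str, object]) -> Optional[str]:
    """Pull organizationName out of the issuer field in the dict form that
    ssl.SSLSocket.getpeercert() returns (a tuple of RDNs, each a tuple of
    (key, value) pairs)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def live_check(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Network version (assumed helper): fetch '/' over TLS from a host you
    administer and classify the result.  Not used by the offline samples."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = issuer_org_from_cert(tls.getpeercert())
            tls.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            chunks: List[bytes] = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):
                    break
    head = b"".join(chunks).split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
    return classify_termination(headers, issuer)


# Constructed samples: what a Cloudflare-fronted instance and a directly
# served instance would present to the browser.
SAMPLE_EDGE_HEADERS = {"Server": "cloudflare", "CF-RAY": "placeholder-ray-id", "Content-Type": "text/html"}
SAMPLE_EDGE_CERT = {"issuer": ((("countryName", "US"),),
                               (("organizationName", "Cloudflare, Inc."),),
                               (("commonName", "Cloudflare Inc ECC CA-3"),))}
SAMPLE_ORIGIN_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}
SAMPLE_ORIGIN_CERT = {"issuer": ((("countryName", "US"),),
                                 (("organizationName", "Let's Encrypt"),),
                                 (("commonName", "R3"),))}

if __name__ == "__main__":
    for name, hdrs, cert in (("edge", SAMPLE_EDGE_HEADERS, SAMPLE_EDGE_CERT),
                             ("origin", SAMPLE_ORIGIN_HEADERS, SAMPLE_ORIGIN_CERT)):
        print(name, classify_termination(hdrs, issuer_org_from_cert(cert)))
```

The header check alone is not proof (an origin can set any `Server` value), which is why the certificate issuer is checked as well: the certificate the browser validates is the one presented by whoever holds the private key for that hostname, and if that is the edge provider, the edge is the endpoint of the browser's TLS session regardless of what the second hop to the origin looks like.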