Load Balancing – DDOS Protection for DigitalOcean Droplet and Managed Database

Tags: cloudflare, ddos, digital-ocean, load balancing

I'll first start off by saying I'm no sysadmin or by any means knowledgeable on servers, I'm just a developer tasked with the job of setting up the infrastructure for a SaaS application I'm working on, so forgive me for not entirely understanding everything. I've been doing a lot of research on this but still need a little guidance.

I'm thinking of using DigitalOcean Droplets for a Laravel application. There will be 3 Droplets, 2 acting as web servers and the 3rd being used as a load balancer, all of which will be set up using Laravel Forge. There will be a DigitalOcean Managed Database which both servers will connect to, as well as DigitalOcean Spaces for assets being delivered through their CDN.

Cloudflare will be used for DDoS protection but I'm just wondering how this would be setup, I assume it would be best placed on the load balancer as this is the first line in the chain when viewing/connecting to the site? So a request comes in, Cloudflare handles it, passes the request to the load balancer, which then distributes to either server, where the server then connects to the Managed Database thus protecting both servers and the database in one go.

Is this considered a good setup or is there a better way to configure this? I'm also thinking that the Spaces CDN would need additional DDoS protection as it's a separate area but I'm not sure how to best handle this either or if there is a way to use Cloudflare for the Droplet/Database and the CDN.

I've also read about hiding the server's public IP, which could otherwise be used to bypass Cloudflare. What steps can I take to prevent this and give me the best protection against an attack?

Best Answer

Putting Cloudflare in front of the load balancer is the way to go, since your load balancer then only sees "real" traffic. Cloudflare's DDoS protection works by "hiding" your web server behind their Anycast network, which essentially means that the specific IP that Cloudflare serves as the answer to DNS queries for your site is available at over 100 locations around the world, and would-be attackers then can't overwhelm your web servers since they don't know how to send traffic to them except through Cloudflare.

I'd recommend also looking into using Cloudflare or DigitalOcean for the load balancing part as well, they both offer a dedicated product for this purpose, which is easier to set up and quite a bit more robust. They can also do things like SSL offloading, caching and other things, greatly reducing the load on your web servers.

As for putting Cloudflare in front of the DigitalOcean Spaces CDN, that might be a bit overkill, since DO's CDN should already be quite capable of handling DDoS attacks.
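The answer above only holds if the origin (the load balancer Droplet) really is unreachable except through Cloudflare; anyone who learns its public IP can otherwise hit it directly and skip the DDoS protection entirely. The following is an added example, not part of the original question or answer, showing how to lock the origin down: a source-IP check against Cloudflare's published edge ranges, applied to the TCP peer address rather than to a header (a direct connection can forge CF-Connecting-IP), plus rendering of the matching ufw rules and the nginx real_ip settings. The CIDR list is a constructed snapshot of Cloudflare's published ranges (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6) and may be stale; the connection attempts are constructed sample data; the function names are mine.

```python
"""Origin lock-down helper: allow only Cloudflare's edge to reach the load balancer.

Added example, not from the original post. CLOUDFLARE_RANGES_SNAPSHOT is a
constructed snapshot of Cloudflare's published ranges and may be stale; fetch
the live lists from https://www.cloudflare.com/ips-v4 and /ips-v6 before use.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed snapshot (assumption: refresh from the URLs above on a schedule).
CLOUDFLARE_RANGES_SNAPSHOT = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
    "172.64.0.0/13",
    "2400:cb00::/32",
    "2606:4700::/32",
]

# Constructed sample of connections arriving at the origin: (peer IP, note).
SAMPLE_ATTEMPTS: List[Tuple[str, str]] = [
    ("104.16.1.1", "proxied through a Cloudflare edge"),
    ("203.0.113.9", "direct hit on leaked origin IP, forged CF-Connecting-IP header"),
    ("2606:4700::1", "proxied through a Cloudflare edge over IPv6"),
    ("198.51.100.23", "scanner probing the origin directly"),
]


def parse_ranges(cidrs: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR strings; strict=True rejects malformed entries instead of widening them."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs if c.strip()]


def is_cloudflare_edge(peer_ip: str, ranges: List[IPNetwork]) -> bool:
    """True if the TCP peer address (not any HTTP header) is inside a Cloudflare range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges if net.version == addr.version)


def filter_connections(attempts, ranges):
    """Simulate the host firewall: split attempts into (allowed, dropped) lists."""
    allowed, dropped = [], []
    for peer_ip, note in attempts:
        (allowed if is_cloudflare_edge(peer_ip, ranges) else dropped).append((peer_ip, note))
    return allowed, dropped


def render_ufw_rules(ranges: List[IPNetwork], ports=(80, 443)) -> List[str]:
    """ufw commands: default-deny inbound, then permit web ports only from Cloudflare."""
    cmds = ["ufw default deny incoming"]
    for net in ranges:
        for port in ports:
            cmds.append(f"ufw allow from {net} to any port {port} proto tcp")
    cmds.append("ufw --force enable")
    return cmds


def render_nginx_realip(ranges: List[IPNetwork]) -> str:
    """nginx snippet so logs and rate limits see the visitor IP, trusted only from Cloudflare.

    Note: this deliberately does NOT use allow/deny here, because after real_ip
    rewrites $remote_addr an allow list of Cloudflare ranges would test the
    visitor's address, not the edge's. The reachability restriction belongs in
    the firewall rules above.
    """
    lines = ["# Trust CF-Connecting-IP only when the peer is a Cloudflare edge"]
    lines += [f"set_real_ip_from {net};" for net in ranges]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ranges = parse_ranges(CLOUDFLARE_RANGES_SNAPSHOT)
    allowed, dropped = filter_connections(SAMPLE_ATTEMPTS, ranges)
    for ip, note in allowed:
        print(f"ALLOW {ip:16} {note}")
    for ip, note in dropped:
        print(f"DROP  {ip:16} {note}")
    print("\n".join(render_ufw_rules(ranges)))
    print(render_nginx_realip(ranges))
```

The same peer-address policy can be expressed as a DigitalOcean Cloud Firewall on the load balancer Droplet, which keeps the check off the host entirely; either way, refresh the range list regularly, since Cloudflare does change it, and keep the origin's DNS record proxied (orange cloud) so the IP is never published in the first place.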
