Today I've migrated all Magic Pages sites from Bunny.net to Cloudflare. This is an unexpected addition to the ongoing infrastructure change from Kubernetes to Docker Swarm, which has started last year. I wanted to share some background on why I made this switch.
The spam problem
If you've been following my personal blog, you might have seen my post about fighting Ghost magic link spam. Ghost's passwordless login is elegant, but it's become a target for spammers who abuse the "send magic link" endpoint to flood inboxes. One potential goal for this is to test inboxes and find potential victims for phishing (if they click a random magic link button they might also click other buttons in random emails).
The attacks are sophisticated – requests come from rotating Tor exit nodes, making traditional IP-based rate limiting ineffective.
Bunny.net's WAF could help, but it would mean an upgrade from their free Shield product to the Advanced tier. However, their pricing model charges per site. Even with negotiated pricing, this became unattractive to the point where I'd need to use about 30% of Magic Pages monthly revenue just to pay for this feature. That simply wasn't viable.
Why Cloudflare
Cloudflare for SaaS works differently. Instead of per-zone pricing, there is a single zone which covers all customer domains. This means a single WAF rule can protect every Magic Pages site simultaneously. Even better, Cloudflare identifies Tor exit nodes with a special country code, so I can challenge suspicious requests before they ever reach your site.
The performance gains were a pleasant surprise. Testing showed 40-50% faster load times compared to Bunny.net, thanks to Cloudflare's larger edge network.
What changed for you
Custom domains now go through Cloudflare's infrastructure. SSL certificates are issued automatically, and DNS validation is more reliable.
The switchover revealed a small number of customers with incorrect DNS setups. These worked on Bunny.net, since Bunny.net essentially just said "well, if it reaches our server somehow it's fine". Cloudflare, on the other hand, is more strict.
The affected customers have been contacted via email.
What's next
I'm monitoring everything closely. If you notice anything unusual with your site's performance or domain setup, just reach out. The migration has been smooth so far, but I'm here if you notice any bumps.