Don’t do any of that crap, just put it behind a free cloudflare account. It’s not only the best protection you can get, but also has the distinct advantages of caching static content in their CDN and hiding your real IP address from attackers. Cloudflare free is an amazing deal.
My immediate guess would be that it attracts customers. It’s only for free to get started really, as soon as it grows to a certain size, it’ll cost. Chance for someone moving their entire site/app/whatever when it starts costing, is limited.
Also, by looking at what other customers do. Lets say what a lowend paying customer use within one year represents 100%, then offering future customers 80% for free, there’s a reasonable probability they’d become paying customers within the first year.
At the same time, free customers most likely run on overhead hardware that’s already online, but not doing anything, if you use the resources to run the hardware, it might as well do something.
Can come up with several more reasons for them doing it, but I think you get the gist. It’s quite simple, want someone to do something, present them with two options, where there’s one they’d probably be fine with “A”, and one that’s better “B”. You just sold them “B”.
Out of curiosity I’m interested in knowing how they do it, but at the end of the day, I’d like to know how to set something like that up on my own hardware, so I can host my own stuff, on my own server, in my own house. Without anyone mooching off of meta data and whatever else they can derive from what I’m doing.
Cloudflare free is a loss-leader, plain and simple. It’s feature-limited, BUT the features they give away are the ones everybody wants-- DDOS protection, a CDN to reduce your bandwidth usage, hiding your IP address, and transparent SSL.
If you want their much cooler features, and CF has some badass features, you need to pay. Stuff like load-balancing, more than a handful of page rules, their web application firewall, threat-blocking and suspicious visitor challenges, PCI compliance, detailed reporting, phone support, or any of their extensions, some of which are really cool, you gotta open up your wallet.
And their plans start at only $20/month, which is no big deal.
Setting it up is really easy. Sign up on their website and transfer your authoritative nameservers over. Their web UI is very easy to follow and fully documented.