Frequently Asked Questions

support@luhnar.com

General

Q. How do you compare to Cloudflare?

Cloudflare's free plan is a great way to get started with caching your static assets in a global CDN while providing an extra layer of DDoS protection. Beyond the free plan, however, many people find that Cloudflare's features are complicated to use, and tend to be tailored for big enterprises and app developers.

At Luhnar, we're out to help a different group of people. We understand how complex and time-consuming it is to deliver custom sites that sell. As a busy web professional in the small business community, you don't have time to go around doing a bunch of configuration push-ups just to shave a few milliseconds off your load time.

That's why we've curated a set of powerful website performance features that work automatically to provide measurable, positive results for your small business clients. And we back everything up with our friendly support team to help you get the most out of Luhnar.

Q. Will Luhnar work for my website?

Luhnar works best for custom business websites built on WordPress and similar CMS platforms.

Site builders like Wix, Shopify, and BigCommerce are designed to be used standalone and tend not to work as well with third-party services like Luhnar.

While Luhnar's defaults work well for many small business sites, in some cases you may need to adjust a few settings in the Luhnar dashboard. For this reason, we always recommend thoroughly testing newly-added sites via our test domain, before going live and switching over the primary domain. This gives you a chance to identify any potential issues and adjust site settings accordingly.

Our friendly support team is always happy to help onboard your site if you run into any snags. Just ask!

Q. How does Luhnar improve SEO?

Because the SEO benefits of performance and security are often overlooked, improving your page speed and enabling HTTPS gives you an unfair advantage (in a good way!). Google believes that a faster, more secure website provides a better user experience, which is why page speed and HTTPS have become important ranking factors in recent years.

Q. What happens when I go over the data transfer limit?

The monthly price of each plan includes a certain amount of data transfer. Additional data transfer is automatically billed at 10¢ per GiB for the Business Accelerator plan, and 50¢ per GiB for the Smart Essentials plan. You can visit the Luhnar control panel at any time to see how much data each website is using.

We do not limit the number of assets or pages that can be optimized for each site.

Q. Will I still be able to log into my CMS?

For many content management systems, such as WordPress, the admin area will continue to function normally using Luhnar's default settings. However, if you are using a custom system or have modified the default admin URL for your CMS, you may need to add a URL prefix for the admin portion of your site to the "Never Cache" site setting in the Luhnar control panel. This will prevent Luhnar from caching any admin pages, as they may contain sensitive information.

If your CMS login page simply refreshes after you attempt to log in, your CMS may be trying to associate your login session with a particular client IP address. To work around this, configure your web server to use the X-Forwarded-For header, set by Luhnar, to pass on the correct IP address to the CMS.

Alternatively, you can log into your CMS directly, using the origin domain name you created when setting up Luhnar for the site.

Q. Can I still access email, cPanel, FTP, etc. with Luhnar enabled?

Absolutely! However, it is important to note that in order to prevent abuse and ensure quality-of-service, Luhnar only forwards HTTPS traffic on the standard port (443). Therefore, to access additional services that may be running on your server on different ports, such as FTP, SSH, cPanel, WHM, or email (POP/IMAP), you will need to use the origin domain name that you created when adding the site to Luhnar.

Optimizations

Q. How long does Luhnar cache pages, images, and other assets?

For cacheable pages and assets, Luhnar first checks for any Cache-Control headers returned by the origin web server that hosts the site. If the origin server specifies a cache duration of at least a few hours, Luhnar will cache the item for that same duration. Otherwise, Luhnar uses a default duration that is tuned to balance site performance with content freshness.

Note that you can always manually refresh Luhnar's cache from the site settings page in the Luhnar dashboard.

Q. What if I have an image, JS file, or other asset that I don't want optimized?

By default, Luhnar optimizes all CSS, JS, and image files. If you have an image that you need to provide at studio quality to your visitors (e.g., for professional editing or printing), simply add "no-transform=y" to the query string in the image URL to disable optimizations. Similarly, in the rare case that a particular JavaScript or CSS file is not working correctly after being minified, simply add "no-transform=y" to the query string for the asset's URL. Adding this parameter will disable Luhnar's minifier.

Q. How does Luhnar determine whether something is cacheable?

Luhnar automatically optimizes and caches static assets, such as images, CSS, JavaScript, PDFs, and fonts. When it comes to HTML, Luhnar can be configured to automatically cache pages if the content appears to be static (the HTML is not personalized for different visitors).

Luhnar will always disable caching for "view cart", "checkout", and "admin" pages for WordPress and other similar CMS platforms.

Otherwise, you can always configure a list of path patterns to force assets to either be cached or not cached by Luhnar, as needed.

Security

Q. Do I have to set up HTTPS on my web server to use Luhnar?

If your web server does not currently have an SSL certificate installed, Luhnar can still talk to it over regular HTTP. However, we still recommend enabling HTTPS on your server if possible, to ensure that all communications are protected end-to-end.

Q. Does my website really need HTTPS?

Although many informational sites still use HTTP today, we join industry experts in highly recommending that you switch to serving all of your content over a secure HTTPS connection.

Doing so not only helps prevent hackers from hijacking your JavaScript libraries and other sensitive assets, but also speeds up your website and improves your SEO. This is why we offer FREE SSL certificates and automatic HTTPS with every plan.

Q. What if my web host already uses Let's Encrypt?

You can still have Luhnar provision a Let's Encrypt (LE) certificate for you to use on our edge servers as long as your web host is using a non-wildcard Let's Encrypt certificate for your site. Unfortunately, due to the design of Let's Encrypt, it is not possible for Luhnar to automatically manage an LE cert for our own edge servers when you use a wildcard cert on your origin server.

If you do not have the option to switch your origin server to use a non-wildcard LE cert, please contact our support team and we will be happy to help.

Q. How does Luhnar handle forms and other POST requests?

Luhnar simply forwards POST and PUT requests to the origin web server that hosts the site. This means that form submissions, XHR requests, and REST API calls will continue to work as expected. Note, however, that all request bodies are limited to 250 MiB.

Q. How can I get the visitor's IP address or User-Agent string?

Luhnar sets the X-Forwarded-For, X-Real-IP, True-Client-IP and Forwarded headers for requests that are passed on to the origin server. Hosting providers such as WPEngine can configure your site firewall to use one of these headers to obtain the true Client IP address.

Because the headers above are easy for an attacker to spoof, you should only trust them when a request is received from one of Luhnar's proxy addresses. The current list of IPs can be obtained by querying the reverse.proxy.rhith.io DNS record, e.g.:

dig +short reverse.proxy.rhith.io

Note that Luhnar will also forward the User-Agent string from the browser when requesting pages, but we recommend not configuring your origin server to return different content based on that string, as doing so may result in sub-optimal caching.
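
One way an origin application could apply the trust rule above, shown as an added example that is not Luhnar's own code. The networks in TRUSTED_PROXIES are constructed sample values standing in for the list returned by the DNS query, the function names are hypothetical, and the code assumes the proxy appends the address it saw to the right of any existing X-Forwarded-For value.

```python
import ipaddress

# Constructed sample networks (documentation ranges). In production, fill this
# from the proxy address list published in DNS, and refresh it periodically.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/28", "2001:db8:1::/64")
]


def _is_trusted(addr, trusted):
    """True if addr falls inside any trusted proxy network."""
    return any(addr in net for net in trusted)


def client_ip(peer, headers, trusted=TRUSTED_PROXIES):
    """Return the address a request should be attributed to.

    peer    -- source address of the TCP connection, as a string
    headers -- request headers as a dict (names matched case-insensitively)
    """
    peer_addr = ipaddress.ip_address(peer)
    # A peer outside the proxy list connected directly, so any forwarding
    # header it sent is attacker-controlled and is ignored.
    if not _is_trusted(peer_addr, trusted):
        return str(peer_addr)

    xff = next(
        (v for k, v in headers.items() if k.lower() == "x-forwarded-for"), ""
    )
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: rightmost entries were appended by proxies we trust.
    # The first untrusted address is the client; anything further left was
    # supplied by that client and is unverified.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the socket peer
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer_addr)
```

The same check applies to X-Real-IP, True-Client-IP and Forwarded: read them only after the socket peer has matched the proxy list.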

Q. Is Luhnar PCI compliant?

While we take security seriously at Luhnar, we do not currently offer PCI compliance for our standard plans. That being said, we may offer PCI compliance in the future if there is enough demand from the community.

Regardless, it is best to avoid passing card data or personally identifiable information (PII) through your site directly (which would require completing PCI-DSS SAQ C or D), and to use hosted pages or iframe-based solutions instead (which require only SAQ A). All modern payment processors support the latter option, making it easy to switch if you need to.

See also: https://docs.recurly.com/docs/pci-dss-compliance#section-pci-compliance-for-merchants