this post was submitted on 09 Jan 2024
40 points (95.5% liked)

I read a comment on here some time ago where the person said they were using cloudflared to expose some of their self-hosted stuff to the Internet so they can access it remotely.

I am currently using it to expose my RSS feed reader, and it works out fine. I also like the simplicity of Cloudflare's other offerings.

Any thoughts on why cloudflared is not a good idea? What alternatives would you suggest? How easy/difficult are they to setup?

all 40 comments
[–] [email protected] 70 points 10 months ago (4 children)

I think concerns come in two flavours:

  1. Privacy/security: Cloudflare terminates HTTPS, which means they decrypt your data on their side (e.g. browser to cloudflare section) then re-encrypt for the second part (cloudflare to server). They can therefore read your traffic, including passwords. Depending on your threat model, this might be a concern or it might not. A counterpoint is that Cloudflare helps protect your service from bad actors, so it could be seen to increase security.
  2. Cloudflare is centralised. The sidebar of this community states "A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.", and Cloudflare is for sure a service you don't control, and arguably you're locked into it if you can't access your stuff without it. Some people think Cloudflare goes against the ethos of self-hosting.

With that said, you'll find several large lemmy instances (and many small ones) use cloudflare. While you'll easily find people against its use, you'll find many more people in the self-hosted community using it because it's (typically) free and it works. If you want to use it, and you're ok with the above, then go ahead.

[–] [email protected] 21 points 10 months ago

There's a third point which is: Things in CloudFlare are publicly accessible, so if you don't put a service in front for authentication and the service you're exposing has no authentication, a weak password or a security issue, you're exposing your server directly to the internet and bad actors can easily find it.

Which is why some services that I don't want to have complicated passwords are only exposed via Tailscale, so only people inside the VPN can access them.

[–] [email protected] 4 points 10 months ago (1 children)

In addition to the above, most of the perceived advantages of CF are non-existent on the free tier that most people use. Their "DDoS protection" just means they'll drop your tunnel like a hot potato, and their "attack mitigation" on the free tier is a low-effort web app firewall (WAF) that you can replace with a much better and fully customizable self-hosted version.

[–] [email protected] 4 points 10 months ago (1 children)

They explicitly use free DDoS protection as a way to get you in the door, and upsell you on other things. Have you seen them "drop your tunnel like a hot potato"?

Now obviously if their network is at capacity they would prioritise paying customers, but I've never heard of there being an issue with DDoS protection for free users. But I have heard stories of sites enabling Cloudflare while being DDoSed and it resolving the problem.

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago) (1 children)

Any stories you've heard about websites enabling CF to survive DDoS were not on the free tier, guaranteed.

Please re-read the description for the free tier. Here's what "DDoS protection" means on free tier:

Customers are not charged for attack traffic ever, period. There’s no penalty for spikes due to attack traffic, requiring no chargeback by the customer.

Will they use some of their capacity to minimize the DDoS effects for their infrastructure? Sure, I mean they have to whether they like or not, since the DNS points at their servers. But will they keep the website going for Joe Freeloader? Don't count on that. The terms are carefully worded to avoid promising anything of the sort.

[–] [email protected] 7 points 10 months ago

They also say "Cloudflare DDoS protection secures websites and applications while ensuring the performance of legitimate traffic is not compromised.", with a tick to indicate this is included in the Free tier.

You are honestly the first person I've heard complain about Cloudflare failing to protect against DDoS attacks. However, I have no doubt that not having Cloudflare, I would fare no better. So still seems worthwhile to me.

[–] [email protected] 3 points 10 months ago (1 children)

I have a cloudflare tunnel setup for 1 service in my homelab and have it connecting to my reverse proxy so the data between cloudflare and my backend is encrypted separately. I get no malformed requests and no issues from cloudflare, even remote public IP data in the headers.

Everyone mentions this as an issue, and I am sure doing the default of pointing cloudflared at a http local service but it's not the ONLY option.

[–] [email protected] 3 points 10 months ago (1 children)

I'm not quite sure I get what you're getting at. If you're using Cloudflare (for more than just a nameserver), then the client's browser is connecting to Cloudflare via a Cloudflare SSL certificate. Any password (or other data) submitted will be readable by Cloudflare because the encryption is only between the browser and Cloudflare. They then connect to your reverse proxy, which might have SSL or it might be unencrypted. That's a second jump done by re-encrypting the data.

How does the reverse proxy help, when the browser is connecting to Cloudflare not to the reverse proxy?

[–] [email protected] 2 points 10 months ago

Fair, I was more thinking from the server side not the client side where cloudflare certs are the ones seen first.

[–] [email protected] 2 points 10 months ago (1 children)

The first point is only when you use the tunnel function, right?

Because I noticed, if I use the tunnel function (hiding your private IP) the site gets a Cloudflare certificate, but if just using it as DNS (without tunnel) the page has my certificate.

[–] [email protected] 3 points 10 months ago

If you use DNS with proxy it still applies, you should get a Cloudflare certificate then. But yes, if you use Cloudflare as DNS only, then it should be direct. I believe you get none of the protection or benefits doing this, you're just using them as a name server.

The Cloudflare benefits of bot detection, image caching, and other features all rely on the proxy setting.

Also if proxying is enabled, your server IP is hidden which helps stop people knowing how to attack your server (e.g. they won't have an IP address to attempt to SSH into it). You don't get this protection in DNS only mode either.

Basically if you're using DNS only, it's no different to using the name server from your domain registrar as far as I can tell.

[–] [email protected] 9 points 10 months ago (1 children)

I use a VPS I have for many purposes and a setup of Netbird + Caddy to do what Cloudflare does (but without their redundancy and worldwide distribution of hardware of course) but self-hosted. Personally I'm very much against relying on a large corporation which doesn't give a fuck about me as a customer for access to my stuff.

[–] [email protected] 1 points 10 months ago (1 children)

Oh... I like this. Any more ideas and suggestions?

[–] [email protected] 2 points 10 months ago

I'm unsure what you're asking for? You could replace Netbird with any other WireGuard implementation and Caddy with any other reverse proxy. I just found those two to be very self hosting and FOSS friendly options.

As for what to use it for it allows me to run Jellyfin from home, while having Authentik be a forward authentication proxy in front of it so only people with an account can reach it while still allowing me to reach it from any device anywhere with Internet. It's very nifty.

[–] [email protected] 5 points 10 months ago (1 children)

No idea about cloudflare.

If you want a meshvpn, use zerotier. Easy as installing it on both devices and connecting them

[–] [email protected] 2 points 10 months ago (2 children)

I use and love zerotier. Just that using it on mobile is a bit of an effort with the VPN. Also, it doesn't seem to support DNS like cloudflared does? Am I missing something in zerotier or is the only way you can access your servers is by IP address?

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago)

I set up AdGuard DNS on the network I host my services on and made Tailscale use it as a second DNS. This lets me access services using domain names. I'm sure you can do something similar with zerotier but I've never used it.

Also, it doesn't have to be AdGuard DNS. Any DNS will be fine.

https://tenekev.com/posts/internal-dns-for-your-tailscale-network/

[–] [email protected] 2 points 10 months ago (1 children)

You can always use regular DNS and simply point your domain's records at hosts on your home's local network and/or the mesh VPN addresses. I do that with Tailscale.

[–] [email protected] 2 points 10 months ago (1 children)

Never done that before. Interesting! Will try that out and see what happens.

[–] [email protected] 2 points 10 months ago

Note that some SOHO router appliances block DNS responses with local addresses ("rebind protection"). You may have to explicitly allow-list your domain(s).
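
The setup discussed in the comments above (public DNS records pointing at LAN or mesh-VPN addresses, and rebind protection dropping such answers), as an added example that is not part of any comment in the thread. The address ranges, the `include_cgnat` switch and the sample records are assumptions; the ranges a given router actually filters vary.

```python
import ipaddress

# Ranges a rebind filter typically treats as "local". Assumption: the exact
# list differs per router/resolver. 100.64.0.0/10 (the range Tailscale assigns
# from) is kept separate because not every filter includes it.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_local(addr, include_cgnat=False):
    """True if a rebind filter with the ranges above would flag this address."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    nets = LOCAL_NETS + ([CGNAT] if include_cgnat else [])
    return any(ip.version == n.version and ip in n for n in nets)


def allow_listed(name, allowed_domains):
    """True if name equals an allow-listed domain or is a subdomain of one."""
    name = name.rstrip(".").lower()
    domains = (d.rstrip(".").lower() for d in allowed_domains)
    return any(name == d or name.endswith("." + d) for d in domains)


def audit(records, allowed_domains=(), include_cgnat=False):
    """Map each record name to 'passes', 'allow-listed' or 'dropped'."""
    verdicts = {}
    for name, addr in records:
        if not is_local(addr, include_cgnat):
            verdicts[name] = "passes"
        elif allow_listed(name, allowed_domains):
            verdicts[name] = "allow-listed"
        else:
            verdicts[name] = "dropped"
    return verdicts


# Constructed sample records: hostnames and addresses are made up.
SAMPLE = [
    ("rss.example.org", "192.168.1.20"),          # LAN host
    ("jellyfin.example.org", "100.101.102.103"),  # mesh-VPN address
    ("blog.example.org", "203.0.113.7"),          # stands in for a public IP
    ("nas.example.net", "::ffff:10.0.0.5"),       # IPv4-mapped LAN host
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE, ["example.org"], True).items():
        print(f"{name:24} {verdict}")
```

Records reported as `dropped` are the ones that would resolve on mobile data but fail behind a router with rebind protection until the domain is allow-listed there.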

[–] [email protected] 4 points 10 months ago

Nothing, go ahead.

[–] [email protected] 3 points 10 months ago

Cloudflare has been controversial for dragging their feet when it was time to stop providing protection to nazi websites like The Daily Stormer, 8chan and Kiwi Farms. Also the Taliban, ISIS and so on. More about this.

For this reason, a lot of fediverse servers do not use CloudFlare.

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago) (1 children)

Using CloudFlare and using the cloudflared tunnel service aren't necessarily the same thing.

For instance, I used cloudflared to proxy my Pihole servers' requests to CF's DNSoHTTPS servers, for maximum DNS privacy. Yes, I'm trusting CF's DNS servers, but I need to trust an upstream DNS somewhere, and it's not going to be Google's or my ISP's.

I used CloudFlare to proxy access to my private li'l Lemmy instance, as I don't want to expose the IP address I host it on. That's more about privacy than security.

For the few self-hosted services I expose on the internet (Home Assistant being a good example), I don't even bother with CF at all. I use Nginx Proxy Manager and Authelia, providing SSL I control, enforcing a 2FA policy I administer.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago) (1 children)

Actually you don't need to trust an upstream DNS server. Check out dnscrypt-proxy on GitHub. You can use dnscrypt with Anonymized DNS relays. You can use the IP of this dnscrypt-proxy as your DNS resolver.

[–] [email protected] 1 points 10 months ago

Yeah, I came across this project a few months ago, and got distracted before wrapping my head around the architecture. Another weekend project to try out!

[–] [email protected] 2 points 10 months ago (2 children)

I don't use it, but video streaming is against their TOS. Other than that I just read good experience with them

[–] [email protected] 2 points 10 months ago

Pretty sure that's only if you use their proxy service on your domain. Regular, non-proxied, DNS should not have any restrictions like that.

[–] [email protected] 1 points 10 months ago

I believe this is old information and any restrictions around serving non-HTML content have been removed from their terms of service related to Cloudflare tunnels.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago) (2 children)
Subject to the terms of this Agreement, you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services.

You'll have to be fine with Cloudflare having any and all rights to the data transmitted through the tunnel, while you in return have none. They pinky promise not to fuck you over, but they also promise to legally bury you for any infringement at their discretion.

For me, this is a non-starter.

[–] [email protected] 2 points 10 months ago (1 children)

This is disingenuous.

The full clause says...

You and your End Users (as such term is defined in the Privacy Policy) will retain all right, title and interest in and to any data, content, code, video, images or other materials of any type that you or your End Users transmit to or through the Services (collectively, “Customer Content”) in the form provided to Cloudflare. Subject to the terms of this Agreement, you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services.

So to paraphrase, you retain your interest, but assign sufficient rights to cloudflare for them to provide the service you're using. For example, they can't give you a CDN if you don't give them the right to transmit your data.

[–] [email protected] 1 points 10 months ago (1 children)

Disagree. "Necessary to provide the service" means whatever they want it to mean. If they deem it necessary to monetize your data so they can offer you their service "for free", that is well within their right to do. The fact that you "retain all rights" just means you can use your data too without asking Cloudflare for permission.

[–] [email protected] 1 points 10 months ago (2 children)

Surely you have to acknowledge that it's disingenuous to copy the last sentence of the clause and omit the first sentence that says the exact opposite of the point you're trying to make.

You're reading "bad faith" into the vagaries of a terms & conditions document. T&Cs will never say "we will never monetise this data", that's just not how T&Cs work, and it's naive to conclude that the absence of such a statement means that cloudflare intends to monetise the data.

If you look at Cloudflare's strategy here, they want to be the sweetheart of everyone who knows what a VPN is in order that they will be selected by those people for corporate projects. Monetising the data that flows through their network is antithetical to that objective.

Additionally I would venture that the data doesn't really have any value, it would be impossible to use it to build data about an individual's browsing or buying habits.

[–] [email protected] 1 points 10 months ago (1 children)

Surely you have to acknowledge that it's disingenuous to copy the last sentence of the clause and omit the first sentence that says the exact opposite of the point you're trying to make.

No it doesn't. The first sentence does not state anything that is not already clarified by law. Hence, it adds zero value to the actual meaning of the paragraph.

You are a person. Your basic human rights are guaranteed to you by law. Given that, you hereby grant me the right to enter your house and shave your head at my discretion and however often I wish, if I deem it necessary to provide to a free service that I don't classify further in this agreement.

Same thing, you can say if I redact the first two sentences from the quote I'm being disingenuous, but really I'm just trying to get one over on you by making you feel like you have some control in this when in actuality you do not.

[–] [email protected] 2 points 10 months ago

The first part of the sentence you quoted says "subject to the terms of this agreement". The most salient part of the agreement is the sentence you omitted.

Your claim was:

You’ll have to be fine with Cloudflare having any and all rights to the data transmitted through the tunnel, while you in return have none.

... and you omitted the sentence which describes the rights you have as the user, contradicting your assertion that users have none. If you don't think that's disingenuous then I don't know what to tell you mate.

[–] [email protected] 1 points 10 months ago (1 children)

If you look at Cloudflare's strategy here, they want to be the sweetheart of everyone who knows what a VPN is in order that they will be selected by those people for corporate projects. Monetising the data that flows through their network is antithetical to that objective.

This is just naïve. Cloudflare is a business and if they see more value in selling you out, and legally you agreed they may, then they will. Acting "antiethical" has never stopped a big player from infringing on the rights of small players, especially in the tech industry where individuals essentially have zero rights.

Additionally I would venture that the data doesn't really have any value, it would be impossible to use it to build data about an individual's browsing or buying habits.

Interesting. I would pay you $5 monthly for all the data going through your tunnel under the same conditions that cloudflare requires you to agree to. How about it?

[–] [email protected] 1 points 10 months ago

Cloudflare is a business and if they see more value in selling you out, and legally you agreed they may, then they will.

Exactly. My whole point is that there's no value in selling you out. Their whole strategy is to garner favor with privacy conscious individuals like your good self.

Acting “antiethical”

You realise antiethical is not a word right?

I would pay you $5 monthly for all the data going through your tunnel

I don't actually use any cloudflare products. However, I believe this is more or less the crux of our delightful tête-à-tête: how do you propose to derive value from my data?

[–] [email protected] 1 points 10 months ago

Eh. ISPs in the US are much the same.

[–] [email protected] 0 points 10 months ago* (last edited 10 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| CF | CloudFlare |
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| SSH | Secure Shell for remote terminal access |
| SSL | Secure Sockets Layer, for transparent encryption |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |

8 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #414 for this sub, first seen 9th Jan 2024, 07:05]

[–] [email protected] -3 points 10 months ago

Cloudflared is great.