submitted 11 months ago by HorizonTGC@alien.top to c/main@selfhosted.forum

In response to the discussion on a recent thread about whether to trust Cloudflare, as some people are not very comfortable with it terminating HTTPS (MITM).

There is this thing called Fast Reverse Proxy (FRP) https://github.com/fatedier/frp

It's open source, very lightweight and I have used it in multiple instances. Frankly there don't seem to be a lot of people who know/use it here. The idea is you deploy this on a VPS with a public IP, and have your server at home connect to it. It is pretty much like your own Cloudflare tunnel, only you have much more control over it (ports, TCP/UDP/HTTP, auth, etc.).

I use it on the cheapest VPS ($5) I can find close to where I live. It acts as a simple TCP reverse proxy to my server, where Nginx Proxy Manager handles the actual HTTPS. (You can let FRP handle HTTPS, but then you need to think about whether you trust the VPS and also keep the certs updated there, so nah.)

It's developed by a Chinese dude, as it is pretty much a necessity for selfhosters (mostly Minecraft servers) in China, since public IPs are scarce there and most people live behind CGNAT.
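The setup the post describes (frps on the VPS, frpc at home, plain TCP passthrough so TLS terminates at Nginx Proxy Manager), as an added configuration example that is not from the post or the frp project. Both files are shown in one block separated by comment headers; the VPS address and the token are placeholders, and it assumes frp's current TOML configuration format.

```toml
# ---------------- frps.toml (runs on the VPS) ----------------
bindPort = 7000                                  # control port frpc connects to
auth.method = "token"
auth.token = "REPLACE_WITH_LONG_RANDOM_SECRET"   # placeholder; must match frpc
transport.tls.force = true                       # reject clients without TLS on the control channel
# Only allow proxies on the port we intend to expose; a compromised or
# misconfigured client cannot open anything else on the VPS.
allowPorts = [
  { single = 443 },
]

# ---------------- frpc.toml (runs on the home server) ----------------
serverAddr = "203.0.113.10"                      # placeholder VPS address (TEST-NET-3)
serverPort = 7000
auth.method = "token"
auth.token = "REPLACE_WITH_LONG_RANDOM_SECRET"   # same placeholder as above
transport.tls.enable = true                      # encrypt the frpc <-> frps control channel

# Plain TCP passthrough: the VPS relays bytes only. The TLS handshake
# terminates at Nginx Proxy Manager at home, so no certificate or private
# key ever lives on the VPS.
[[proxies]]
name = "npm-https"
type = "tcp"
localIP = "127.0.0.1"                            # Nginx Proxy Manager listening locally
localPort = 443
remotePort = 443                                 # public port on the VPS
```

Open 443 and 7000 on the VPS firewall (7000 only from the home connection if its address is static). Because the VPS forwards raw TCP, Nginx Proxy Manager will log the VPS as the client address unless PROXY protocol is enabled on both sides.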

[-] sinofool@alien.top 1 points 11 months ago

What recent thread about trusting Cloudflare?

A tunnel needs client software; it's higher risk, a larger attack surface than a normal HTTP reverse proxy.

The Cloudflare tunnel feature is part of its zero-trust product. It makes sense if you are capable of auditing the client source code. If you trust the client as you trust the nginx reverse proxy software, the tunnel is safer.

The regular free Cloudflare proxy includes a basic WAF; it is more useful than a self-hosted VPS reverse proxy or fail2ban. These commercial services learn attack patterns much earlier.

My homelab's exposed services all have real HTTPS certs behind Cloudflare. My services are configured to trust Cloudflare origins only, so attackers cannot bypass the WAF. This is also the same setup my workplace uses to protect multi-million transactions.

If the tunnel is used not for security reasons but to bypass CGNAT, it's at least not worse than a self-hosted reverse proxy.

this post was submitted on 22 Nov 2023