Do you have the examples of this so I can take a look? Was it forwarded ports that were opened to all Cloudflare ranges, or tunnels and a backend exploit?
Try to not run containers as root?
I admit there is a level of trust needed in Cloudflare, but I also need to trust the container makers and the hardware manufacturers as well. I use Cloudflare with O365 and JumpCloud for my auth sources and I've been thrilled. Different policies by subdomain; works great.
Honestly my load is so light I don't bother monitoring performance. Uptime Kuma for uptime; I used to use PRTG and Uptime Robot when I ran a heavier stack, before I switched to an all-Docker workload.
Yeah, might be for the best.
Do you have any auth in Cloudflare? If so, that mitigates a lot of zero-days. First they have to get past Cloudflare, then a zero-day in your nginx.
trisanachandler
I do agree, they should use the same address space for ingress and egress. I would hope tunnels would be immune, though, but perhaps not.