[-] trisanachandler@alien.top 1 points 11 months ago

I do agree, they should use the same address space for ingress and egress. Though I would hope tunnels would be immune, but perhaps not.

[-] trisanachandler@alien.top 1 points 11 months ago

Do you have the examples of this so I can take a look? Was it forwarded ports that were opened to all Cloudflare ranges, or tunnels and a backend exploit?

[-] trisanachandler@alien.top 1 points 1 year ago

Try to not run containers as root?

[-] trisanachandler@alien.top 1 points 1 year ago

I admit there is a level of trust needed in Cloudflare, but I also need to trust the container makers, and the hardware manufacturers as well. I use Cloudflare with O365 and JumpCloud for my auth sources and I've been thrilled. Different policies by subdomain, works great.

[-] trisanachandler@alien.top 1 points 1 year ago

Honestly my load is so light I don't bother monitoring performance. Uptime Kuma for uptime; I used to use PRTG and Uptime Robot when I ran a heavier stack, before I switched to an all-Docker workload.

[-] trisanachandler@alien.top 1 points 1 year ago

Yeah, might be for the best.

[-] trisanachandler@alien.top 0 points 1 year ago

Do you have any auth in Cloudflare? If so, that mitigates a lot of zero-days. First they have to get past Cloudflare, then a zero-day in your nginx.
