I exposed my Homelab through Cloudflare Tunnels

9 pointsposted a day ago
by ebourgess
(ebourgess.dev)

9 Comments

user

a day ago

[deleted]

palata

a day ago

> The classic approach [Internet -> Router -> Server] is a recipe for disaster

I never really get that. If my router gets updates and the only thing I do to it is forward one port to the server, I don't really see how wrong it can go?

The Cloudflare tunnel doesn't change the fact that there is a server exposed to the Internet. And adding a reverse proxy in front of the server does not necessarily make it more secure, does it?

I mean, if I cannot update my router and open a single port properly, should I trust myself to setup a reverse proxy?

grim_io

21 hours ago

I also expose some of my homelab through the cloudflare tunnel.

Every IP, except a choice few, are banned before any request reaches my router.

I don't need to worry about filtering using my limited bandwidth and resources, cloudflare firewall does it for me.

palata

20 hours ago

> I don't need to worry about filtering using my limited bandwidth and resources

But your router is exposed to the Internet anyway, isn't it? Even if you keep all ports closed, random IPs on the Internet can send packages to your router.

grim_io

19 hours ago

Sure, but they can't connect the domain names to my IP or infer what services I run.

The ports are closed, the only way to reach the services is to go through the domain name, the firewall and the tunnel, in probably that order.

palata

18 hours ago

> they can't connect the domain names to my IP

They can't, but does it matter? They can connect the domain name to your server (through the tunnel).

> or infer what services I run

Why not? The port is open on Cloudflare's side, it's exactly the same.

The one thing you get from Cloudflare is that probably Cloudflare has a list of blocked IPs and they will prevent them from reaching your server. Though I'm sure there are public lists of "bad IPs" and it shouldn't be too hard to have a firewall that uses them. And anyway in your case you have a list of allowed IPs, so it's not a concern at all.

grim_io

16 hours ago

It is not immediate public information what person is behind my domain.

By having cloudflare as the mitm proxy in between my domain and my server, that link between the two is also not immediately apparent to the public.

Then, all the filtering and access control happens outside of my network, and only the absolutely valid traffic that I want to deal with hits my own network.

I want all of those features.

palata

13 hours ago

> I want all of those features.

Sure, I was not saying those features were worthless. I was just saying that not using them doesn't sound like a "recipe for disaster" to me.

ebourgess

a day ago

My main issue is that I didn't want to expose the ports to the internet. The only port now exposed on my server is the SSH port only. Everything else is just handled through the connection between the cloudflared daemon and cloudflare itself.