this post was submitted on 26 Jun 2024
297 points (93.5% liked)

Selfhosted


Centralization is bad for everyone everywhere.

That being said... I just moved my homeserver to another city... and I plugged in the power, then I plugged in the ethernet, and that was the whole shebang.

Tunnels made it very easy. No port forwarding, no DNS configuration, no firewall fiddling, no nothing.

Why do they have to make it so so easy...

[–] [email protected] 134 points 6 months ago (7 children)

The trouble with cloudflare is that there is just one. It’s one of the best registrars out there, the only free/cheap and usable DNS host (have you seen what route53 charges per zone??). That without getting into the whole tunnels and DDoS mitigation end of things, which is nearly unique at any price point.

The problem with cloudflare is that we’re missing three other cloudflares to move to if they decide to pull evil shit.

[–] [email protected] 56 points 6 months ago (6 children)

The bigger trouble is creating a CDN has a stupidly high barrier to entry. You literally need your own data centers across the world, your own server infrastructure, the manpower to manage it, etc.

You could try to host it on a cloud provider but you’d go bankrupt even quicker. Unless someone were to try to build a co-op run CDN, it’s just not gonna happen without a profit motive and a large amount of capital.

[–] [email protected] 24 points 6 months ago* (last edited 6 months ago)

That’s true. The bizarre paradox of the centralization of edge infrastructure is real.

That said, the other edge-lords (haha) could offer similar functionality, but they chose not to.

[–] [email protected] 8 points 6 months ago (2 children)

I once realized so many of my favourite businesses were cooperatives. I started thinking of what other co-ops I could start and grow. The excitement faded once I realized it would have to not be about the money.

[–] [email protected] 11 points 6 months ago

Coops are still about the money. They're about saving money by sharing resources with fellow workers/consumers, and maintaining democratic control over the company. You're not going to get rich from a coop (without embezzlement), but you and your coowners will be cutting out the middle man. Obviously, it only makes sense for industries that you're heavily invested in.

[–] [email protected] 21 points 6 months ago (8 children)

It's not the only free DNS service.

It's only a good registrar if you don't care about privacy and you're ok with their selection of TLDs (selected only from registries without privacy).

The free accounts do not benefit from DDoS protection. Re-read their terms of service, they're vague on purpose. If you were ever DDoS'ed (I don't know who would bother btw but that's another discussion) they'd just drop you.

You can establish the tunneling thing on your own with any VPS.

The problem with cloudflare is that we’re missing three other cloudflares to move to if they decide to pull evil shit.

You can and should diversify your services and spread them to different providers that are easy to switch. I've been with "all in one" providers before, they inevitably end up leveraging their convenience into all sorts of crap. But until you get burned a couple of times they look really good.

[–] [email protected] 10 points 6 months ago (2 children)

only free/cheap and usable DNS host

Check out desec.io as an alternative

[–] [email protected] 8 points 6 months ago

there is just one

Well it's cloudflare, not cloudsflare. Maybe overcasthosting, or sunblockservers...

[–] [email protected] 77 points 6 months ago* (last edited 6 months ago) (6 children)

Why does Cloudflare get a pass on the "if it's free, you're the product" mantra of the self-hosting community? Honest question. They seem to provide a lot for free, so...

[–] [email protected] 48 points 6 months ago (2 children)

It's usually free tiers of paid products

[–] [email protected] 18 points 6 months ago (5 children)

That makes sense, except Google kinda does the same thing. Everything they have is technically just a "free tier" of the Google One subscription, right? I guess I'm saying that "free tier of paid product" doesn't automatically qualify a company as trustworthy for me. Is there something else that sets Cloudflare apart?

[–] [email protected] 21 points 6 months ago

For me personally, it was all about balance.

15 years ago, Gmail/Inbox was a great email client, the domain was great and popular (so no need to spell it out for people) and I would "pay" by getting ads based on my emails read by a bot.

Now Gmail is a terrible email client, the best updates are ridiculous things like moving buttons around and it takes Google years to roll out. The thing loses emails, mislabels and misclassifies stuff and the rules work for a week then blow up. On top of that, google is now basically a proctologist considering how far up my ass they want to go

The balance is broken... Google now officially sucks (IMO)

[–] [email protected] 7 points 6 months ago

In my opinion, the difference with Google is that Google is actively using your data and you're giving them a lot of it. For Cloudflare, what do they have exactly? Depends on what services you use, but really all they get from me is the list of servers that connect to my domains. Google does that too if you use 8.8.8.8, or if you have any of their hardware that overrides router DNS settings like Chromecast and Google TV.

[–] [email protected] 6 points 6 months ago

Quality of their products maybe? Cloudflare feels like they put a lot of effort into their product, Google not so much with how buggy everything is and how often they just abandon products they offer.

[–] [email protected] 14 points 6 months ago

Strictly speaking, they’re leveraging free users to increase the number of domains they have under their DNS service. This gives them a larger end-user reach, as it in turn makes ISPs hit their DNS servers more frequently. The increased usage better positions them to lead peering agreement discussions with ISPs. More peering agreements leads to overall cheaper bandwidth for their CDN and faster responses, which they can use as a selling point for their enterprise clients. The benefits are pretty universal, so is actually a good thing for everyone all around… that is unless you’re trying to become a competitor and get your own peering agreement setup, as it’d be quite a bit harder for you to acquire customers at the same scale/pace.

[–] [email protected] 38 points 6 months ago (2 children)

we should definitively have a wiki (though people should use "search" too, I wonder if a wiki would help really). This "topic" comes every month. I have posted this already, here it goes again: https://github.com/anderspitman/awesome-tunneling

[–] [email protected] 28 points 6 months ago (10 children)

Sure it's easy to set up, but the same behaviour is what I get with my handrolled solution. I rent a cheap VPS with a fixed IP solely for forwarding all traffic through wireguard. My DNS entries all point to the VPS and my servers connect to the VPS to be reachable. It is absolutely network agnostic and does not require any port shenanigans on the local network nor does it require a fixed IP for the internet connection of my home server.

Data security wise the HTTPS terminates on my own hardware (homeserver with reverse proxy) and the wireguard connection is additionally encrypted. There are no secrets or certificates on the rented VPS beyond the bare minimum for the wireguard tunnel and my public key for SSH access.

Shuttling the packets on the VPS (inet to wireguard) is done by socat because I haven't had the will or need to get in the weeds with nftables/iptables. I am just happy that it works reliably and am happy to lose some potential bandwidth to the kernelspace/userspace hoops.

[–] [email protected] 7 points 6 months ago

That’s a good setup.

[–] [email protected] 7 points 6 months ago (9 children)

Does this cause all traffic at the reverse proxy to appear to come from the source IP of your VPS or does it preserve the original source IP?

I've been working on setting up a similar setup myself and am trying to figure out specifically how to handle the forwarding on the VPS.

[–] [email protected] 6 points 6 months ago* (last edited 6 months ago) (4 children)

I also have a similar setup to maiskanzler. But I use iptables to forward the traffic over WireGuard and I am able to preserve the original client IP by not SNATing the packets. I then have to use policy-based routing to make sure that traffic goes back out through the wg tunnel.

I'm happy to share info on how to get this working.
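The VPS-plus-WireGuard front door described in the two comments above, written out as an added example (this is not either commenter's own script). It shows both variants they mention: the userspace socat forward, which hands every connection to the home reverse proxy with the VPS's tunnel address as its source, and the kernel DNAT without SNAT plus policy-based routing on the home side, which preserves the real client address. Assumptions, all replaceable: tunnel subnet 10.66.0.0/24 with the VPS at 10.66.0.1 and the home server at 10.66.0.2, the VPS public interface is eth0 at 203.0.113.10 (a documentation address), WireGuard on UDP 51820, and key material in angle-bracket placeholders.

```shell
#!/bin/sh
# Added example for the VPS + WireGuard front door discussed above; not the
# commenters' own scripts. Assumed values (replace them): tunnel 10.66.0.0/24,
# VPS 10.66.0.1 / 203.0.113.10 on eth0, home server 10.66.0.2, keys in <...>.
set -eu

WG_VPS=10.66.0.1
WG_HOME=10.66.0.2
VPS_PUBLIC_IP=203.0.113.10   # assumed documentation address
VPS_IFACE=eth0               # assumed
RT_TABLE=100                 # routing table for the home-side return path

# Print instead of executing when DRY_RUN is set, so rules can be reviewed first.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# --- VPS: holds only a WireGuard key pair; no TLS keys or app secrets here ---
wg_conf_vps() {
  cat <<EOF
[Interface]
Address = ${WG_VPS}/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# home server: only packets whose source is its tunnel address are accepted from it
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${WG_HOME}/32
EOF
}

# Option 1 (the first comment's approach): userspace socat, one instance per port
# (e.g. a systemd unit each). Simple, but the home reverse proxy sees every
# connection coming from the VPS's tunnel address, so client IPs are lost.
vps_socat_forward() {
  run socat "TCP-LISTEN:$1,fork,reuseaddr" "TCP:${WG_HOME}:$1"
}

# Option 2 (the second comment's approach): kernel DNAT with *no* SNAT/MASQUERADE,
# so the original client address survives; conntrack undoes the DNAT on the reply.
vps_forward_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  for port in "$@"; do
    run iptables -t nat -A PREROUTING -i "$VPS_IFACE" -p tcp --dport "$port" \
      -j DNAT --to-destination "${WG_HOME}:${port}"
    run iptables -A FORWARD -i "$VPS_IFACE" -o wg0 -p tcp -d "$WG_HOME" \
      --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# --- home server: TLS terminates here, behind its own reverse proxy ---
# Option 2 needs three things on this side, all done from wg-quick hooks:
#  * AllowedIPs = 0.0.0.0/0, so packets carrying arbitrary client source
#    addresses pass WireGuard's cryptokey routing check in both directions;
#  * Table = off plus a policy rule, so only replies *from* 10.66.0.2 go back
#    through the tunnel instead of the LAN default route (asymmetric path);
#  * loose reverse-path filtering on wg0, otherwise strict rp_filter drops the
#    inbound packets because the main table routes their source via the LAN.
wg_conf_home() {
  cat <<EOF
[Interface]
Address = ${WG_HOME}/24
PrivateKey = <HOME_PRIVATE_KEY>
Table = off
PostUp = ip route add default dev %i table ${RT_TABLE}
PostUp = ip rule add from ${WG_HOME}/32 table ${RT_TABLE}
PostUp = sysctl -w net.ipv4.conf.%i.rp_filter=2
PostDown = ip rule del from ${WG_HOME}/32 table ${RT_TABLE}

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:51820
AllowedIPs = 0.0.0.0/0
# the home side sits behind NAT/CGNAT, so it must keep the mapping alive
PersistentKeepalive = 25
EOF
}

# Usage on the VPS as root: DRY_RUN=1 sh front-door.sh rules 80 443  (review),
# then the same without DRY_RUN. "vps-conf" / "home-conf" print the configs.
case "${1:-}" in
  rules)     shift; vps_forward_rules "$@" ;;
  socat)     shift; vps_socat_forward "$1" ;;
  vps-conf)  wg_conf_vps ;;
  home-conf) wg_conf_home ;;
esac
```

Two checks worth running after bringing this up: from an outside host, confirm the reverse proxy's access log shows that host's address rather than 10.66.0.1, and confirm `ip rule` on the home server lists the `from 10.66.0.2` rule, since without it replies leave via the LAN and the connection simply hangs. Note that the same AllowedIPs/policy-routing pairing applies to IPv6 with ip6tables and a `::/0` entry.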

[–] [email protected] 27 points 6 months ago* (last edited 5 months ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
NAT Network Address Translation
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
SSO Single Sign-On
TCP Transmission Control Protocol, most often over IP
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

13 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #830 for this sub, first seen 26th Jun 2024, 04:45] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 24 points 6 months ago (8 children)

Unless you are behind CGNAT; you would have had the same plug+play experience by using your own router instead of the ISP supplied one, and using DDNS.

At least, I did.

[–] [email protected] 6 points 6 months ago (10 children)

Yes, but it does expose your own IP address and thus where you live. Tunnels don't.

[–] [email protected] 11 points 6 months ago (3 children)

True, but the downside of cloudflare is that they are a reverse proxy and can see all your https traffic unencrypted.

[–] [email protected] 18 points 6 months ago

I also really like the tunnels feature. It makes self hosting at home easy for those under NAT/CGNAT or whatever it was called.

[–] [email protected] 16 points 6 months ago (3 children)

I prefer Tailscale Funnel for these kinds of things. NetBird and ZeroTier also work just fine if you don't want to expose your services to the public.

[–] [email protected] 6 points 6 months ago (2 children)

Tailscale is so cool too. I'll definitely be switching if I can ever use my own domains

[–] [email protected] 15 points 6 months ago (1 children)

Just stop supporting the biggest actor in the market.

[–] [email protected] 8 points 6 months ago

That's just a bandaid on capitalism's issues. Urging people not to support the biggest actor will never work in the grand scheme of things, when said actor provides their best immediate interests.

[–] [email protected] 14 points 6 months ago

I use Cloudflare as my registrar and public DNS. And only for that. Sorry but they don't get to peek at my network traffic.

[–] [email protected] 11 points 6 months ago* (last edited 6 months ago)

Well, centralization and giving up your freedoms, letting someone else control you, is always kinda easy. Same applies to all the other big tech companies and their platforms. I'd say it applies to other aspects of life, too.

And I'd say it's not far off from the usual setup. If you had a port forward and DynDNS like lots of people have, the DNS would automatically update, you'd need to make sure the port forward is activated if you got a new router, but that's pretty much it.

But sure. If it's too inconvenient to put in the 5 minutes of effort it requires to set up port forwarding every time you move, I also don't see an alternative to tunneling. Or you'd need to pay for a VPS.

[–] [email protected] 10 points 6 months ago (2 children)

Their static website hosting is probably the best in the business. We seriously need some competition though.

[–] [email protected] 10 points 6 months ago (5 children)

I mean, I used to think Google Public DNS was great until I switched to 1.1.1.1...

[–] [email protected] 22 points 6 months ago (11 children)

If you like 1.1.1.1 then you should try 9.9.9.9. Or better yet host Unbound and Pi-hole if you’re up to the challenge. Best DNS experience I’ve had.

[–] [email protected] 8 points 6 months ago (1 children)

I am out of the loop, what's going in with snooping?

I use their cloudflared tunnel sometimes for accessing home hosted stuff.

[–] [email protected] 27 points 6 months ago (3 children)

Because Cloudflare acts as a reverse proxy it can see everything that happens in a session.
This is also known as a man-in-the-middle attack. But Cloudflare needs to do this in order to do its checks for bad actors.

Now, as Cloudflare has access to the unencrypted traffic and we know that the NSA is all about data vacuuming due to the Snowden leaks, we can make a tin foil hat guess what goes on.

[–] [email protected] 9 points 6 months ago (2 children)

Just note, OP, that the last part of his statement is pure speculation. The first part is technically true, which can lead to that inference, but no information has been released which corroborates it. However, that does not mean it’s not possible.

[–] [email protected] 14 points 6 months ago (1 children)

This is true. Which is why I said tinfoil hat guess.

[–] [email protected] 14 points 6 months ago* (last edited 6 months ago)

Though those leaks showed they actually did it on a large scale. I don't think they stopped for some arbitrary reason. Why would they? And technology developed further, surveillance is only getting easier. I'd say even without a tin-foil hat on, it's more likely they do it than not.

[–] [email protected] 6 points 6 months ago

I don’t understand why Cloudflare gets bashed so much over this… EVERY CDN out there does exactly the same thing. It’s how CDNs work. Whether it’s Akamai, AWS, Google Cloud CDN, Fastly, Microsoft Azure CDN, or some other provider, they all do the same thing. In order to operate properly they need access to unencrypted content so that they can determine how to cache it properly and serve it from those caches instead of always going back to your origin server.

My employer uses both Akamai and AWS, and we’re well aware of this fact and what it means.
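Several comments above make the same point from different angles: once a record is proxied through Cloudflare (or any CDN), TLS terminates at the provider's edge and it sees the plaintext, whereas a "DNS only" record (the registrar-and-DNS-only setup one commenter describes) leaves the origin reachable directly. The following added check, which is not from the thread, tells the two apart for a hostname: it resolves the name, tests each address against Cloudflare's published IPv4 ranges, and prints the issuer of the certificate actually presented on port 443, which behind the proxy is Cloudflare's edge certificate rather than your own. The range list is Cloudflare's published https://www.cloudflare.com/ips-v4 as of writing and should be re-fetched before the result is relied on; `dig` and `openssl` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: is a hostname served through Cloudflare's
# reverse proxy (TLS terminated at their edge) or DNS-only with the origin exposed?
# Range list: https://www.cloudflare.com/ips-v4 as of writing; refresh before use.
set -eu

CLOUDFLARE_V4="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# dotted quad -> 32-bit integer, using shell arithmetic only
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP falls inside the prefix
in_cidr() {
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_cloudflare_ip IP -> exit 0 if the address belongs to a Cloudflare edge range
is_cloudflare_ip() {
  for cidr in $CLOUDFLARE_V4; do
    if in_cidr "$1" "$cidr"; then return 0; fi
  done
  return 1
}

# Network-using wrapper: classify each A record, then show who issued the
# certificate presented on :443. A proxied record answers with an edge address
# and an edge certificate; a DNS-only record answers with your origin and your
# own certificate (and your home address, which is the trade-off the thread is about).
check_host() {
  host=$1
  for a in $(dig +short A "$host" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'); do
    if is_cloudflare_ip "$a"; then
      echo "$host -> $a : Cloudflare proxy (TLS terminated at the edge)"
    else
      echo "$host -> $a : direct (origin address is public)"
    fi
  done
  printf '' | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
    | openssl x509 -noout -issuer -subject
}

# Usage: sh cf-check.sh example.com
if [ $# -gt 0 ]; then check_host "$1"; fi
```

A hostname that resolves to a Cloudflare range while the dashboard claims "DNS only" means the record was flipped to proxied (Cloudflare Tunnel hostnames are always proxied), so this is a quick way to verify the registrar-and-DNS-only stance actually holds for every record in the zone.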

[–] [email protected] 6 points 6 months ago (10 children)

I use Cloudflare Tunnel for my home server too. Are there any viable and somewhat easy alternatives?

[–] [email protected] 7 points 6 months ago (1 children)

Get a cheap VPS and set up a VPN of your choice.

[–] [email protected] 7 points 6 months ago

Just make sure the VPS will shut down if the bandwidth is exceeded rather than giving you a big overage charge.
