this post was submitted on 18 Nov 2023
1 points (100.0% liked)

Self-Hosted Main

502 readers
4 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
[email protected]
1
Benefits of Cloudflare Access (alien.top)
submitted 10 months ago by [email protected] to c/[email protected]
26 comments fedilink hide all child comments
 

For a self-hosted application with a valid SSL certificate and support for OAuth, what are the benefits that Cloudflare Access provides? From what I can tell, it also filters traffic to possibly block attacks? Can it even be used with a self-hosted app if you aren't also running Cloudflare Tunnel? Is there a better alternative (that also integrates with major OAuth providers like Google, Github, etc) for self-hosters? Thanks for the help in understanding how this works.

top 26 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 10 months ago (1 children)

I can expose things like HASS and my Unifi controller to the public internet, but stick it behind Cloudflare Access (and Office 365) for protection.

I can essentially unlock my door anywhere in the country, as O365 has conditional access setup to block international logins and I’ve got MFA set up on it.

My port forwarding is only enabled for Cloudflare IP’s, as is Nginx (for extra piece of mind) and I’ve got CF client certificates installed as well.

It mitigates the need for me to configure and use a VPN (although I’ve got one of those configured as well) - which I’ve noticed can be disabled on some networks (I always had trouble using VPN’s on T-Mobile in North America when I was there in 2018)

[–] [email protected] 1 points 10 months ago

which I’ve noticed can be disabled on some networks

I've found a few networks where my normal VPN connection won't work. Typically they just block all outgoing ports except common ones like 80,443,22,53,etc. I've got a few of those setup so I can try alternates. 22 usually works.

[–] [email protected] 1 points 10 months ago (1 children)

Remember that cloudflare will see your traffic, Even with an ssl certificate.

[–] [email protected] 1 points 10 months ago (1 children)

Right, so I'm trying to determine if that is worse or if exposing a service without Cloudflare (and being more at risk from someone trying to break into my service because of not having the monitoring/protection Cloudflare provides) is worse.

[–] [email protected] 1 points 10 months ago

If you have an EC2 Amazon Compute Instance, you don’t hear people saying “Amazon can read your data”. Cloudflare is a major provider like Google or Amazon. Use Tailscale if your not convinced

[–] [email protected] 1 points 10 months ago

Maybe try OCserv for your VPN it is using https as a fallback and never failed me.

[–] [email protected] 1 points 10 months ago (2 children)

Don't forget that Cloudflare offers no protection against traffic from within Cloudflare. There were several incidents in the past where Cloudflares services where used to break into other clients services (hijacking).

[–] [email protected] 1 points 10 months ago

Thank you, didn't realise that!

[–] [email protected] 1 points 10 months ago (1 children)

Do you have the examples of this so I can take a look? Was it ports forwarded that were opened to all cloudflare ranges, or tunnels and a backend exploit?

[–] [email protected] 1 points 10 months ago (1 children)

You can look online. Basically Cloudflares blocking features exclude Cloudflares own IP ranges. Someone used their own services (in their own IP range) to attack services and since the request came from a Cloudflare IP it was not blocked or filtered. Pretty embarassing if you ask me. But this is normal in the cloud.

[–] [email protected] 1 points 10 months ago

I do agree, they should use the same address space for ingress and egress. Though tunnels I would hope would be immune, but perhaps not.

[–] [email protected] 1 points 10 months ago (2 children)

There’s not much reasons of exposing any of your local services to internet. Use vpn to have access to your local resources. This is best you can come up with for your home lab

[–] [email protected] 1 points 10 months ago (2 children)

Question : what if I need to access my home computer from a work laptop and I’m not allowed to install things such as the WireGuard VPN client. Do I use native say Windows VPN?

[–] [email protected] 1 points 10 months ago

Never perform personal tasks on work equipment. If it's not something you'd expose to the open net, you definitely shouldn't be accessing it from equipment you don't own.

Get a personal laptop for remote tasks, or use your phone.

[–] [email protected] 1 points 10 months ago (1 children)

Assuming it's a Linux server at home and you can use SSH on your work computer, there's a couple ways to do this.

  • Install a web based terminal client
  • Setup Cloudflare tunnels on your home server and use the the SSH proxy. I do this with a simple helper in ~/.ssh/config:
Match host "*.cf"
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname $(echo %h | sed 's/\.cf$/.homelab.nz/')
  ForwardAgent yes
[–] [email protected] 1 points 10 months ago

Wait don’t you need the Cloudflare agent to be able to connect to a tunnel that’s set up?

[–] [email protected] 1 points 10 months ago

For most things I agree but I this case I'm thinking of a service where you want to have a group of people access and they all aren't willing or tech-saavy enough to install a VPN

[–] [email protected] 1 points 10 months ago (1 children)

Benefits have been listed out here by others. The few restrictions I found on the free tier of Cloudflare is that they limit file size for uploads to 200MB. If you were exposing your NAS and want to upload a large file then you need to pay for Cloudflare or it will be restricted.

[–] [email protected] 1 points 10 months ago (1 children)

Didn’t they changed their TOS about streaming?

[–] [email protected] 1 points 10 months ago

Last I'd checked (a couple years ago), they don't permit media streaming via a free account, just serving static files. (I mean... Fair.)

I had several issues with emby/plex not loading streams through cloudflare connections, or really struggling to do so. Disabling cloudflare proxying for that subdomain solved that.

Now I just have cloudflare proxying my static file server and Ombi. Emby is a direct connection and everything else is behind OpenVPN.

[–] [email protected] 1 points 10 months ago (1 children)

I use it within my Kubernetes to expose services outsides my house, and then I use Azure AD to manage access.

I know this isn’t very self hosted, but for me where I have a dynamic IP and don’t want to play with port forwarding, it’s really good. Nice and easy especially with Kubernetes and the helm chart I wrote

[–] [email protected] 1 points 10 months ago (1 children)

Don’t you need to configure DDNS regardless? And port forwarding as well unless you went with tunnels?

[–] [email protected] 1 points 10 months ago (3 children)

For cloudflare tunnels no, it does a nat punch through I think it's called, where it connects from inside your network out to 2 edge locations to cloudlfare, where it then can send traffic back and forwards.

If I wanted to expose by port forwarding, then yes you are correct, I could configure ddns.

Personally, I would configure my own version of DDNS where it's just a cron job once every 5 minutes to run terraform and check if my public IP has changed, and if it has run an apply.

Does that answer the question?

[–] [email protected] 1 points 10 months ago

Whoa that’s a clever solution for ddns

[–] [email protected] 1 points 10 months ago

Ye, I though tunnels needed a public ip still but it makes sense it doesn’t given there’s a service running in your network that can do that check

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

There's a great tiny little program/docker container called cf-ddns that is great for this