trisanachandler

joined 1 year ago
[–] [email protected] 1 points 11 months ago

I do agree, they should use the same address space for ingress and egress. Though tunnels I would hope would be immune, but perhaps not.

[–] [email protected] 1 points 11 months ago (2 children)

Do you have the examples of this so I can take a look? Was it ports forwarded that were opened to all cloudflare ranges, or tunnels and a backend exploit?

[–] [email protected] 1 points 1 year ago

That's both a really honest answer and a good reason to use it depending on the person. Nice work.

[–] [email protected] 1 points 1 year ago

Try to not run containers as root?

[–] [email protected] 1 points 1 year ago

I admit there is a level of trust needed in cloudflare, but I also need to trust the container makers, and the hardware manufacturers as well. I use cloudflare with O365 and jumpcloud for my auth sources and I've been thrilled. Different policies by subdomain, works great.

[–] [email protected] 1 points 1 year ago

Honestly my load is so light I don't bother monitoring performance. Uptime kuma for uptime, I used to use prtg and uptime robot when I ran a heavier stack before I switched to an all docker workload.

[–] [email protected] 1 points 1 year ago

Yeah, might be for the best.

[–] [email protected] 1 points 1 year ago (2 children)

Do you have any auth in cloudflare? If so, that mitigates a lot of zero-days. First they have to get past cloudflare, then a zero-day in your nginx.