> The classic approach [Internet -> Router -> Server] is a recipe for disaster
I never really get that. If my router gets updates and the only thing I do to it is forward one port to the server, I don't really see how wrong it can go?
The Cloudflare tunnel doesn't change the fact that there is a server exposed to the Internet. And adding a reverse proxy in front of the server does not necessarily make it more secure, does it?
I mean, if I cannot update my router and open a single port properly, should I trust myself to setup a reverse proxy?
ebourgess•1mo ago
My main issue is that I didn't want to expose the ports to the internet. The only port now exposed on my server is the SSH port only. Everything else is just handled through the connection between the cloudflared daemon and cloudflare itself.
grim_io•1mo ago
I also expose some of my homelab through the cloudflare tunnel.
Every IP, except a choice few, are banned before any request reaches my router.
I don't need to worry about filtering using my limited bandwidth and resources, cloudflare firewall does it for me.
palata•1mo ago
> I don't need to worry about filtering using my limited bandwidth and resources
But your router is exposed to the Internet anyway, isn't it? Even if you keep all ports closed, random IPs on the Internet can send packages to your router.
grim_io•1mo ago
Sure, but they can't connect the domain names to my IP or infer what services I run.
The ports are closed, the only way to reach the services is to go through the domain name, the firewall and the tunnel, in probably that order.
palata•1mo ago
> they can't connect the domain names to my IP
They can't, but does it matter? They can connect the domain name to your server (through the tunnel).
> or infer what services I run
Why not? The port is open on Cloudflare's side, it's exactly the same.
The one thing you get from Cloudflare is that probably Cloudflare has a list of blocked IPs and they will prevent them from reaching your server. Though I'm sure there are public lists of "bad IPs" and it shouldn't be too hard to have a firewall that uses them. And anyway in your case you have a list of allowed IPs, so it's not a concern at all.
grim_io•1mo ago
It is not immediate public information what person is behind my domain.
By having cloudflare as the mitm proxy in between my domain and my server, that link between the two is also not immediately apparent to the public.
Then, all the filtering and access control happens outside of my network, and only the absolutely valid traffic that I want to deal with hits my own network.
I want all of those features.
palata•1mo ago
> I want all of those features.
Sure, I was not saying those features were worthless. I was just saying that not using them doesn't sound like a "recipe for disaster" to me.
palata•1mo ago
I never really get that. If my router gets updates and the only thing I do to it is forward one port to the server, I don't really see how wrong it can go?
The Cloudflare tunnel doesn't change the fact that there is a server exposed to the Internet. And adding a reverse proxy in front of the server does not necessarily make it more secure, does it?
I mean, if I cannot update my router and open a single port properly, should I trust myself to setup a reverse proxy?
ebourgess•1mo ago
grim_io•1mo ago
Every IP, except a choice few, are banned before any request reaches my router.
I don't need to worry about filtering using my limited bandwidth and resources, cloudflare firewall does it for me.
palata•1mo ago
But your router is exposed to the Internet anyway, isn't it? Even if you keep all ports closed, random IPs on the Internet can send packages to your router.
grim_io•1mo ago
The ports are closed, the only way to reach the services is to go through the domain name, the firewall and the tunnel, in probably that order.
palata•1mo ago
They can't, but does it matter? They can connect the domain name to your server (through the tunnel).
> or infer what services I run
Why not? The port is open on Cloudflare's side, it's exactly the same.
The one thing you get from Cloudflare is that probably Cloudflare has a list of blocked IPs and they will prevent them from reaching your server. Though I'm sure there are public lists of "bad IPs" and it shouldn't be too hard to have a firewall that uses them. And anyway in your case you have a list of allowed IPs, so it's not a concern at all.
grim_io•1mo ago
By having cloudflare as the mitm proxy in between my domain and my server, that link between the two is also not immediately apparent to the public.
Then, all the filtering and access control happens outside of my network, and only the absolutely valid traffic that I want to deal with hits my own network.
I want all of those features.
palata•1mo ago
Sure, I was not saying those features were worthless. I was just saying that not using them doesn't sound like a "recipe for disaster" to me.