Cloudflare is bad. Youre right.
Cloudflare is bad. Youre right.
Centralization is bad for everyone everywhere.
That bring said... I just moved my homeserver to another city... and I plugged in the power, then I plugged in the ethernet, and that was the whole shebang.
Tunnels made it very easy. No port forwarding no dns configuration no firewall fiddling no nothing.
Why do they have to make it so so easy...
The trouble with cloudflare is that there is just one. It’s one of the best registrars out there, the only free/cheap and usable DNS host (have you seen what route53 charges per zone??). That without getting into the whole tunnels and DDoS mitigation end of things, which is nearly unique at any price point.
The problem with cloudflare is that we’re missing three other cloudflares to move to if they decide to pull evil shit.
The bigger trouble is creating a CDN has a stupidly high barrier to entry. You literally need your own data centers across the world, your own server infrastructure, the man power to manage it, etc.
You could try to host it on a cloud provider but you’d go bankrupt even quicker. Unless someone were to try to build a co-op run CDN, it’s just not gonna happen without a profit motive and a large amount of capital.
That’s true. The bizarre paradox of the centralization of edge infrastructure is real.
That said, the other edge-lords (haha) could offer similar functionality, but they chose not to.
I feel like something like https://www.storj.io/ is on the path to what we would want/need?
There might be some additional requirements for a true CDN to ensure data is closer to where it's needed and in as many regions as needed though with the right amount of bandwidth. The data gets stored all over the place, but that doesn't mean its optimal. But they do seem to claim it's faster on their website...
Edit: For those not wanting to click, TLDR is they use excess storage around the world and make it accessible anywhere, and safe from failures. People with excess storage can join the network if they have enough storage/bandwidth and pass some tests. Their API is S3 compatible.
I mean the optimal cdn is maximally distributed to reduce load and latency right. Unfortunatly the web was not built in a manner that supports this.
Eg if we could have a single url for the same object that could be served by any server that is part of the fediverse then the fediverse itself would be an optimal cdn.
Perhaps we should take some notes from peertube. Plus more legitimate bit torrent content on the internet as a whole is hardly a bad thing make the isp's jobs harder for places without net neutrality.
It's not the only free DNS service.
It's only a good registrar if you don't care about privacy and you're ok with their selection of TLDs (selected only from registries without privacy).
The free accounts do not benefit from DDoS protection. Re-read their terms of service, they're vague on purpose. If you were ever DDoS'ed (I don't know who would bother btw but that's another discussion) they'd just drop you.
You can establish the tunneling thing on your own with any VPS.
The problem with cloudflare is that we’re missing three other cloudflares to move to if they decide to pull evil shit.
You can and should diversify your services and spread them to different providers that are easy to switch. I've been with "all in one" providers before, they inevitably end up leveraging their convenience into all sorts of crap. But until you get burned a couple of times they look really good.
It's only a good registrar if you don't care about privacy and you're ok with their selection of TLDs (selected only from registries without privacy).
I wish they supported my country's two CCTLDs but other than that I'm very happy. I would never buy any of the crazy vanity TLDs anyways.
I mostly own .com domains and two CCTLDs domains.
only free/cheap and usable DNS host
Check out desec.io als an alternative
That sure does seem to tick a lot of boxes. I’m going to check it out!
I've moved a couple of domains to dnssec and it's great, simple DNS.
there is just one
Well it's cloudflare, not cloudsflare. Maybe overcasthosting, or sunblockservers...
So I need to make a VPS setup script to install bind for DNS and wireguard or openvpn and push it to gitlab/GitHub?
I am not sure what that would accomplish.
I have all that, but I still use cf for a ton of stuff.
Why does Cloudflare get a pass on the "if it's free, you're the product" mantra of the self-hosting community? Honest question. They seem to provide a lot for free, so...
It's usually free tiers of paid products
That makes sense, except Google kinda does the same thing. Everything they have is technically just a "free tier" of the Google One subscription, right? I guess I'm saying that "free tier of paid product" doesn't automatically qualify a company as trustworthy for me. Is there something else that sets Cloudflare apart?
Strictly speaking, they’re leveraging free users to increase the number of domains they have under their DNS service. This gives them a larger end-user reach, as it in turn makes ISPs hit their DNS servers more frequently. The increased usage better positions them to lead peering agreement discussions with ISPs. More peering agreements leads to overall cheaper bandwidth for their CDN and faster responses, which they can use as a selling point for their enterprise clients. The benefits are pretty universal, so is actually a good thing for everyone all around… that is unless you’re trying to become a competitor and get your own peering agreement setup, as it’d be quite a bit harder for you to acquire customers at the same scale/pace.
They have for public benefit program where they give out their paid security tiers for free? If you can get recommended into it. Build a lot of goodwill there for non-profits community.
Because most self hosted things are free already. It doesn't apply to FOSS.
randomly came across these, so yeah.
edit: about this apparently https://archiveofourown.org/works/54711364
Do you have an alternative to cloudflare tunnels? I'd love to hear it, because I'm also not really happy about relying on them either, but tailscale only works up to an extent because not all devices can connect to it and it's a pain in the ass to get random family members to connect to it as well.
@shiftymccool @Kuvwert cause nobody wants to think about that.
we should definitively have a wiki (though people should use "search" too, I wonder if a wiki would help really). This "topic" comes every month. I have posted this already, here it goes again: https://github.com/anderspitman/awesome-tunneling
Thanks for sharing!
That's awesome thanks!
Sure it's easy to set up, but the same behaviour is what I get with my handrolled solution. I rent a cheap VPS with a fixed IP solely for forwarding all traffic through wireguard. My DNS entries all point to the VPS and my servers connect to the VPS to be reachable. It is absolutely network agnostic and does not require any port shenanigans on the local network nor does it require a fixed IP for the internet connection of my home server.
Data security wise the HTTPS terminates on my own hardware (homeserver with reverse proxy) and the wireguard connection is additionally encrypted. There are no secrets or certificates on the rented VPS beyond the bare minimum for the wireguard tunnel and my public key for SSH access.
Shuttling the packets on the VPS (inet to wireguard) is done by socat because I haven't had the will or need to get in the weeds with nftables/iptables. I am just happy that it works reliably and am happy to loose some potential bandwidth to the kernelspace/userspace hoops.
Does this cause all traffic at the reverse proxy to appear to come from the source IP of your VPS or does it preserve the original source IP?
I've been working on setting up a similar setup myself and am trying to figure out specifically how to handle the forwarding on the VPS.
I also have a similar setup to maiskanzler. But I use iptables to forward the traffic over wireguard and I am able to preserve the original client IP by not snat the packets. I then have to use policy based routing to make sure that traffick goes back out through the wg tunnel.
I'm happy to share info on how to get this working.
I have a similar setup and I just have the reverse proxy on the VPS. It then proxies back to the home server on whatever port the service is on. And yes you can forward the original client IP if you wish.
It depends on how you set it up
Yes, I do loose the origin IP and I'm a little bugged by it. It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware. That's totally my personal preference though.
I trust my VPS provider to not be interested enough in my data to setup special surveillance tooling for each and every possible software combination their customers might have. Cloudflare on the other hand only has their own software stack to monitor and all customers must adhere to it. It's by design much easier for them to do statistics or snooping.
Enough people have already commented on the "proxy at the vps solution". Another option is to configure routing and nat on the VPS and have it route over the wg tunnel.
Requires you to have postup/predown scripts that modify your routing tables on the wg endpoint.
That’s a good setup.
This is the right answer
What VPS do you use for this?
If you want something cheap check out RackNerd yearly deals. Last I checked they still have listings for black Friday and other old deals once you've made an account. I got a server for like $12 a year with 5tb monthly bandwidth. I have 3 servers total with them and haven't had a problem for the 3 years I've been using them.
I am using the smallest tier VPS from IONOS for 1€/month. Good, reliable and trustworthy as it is a subsidiary of 1&1 telecommunications.
Same here. Works great, incredibly cheap too.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters More Letters CF CloudFlare CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol NAT Network Address Translation SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption SSO Single Sign-On TCP Transmission Control Protocol, most often over IP TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
13 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #830 for this sub, first seen 26th Jun 2024, 04:45] [FAQ] [Full list] [Contact] [Source code]
Good bot.
It's almost like the big tech companies are really good at their jobs....
Woah, let's not be hasty. A few big tech companies are really good at their jobs...
Let's not forget the dozens of big tech companies run by absolute morons that bring products that nobody wants or needs and only stay afloat due to legacy, stealing data & selling it, and/or venture capital.
Let’s not forget the dozens of big tech companies run by absolute morons that bring products that nobody wants or needs and only stay afloat due to legacy, stealing data & selling it, and/or venture capital.
You just described Twitter/X
👌👍
Unless you are behind CGNAT; you would have had the same plug+play experience by using your own router instead of the ISP supplied one, and using DDNS.
At least, I did.
Yes, but it does expose your own IP address and thus where you live. Tunnels don't.
@qaz @Darkassassin07 what are you even saying? Ip address doesn’t expose where you live. And better get off the internet right now if your concern is exposing your ip cause it was never secret to begin with.
Tunnels stop you from opening a port so nothing is exposed openly to the internet but it does not keep your ip private.
No. You are skipping DNS.
I didn't skip it, I installed ddclient.
Cloudflare is the devil!
and using DDNS
As in, running software to update your DNS records automatically based on your current system IP. Great for dynamic IPs, or just moving location.
Not entirely. CF can protect you from DDOS of up to a few millions of calls per minute. Your home router would melt with that traffic. They also act as a firewall if you enable the proxy dns feature. They do a sanity check before forwarding the call. Also a home router cannot do this. And there's more.
Both your ISP and CF will drop you like a hot potato if you're ever under that kind of attack.
CF has other features that are nice like, like WAF, bot detection, geo blocking, caching etc. But it's only a taste.
All their real services are paid and the whole reason they offer a free tier is to upsell you to their paid services.
@f2sfljLhdtTZ @Darkassassin07 Eveyone so worried about DDoS. They are not going to DDoS a resedential Ip address. Sure if youbpiss someone off they well they're going to do it even without selfhosting anything.
Sure, cloudflare provides other security benefits; but that's not what OP was talking about. They just wanted/liked the plug+play aspect, which doesn't need cloudflare.
Those 'benefits' are also really not necessary for the vast majority of self hosters. What are you hosting, from your home, that garners that kind of attention?
The only things I host from home are private services for myself or a very limited group; which, as far as 'attacks' goes, just gets the occasional script kiddy looking for exposed endpoints. Nothing that needs mitigation.
I also really like the tunnels feature. It makes self hosting at home easy for those under NAT/CGNAT or whatever it was called.
I prefer Tailscale Funnel for these kinds of things. NetBird and ZeroTier also work just fine if you don't want to expose your services to the public.
Tailscale is so cool too. I'll definitely be switching if I can ever use my own domains
Actually you can.... I do that with my setup. Just point your domain to the new ip assigned by tailscale to your server. Thats all. Recently they started supporting the https certificate also.. Even though it's not needed, for internal only communication.
You can set A DNS entries without wildcard in the configs (with head scale at least), just use their magic DNS thing that works with hostnames or just self host DNS and tell your tailnet to use that.
I looked at headscale but as far as I can tell their is no active directory or SSO integration. Which is very unfortunate.
Good news, they support OIDC! Haven't tested it myself so your mileage may vary.
Just stop supporting the biggest actor in the market.
That's just a bandaid on capitalism's issues. Urging people not to support the biggest actor will never work in the grand scheme of things, when said actor provides their best immediate interests.
I use Cloudflare as my registrar and public DNS. And only for that. Sorry but they don't get to peek at my network traffic.
Well, centralization and giving up your freedoms, letting someone else control you, is always kinda easy. Same applies to all the other big tech companies and their platforms. I'd say it applies to other aspects of life, too.
And I'd say it's not far off from the usual setup. If you had a port forward and DynDns like lots of people have, the Dns would automatically update, you'd need to make sure the port forward is activated if you got a new router, but that's pretty much it.
But sure. if it's too inconvenient to put in the 5 minutes of effort it requires to set up port forwarding everytime you move, I also don't see an alternative to tunneling. Or you'd need to pay for a VPS.
I mean, I used to think Google Public DNS was great until I switched to 1.1.1.1...
If you like 1.1.1.1 the. You should try 9.9.9.9. Or better yet host unbound pihole if you’re up to the challenge. Best dns experience I’ve had.
If you use 9.9.9.9, you should try Mullvad DNS (with adblocking) or AdGuard Public DNS
What benefits are you having from switching?
1.1.1.1/cloudflared responds crazy fast compared to anything else i've used. I really just wanted off Google (and before them OpenDNS). That's about it.
Commenting as I am curious about this too!
9.9.9.9
Their static website hosting is probably the best in the business. We seriously need some competition though.
Even when you host a HUGE static website (e.g. maps with thousands of image files). You can just throw it on R2 add a few transform rules, point a domain at it, and you are done. Also highlights the usability of Cloudflare compared to other solutions.
There are tons of CDNs out there.
I am out of the loop, what's going in with snooping?
I use their cloudflared tunnel sometimes for accessing home hosted stuff.
Because Cloudflare acts as a reverse proxy it can see everything that happens in a session.
This is also known as a man in the middle attack. But Cloudflare meds to do this in order to do it's checks for bad actors.Now, as Cloudflare has access to the unencrypted traffic and we know that NSA is all about data vacuuming due to the Snowdn leaks we can make a tin foil hat guess whaylt goes on.
I don’t understand why Cloudflare gets bashed so much over this… EVERY CDN out there does exactly the same thing. It’s how CDN’s work. Whether it’s Akamai, AWS, Google Cloud CDN, Fastly, Microsoft Azure CDN, or some other provider, they all do the same thing. In order to operate properly they need access to unencrypted content so that they can determine how to cache it properly and serve it from those caches instead of always going back to your origin server.
My employer uses both Akamai and AWS, and we’re well aware of this fact and what it means.
Thank you!
I use cloud flare tunnel for my home server too. Are there any viable and somewhat easy alternatives?
DNS names are restricted to your tailnet’s domain name (node-name.tailnet-name.ts.net)
I guess that's fine for some. Not a compromise I'm willing to make though.
As soon as I can use my personal domains with tailscale funnel I'll be switching, I like tail scale a lot
Get a cheap VPS and set up a VPN of your choice.
Just make sure the VPS will shut down if the bandwidth is exceeded rather than giving you a big overage charge.
DynDNS? I'm not 100% sure what CF Tunnel does, but from my 2 min reading it seems that DynDNS would accomplish what OP described just as well.
It might help to read it once more then 🙂
Oh, it's way more than what any dyndns can do.
Port forwards in the router + DynDns.
I have written a small blog post about how to Bypass CGNAT, and have also mentioned why you should not use Cloudflare if you are hosting for privacy.
DIY your own Cloudflare
Are there browser plugins (or other solutions) to see if an site uses cloudflare before visting?
also, when you have 5g failover on the router and the fiber it's down, it automagically continues to work without admin intervention
Is there a way to do reverse tunnels, or something like it, so not opening any ports at all on the network, without cloudflare?
Closest to that XP I got was generating VPN keys and distributing them to close friends, running DDNS (no-ip) on my Pi with a pivpn server and then accessing JellyFin that way.
Rent a VPS, point DNS to it, have it act as central wireguard peer and connect your server(s). Then bridge incoming traffic to server via socat or firewall rules. Done
That's a lot of work. Thanks though.
Do you have a VPS or server with its own IPv4 address outside your home?
If you want I can maybe help you with configuring my new tool/service to replace Cloudflare Tunnels
But it depends on how you use it also, if you want to explain that send me a reply or a private message and I can answer if I think it is possible and give you the basic configuration for it, or check out the project and its sources I posted here