I read a comment on here some time ago where the person said they were using cloudflared to expose some of their self-hosted stuff to the Internet so they can access it remotely.
I am currently using it to expose my RSS feed reader, and it works out fine. I also like the simplicity of Cloudflare’s other offerings.
Any thoughts on why cloudflared is not a good idea? What alternatives would you suggest? How easy/difficult are they to setup?
You must log in or register to comment.
I think concerns come in two flavours:
- Privacy/security: Cloudflare terminates HTTPS, which means they decrypt your data on their side (e.g. browser to cloudflare section) then re-encrypt for the second part (cloudflare to server). They can therefore read your traffic, including passwords. Depending on your threat model, this might be a concern or it might not. A counterpoint is that Cloudflare helps protect your service from bad actors, so it could be seen to increase security.
- Cloudflare is centralised. The sidebar of this community states “A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.”, and Cloudflare is for sure a service you don’t control, and arguably you’re locked into it if you can’t access your stuff without it. Some people think Coudflare goes against the ethos of self-hosting.
With that said, you’ll find several large lemmy instances (and many small ones) use cloudflare. While you’ll easily find people against its use, you’ll find many more people in the self-hosted community using it because it’s (typically) free and it works. If you want to use it, and you’re ok with the above, then go ahead.
There’s a third point which is: Things in CloudFlare are publicly accessible, so if you don’t put a service on front for authentication and the service you’re exposing has no authentication, a weak password or a security issue, you’re exposing your server directly to the internet and bad actors can easily find it.
Which is why some services that I don’t want to have complicated passwords are only exposed via Tailscale, so only people inside the VPN can access them.
In addition to the above, most of the percieved advantages of CF are non-existent on the free tier that most people use. Their “DDoS protection” just means they’ll drop your tunnel like a hot potato, and their “attack mitigation” on the free tier is a low-effort web app firewall (WAF) that you can replace with a much better and fully customizable self-hosted version.
They explicitly use free DDoS protection as a way to get you in the door, and upsell you on other things. Have you seen them “drop your tunnel like a hot potato”?
Now obviously if their network is at capacity they would prioritise paying customers, but I’ve never heard of there being an issue with DDoS protection for free users. But I have heard stories of sites enabling Cloudflare while being DDoSed and it resolving the problem.
Any stories you’ve heard about websites enabling CF to survive DDoS were not on the free tier, guaranteed.
Please re-read the description for the free tier. Here’s what “DDoS protection” means on free tier:
Customers are not charged for attack traffic ever, period. There’s no penalty for spikes due to attack traffic, requiring no chargeback by the customer.
Will they use some of their capacity to minimize the DDoS effects for their infrastructure? Sure, I mean they have to whether they like or not, since the DNS points at their servers. But will they keep the website going for Joe Freeloader? Don’t count on that. The terms are carefully worded to avoid promising anything of the sort.
They also say “Cloudflare DDoS protection secures websites and applications while ensuring the performance of legitimate traffic is not compromised.”, with a tick to indicate this is included in the Free tier.
You are honestly the first person I’ve heard complain about Cloudflare failing to protect against DDoS attacks. However, I have no doubt that not having Cloudflare, I would fare no better. So still seems worthwhile to me.
The first point is only when you use the tunnel function, right ?
Because I noticed, if use the tunnel function (hiding your private ip) the sites gets an Cloudflare certificate, but if just using it as DNS (without tunnel) the page has my certificate.
I use a VPS I have for many purposes and a setup of Netbird + Caddy to do what Cloudflare does (but without their redundancy and worldwide distribution of hardware of course) but self-hosted. Personally I’m very much against relying on a large corporation which doesn’t give a fuck about me as a customer for access to my stuff.
Oh… I like this. Anymore ideas and suggestions?
I’m unsure what you’re asking for? You could replace Netbird with any other WireGuard implementation and Caddy with any other reverse proxy. I just found those two to be very self hosting and FOSS friendly options.
As for what to use it for it allows me to run Jellyfin from home, while having Authentik be a forward authentication proxy in front of it so only people with an account can reach it while still allowing me to reach it from any device anywhere with Internet. It’s very nifty.
deleted by creator
I use and love zerotier. Just that using it on mobile is a bit of an effort with the VPN. Also, it doesn’t seem to support DNS like cloudflared does? Am I missing something in zerotier or is the only way you can access your servers is by IP address?
I setup AdGuard DNS on the network I host my services on and made Tailscale use it as a second DNS. This let’s me access services using domain names. I’m sure you can do something similar with zerotier but I’ve never used it.
Also, it doesn’t have to be AdGuard DNS. Any DNS will be fine.
https://tenekev.com/posts/internal-dns-for-your-tailscale-network/
You can always use regular DNS and simply point your domain’s records at hosts on your home’s local network and/or the mesh VPN addresses. I do that with Tailscale.
Never done that before. Interesting! Will try that out and see what happens.
Note that some SOHO router appliances block DNS responses with local addresses (“rebind protection”). You may have to explicitly allow-list your domain(s).
Nothing, go ahead.
Cloudflare has been controversial for dragging their feet when it was time to stop providing protection to nazi websites like The Daily Stormer, 8chan and Kiwi Farms. Also the Taliban, ISIS and so on More about this.
For this reason, a lot of fediverse servers do not use CloudFlare.
I dont use it, but video streaming is against their TOS. Other than that I just read good experience with them
Pretty sure that’s only if you use their proxy service on your domain. Regular, non-proxied, DNS should not have any restrictions like that.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CF CloudFlare DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
8 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #414 for this sub, first seen 9th Jan 2024, 07:05] [FAQ] [Full list] [Contact] [Source code]
deleted by creator
Eh. ISPs in the US are much the same.
This is disingenuous.
The full clause says…
You and your End Users (as such term is defined in the Privacy Policy) will retain all right, title and interest in and to any data, content, code, video, images or other materials of any type that you or your End Users transmit to or through the Services (collectively, “Customer Content”) in the form provided to Cloudflare. Subject to the terms of this Agreement, you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services.
So to paraphrase, you retain your interest, but assign sufficient rights to cloudflare for them to provide the service you’re using. For example, they can’t give you a CDN if you don’t give them the right to transmit your data.
deleted by creator
Surely you have to acknowledge that it’s disingenuous to copy the last sentence of the clause and omit the first sentence that says the exact opposite of the point you’re trying to make.
You’re reading “bad faith” into the vagaries of a terms & conditions document. T&Cs will never say “we will never monetise this data”, that’s just not how T&Cs work, and it’s naive to conclude that the absence of such a statement means that cloudflare intends to monetise the data.
If you look at cloudlfares strategy here, they want to be the sweetheart of everyone who knows what a VPN is in order that they will be selected by those people for corporate projects. Monetising the data that flows through their network is antithetical to that objective.
Additionally I would venture that the data doesn’t really have any value, it would be impossible to use it to build data about an individuals browsing or buying habits.
deleted by creator
The first part of the sentence you quoted says “subject to the terms of this agreement”. The most salient part of the agreement is the sentence you omitted.
Your claim was:
You’ll have to be fine with Cloudflare having any and all rights to the data transmitted through the tunnel, while you in return have none.
… and you omitted the sentence which describes the rights you have as the user, contradicting your assertion that users have none. If you don’t think that’s disingenuous then I don’t know what to tell you mate.
deleted by creator
Cloudflared is great.
