I love CF tunnels I use it to “expose” some internal services that are gated with google auth and other zero trust protections. I don’t have to worry about exposing ports or using a vpn.
I'm sorry, I don't get the point. Perhaps I'm missing something.
If I open a single port to my home server, then anybody can send any traffic to my server on that port. The attack surface is exactly the process running on my home server, listening on that port.
If I use the cloudflare tunnel, anybody using my web service connects to some cloudflare server which transparantly forwards, through the tunnel, everything to the process running at home. The attack surface is ... exactly the process running on my home server, receiving everything coming into the tunnel, effectively listening on the port opened on the cloudflare server.
Where is the difference? Any security issue in the process running on my server that can be exploited by sending traffic to it is attackable in either case.
Does cloudflare filter the traffic in any way? How does it know what's good and what's bad traffic?
The missing part of this recipe is to make it so that when your internet exposed app gets compromised the attacker doesn’t have easy access to your home network.
The big - really big - downside for me is the CF termsofservice which suggest that any data pushed through their service is perpetually licensed to them:
> 2. LICENSE GRANT TO CLOUDFLARE
> By submitting, posting, or publishing your content, suggestions, enhancement requests, recommendations, feedback, information, data, or comments (“Content”) to any Website or Online Service, you are granting Cloudflare a perpetual, irrevocable, worldwide, non-exclusive, royalty-free right and license (with the right to sublicense) to use, incorporate, exploit, display, perform, reproduce, distribute, and prepare derivative works of your Content.
I do this for my services at home, and added Zero Trust auth for some services. Also created a Python script that adds my compose containers automatically fo cloudflare/Zero Trust based on annotations.
I've been using this for years. There's even a kubernetes deployment to directly point your tunnel to your local kubetnetes network.
Cloudflare's free tier is very generous.
I've never experienced any issues with this solution.
I use CF tunnels all the time at work and for my side projects but I've always found the web ui for remotely managed tunnels a bit hard to use. I recently asked Claude to help me build a TUI so I can easily create and manage them:
16 comments
[ 2.7 ms ] story [ 44.4 ms ] threadhttps://aazar.me/posts/reincarnating-a-raspberry-pi
If I open a single port to my home server, then anybody can send any traffic to my server on that port. The attack surface is exactly the process running on my home server, listening on that port.
If I use the cloudflare tunnel, anybody using my web service connects to some cloudflare server which transparantly forwards, through the tunnel, everything to the process running at home. The attack surface is ... exactly the process running on my home server, receiving everything coming into the tunnel, effectively listening on the port opened on the cloudflare server.
Where is the difference? Any security issue in the process running on my server that can be exploited by sending traffic to it is attackable in either case.
Does cloudflare filter the traffic in any way? How does it know what's good and what's bad traffic?
> 2. LICENSE GRANT TO CLOUDFLARE
> By submitting, posting, or publishing your content, suggestions, enhancement requests, recommendations, feedback, information, data, or comments (“Content”) to any Website or Online Service, you are granting Cloudflare a perpetual, irrevocable, worldwide, non-exclusive, royalty-free right and license (with the right to sublicense) to use, incorporate, exploit, display, perform, reproduce, distribute, and prepare derivative works of your Content.
https://www.cloudflare.com/en-gb/website-terms/
I was worried about this and had to expose my Plex on the internet protected by oauth2-proxy.
https://github.com/justingosan/tunnelman
Just yesterday I added support for adding a traefik reverse proxy that has (just) basic auth (for now) for a little bit of added protection