[HN Gopher] Exposing a web service with Cloudflare Tunnel ___________________________________________________________________ Exposing a web service with Cloudflare Tunnel Author : geostyx Score : 307 points Date : 2022-02-08 13:15 UTC (9 hours ago) (HTM) web link (erisa.dev) (TXT) w3m dump (erisa.dev) | andrewnyr wrote: | Great write up here, helps supplement the docs perfectly. | mlangenberg wrote: | I'm using a Cloudflare tunnel to expose Home Assistant protected | by Google Auth and use it anywhere from my personal devices. | jck wrote: | Does the home assistant Android app allow you to login with | your public url? | aborsy wrote: | How does it compare with ZeroTier, Tailscale and Nebula? | Tajnymag wrote: | With Cloudflare Tunnel you don't need a VPN on the client. | anderspitman wrote: | You still need to run the cloudflared executable though. | Cloudflare Tunnel currently proxies everything over HTTP/2 | frames, but they've also started experimenting with QUIC[0]. | This means everything runs in userspace. Main advantage here | is it doesn't require admin privileges on the client and it | doesn't mess with your network configuration. | | If you use a VPN like OpenVPN or Tailscale (based on | WireGuard), it will require admin in order to configure the | network devices. The main advantage of WireGuard solutions is | it runs in the kernel and can potentially be much faster, or | at least more efficient. For tunneling often your upload | throughput and not performance is the bottleneck. | | [0]: https://blog.cloudflare.com/getting-cloudflare-tunnels- | to-co... | vngzs wrote: | Quick word of warning: I found it striking that even Cloudflare's | Teams product, which supports Tunnels as a feature, does not make | Tunnels private (e.g., by enforcing authentication, or | restricting who can reach an exposed tunnel to your organization) | by default. Anyone on the Internet with the Cloudflare Warp | client can reach a Tunnel configured with default settings, a | quirk that is not called out in their official documentation. | gajus wrote: | Debugging Cloudflare Tunnel is PITA. We are using it in | production, and have most random outages that leave us guessing | what triggered it. The errors are vague to say the least, and | there is not much in terms of existing community. Otherwise, it | is easy to setup and works great when it does. | chrisweekly wrote: | This looks pretty interesting to me. Self-hosting a webapp origin | server on hardware in my house, fronted by CloudFlare... hmm. | Food for thought. | jgalt212 wrote: | much cheaper than EC2 or Heroku. | warp wrote: | One of the limitations that wasn't immediately obvious to me is | that you're mapping a single domain with these tunnels. So you | cannot easily make *.example.com available via a cloudflare | tunnel. (and when I tried it it wasn't possible with ngrok | either, perhaps that changed) | | I ended up switching to a business connection with my ISP, so I | could get an extra fixed IPv4 address at my house and not need | any of these tunnels. Obviously that is not an option | everywhere. | caseysoftware wrote: | Yes, we made it easier a while back. Now you can map | customname.ngrok.io to your tunnel with a command line | switch. If you want to use a CNAME, it's a similar switch, a | dashboard entry, and an update to your DNS entries. I did it | on my own domain in a couple minutes, flushed the DNS | records, and had it routable in ~15 minutes. The full docs | are here: https://ngrok.com/docs#http-custom-domains | | Disclosure: I work at ngrok | cestith wrote: | The ingress example with multiple subdomains and a default | service seem to suggest one can host more than one subdomain. | It would require setting your tunnel DNS on the Cloudflare | side to point all of them to the tunnel. | stingraycharles wrote: | As a matter of fact, I have a 4-node kubernetes cluster running | at home which is exposed through a CloudFlare tunnel on the | internet. Works like a charm, and you don't have issues with | firewalls, NAT, and/or dynamic IPs. | cx0der wrote: | Yes, this is possible. I have exposed some tools hosted on | Raspberry Pi this way. | carride wrote: | Easy to expose ssh server too. Use the .ssh/config ProxyCommand | at the client. Cloudflare handles the authentication with the | default OTP emailed. | | They explain towards the end of this tutorial | https://developers.cloudflare.com/cloudflare-one/tutorials/s... | ErisaDev wrote: | Hi, I'm the author of the blog post being promoted here. | | This is really cool too!! I use Tunnels with SSH a ton. I was | considering making a follow-up post going through the SSH setup | too, but I felt it was a bit redundant considering that docs | page existed. My post was because of the lack of a clear guide | for a simple HTTP webserver. | carride wrote: | Your tutorial is already more thorough than others. Ideal to | help anyone get their HTTP site accessible to the public. | schemescape wrote: | Does anyone know if you can use a Cloudflare tunnel on a single | subdomain without using Cloudflare on everything else? | | It seemed like I had to run everything on the domain through | Cloudflare when I looked into this in the past. That might be | fine in the end, but I just wanted to try tunnels out first | without committing to anything else. | | Edit: thanks, everyone! This was just going to be a tiny web site | for hobby purposes at first. | carride wrote: | You can have cloudflare handle your DNS, though nothing more. | Each DNS record has an extra setting to Proxy. For the tunneled | CNAME the proxy must be turned on. For anything else to be pass | though traditional DNS then set the Proxy setting off. | | *edit: Learned here in this discussion that moving NS servers | to Cloudflare is not even required. I'll need to test that. | ejcx wrote: | (I work at Cloudflare). You can sign up just a subdomain | (sub.foo.xyz) as an enterprise customer and then add an NS | records from your DNS provider to Cloudflare for that | subdomain. | | Tunnels also has a testing domain you can use. It should give | you a subdomain like xxx-xxx-xxx.trycloudflare.com for basic | "How do I get this thing working" testing. | [deleted] | judge2020 wrote: | Unless you want to pay for the business plan with a CNAME | Setup[0], you do need to use their DNS offering, even if the | rest of your site's DNS records are 'unproxied'. If you just | want to try tunnels at all, with a non-descript hostname, | Tunnel gives out subdomains that end in trycloudflare.com[1]. | | If you're referring to the TOS issue that is often discussed | here, it depends on what that subdomain is, since Cloudflare | doesn't just want to be pushing binary data for free. If the | subdomain is some website that is primarily used in the | browser, CF will generally be fine leaving it up even if you | push TBs a day, but if it's just a file host CF has been known | to flag that for abuse and disable proxying for the domain[2]. | As for why they bother with a free plan with such cryptic | rules, their S1 explains it[3]. | | 0: https://support.cloudflare.com/hc/en- | us/articles/36002034883... | | 1: https://developers.cloudflare.com/cloudflare- | one/connections... | | 2: https://community.cloudflare.com/t/the-way-you-handle- | bandwi... | | 3: https://l.judge.sh/85EH | | (I am not a CF employee nor your lawyer) | watchdogtimer wrote: | Is it possible to run a mail server behind a Cloudflare tunnel? | Our ISP uses CGNAT, making it impossible to port forward. | ErisaDev wrote: | Hi, I'm the author of the blog post being promoted here. | | No, this is not possible. Cloudflare Tunnel focuses mainly on | HTTP traffic but also supports SSH, VNC and generic TCP only in | situations where the client also uses the cloudflared client to | proxy it back to their localhost. Hosting a mail server with | these restrictions is not possible I'm afraid. | napkin wrote: | If you have $3-5/month to spare on a VPS, a similar but self | hosted solution can be achieved- Tunnel/VPN and reverse proxy- | using Wireguard and Caddy. | | Caddy in particular is extremely easy to configure, with the | bonus that HTTPS/Lets Encrypt has never been free'er. Wireguard | configuration is also gloriously minimal but admittedly, | potentially tricky to get right the first time. | | It's just good to consider alternatives to Cloudfare's network | dominance, if you can afford it. | LoveGracePeace wrote: | Similar, I use a cheap AWS Lightsail VPS $3.50 (Lightsail has | DDOS protection)-> Wireguard -> Apache Reverse Proxy mod -> my | local services. | aborsy wrote: | Why not having clients and local services meet on a Wireguard | concentrator on VPs? Thus no need for Apache reverse proxy. | | Problem is, 3.5$/month has only 500MB RAM which is very | little to run Apache + other services. | LoveGracePeace wrote: | There's lots of ways to work it. I prefer retaining control | over the service plane for ultimate flexibility and so I | can easily switch public access point (the VPS) if needed. | This also reduces the need for more powerful cloud | hardware, more cloud costs, etc. On Apache, I've run Apache | for decades for static web, reverse proxy, etc., I have no | plans to change that. | gtsteve wrote: | I recently used the same Cloudflare Tunnel project to put an | internal hosted service behind Cloudflare access. | | I chose this over Wireguard because it integrates with our SSO | system and users don't have to configure a firewall client. In | fact, most users don't know we even did anything special to | secure the service. | | Secondly, I can set up wireguard, but then I would be | responsible for maintenance, keeping the instance up and | patched etc. You may save money by using Wireguard, but you pay | for it in time, which is the only thing you cannot buy. | podge wrote: | Yep, I've done this with nginx and SSH tunnels, it works well. | LibertyBeta wrote: | Do you have any guides on the same level as simplicity as this | one? It seems while we always bring up wireguard, its a big | topic with few good places to get hand hold on. | Spivak wrote: | I can't share the code since it's internal but here's the | broad strokes. | | * Start with a "gateway" managing your WireGuard "PKI". | Basically a group of Wireguard servers with an API that have | synced configs. /proxies - Your frontend | servers. /endpoints - Your backend servers. | /gateways - WireGuard servers that your frontend and backend | can reach. | | * Gateway authenticates your proxies and endpoints and they | both hit a /config endpoint to pull something that can be | shoved into wg-quick. AllowedIPs restricts what the proxy is | allowed to reach. | | * Proxies handle user-auth like any web service and then act | as a reverse proxy to the endpoints using the Wireguard | internal address. | | Nothing at all fancy except that in a normal deployment your | frontend and backend would be live in the same datacenter and | so you don't need any WireGuard BS. | | This provides a model where our devs can hit a public | endpoint that reverse proxies to their laptops. | amiga-workbench wrote: | I've just done the same thing at work. I've got a little Dell | Optiplex running bookstack here, and a AWS Graviton2 box | running a wireguard server and reverse proxying web traffic | over it. | sickill wrote: | Upvoted you for your username :) | xfer wrote: | ipv4 costs will keep increasing, so if you want cheap vpses | ipv6 will be the only option and this will allow you to use | cloudflare network to serve the v4 users. | sascha_sl wrote: | The real beauty of cloudflared is that you can just throw it | into a sidecar for your k8s pod / docker-compose container set | and configure the entire thing in one place. | sickill wrote: | That's a good point, sounds convenient. | ziml77 wrote: | I just started using Cloudflare Tunnel this weekend to expose a | service hosted at home. I love that I don't have to open any | ports up, that my home IP isn't exposed, and that I don't need to | worry about maintaining my own reverse proxy to host multiple | sites on the standard ports. | | I know there's other ways to do this, but Tunnel made it | extremely easy. | throw14082020 wrote: | I've just spent a few hours trying to use Cloudflare Tunnels to | connect to my machine through SSH after reading this post. | Unfortunately, I then found that SSH keys are not supported: | https://github.com/cloudflare/cloudflared/issues/319 so I cannot | disable Password authentication. | carride wrote: | Yes, I use SSH keys, not password authentication, as well as | PAM 2FA which is my normal SSH configuration. So the traffic is | e2ee from my client to my server. Perhaps that issue refers to | using personal SSH keys instead of the ~/.cloudflared/cert.pem | which is used to encrypt the tunnel | mdoms wrote: | I'm a little confused about hostname routing. You set up a config | file with hostname values like either of the two below: | ingress: - hostname: myapp1.examples.com | service: http://localhost:8080 - hostname: | myapp2.example.com service: http://localhost:8081 | - service: http_status:404 ingress: - service: | http://localhost:80 | | Then later you explicitly route to a subdomain for the simple | case (the second one above): $ cloudflared tunnel | route dns mytunnel test.example.com | | Now you're on a subdomain, how would I handle this routing case | for the more complex case from above? | ErisaDev wrote: | Hi, I'm the author of the blog post being promoted here. | | The `clouflared tunnel route dns` command creates thee DNS | record mapping the tunnel to the domain. The tunnels config | maps the hostname to the local service, and you can have | multiple of those for each service. So for the example above, | you would create a DNS record for each domain pointing to the | same one tunnel, and that tunnel will route based on the | ingress rules. | e12e wrote: | Nice little write-up. Appreciate the hints on setting up a | systemd service. That said, with the service being a system | service, I'd probably prefer moving the credentials file: | | > credentials-file: /home/ubuntu/.cloudflared/ed5bfe1 (...) | | To either /root, or (more likely) /etc/cloudflared/ and making it | readable to root, or a system user especially for cloudflared. | | I like to think that my services will run regardless of the state | of my /home filesystem. | willejs wrote: | You can also put authentication in front of cloudflare argo | tunnels, so you can securely expose internally hosted | applications to the internet. A zero trust or BeyondCorp model is | usally way easier than VPNs etc. It is a really nice alternative | to hosting Buzzfeed SSO or Pomerium too. | allisdust wrote: | One place where this would shine is running compute intensive | tasks (especially the ones that involve GPU) that are usually | queued. Instead of throwing too much money to the cloud | providers, setup this tunnel on your unused/even new machine and | throw tasks at it. | jck wrote: | I've been running caddy (with the cloudflare addon) to serve | local services on a https url. | | I then set my local dns(Adguard home) to redirect my url to it's | lan url. Additionally, I run cloudflare tunnel to expose these | services on the internet. | | This allows me to use the url for internal services both at home | or through the internet while having proper auth through | cloudflare access when accessed over the internet. It was been | working great for me so far | qxmat wrote: | This appears to be similar to Azure AD Application Proxy. If it | is they're one step ahead of MS because their App Proxy Connector | clobbers MSAL auth tokens and they can't be bothered to fix the | issue a year later. | maxcan wrote: | Some issues (and solutions) that I ran into: | https://www.maxcantor.com/blog/2021-10-15-ngrok-to-cloudflar... | piaste wrote: | It's not obvious to me from the blogpost where TLS termination | happens in this scenario. | | I would want it to happen on my local machine, so that (a) | Cloudflare can't read my plaintext traffic, and (b) I can manage | subdomain certificates more easily via Caddy. | | Is that possible with the cheapo free tunnels or does Cloudflare | want to handle the domain and TLS certificates, too? | anderspitman wrote: | Cloudflare Tunnel doesn't offer an end-to-end encryption | option. If this is a must for you, either my own boringproxy or | remotemoe[0] both offer this. I'm sure at least a couple others | on the list[1] do as well but you'd have to check them | individually. If you find any that do please consider opening | an issue so I can add that information to the list. | | [0]: https://github.com/fasmide/remotemoe | | [1]: https://github.com/anderspitman/awesome-tunneling | pedrogpimenta wrote: | You can do both or even no TLS if you want. It's easy to choose | so on the domain preferences (it's only per domain, AFAIK) | judge2020 wrote: | All this changes is how CF connects to the server. Like the | rest of CF, outside of using Spectrum Enterprise (which enables | TCP 443 tunneling), CF removes TLS at their servers and | inspects the traffic so all of its caching/firewall/etc | features can be applied. It does add it back when talking to a | tunnel, so it's non plaintext on the wire. | piaste wrote: | Thank you. Yes, I assumed that the tunnel was encrypted, but | I was interested in using Cloudflare only as an _untrusted_ | reverse proxy / bastion server in front of my personal | homeserver, no traffic inspection or caching or anything | else. | | Your comment and u/pedrogpimenta's give very different | answers, I guess I'll need to verify for myself. | stavros wrote: | I do this for our services, it works great and we can easily put | SSO in front of them with CF Access. I publish a Docker container | that you can use as a sidecar for your Compose deployments: | | https://gitlab.com/stavros/docker-cloudflared | | I use this with Harbormaster | (https://gitlab.com/stavros/harbormaster) so I can expose | containerized stuff without ever forwarding any ports outside of | Docker. | ErisaDev wrote: | Hi, I'm the author of the blog post being promoted here. | | I maintain my own Docker image too for personal use | (https://github.com/Erisa/cloudflared-docker) but I've never | ran into a situation where needing everything as an environment | variable was required or even desired. I really love the idea | of that though, and I love that image! | stavros wrote: | Yeah, I did it that way because Harbormaster promotes | configuration being passed as env vars, so I needed the image | to support that. That way, you can deploy cloudflared to a | server without touching it beforehand, just by adding the | vars to the repo that describes what you want deployed. | skrebbel wrote: | A word of warning wrt hard-relying your service on Cloudflare. | They have hidden undocumented limits. When we hit those, they | dropped ~10% of our traffic without warning and they did not | respond to our support requests with anything other than | platitudes, despite us being on their business plan. After | ghosting us for 2 weeks they tried to upsell us to the Enterprise | plan for more leeway on said undocumented limits (all the while | not providing any insights as to what limits we were hitting, nor | how). | | I don't think they were malicious, I suspect growing pains, but | it very much didn't match their stellar reputation. | | After that experience we made sure not to rely on them for | anything that we couldn't instantly turn off or switch away from. | I'd run a blog behind cloudflare without worries but not sure | anymore about nontrivial high-traffic applications. | jgrahamc wrote: | The sounds weird. Please email me (jgc@cloudflare) and tell me | what happened. | stavros wrote: | I come to HN for the articles, but I stay for the customer | support. | davewritescode wrote: | I use this to expose services running in Kubernetes clusters and | have Cloudflare tunnel pointing at my Kube gateways. | | It makes a ton of things like cluster failover much simpler than | they otherwise would be. | stingraycharles wrote: | Yup, and you can even have multiple tunnels that are load | balanced, so that you don't even have to fail over. | | We have a single API service which is exposed to the internet, | and put the CloudFlare tunnel as a sidecar inside the same | pods. This way, it's actually CloudFlare which handles the load | balancing, which is surprisingly effective. | blinkingled wrote: | Could you elaborate on the setup a bit - for cluster fail over | do you mean that since cloudflare is your frontend ingress you | can easily point it to another cluster or is there more to it? | ErisaDev wrote: | Not the person replying to (but I am the author of the blog | post being promoted here) | | I believe they _may_ be referring to the feature of being | able to run a single "tunnel" on multiple hosts, using the | same credentials and ID. When you do this, not only will | Cloudflare automatically serve from the geographically | nearest server if it can, but when one client goes offline | (When the tunnel is disconnected, not application error | sadly) it will automatically ignore that connection and serve | from the others, providing some basic degree of failover with | no extra payment or much configuration. | | I believe you can also easily integrate Tunnels with the paid | CF Load Balancer: | https://developers.cloudflare.com/cloudflare- | one/connections... | davewritescode wrote: | We integrate the tunnels with CFs load balancer service which | basically lets us route traffic to one or more kubernetes | clusters. Right now it's just for failover where we can | repoint a zone from one cluster to another but we're also | looking to route traffic geographically. | | One of the great things about cloudflare tunnels is that even | without load balancer we can send requests to multiple | clusters if we want to. | | Makes it really easy to replicate stateless services like | ingress gateways. | EGreg wrote: | How does this compare to ngrok and can we combine them to host | sites from our own servers behind a dynamic IP given by our ISP? | Could be great for developers showing off their sites for | instance. | lappet wrote: | A little off topic, but does anyone know the best way to run | software on an unused Android phone? For some reason this seems | harder than it used to be. My goal is to run Home assistant on | it, and I am struggling with issues on Termux right now. There | must be a better way. | anderspitman wrote: | Good luck, it's a hot mess. I spent considerable time last year | porting boringproxy to run on Android. There are countless | hoops to jump through for running server software, including: | | * You have to run it as a foreground service so the user knows | it's running. Not a problem in theory but annoying to | implement. | | * DNS name resolution doesn't work by default (with Golang at | least) because android doesn't use resolve.conf. I solved this | by setting DNS servers manually to 1.1.1.1, 8.8.8.8, etc. | | * You have to do weird hacks in order to run native | applications such as Golang programs. | | * Android has endless optimizations for battery life that are | trying to shut down/throttle your program. One example I would | see huge performance differences as soon as I turned the screen | off. | | Overall I consider Android to be a very hostile environment for | native applications, and networked apps in particular. iOS is | even worse from what I can tell. We need a mobile OS that | respects the user's control over their device. I'm fine with | sane defaults, but it should be easy to switch them off. I'm | hopeful for the Pinephone, but we have a long way to go. | lappet wrote: | sigh, thanks for the response. I think I may move onto | RaspberryPi instead. Boringproxy looks like an interesting | tool. | anderspitman wrote: | Honestly for technical users the RPi should be preferred | IMO. The reason I want to get Android working is to bring | self-hosting to the masses. Turning an old Android phone | into a personal cloud by installing a couple apps and | putting it in a corner would be huge. | | Android is such a pain we might have to settle for shipping | custom SD cards for RPi's though. | lappet wrote: | > an old Android phone into a personal cloud by | installing a couple apps and putting it in a corner would | be huge. | | That's not a bad idea. It does seem like things have to | be absolutely app driven. I wonder how backups would work | with that? Multiple phones? | anderspitman wrote: | The ideal thing would be if you have multiple phones and | can store one offsite at a friend's house. But that | requires more complicated software and assumes people | have multiple old Android phones laying around. I think | more likely you'd pay a cloud service to handle backups | for you. You just need to provide them with a read-only | key then they can access the same way you do. | SkeuomorphicBee wrote: | There is no mention of prices on that page, does anyone know how | much it costs? Is it included on their free tier, or it is a | "free" added service for customers who already pay for other | services? If so, I'm curious what would be the cost of the | minimum package to get this working. | ErisaDev wrote: | Hi, I'm the author of the blog post being promoted here. | | As noted by other commenters, Cloudflare Tunnel is completely | free forever and does not cost anything. This was not always | the case in the past where it was previously tied with the Argo | Smart Routing product that cost money. The announcement of it | becoming free is here: https://blog.cloudflare.com/tunnel-for- | everyone/ | | I didn't mention price in the post because it was free, however | from the comments I am thinking perhaps that is an important | point to make. I wiill keep this in mind if I make similar | posts in the future :) | judge2020 wrote: | Available on the free plan at no extra charge | https://blog.cloudflare.com/tunnel-for-everyone/ | [deleted] | twox2 wrote: | My go to is ngrok. | anderspitman wrote: | I maintain a list[0] of solutions to this problem. Cloudflare | Tunnel is what I currently recommend to most people. IMO it's the | easiest way to expose services publicly on the internet. For | example a website or shared Plex server. | | Main downsides to Cloudflare Tunnel are no e2ee (Cloudflare | decrypts all your traffic) and technically anything other than | basic HTML websites (ie media streaming) is against their free | ToS, though I haven't heard of that being enforced in practice. | | If you're the only one ever using your services then I'd | recommend Tailscale instead, which sets up a VPN using WireGuard | along with slick auto p2p setup (NAT traversal, relays, etc). | | [0]: https://github.com/anderspitman/awesome-tunneling | judge2020 wrote: | > though I haven't heard of that being enforced in practice. | | It happened here[0], and the reasoning for why they allow some | free tier content is in their S-1[1]. Typically, even if you | blatant file sharing or video streaming application in | violation of 2.8, Cloudflare doesn't necessarily care as long | as it's not too bandwidth intensive (eg. I wouldn't recommend | having a dozen people streaming Plex from the outside | internet). | | 0: https://community.cloudflare.com/t/the-way-you-handle- | bandwi... | | 1: https://l.judge.sh/85EH | anderspitman wrote: | Thanks for this. The thread is confusing because the user is | quite upset and hostile and didn't seem to understand | Cloudflare very well, but in the end this does indeed seem | like a case of the site being shut down due to non-HTML ToS | violation. | ErisaDev wrote: | Hi, I'm the author of the blog post being promoted here. | | I love that list! I also use Tailscale for a lot of my personal | private services as well as Cloudflare Tunnel, I think they're | both really great :) | | The concern about Cloudflare decrypting the traffic is valid, I | just personally feel for a lot of public websites that's often | fine especially if the hoster might have been using Cloudflare | already anyway. If an individual doesn't want to use Cloudflare | for their setup then that's fine and there are lots of cool | pieces of tech they can consider! | joelbondurant1 wrote: | phw wrote: | Consider adding Tor onion services to that list. The idea is | that you run a Tor daemon that starts an onion service which | can expose any TCP-based service. Communication is facilitated | via another node, which makes it possible to host onion | services behind NAT. | freediver wrote: | This still feels too cumbersome even for a technical person. | | An "easy" solution would be something that gets your local | content online in one click or less. | anderspitman wrote: | In my biased opinion, the "easiest" solution currently is my | own boringproxy, which I mention at the top of the list. Once | you have the client daemon running on each of your devices | (static executable with minimal CLI params and no config | file), adding and removing tunnels is just a few clicks in | the web UI. | | It also has basic e2ee. The TLS certs never leave the client | devices by default. | | Even so I agree with you that this is still too much. I think | a non-technical person should be able to write some content, | go through a quick OAuth2 flow to point a domain name at that | content, and have it just work. I'm currently working on | building something more like that. | freediver wrote: | If I wanted my grandma to host a folder from her Mac so I | can access it from the web, what solution feels best? | anderspitman wrote: | What's the goal? Does your grandma want to start a blog | and you're talking about hosting the HTML from that | folder, or do you want to be able to access the folder to | read/write files, or something else? | freediver wrote: | The goal is to host a html page and/or share a file. | anderspitman wrote: | I think our thread got too deep and it won't let me | reply. Feel free to contact me directly through | https://apitman.com or post on https://forum.indiebits.io | if you want to talk more. | | But to answer your question, you'll need to run a CLI | daemon on your grandma's computer. Something like ngrok | static files would probably be the easiest: | | https://ngrok.com/docs#http-file-urls | | But since you're already setting up one daemon in that | case, I'd use Cloudflare Tunnel and also run a basic | webserver or WebDAV server alongside it to give you more | control over how the files are hosted. | | Also pretty sure you have to pay for custom domains with | ngrok. | anderspitman wrote: | I'm not aware of a good solution to this currently, but | it's a space I'm very interested in. The main problem is | that the devices most people use these days (phones and | laptops) are constantly being connected and disconnected | from networks. So even if you solve the software problem | and make a nice GUI program for your grandma to use which | automatically handles TLS certs and tunneling, if she | closes her laptop her blog goes down. | | I think the way to do this may be to ship services as | Android apps. Imagine something like self-hosted Google | Drive that you install as an app on an old Android phone. | After install you go through a quick OAuth2 flow to | connect it to a subdomain and open a tunnel, and now you | have 64-128GB of e2ee cloud storage. Just plug the phone | in and leave it in a corner. | | This concept can be applied to Nextcloud, Jellyfin, Plex, | your grandma's blog, etc. | freediver wrote: | If persistence is not key, what is the easiest way to do | this? Like if I am on a phone with grandma and want to | see a local HTML page from her Mac, what do my simplest | instructions for her look like? | ohyeshedid wrote: | Out of curiosity, what kind of content are you looking | for in that HTML doc? | eli wrote: | iCloud Drive has file sharing built right into the OS | babagabooj wrote: | ghostly_s wrote: | This isn't required for a shared Plex server, they proxy | external connections via their servers automatically. | anderspitman wrote: | Good to know, thanks. I used Plex as an example since more | people know what it is, but in practice I would use Jellyfin | for media streaming, since it's open source and doesn't use | dark patterns. But you also need to manage tunneling | yourself... | zachlatta wrote: | They limit the bitrate to 4mbps through their relay servers | though, which prevents HD streaming. | kordlessagain wrote: | I would rather use ngrok for these things: https://ngrok.com/ | | The reason why is because Alan is awesome. | inconshreveable wrote: | Thanks Kord! Founder of ngrok here, just a quick note of | correction for others in this thread: ngrok is absolutely | intended for production use cases. There are many customers | both hobbyist and enterprise running thousands of production | workloads over ngrok's service (including ourselves! we dogfood | ngrok for our ingress). We're excited to be sharing more about | that with the HN community really soon. | anderspitman wrote: | As much as it pains me to say it, Cloudflare seems well | positioned to eat ngrok's lunch. AFAIK they offer everything | ngrok does plus auto TLS certs, CDN, domain name | registration, and tons of other features. They also have way | more edge servers for terminating tunnels close to the origin | devices. And they can afford to do all this for free as a | loss leader product. It's the AWS bundling effect. Oh and the | client source code is available. | | I don't want to see Cloudflare completely take over this | space, but Cloudflare Tunnel is tough to compete with. | | One knob ngrok could still turn is adding auto TLS certs | which are managed on the client side. Then you can offer e2ee | which is something Cloudflare will probably never do. | TIPSIO wrote: | Mind elaborating the service trade-offs? | deweller wrote: | ngrok is easy to use. Is there any advantage of using | Cloudflare Tunnel over ngrok? | cyberpip wrote: | Cloudflare tunnels also create multiple connections to | Cloudflare for increased reliability. See | https://blog.cloudflare.com/argo-tunnels-that-live-forever/ | andrewnyr wrote: | ngrok is meant for temporary quick test environments, | Cloudflare Tunnel is more of a long-term solution. Although | there is https://try.cloudflare.com/ which is designed to be | just as quick and easier as ngrok. | mugsie wrote: | out of interest - why? They seem to be targeted at different | use cases - ngrok for dev work (looking at pricing and the | limits on the free tier), and argo tunnels for permanent | services | [deleted] | pedrogpimenta wrote: | why? | wink wrote: | > No port forward headache, no complex configuration. | | That's on page 10 of 12 on the print preview... It has another | service running though, I find that adds a lot of complexity to | the setup, but as usual, this has pros and cons. | | Don't get me wrong, it's a good tutorial but I'm not sure I find | port forwarding more complex - but I would argue that that | strengths of this setup are different. | qeternity wrote: | > But what if you could host a web service with no ports exposed? | Well, you can! Cloudflare Tunnel makes a persistent outbound | connection (a tunnel!) between your server and Cloudflare's | nearest datacenter. All the traffic to your domain flows through | this outgoing tunnel and connects to your server through the | protection of Cloudflare. This also has the benefit of being | seamlessly encrypted, so you don't have to worry about a thing | when it comes to the security of your web service. | | Well, a port is exposed, it's just exposed on Cloudflare's | reverse proxies. And I think this is probably a dramatic | overstatement of the security that Cloudflare provides... | [deleted] | h4waii wrote: | No no, it's _encrypted_ so you can just completely ignore the | security of your web service. | | * Broken auth? Doesn't matter, encrypted. | | * IDOR? Encryption takes care of it! | | * Blind SQL or something from the 90s? | EEENNNNCCCRRYYPPPTTIIOOONN! | sascha_sl wrote: | To be fair, this feature is part of Cloudflare's ZeroTrust | offering, so you're meant to put a policy in front of it and | forget it. This is great for getting extremely old legacy | services that previously relied on VPN network trust onto an | actual SSO provider instead. | johnhenry wrote: | > ... you can just completely ignore the security of your web | service | | Be weary of such absolute statements -- especially when it | comes to security. | gmadsen wrote: | you are replying to a sarcastic comment that agrees with | you.. | diarrhea wrote: | They probably use military-grade hashes too. So you know it | is very secure indeed. | judge2020 wrote: | The point is that it's connected via NAT, so you don't have to | worry about port scanners hitting your origin IP and seeing any | info about your web server (potentially exposing it to DDOS), | and it's overall easier when you don't have to touch your | inbound firewall. | qeternity wrote: | I understand that. That doesn't mean you don't have to worry | about security. | | Most stacks would crumble under a relatively small L7 ddos | that Cloudflare would not likely mitigate. | lowwave wrote: | well a decent hosting provider such as hetzner provide that | service to all their customers. | https://www.hetzner.com/unternehmen/ddos-schutz | | Being using them for many years, way better and cheaper | than AWS. | janto wrote: | https://www.cloudflare.com/learning/ddos/glossary/web- | applic... | qeternity wrote: | We are die hard Cloudflare customers, I am speaking from | experience. They are phenomenal, but they aren't magic. | ylk wrote: | https://www.cloudflare.com/plans/#overview | | The WAF is $20/month and as far as I know you don't get | it automatically for free by using Cloudflare Tunnel, | though feel free to correct me. There was the case of | them enabling mitigations for the log4j vulnerabilities | for anyone on Cloudflare, but that was an exception. | brightball wrote: | Could an origin server run a port scanner through the tunnel | and hide the origin of the scan? | rank0 wrote: | Well sure the scan would appear to come from cloudflare. | But it'd be pretty easy for cloudflare to then identify the | tunnel user as the source of the scans. | rank0 wrote: | Well their WAF and dos protection are pretty nice. | | An easy secure setup would be to spin up a guest VM and isolate | it in its own subnet. | | Disable routing between your guest and the rest of your lan and | you can sleep easy at night so long as your app doesn't serve | any crazy dynamic content. | superkuh wrote: | "Walking around covered in body armor and allowing the | military to drive me to work in a tank" is nice protection | but it's also very restrictive. I don't think the argument | against this is so much that Cloudflare doesn't provide nice | features as that those features are entirely unneeded for | 99.99% of people hosting from home. The downsides of heavy | protection are vastly increased complexity and dependence on | a non-'dumb pipe' non-ISP corporation which kind of defeats | the point of hosting from home. | | You really can just host your webserver from home network and | forward the port using your consumer grade router and | consumer home connection most of the time and nothing bad | happens. But this kind of tunneling would be great for when | you have a bad ISP that blocks port 80 instead of just saying | servers aren't allowed. | rank0 wrote: | Lmao your response made me chuckle. You're entirely right! | Probably nothing bad will happen. Especially if you | partition your network like I mentioned in my OP. | | I would get worried about somehow enabling access to | defects in my router by opening some inbound ports. I | realize that's a little paranoid...but recently I have been | playing around with https://github.com/threat9/routersploit | and routinely find defects in consumer routers. | | Here's my other beef with cloudflare: Once I gotta pay | 200+/mo for their security services or whatever, I could | just rent out a private rack in a colocation and throw some | old beefy lga-2011 xeon hosts. Now I don't need anything on | my LAN exposed and I have dedicated IPs, physical security, | and backup generators...etc. | Karrot_Kream wrote: | > Here's my other beef with cloudflare: Once I gotta pay | 200+/mo for their security services or whatever, I could | just rent out a private rack in a colocation and throw | some old beefy lga-2011 xeon hosts. Now I don't need | anything on my LAN exposed and I have dedicated IPs, | physical security, and backup generators...etc. | | Yeah but now you need to source the hardware for the | rack, make sure it stays up and there's no hardware | failures, etc, etc. Even simpler is to grab a Linode | dedicated box which comes with v4 and v6 IPs and you get | all the benefits for only $30 / mo instead. | username_my1 wrote: | and the fact that all your data will flow through cloudflare | and they decide how to use it. | amluto wrote: | If only there was a straightforward way to manage the credentials | used by cloudflared for tunnels, bind them to specific websites, | and revoke them. | | In principle, there is no reason at all to use TLS inside the | tunnel -- the tunnel itself is authenticated and encrypted. | Unfortunately, cloudflare tunnels feel a bit like a cute 20% | project that was never quite finished and is barely integrated | with the rest of cloudflare's offering. | | Hey jgc et all, if you're reading this, maybe the cloudflare | console UI could have a pane for managing tunnels. And the pane | for managing website origin servers could let you choose between | the traditional cloudflare-initiated connection and a tunnel, and | the tunnel mode could give some controls for how the origin | server is protected, whether connections load balance across | multiple tunnels, etc. And maybe even really open-source the | tunnel client for real, because it would be quite nice to have | the actual origin server connect via a plugin instead of a | separate daemon. | | In other words, the hard part of this offering is done. Do the | boring bits so it can be even better than the primary offering. | jgrahamc wrote: | Feel free to email me jgc@cloudflare with complaints, ideas, | etc. | | The team that works on Tunnel just pinged me with the internal | ticket where they are working on the management UI you are | looking for. So... soon! | amluto wrote: | Will do! | reilly3000 wrote: | I just set up a Cloudflare Tunnel this weekend to my homelab. I | was able to connect it up with a container within minutes. I also | was able to set up their zero trust offering and had route based | RBAC against two domains w/ Google OAuth2 login. I have my | reservations about CloudFlare with regard to centralizing the | web, but this tunnel is fantastic and saved me quite a bit of | trouble with messing with my RouterOs config and nginx. | api wrote: | > I have my reservations about CloudFlare with regard to | centralizing the web, but this tunnel is fantastic | | Superior UI/UX offered by centralized systems is why everything | is being centralized. | | People will trade everything including privacy and security for | ease of use. The market has shown this time and time again. | anderspitman wrote: | Not to mention Cloudflare Tunnel is a loss leader. Basically | any new entrant has to either get funding or justify charging | money for tunnel traffic. | | Cloudflare Tunnel has gotten good enough there aren't a lot | of ways to be better left. A couple would be offering e2ee | and a less stringent ToS (technically anything other than | normal HTML websites is not permitted, though I'm not aware | of this ever being enforced, yet). | NicoJuicy wrote: | Cloudflare already has the bandwidth. I suppose tunnel | doesn't cost much ( or even anything) compared to the rest | since they pay for the size of the pipe. | | When someone uses the tunnel, they never have to go outside | of cloudflare. Since the traffic ( i suspect) would stay | very local. | | Perhaps it could be even cheaper in the end for them. | anderspitman wrote: | Good point, but they do still have to pay development | costs for Cloudflare Tunnel. | NicoJuicy wrote: | That's why i explicitly mentioned the cost of the | bandwidth. | | I wasn't talking about the development/maintenance. | hombre_fatal wrote: | Getting ddosed by a $5 botnet, which gets cheaper every day, | tends to change people's minds about Cloudflare. | | Your users don't really care about decentralized utopia when | your service doesn't work. | api wrote: | The only decentralization that's going to work is actual | decentralization where there's not really anything to DDOS, | or rather the entire system is itself a botnet. | moontear wrote: | Help me understand what you mean: my service ok particular | wouldn't be ddosed because nobody cares. | | I guess bots are hitting CF IPs at large and therefore | services might be disrupted? | sascha_sl wrote: | It's unfortunate the only mature open source alternative[1] | went on a path to seriously expensive subscriptions, 5x of a | tailscale personal subscription. | | [1]: https://inlets.dev/ | anderspitman wrote: | There are lots of other open source options[0]. Whether you | would consider any mature is a bit more subjective. | | [0]: https://github.com/anderspitman/awesome-tunneling | sascha_sl wrote: | I did go through this list a few months ago and found most | options lacking. But Cloudflare tunnel was still bound to | having an Argo subscription back then. (To be fair, their | pricing page is still very confusing on this) | anderspitman wrote: | If you wouldn't mind opening an issue (or posting on | forum.indiebits.io) and sharing anything you learned | that's not already in the list it would be very helpful. | I don't have time to try them all in depth. | blaise-pabon wrote: | Ummm... you haven't used Inlets, have you? But seriously, | folks who use Inlets have typically tried a bunch of the | obvious solutions and end up there when all else has failed | them. | | First of all, it's not "a" tunnel. It's however many you | need to access the applications on your private network... | which could be your laptop. It's not for everyone, but if | you're running lots of apps on, say, your laptop and you | want to have TLS everywhere, none of the comparably priced | options come close. | sbaildon wrote: | Another one for the alternatives list is Kilo[1] | | It's a wireguard based kubernetes network overlay. I use it to | access private services in my homelab cluster from my laptop, | phone, etc. | | [1] https://kilo.squat.ai | bob1029 wrote: | I am keeping an eye on this offering. In a B2B setting, this is a | compelling way to expose certain sensitive services to the public | web without forcing our customers to make complex/problematic | firewall changes. Not everyone is sitting on a fat stack of | public IPv4s they can just point at their infra. Many of the | businesses we work with can't even accurately describe their own | technology circumstances. | | Reducing the conversation to "Can that server ping google?" would | make my life 1000% easier. | [deleted] | zackbloom wrote: | Cloudflare Tunnel will spin up a free tunnel for you even without | a Cloudflare account. If you run `brew install | cloudflare/cloudflare/cloudflared` and then `cloudflared tunnel | --url http://localhost:8080` you will get a URL you can use to | reach that local port from the Internet. | | I use it to share in-progress work with co-workers, test | webhooks, etc. | | Edit: fixed command thanks to comment below :) | hoherd wrote: | Nice alternative to ngrok! I didn't realize this was possible | without a cloudflare account. | | FWIW the brew install command is `brew install | cloudflare/cloudflare/cloudflared` (via | https://developers.cloudflare.com/cloudflare- | one/connections...) | fossuser wrote: | This is great, I've always found information about how to do this | kind of thing to be pretty confusing and not well described. | Thanks for adding some more helpful material to the web. | | I wrote up a guide [0] for using Nginx on a standard digital | ocean droplet, but had I known about cloudflared at the time I | think I would have tried that (tailscale was also something I | thought about). | | There was another recent article about cloudflared I remember | seeing (maybe not on HN?), there's not very much good stuff like | this about self-hosting. A lot people online just say "use X" | without explaining anything helpful. | | [0]: https://zalberico.com/essay/2020/06/06/urbit-on-the- | cloud.ht... | ErisaDev wrote: | Hi, I'm the author of the blog post being promoted here. | | Thank you for your kind words! | | > I've always found information about how to do this kind of | thing to be pretty confusing and not well described. | | This is the main reason I made this post, there is a lot of | documentation but most of it is quite dense and doesn't walk | through a simple use-case. When I've recommended Tunnel to my | friends I usually have to baby them through the process because | of the lack of clear information. This post was made so I have | something to point to when I recommend people to use Tunnel for | their-usecase. I didn't expect it to blow up this much! | fossuser wrote: | Thanks! Yeah it's great - this kind of thing is super helpful | and will be helping random people searching the web for years | to come :) ___________________________________________________________________ (page generated 2022-02-08 23:01 UTC)