Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
I have never used it, so take this with a grain of salt, but last I read, with the free tier, you could not secure traffic between yourself and Cloudflare with your own certs which implies they can decrypt and read that traffic. What, if anything, they do with that capability I do not know. I just do not trust my hosted assets to be secured with certs/keys I do not control.
There are other things CF can do (bot detection, DDoS protection, etc), but if you just want to avoid exposing your home IP, a cheap VPS running Nginx can work the same way as a CF tunnel. Setup Wireguard on the VPS and have your backend servers in Nginx connect to your home assets via that. If the VPS is the "server" side of the WG tunnel, you don't have to open any local ports in your router at all. I've been doing that, originally with OpenVPN, since before CF tunnels were ever offered as a service.
Edit: You don't even need WG, really. If you setup a persistent SSH tunnel and forward / bind a port to your VPS, you can tunnel the traffic over that.
I'm using my own LetsEncrypt certs for TLS with cloudflare free. I too wonder how I'm the product in this scenario.
I always assumed it was a loss leader play: the more selfhost type people are using cloudflare at home, the more likely they are to recommend and implement it at work, on a paid tier.
Are you using their proxy or just DNS ?
If you have the little orange cloud (proxy) on your DNS entry, go to your public facing webpage and examine the cert. Chances are it's not what you think it is.
it is exactly what I think it is. you can use your own certs
Typically on their free accounts they use your cert for communication between them and you, and use cert they issue for communication between them and everyone else.
User -> CF cert -> CF -> your cert -> your server.
That's why I suggested examining the cert on your external facing page.
Regardless, one way or the other, they need to be able to decrypt your data in order to apply their services (WAF, etc).
Unless, again, you're just using DNS (grey cloud).