I exposed my Homelab through Cloudflare Tunnels (opens in new tab)

(ebourgess.dev)

9 pointsebourgess2mo ago8 comments

8 comments

> The classic approach [Internet -> Router -> Server] is a recipe for disaster

I never really get that. If my router gets updates and the only thing I do to it is forward one port to the server, I don't really see how wrong it can go?

The Cloudflare tunnel doesn't change the fact that there is a server exposed to the Internet. And adding a reverse proxy in front of the server does not necessarily make it more secure, does it?

I mean, if I cannot update my router and open a single port properly, should I trust myself to setup a reverse proxy?

grim_io2mo ago

I also expose some of my homelab through the cloudflare tunnel.

Every IP, except a choice few, are banned before any request reaches my router.

I don't need to worry about filtering using my limited bandwidth and resources, cloudflare firewall does it for me.

palata2mo ago

> I don't need to worry about filtering using my limited bandwidth and resources

But your router is exposed to the Internet anyway, isn't it? Even if you keep all ports closed, random IPs on the Internet can send packages to your router.

1 more reply

ebourgessOP2mo ago

My main issue is that I didn't want to expose the ports to the internet. The only port now exposed on my server is the SSH port only. Everything else is just handled through the connection between the cloudflared daemon and cloudflare itself.

j / k navigate · click thread line to collapse

8 comments

palata2mo ago

> The classic approach [Internet -> Router -> Server] is a recipe for disaster

I never really get that. If my router gets updates and the only thing I do to it is forward one port to the server, I don't really see how wrong it can go?

The Cloudflare tunnel doesn't change the fact that there is a server exposed to the Internet. And adding a reverse proxy in front of the server does not necessarily make it more secure, does it?

I mean, if I cannot update my router and open a single port properly, should I trust myself to setup a reverse proxy?

grim_io2mo ago

I also expose some of my homelab through the cloudflare tunnel.

Every IP, except a choice few, are banned before any request reaches my router.

I don't need to worry about filtering using my limited bandwidth and resources, cloudflare firewall does it for me.

palata2mo ago

> I don't need to worry about filtering using my limited bandwidth and resources

But your router is exposed to the Internet anyway, isn't it? Even if you keep all ports closed, random IPs on the Internet can send packages to your router.

1 more reply

ebourgessOP2mo ago

j / k navigate · click thread line to collapse