by judge2020 1587 days ago
The point is that it's connected via NAT, so you don't have to worry about port scanners hitting your origin IP and seeing any info about your web server (potentially exposing it to DDOS), and it's overall easier when you don't have to touch your inbound firewall.
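The comment above rests on the idea that the tunnel keeps the origin's real address out of the inbound path. An added defender-side illustration (not code from this thread, from Cloudflare, or from any tunnel project): a small check over origin access logs that flags requests whose source address is not one of the proxy ranges the origin expects traffic from, i.e. hits that reached the origin directly rather than through the proxy. The IP ranges and log lines are constructed for the example (documentation ranges, not Cloudflare's published ranges) and the log format is a simplified common-log layout.

```python
import ipaddress
from typing import List, Tuple

# Constructed allowlist standing in for the reverse-proxy/tunnel ranges that are
# allowed to reach the origin. These are documentation ranges, not Cloudflare's
# real published ranges (an assumption made for this example only).
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed sample access-log lines in a simplified common-log layout:
# <client_ip> - - [timestamp] "<request>" <status>
SAMPLE_LOG = """\
192.0.2.17 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /status HTTP/1.1" 404
2001:db8::1 - - [01/Jan/2024:10:00:03 +0000] "GET /api HTTP/1.1" 200
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200
"""


def is_trusted_source(ip_text: str) -> bool:
    """True if the address falls inside one of the expected proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        # Malformed address field: treat as untrusted rather than silently skipping.
        return False
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def find_direct_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, request) for every line not sourced from a trusted proxy.

    Any entry here means something reached the origin without going through
    the proxy path, which is exactly what hiding the origin is meant to prevent.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip_text = line.split(" ", 1)[0]
        # The request is the first double-quoted field; tolerate lines without one.
        quoted = line.split('"')
        request = quoted[1] if len(quoted) > 1 else ""
        if not is_trusted_source(ip_text):
            hits.append((ip_text, request))
    return hits


if __name__ == "__main__":
    for ip_text, request in find_direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin request from {ip_text}: {request}")
```

In practice the allowlist would be loaded from the proxy vendor's published range list and refreshed on a schedule, and a non-empty result is the signal that the origin is reachable by a path other than the tunnel.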

I understand that. That doesn't mean you don't have to worry about security.

Most stacks would crumble under a relatively small L7 DDoS that Cloudflare would not likely mitigate.

Well, a decent hosting provider such as Hetzner provides that service to all their customers. https://www.hetzner.com/unternehmen/ddos-schutz

Been using them for many years; way better and cheaper than AWS.

https://www.cloudflare.com/plans/#overview

The WAF is $20/month and as far as I know you don't get it automatically for free by using Cloudflare Tunnel, though feel free to correct me. There was the case of them enabling mitigations for the log4j vulnerabilities for anyone on Cloudflare, but that was an exception.

Yes, WAF is one of the features you get if you're not on their free app service plan. I think having the option of simply upgrading and turning it on if it becomes necessary makes the free offering quite attractive.

I haven't used CF in anger, so can't vouch for it more than that.

We are die-hard Cloudflare customers, I am speaking from experience. They are phenomenal, but they aren't magic.
What do you then mean by a "relatively small L7 DDoS that Cloudflare would not likely mitigate"? It seems to me that their WAF would mitigate that and I can worry even less about threats.
Could an origin server run a port scanner through the tunnel and hide the origin of the scan?
Well, sure, the scan would appear to come from Cloudflare. But it'd be pretty easy for Cloudflare to then identify the tunnel user as the source of the scans.