[thousand_nights]

Instead of using DDNS, I have been using Cloudflare tunnels to expose my home services to the internet. The setup is much simpler and it seems like it's more secure too

You specify a port and point it to a subdomain and it just immediately works, no maintenance necessary. The daemon only needs to be installed once with a simple terminal command

[noname120]

There are some limitations such as:

– TLS termination mandatorily happens at Cloudflare (i.e. your traffic is mitm'ed). That's because this free product is meant as a gateway drug (aka a loss leader) to Cloudflare's WAF/Anti-DDOS products (which require TLS termination to happen on their side for technical reasons).

– Other TCP protocols (including SSH) require every client to run the software too. So if you were thinking about bypassing the TLS termination restriction by creating a TCP tunnel instead of an HTTP(S) tunnel you can't.

– Max 100 MB uploads for HTTP(S).

– No media servers allowed.

Otherwise it's a really good service!

[vladvasiliu]

> – TLS termination mandatorily happens at Cloudflare (i.e. your traffic is mitm'ed). That's because this free product is meant as a gateway drug (aka a loss leader) to Cloudflare's WAF/Anti-DDOS products (which require TLS termination to happen on their side for technical reasons).

But on the flip side, this allows you to have a nice certificate on your outside connection without having to fiddle with letsencrypt or whathaveyou.

[KennyBlanken]

If someone finds LetsEncrypt challenging, they don't have sufficient network andsystem administrator skills to be running a private, public-facing web server. They should be running tailscale.

[vladvasiliu]

Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Can it be done? Sure. But do I want to spend money on this for my home lab if I can work around it? Not a chance.

I'm kinda sensitive to the "MITM as a service" argument, but for my use case, it's not a problem.

[kuschku]

> Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Afaik, every major registrar allows you to add an NS record for the _acme-challenge subdomain, allowing you to put the _acme-challenge subdomain on a custom, self-hosted DNS server.

That in turn allows you to make the permissions as specific as you'd like. Personally I just run powerdns in docker for this.

[TheNewsIsHere]

Using CNAME delegation for the ACME challenge domain and directing that to a Route 53 zone is my preferred approach. Then (as long as you have CloudWatch configured) you get inherent auditing and very flexible privilege management.

[attentive]

there is also https://github.com/joohoi/acme-dns and LE clients like lego supporting it.

[skinner927]

You don’t need automated DNS fiddling for lets encrypt. Certbot can either hook into Apache or NGINX, or run its own standalone server for verification.

[gunapologist99]

Aside from sibling comment, you also need automated DNS fiddling if you want CloudFlare Strict TLS support, because if LE can only connect to CF proxy, it will never issue via HTTPS.

[jsheard]

You do need DNS fiddling if you want a wildcard cert, LE only accepts DNS challenges for those.

[PokestarFan]

Certbot has a Cloudflare extension so all you need to do is provide a credentials file and it will automatically apply everything. I have a monthly cronjob running that runs the cloudflare certbot in Docker.

[pnutjam]

I've had excellent controls using NearlyFreeSpeech.net for DNS (minor cost) and time4vps.com (free). Maybe very old registrars restrict DNS records..?

[janwillemb]

Parent did not say it was challenging.

I find fiddling with LE tedious because it has to be repeated too often.

[slt2021]

certbot and crontab needs to be setup just once, to solve cert problem

[Dalewyn]

HTTPS when used in the ubiquitous manner it is now always strikes me as unnecessary complexity and tedium, and reasonings like yours addressing them with even more complexity and tedium.

Whatever happened to KISS?

[wibblewobble125]

I’ve been using caddy for a year which does everything for you. Basically nginx/haproxy but with https built-in via LE, no fiddling about with cert files and brittle LE scripts, also supports subdomains equally easily.

[jgalt212]

so public server via http only then?

[immibis]

The point of TLS is to prevent your traffic getting MITMed. This benefit disappears if you have to let someone MITM your traffic to get TLS.

[LoganDark]

This depends. The point of TLS is to protect your application from hostile networks. Cloudflare hasn't proven hostile yet.

[coda_]

They do allow ssh via a web browser. It may be a "beta" feature, but it doesn't require the client to run anything.

[e12e]

Requires your client to run a web browser though? That's a lot different from just an ssh client?

[RockRobotRock]

Not a web browser, the client has to install cloudflared to connect. It's pretty much exactly the Tailscale feature, but clunkier.

https://developers.cloudflare.com/cloudflare-one/connections...

[mortos]

GP was saying the client would require a web browser. The server of course needs cloudflared.

That said, personally I don't really have any devices that can use SSH but not a browser.

[RockRobotRock]

My past comment is wrong but you do need to install cloudflared on the client if you want to SSH without a browser.

Read the docs, you can do it either way.

[nottorp]

> I don't really have any devices that can use SSH but not a browser.

No headless boxes?

[thousand_nights]

Some good points, thanks.

FWIW, I have been using it with Plex (just two users, me and my parents) and haven't gotten banned. The ToS are kind of unclear on whether this is allowed if I have to be honest.

[jsheard]

Video streaming in general is one of their red lines, you're not supposed to shove any kind of video through their CDN unless the origin is another Cloudflare product (e.g. CF Stream or R2).

[thousand_nights]

From the discussions I've read, it's not as clear cut, e.g.:

https://old.reddit.com/r/PleX/comments/152wfdh/can_i_use_a_c...

[jsheard]

It rarely is clear cut with Cloudflare, many of their policies are ambiguous so you never really know if you're stepping over the line until you get an email from sales asking you to either cut it out, start paying, or pay more. Others experience might give you a rough idea of what they'll tolerate, but since none of it is in writing they can change their minds on a whim.

[cj]

As I've painfully learned, Cloudflare's "free bandwidth" is only free until a point.

Cloudflare threatened to terminate our $15k enterprise license last week for serving 76 TB of API JSON files last month (90% cache hits).

I moved half of the traffic to a new domain with a Business license to see what they say...

[password4321]

Just don't show up on some motivated salesperson's prospects report.

https://news.ycombinator.com/item?id=40481808#40482405

[12345hn6789]

FWIW that thread looks to be a casino being black listed after trying to negotiate down cloud flares enterprise plan.

[gunapologist99]

Agreed with sibling, but TBH if you're just using it for personal streaming, it's not likely to trip any bandwidth alerts on a free account, and CF will probably be happy that you're using it for personal stuff (because you'll probably take it with you to your day job too)

[DreamFlasher]

At which point is the MITM happening? What I mean is: browser → Cloudflare server → cloudflared on my server → web service. Is TLS only from browser to Cloudflare server, or is it browser to cloudflared?

[RockRobotRock]

>Is TLS only from browser to Cloudflare server, or is it browser to cloudflared?

It's encrypted between the browser and Cloudflare, but you can also create a cert and encrypt between Cloudflare and your origin server. (but that isn't mandatory)

[scosman]

I do the same with tailscale, which has a nice friendly UI for setting everything up.

I setup some Cloudflare DNS records to the tail scale 100.x IPs to make them easy to remember.

[jthoward64]

I use tailscale's DNS feature and run my own DNS server. That way I can have a subset of my services available on the internet via CF tunnels and when I connect to tailscale I get all of them directly, and I can use the same domain names

[password4321]

Some ISP DNS servers will not return internal IPs, Verizon FiOS and 172.x specifically.

[kazinator]

How can you claim it's simpler in the light of the revelations in noname120's comment?

Dynamic DNS is literally one little service you run to "phone home" to the dynamic DNS provider. This service is bundled in consumer routers; just find it in the WebUI, put in the credentials and turn it on.

You know what could be simple: a periodic job that figures out your public IP address, and if it has changed, generates a hosts file entry for it, and e-mails it to you. If all you care about is just you having access to home while you are roaming about, that could do it. It also occurs to me that it makes a good backup strategy in case something goes wrong with DDNS while you are traveling.

[KennyBlanken]

Consumer firewalls, the largest names in open source firewalls, and at least one webserver/reverse proxy that I know of.

There also dozens of existing DDNS daemons out there already with far more developer, testing, and user eyeballs on them.

The firewall solution is preferred because the firewall knows when the external interface changes IP addresses, so there's no system or network overhead from having an agent repeatedly testing if the IP has changed, nor any downtime between when the IP changes and when the next check happens.

[tracker1]

Assuming you can add a custom URL, you can still do this through the firewall instead of an event to check the public IP. I like using my own, custom domain for this use case. I've also used and put a couple of domains up on freedns.afriad.org for others to be able to use.

That said, the only hole in my firewall/router is a port for Wireguard.

[1vuio0pswjnm7]

"Instead of DDNS, I have been using Cloudflare tunnels to expose my home services to the internet."

Will this work if the "home services" include authoritative DNS.

[pas]

only HTTPS

(last time I checked was last year though)

[1vuio0pswjnm7]

Thank you.

Perhaps DoH proxy is possible.

[2Gkashmiri]

Do you get a cloudflare free subdomain or you need to supply your own ?

[starttoaster]

You need to have a domain that you manage DNS for in Cloudflare. Look up what a "registrar" is, a common one people go through would be Namecheap. Get a domain, and then look up how to set up a DNS zone in Cloudflare from an external registrar. If you plan on working in tech, this is one of those things you'll absolutely need experience with doing. Good luck!

Though it occurs to me their may just be a language barrier and you may have a domain that you manage your DNS in Cloudflare already. If that's the case, a subdomain is just an A record under your domain's DNS settings for anything other than the root domain. So, if your domain is "example.com", the A record could be like "service" with an IP of "192.168.1.10", and your subdomain would then be served on "service.example.com" for example. Subdomains are free, if you have a domain in the first place.

If you're asking if you would already need the subdomain configured in your DNS settings in Cloudflare, then yes, most likely. Though there are tools that create those for you, like external-dns in kubernetes.

[nhumrich]

You can buy domains directly through cloudflare

[RockRobotRock]

This is a small thing, but I think you should decouple providers in case shit hits the fan with one of them.

Let Cloudflare do DNS, let your registrar be a registrar.

[threecheese]

Is this a real risk these days? I am interested (given I do use Cloudflare’s registrar and DNS (integrates nicely with IaC).

[Spunkie]

A mini horror story related to this just last year.

When I deleted the cloudflare DNS for one of my domains I also completely lost access to the cloudflare registrar for that domain.

Even though they should not be coupled at all and the UI makes it very much appear like they are decoupled.

I imagine this is a bug that's been fixed by now but it was still super panic inducing in the moment.

So ya keep those DNS and domains separate if possible.

[RockRobotRock]

Not sure, honestly.