Hacker News new | ask | show | jobs
by noname120 694 days ago
There are some limitations such as:

– TLS termination mandatorily happens at Cloudflare (i.e. your traffic is mitm'ed). That's because this free product is meant as a gateway drug (aka a loss leader) to Cloudflare's WAF/Anti-DDOS products (which require TLS termination to happen on their side for technical reasons).

– Other TCP protocols (including SSH) require every client to run the software too. So if you were thinking about bypassing the TLS termination restriction by creating a TCP tunnel instead of an HTTP(S) tunnel you can't.

– Max 100 MB uploads for HTTP(S).

– No media servers allowed.

Otherwise it's a really good service!
4 comments
vladvasiliu 694 days ago
> – TLS termination mandatorily happens at Cloudflare (i.e. your traffic is mitm'ed). That's because this free product is meant as a gateway drug (aka a loss leader) to Cloudflare's WAF/Anti-DDOS products (which require TLS termination to happen on their side for technical reasons).

But on the flip side, this allows you to have a nice certificate on your outside connection without having to fiddle with letsencrypt or whathaveyou.

link
KennyBlanken 694 days ago
If someone finds LetsEncrypt challenging, they don't have sufficient network andsystem administrator skills to be running a private, public-facing web server. They should be running tailscale.
link
vladvasiliu 694 days ago
Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Can it be done? Sure. But do I want to spend money on this for my home lab if I can work around it? Not a chance.

I'm kinda sensitive to the "MITM as a service" argument, but for my use case, it's not a problem.

link
kuschku 694 days ago
> Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Afaik, every major registrar allows you to add an NS record for the _acme-challenge subdomain, allowing you to put the _acme-challenge subdomain on a custom, self-hosted DNS server.

That in turn allows you to make the permissions as specific as you'd like. Personally I just run powerdns in docker for this.

link
TheNewsIsHere 694 days ago
Using CNAME delegation for the ACME challenge domain and directing that to a Route 53 zone is my preferred approach. Then (as long as you have CloudWatch configured) you get inherent auditing and very flexible privilege management.
link
cj 693 days ago
That wouldn't work for this use case though would it? AWS doesn't allow downloading the certificate (I could be wrong)? Typically certificates can only be used with other AWS services. E.g. you can't download the certificate and serve it from a home server.
link
attentive 694 days ago
there is also https://github.com/joohoi/acme-dns and LE clients like lego supporting it.
link
skinner927 694 days ago
You don’t need automated DNS fiddling for lets encrypt. Certbot can either hook into Apache or NGINX, or run its own standalone server for verification.
link
gunapologist99 694 days ago
Aside from sibling comment, you also need automated DNS fiddling if you want CloudFlare Strict TLS support, because if LE can only connect to CF proxy, it will never issue via HTTPS.
link
jsheard 694 days ago
You don't necessarily need to do that, Cloudflare can generate you a long-lived certificate to install on your origin server which isn't publicly trusted but is trusted by their proxies, so it works with Strict TLS. YMMV with other CDNs though, you might need to fall back to using LE with a DNS challenge in some cases.

https://developers.cloudflare.com/ssl/origin-configuration/o...

link
Arrowmaster 694 days ago
Not true. I have a CF rule that matches . well-known/acme-challenge and sets SSL off. The main setting is on full strict but the rule disables the auto redirect to https and the strict checking so an acme client behind a CF tunnel can bootstrap a cert with the HTTP-01 method.
link
jsheard 694 days ago
You do need DNS fiddling if you want a wildcard cert, LE only accepts DNS challenges for those.
link
PokestarFan 694 days ago
Certbot has a Cloudflare extension so all you need to do is provide a credentials file and it will automatically apply everything. I have a monthly cronjob running that runs the cloudflare certbot in Docker.
link
pnutjam 694 days ago
I've had excellent controls using NearlyFreeSpeech.net for DNS (minor cost) and time4vps.com (free). Maybe very old registrars restrict DNS records..?
link
janwillemb 694 days ago
Parent did not say it was challenging.

I find fiddling with LE tedious because it has to be repeated too often.

link
slt2021 694 days ago
certbot and crontab needs to be setup just once, to solve cert problem
link
Dalewyn 694 days ago
HTTPS when used in the ubiquitous manner it is now always strikes me as unnecessary complexity and tedium, and reasonings like yours addressing them with even more complexity and tedium.

Whatever happened to KISS?

link
darkwater 694 days ago
It happened that the last S changed from "stupid" to "secure". If I use HTTPS I can safely enough connect to my home services through an open cafe Wifi, for example
link
wibblewobble125 692 days ago
I’ve been using caddy for a year which does everything for you. Basically nginx/haproxy but with https built-in via LE, no fiddling about with cert files and brittle LE scripts, also supports subdomains equally easily.
link
jgalt212 694 days ago
so public server via http only then?
link
immibis 693 days ago
The point of TLS is to prevent your traffic getting MITMed. This benefit disappears if you have to let someone MITM your traffic to get TLS.
link
LoganDark 693 days ago
This depends. The point of TLS is to protect your application from hostile networks. Cloudflare hasn't proven hostile yet.
link
coda_ 694 days ago
They do allow ssh via a web browser. It may be a "beta" feature, but it doesn't require the client to run anything.
link
e12e 694 days ago
Requires your client to run a web browser though? That's a lot different from just an ssh client?
link
RockRobotRock 694 days ago
Not a web browser, the client has to install cloudflared to connect. It's pretty much exactly the Tailscale feature, but clunkier.

https://developers.cloudflare.com/cloudflare-one/connections...

link
mortos 693 days ago
GP was saying the client would require a web browser. The server of course needs cloudflared.

That said, personally I don't really have any devices that can use SSH but not a browser.

link
RockRobotRock 693 days ago
My past comment is wrong but you do need to install cloudflared on the client if you want to SSH without a browser.

Read the docs, you can do it either way.

link
tarasglek 693 days ago
I found it easier to use ssh over websocat over cloudflared. Then you just need websocat again on clientside and can use regular ssh client with it
link
nottorp 693 days ago
> I don't really have any devices that can use SSH but not a browser.

No headless boxes?

link
mortos 680 days ago
Just seeing this. Yeah, you're technically right. But I never sit at my headless boxes. I SSH to them and then from there could SSH Jump if I really needed to use SSH out of those boxes.

Also I wouldn't use Cloudflare Tunnels so this is a moot point.

link
thousand_nights 694 days ago
Some good points, thanks.

FWIW, I have been using it with Plex (just two users, me and my parents) and haven't gotten banned. The ToS are kind of unclear on whether this is allowed if I have to be honest.

link
jsheard 694 days ago
Video streaming in general is one of their red lines, you're not supposed to shove any kind of video through their CDN unless the origin is another Cloudflare product (e.g. CF Stream or R2).
link
thousand_nights 694 days ago
From the discussions I've read, it's not as clear cut, e.g.:

https://old.reddit.com/r/PleX/comments/152wfdh/can_i_use_a_c...

link
jsheard 694 days ago
It rarely is clear cut with Cloudflare, many of their policies are ambiguous so you never really know if you're stepping over the line until you get an email from sales asking you to either cut it out, start paying, or pay more. Others experience might give you a rough idea of what they'll tolerate, but since none of it is in writing they can change their minds on a whim.
link
cj 693 days ago
As I've painfully learned, Cloudflare's "free bandwidth" is only free until a point.

Cloudflare threatened to terminate our $15k enterprise license last week for serving 76 TB of API JSON files last month (90% cache hits).

I moved half of the traffic to a new domain with a Business license to see what they say...

link
jgrahamc 693 days ago
My email is jgc@cloudflare.com. You can email me about this.
link
password4321 694 days ago
Just don't show up on some motivated salesperson's prospects report.

https://news.ycombinator.com/item?id=40481808#40482405

link
12345hn6789 694 days ago
FWIW that thread looks to be a casino being black listed after trying to negotiate down cloud flares enterprise plan.
link
gunapologist99 694 days ago
Agreed with sibling, but TBH if you're just using it for personal streaming, it's not likely to trip any bandwidth alerts on a free account, and CF will probably be happy that you're using it for personal stuff (because you'll probably take it with you to your day job too)
link
DreamFlasher 694 days ago
At which point is the MITM happening? What I mean is: browser → Cloudflare server → cloudflared on my server → web service. Is TLS only from browser to Cloudflare server, or is it browser to cloudflared?
link
RockRobotRock 694 days ago
>Is TLS only from browser to Cloudflare server, or is it browser to cloudflared?

It's encrypted between the browser and Cloudflare, but you can also create a cert and encrypt between Cloudflare and your origin server. (but that isn't mandatory)

link