[4star3star]

I like what I'm seeing, though I'm not sure I have a use case. On a VPS, I'll typically run a cloudflared container and configure a Cloudflare tunnel to that VPS. Then, I can expose any port and point it to a subdomain I configure in the CF dashboard. This gives https for free. I can expose services in containers or anything else running on the VPS.

I'll concede there's probably a little more hands on work doing things this way, but I do like having a good grip on how things are working rather than leaning on a convenient tool. Maybe you could convince me Sidekick has more advantages?

[skinner927]

I must be an old simpleton, but why get cloudflare involved? You can get https for free with nginx and letsencrypt.

[mightymoud]

It's a tunnel. So VPS can only be reached through cloudflare. It's not only for https, but more for security and lockdown

[mediumsmart]

excellent and if cloudflare thinks your IP is iranian its going to get a really secure lockdown.

[nine_k]

More seriously, it also helps when you're a target of a DDoS.

It's always a balancing act between outsourcing your heavy lifting, and having to trust that party and depend on them.

[newaccount74]

I've been running my business on VPS from Linode and Hetzner for the last 13 years and have never had an issue with DoS.

I think the benefits of Cloudflares DoS protection are vastly oversold and absolutely unnecessary for 99% of businesses.

(I think the false positives where some users randomly get captchas are actually bad for business)

[BigJ1211]

The problem with that mindset is that by the time you do get hit, it'll be too late to act and remedy the issue easily.

Even though I agree with you in spirit. The chances that you will need it are slim.

[worik]

> You can get https for free with... [any webserver] and letsencrypt.

[SahAssar]

Are you also making sure that nothing on the VPS is actually listening on outside ports? A classic mistake is to setup something similar to what you are describing but not validating that the services are not listening on 0.0.0.0.

I'd also not want to have cloudflare as an extra company to trust, point of failure and configuration to manage.

[hu3]

Nice setup.

But isn't this a little too tied to Cloudflare?

Caddy as a reverse proxy on that VPS would also give us free HTTPS. The downside is less security because no CF tunneling.

[eikenberry]

Are there other services that provide the similar offering as Cloudflare that could be switched to in case they changed policy (eg. removed the free teir)? I.E. is there any mitigation to Cloudflare lock-in?

[aborsy]

You could put Authentik in front. It does Cloudflare stuff on VPS.

[renewiltord]

This is pretty cool. I did not know I could do this. Currently, I have:

1. nginx + letsencrypt

2. forward based on host + path to the appropriate local docker

3. run each thing in the docker container

4. put Cloudflare in front in proxy DNS mode and with caching enabled

Your thing is obviously better! Thank you.

[jmpavlec]

I used to run it the cloudflared way as the other user described but the tunnel often went offline without explanation for short periods of time and the latency was so so in my testing. I run it more similar to you now and haven't had any stability problems since dropping the cloudflared setup. I use cloudflared for a less critical app on my own hardware and that also goes up and down from time to time.

[renewiltord]

Oh thank you for that experience. This way has been entirely fire and forget (except for application layer issues) so I wouldn't want to change things then. The infra layer is pretty simple this way. I lost a 10 year server to bitrot (Hetzner wanted to sunset it and I had such a bespoke config I forgot how to admin it over the 10 years) so I'm trying to keep things simple so it will survive decades.

[mightymoud]

Interesting setup....

How do you run the containers on your VPS tho? You could still use Sidekick for that!

I think your setup is one step up in security from Sidekick nonetheless. A lot more work it seems too

[vineyardmike]

I do this for “internal” apps but with Tailscale.

[tacone]

Interesting! How do you connect via ssh? Do you just leave the port open or is there any trick you'd like to share?