> The classic approach [Internet -> Router -> Server] is a recipe for disaster
I never really get that. If my router gets updates and the only thing I do to it is forward one port to the server, I don't really see how wrong it can go?
The Cloudflare tunnel doesn't change the fact that there is a server exposed to the Internet. And adding a reverse proxy in front of the server does not necessarily make it more secure, does it?
I mean, if I cannot update my router and open a single port properly, should I trust myself to setup a reverse proxy?
> I don't need to worry about filtering using my limited bandwidth and resources
But your router is exposed to the Internet anyway, isn't it? Even if you keep all ports closed, random IPs on the Internet can send packages to your router.
They can't, but does it matter? They can connect the domain name to your server (through the tunnel).
> or infer what services I run
Why not? The port is open on Cloudflare's side, it's exactly the same.
The one thing you get from Cloudflare is that probably Cloudflare has a list of blocked IPs and they will prevent them from reaching your server. Though I'm sure there are public lists of "bad IPs" and it shouldn't be too hard to have a firewall that uses them. And anyway in your case you have a list of allowed IPs, so it's not a concern at all.
It is not immediate public information what person is behind my domain.
By having cloudflare as the mitm proxy in between my domain and my server, that link between the two is also not immediately apparent to the public.
Then, all the filtering and access control happens outside of my network, and only the absolutely valid traffic that I want to deal with hits my own network.
My main issue is that I didn't want to expose the ports to the internet. The only port now exposed on my server is the SSH port only. Everything else is just handled through the connection between the cloudflared daemon and cloudflare itself.
I never really get that. If my router gets updates and the only thing I do to it is forward one port to the server, I don't really see how wrong it can go?
The Cloudflare tunnel doesn't change the fact that there is a server exposed to the Internet. And adding a reverse proxy in front of the server does not necessarily make it more secure, does it?
I mean, if I cannot update my router and open a single port properly, should I trust myself to setup a reverse proxy?