Just getting started with self hosting. I was wondering if anyone had experience with Cloudflare Tunnels for exposing their services to the internet. I like the simplicity and security it offers but don’t love the idea of using Cloudflare. Like, I’m self hosting for a reason lol. Any tips would be greatly appreciated!
For context, I’m running all of my services in a very small k8s cluster and my priorities are mostly security, then maintainability. Thanks y’all!
I run a Jellyfin server. I have gigabit fiber in Ohio, USA. Some of my users found it basically unusable when they were geographically far away, like Hawaii and Thailand. I switched to using Cloudflare Tunnel as an experiment and the difference was dramatic. They are now able to stream reliably almost as if they were geographically nearby. The fact of the matter is, the Cloudflare CDN that traffic passes through using the tunnel is infinitely better connected to the rest of the world than whatever home ISP you have.
That being said, Cloudflare plays man-in-the-middle to all your traffic, so I wouldn’t use it for anything that’s particularly secret. But for standard web pages it’s amazing. I run my Vaultwarden server directly on my home IP address and not through Cloudflare Tunnel.
Warning: Cloudflare Tunnel ToS explicitly prohibits high-bandwidth activities on it, naming media streaming in particular. Some people take the chance anyway, until Cloudflare might suddenly terminate your connection; it’s merely a low-stakes risk to using it.
Also worth mentioning: Cloudflare has historically had some involvement with DMCA detection and takedown, so if you’re running a media server with them able to MitM your traffic, they’re almost certainly able to detect and scan if they so choose. They’re a big company so they may not do any relevant scanning on your Tunnel, or you may have only completely Public Commons content on your server, but it’s something you should be aware of.
Related: I was doing something similar, also from Ohio, not that long ago. It turned out that most of the ISPs in Ohio have horrible reputations in global network routing, so they are given low priority and poor interconnects to other Internet routing companies. It affected both my incoming and outgoing network speeds and reliability. Cloudflare speed tests were the only ones giving any good values; I constantly had disconnects and timeouts for everything else. But when I put a VPN (that had a decent interconnect) on my router with an exit node in D.C. or Chicago, suddenly all my speeds went back to normal values matching the Cloudflare results.
TL;DR: your ISP having a poor reputation with its global interconnects is very likely to blame for the poor speed issues without Cloudflare Tunnel, and literally any tunneling solution would probably resolve it.
Vaultwarden isn’t actually susceptible to man-in-the-middle attacks, since the passwords are encrypted and decrypted on the end device. But some relevant metadata does go over the connection, so it’d better have TLS.