You can (and I do) terminate TLS locally and have your data encrypted through the tunnel. Use Traefik/Caddy for easy automated certs with containers or whatever flow you prefer to automate acme certs provisioning locally. You’ll have to configure your tunnel to hit a local DNS so it can route the domain to your local IP instead of the public records on the tunnel.
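As an added illustration of the setup described above (not the commenter's own config), here is what the origin-side half of that arrangement looks like in a cloudflared `config.yml`. The tunnel UUID, credentials path, hostname and the local listener are placeholders; the assumption is that Caddy or Traefik listens on port 443 on the same host and already holds an ACME certificate for `app.example.com`, so the hop from cloudflared to the proxy is TLS rather than plain HTTP:

```yaml
# cloudflared config.yml (example, not from the thread)
tunnel: 00000000-0000-0000-0000-000000000000   # placeholder tunnel UUID
credentials-file: /etc/cloudflared/tunnel-credentials.json

ingress:
  - hostname: app.example.com                 # public name served through the tunnel
    # Point at the local reverse proxy over HTTPS, not the plain-HTTP backend,
    # so traffic between cloudflared and the proxy is encrypted.
    service: https://127.0.0.1:443
    originRequest:
      # Send this SNI/Host to the proxy so it picks the right certificate.
      # This avoids needing split-horizon DNS for the hostname on the LAN
      # (the thread's local-DNS approach works too; this is the alternative).
      originServerName: app.example.com
      # Keep certificate verification on; only disable it if you deliberately
      # run a self-signed origin cert, and then prefer caPool over noTLSVerify.
      noTLSVerify: false
  # Required catch-all rule: anything not matched above gets a 404.
  - service: http_status:404
```

The proxy side is just a normal Caddy or Traefik site for `app.example.com` with automatic certificates, reverse-proxying to the container. To confirm the local hop is really TLS with the expected certificate, connect to the proxy with `openssl s_client -connect 127.0.0.1:443 -servername app.example.com` and check the subject and issuer. The caveat, consistent with the rest of the thread: this encrypts your side of the path, but the public-facing TLS session is still terminated at Cloudflare's edge, so the data remains readable there.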
Comment on Cloudflare Tunnel?
hendrik@palaver.p3x.de 1 day ago
Cloudflare is very popular, there should be plenty of people around with experience. And Cloudflare is convenient and fairly easy to use. I wouldn’t call them “secure” though. I mean that depends on your definition of the word… But they terminate the encryption for you and handle certificates, so it’s practically a man-in-the-middle, as they process your data transfers in cleartext. But as far as I know their track record is fine. I have some ethical issues because they centralize the internet and some of their stuff borders on snake oil… But it’s a common solution if you can’t open ports in your home internet connection, or you need a web application firewall as a service.
3abas@lemmy.world 1 day ago
hendrik@palaver.p3x.de 1 day ago
I’m fairly sure what you mean is, traffic is decrypted in the middle and then re-encrypted before it gets sent your way. Otherwise they couldn’t do proxying or threat detection/mitigation for you.
3abas@lemmy.world 23 hours ago
You’re right, sorry, that was a heavy brain fart. The data needs to be decrypted on Cloudflare’s end before being proxied and sent to your services.
WhosMansIsThis@lemmy.world 1 day ago
100% agree. That’s why I don’t exactly love the idea of using them more…
hendrik@palaver.p3x.de 1 day ago
Seems some people here advocate for a VPS, and I do it as well. I pay roughly 7€ a month for a small(ish) server with 4 CPU cores, 8GB of RAM and 256 GB of storage. That allows me to host a few services there, for example some websites and Matrix chat, which I don’t want to go down if there’s an issue at home. And it allows me to do the reverse proxying there, so I have the entire chain under my control. But there are many ways to do it, and several other tunneling solutions (boringproxy.io, nohost.me, pagekite, ngrok, …) that I’ve heard of.
And a lot of home internet connections allow port forwarding. Not sure what your provider does, but I can simply open ports in my router and make them accessible from the outside, no VPS or Cloudflare needed.