Comment on How I accidentally slowed down my nextcloud instance for months
rufus@discuss.tchncs.de 7 months ago
Why do so many people tunnel their data through cloudflare anyways? No port forwarding possible? Or afraid of DDoS attacks? Or am I missing something?
They think the free CF tier offers DDoS protection, which (a) will never happen to their server and (b) if it ever happened would consist of CF disconnecting their tunnel and black-holing their IP and domain until it blows over.
They also think CDN helps when your services are behind authentication.
Some of them just find it convenient that CF is registrar, DNS provider and sets up reverse proxy for them so they never stop to think too much about it.
Thanks.
Some of them just find it convenient that CF is registrar, DNS provider and sets up reverse proxy
You should never put all your eggs in one basket. Using one company for all three of these essentially gives them full control of your domain.
It’s a best practice to use separate companies for registrar and website/proxy. If there’s ever some sort of dispute about the contents of the site, you can change the DNS to point to a different host. That’s not always possible when the same company handles both.
Simple reason: at home I don’t have a static IPv4 address and I can’t do port forwarding
What about ddns?
Thx, that is a good reason to do it. I’m eventually going to lose my static IPv4 address, too. But I’m preparing to move some to a VPS instead and in the process set up the firewall and the reverse proxy to the Nextcloud and so on on my homeserver there.
I don’t have a static IP but host services off my paid domain. I use duckdns and point host records to the duckdns address. I have to use CloudFlare to manage my DNS records for this to work.
I do the same but I just use a script that runs periodically to update CloudFlare with my current IP with their native API.
Ah. Makes sense. I don’t think you have to specifically use cloudflare in that case. But I remember CNAME records can’t be used for everything… there are some limitations. I know I had issues with dyndns and a domain at some point. I just can’t remember the details. I know it didn’t work with every registrar / DNS provider. But some of them offer some magic to make some things work. I believe back then we ended up transferring that domain to some other hoster. And my domains are with a company that offers an API. I can just have a small script that changes around entries and do dyndns that way. But obviously you remember that records have a certain time to live and you want to set it correctly for your use-case.
Get a $15/year VPS and run your own tunnel using Wireguard.
Is there a better way to expose my services when being a cgnat?
Cloudflare, Pagekite, a cheap VPS with a reverse proxy. Maybe IPv6-only access if your CGNat does that, ngrok, a VPN… There are quite some tools and services available. And which one is right for you might depend on the exact situation and what you’re hosting. I’m not an expert on this. I have an internet connection without a NAT, and additionally a really tiny VPS with a mailserver, a small website and wireguard. I just use that to tunnel through NAT if i need to. But that means I haven’t compared all the other services since I don’t need them (yet.)
Because it makes them “feel” more secure.
chiisana@lemmy.chiisana.net 7 months ago
Security.
Cloudflare handles a very large amount of traffic and sees many different types of attacks (thinks CSRF, injections, etc.). It is unlikely that you or me will be individually targeted, but drive-bys are a thing, and thanks to the amount of traffic they monitor, the WAF will more likely block out anything and patch before I’m able to update my apps on 0 days.
Also, while WAF is a paid feature, other free features, such as free DDOS attack protection, help prevent other attacks.
It’s a trade off, sure; they’re technically MITM’ing your traffic, but frankly, I don’t care. Much like no one cares to target/attack me individually, they aren’t going to look at my content individually.
Additionally, it also makes accessing things much easier. Also, it is much more likely I’d find a SME using Cloudflare than some janky custom self hosted tunnel setup. So from a using homelab as a learning for professional experience point of view, it is much more applicable as well.
lemmyvore@feddit.nl 7 months ago
If they don’t care to attack you why would they DDoS you. 😄
The things CF fans make up about “security” are hilarious.
If you ever got hit with a DDoS while on the free tier they’d just disconnect you.
lud@lemm.ee 7 months ago
I can’t find anything that supports that statement. What is your source?
lemmyvore@feddit.nl 7 months ago
Up to a certain volume they serve a page that runs some JavaScript heuristics to figure out if the client making the request is legit or not.
Past a certain volume your service is cut off completely.
The cutoff point depends on the load on their free tier network, which is shared by all freeloaders. Could be someone else under attack and you’d still get cut off.
CloudFlare is a CDN first of all, and it makes its money from paying customers. The free tier and the registrar and the DNS and the reverse proxy and basic DoS heuristics etc. are just there to generate word of mouth and free advertising. Nobody was talking about CF a few years ago when they didn’t offer these free services, now every selfhoster and their dog will recommend them.
rufus@discuss.tchncs.de 7 months ago
Thx for explaining. I’m not sure if I’m willing to do the same trade-offs. Supposedly their WAF is very good and quite some people use it. Probably for a good reason… It just comes at a hefty price. I’m doing selfhosting to emancipate myself, stay independent and in control. I’m not sure if becoming dependant on a single large company and terminating my encryption on their servers that do arbitrary magic and whatever with my packets is something that aligns with my ethics.
chiisana@lemmy.chiisana.net 7 months ago
It’d be a challenge to keep up — 0 days aren’t going to be added to self hosted solution faster than they could be detected and deployed on a massively leveraged system. Economy of scales at full display.
rufus@discuss.tchncs.de 7 months ago
I mean theoretically… I guess? It depends a bit. Some Linux distributions are crazy fast with patching stuff. And some stable channels have a really good track record of open vulnerabilities. Nowadays that’s not the only way of distributing software, vulnerability might depend on your docker container setup etc.
Are there actual numbers what Cloudflare adds on top? What 0-days they focus on? I mean do they have someone sitting there, reading Lemmy CVEs and then immediately getting to action to write a regex that handles that?
possiblylinux127@lemmy.zip 7 months ago
I just use a VPS with caching and basic https stripping protection
atzanteol@sh.itjust.works 7 months ago
Nobody is going to go through the effort to ddos a personal site. 😂
Moonrise2473@feddit.it 7 months ago
Tell this to the Russian bots that are hammering my personal site for some reason.
It’s way easier to make a rule “no Russia” or even “only my country”
atzanteol@sh.itjust.works 7 months ago
That’s not a ddos. Not even close. Your ISP would be getting involved if it were.
You don’t even need to do a distributed dos against a home system since your bandwidth is so easy to overcome. A single EC2 instance could flood your standard home network.
EncryptKeeper@lemmy.world 7 months ago
Getting brute forced by bots isn’t a DOS attack.