Comment on Is they're an easy way to make my Jellyfin accessible outside of my home network
philanthropicoctopus@thelemmy.club 21 hours ago Thank you. I’ve bought a domain. I’d like to go with this option. Just researching how to do it on cloud flare
mic_check_one_two@lemmy.dbzer0.com 18 hours ago
On Cloudflare, you’ll want to set a record to point any relevant subdomains to your current WAN IP address. IPv4 will be an A Name record. IPv6 would be an AAAA Name record, but I’m not going to deal with IPv6 for this…
So for instance, maybe you have a
peepee.example.comsubdomain, apoopoo.example.comsubdomain, etc which all point to your WAN IP address. That will basically tell Cloudflare’s DNS to forward any traffic for those subdomains to your WAN IP.Next, you’ll want to set up a reverse proxy service. This will be something like Nginx Proxy Manager, Caddy, etc that you run on a device on your LAN. It can even be on the same machine running your various services. The big reverse proxies all offer Docker images, so you can incorporate it directly into an existing Docker stack if you already have one. Personally I use NPM, but Caddy is also very popular.
You’ll tell this reverse proxy “when you receive valid traffic addressed to {subdomain}, forward it to {relevant service on your LAN}.” You can also set some additional options for each subdomain, like automatically upgrading to https. For instance, maybe
peepee.example.comforwards to192.168.1.100:42069on your LAN, and is configured to automatically upgrade any http traffic to https, and to require https.You can also set up automatic TLS certificate renewal, so https traffic can be properly encrypted. The reverse proxy will need an API key, and it will allow the service to automatically check expiration dates and pull a fresh TLS cert for your domain if the date is coming up soon.
You’ll probably want to use a wildcard certificate, (basically
*.example.com) because the TLS certificates are open to the public. So if you do individual certs for all of your various services, bots will scrape the public records and you’ll inevitably get a lot of bot traffic probing your various subdomains. A wildcard domain usually means the bots hit the standardexample.comandwww.example.comfirst, which makes them super easy to detect and block. I even have rules set up to automatically block anything that tries to access my www subdomain, because I specifically don’t host a landing page and don’t have anything available there. So I know that any traffic hitting that www subdomain is a bot trying to access common subdomains.Next, you’ll want to forward ports 80 and 443 to your reverse proxy. Port 80 is the standard port for http traffic, and 443 is the standard port for https traffic. These will be the ports that your reverse proxy actually receives the traffic on, before forwarding it to the various services.
Finally, for some ease-of-maintenance, you may want to consider adding a DDNS service (like Cloudflare-DDNS) to your docker stack. This will occasionally check your current WAN IP, and update it with Cloudflare if necessary. For example, if you have an outage and your router gets a new WAN IP when it boots back up again. Normally you would need to manually go to Cloudflare and update the IP info to point at your new address. But DDNS does that automatically.
The way traffic flows when it is all set up is along these lines:
peepee.example.com. It doesn’t know where to find that site, so it asks a DNS server.peepee.example.comcan be found at {your IPv4 WAN address}”.http://peepee.example.com/.”peepee.example.comsubdomain, finds it has a valid TLS cert, finds it is configured to automatically upgrade to https, and responds “Yes, please upgrade to https. Http traffic is not allowed.”https://peepee.example.com/. Your reverse proxy goes “thank you, here is the TLS cert and my half of the TLS security handshake.”192.168.1.100:42069.But notably, keep in mind that the reverse proxy didn’t do any actual user authentication. If your service has a weak password, a reverse proxy will act as a gateway for any potential hackers to gain access to the service. And any vulnerabilities in the service will still be accessible via the reverse proxy, because the reverse proxy is simply making sure the request is valid, and then passing the traffic back and forth. It isn’t actually inspecting the content of that traffic, so it’s not going to stop things like attackers.
Thank you so much for such a detailed reply. I’m going to print this off and go through it point by point.
I didn’t realize how overwhelming this would be, the amount of information is incredible.
I was trying to use the cloud flare ai assistant to set up WARP access to my phone but then I realized its basically another VPN which defeats the whole point on me using the domain because I wanted to be able to use my traditional VPN to stay protected.
I also wanted to be able to log into my server android apps like immich and Joplin but can’t do that with authentication as its not a webpage.
I’ll print this off and anything I don’t understand (most of it at this stage haha) I’ll spend some time studying it.
I got a good laugh at peepee poopoo
Thanks again
Speaking from experience, it was quite overwhelming to me at first as well. It took me a handful of tries to wrap my head around Cloudflare Tunnels/Zero Trust. I persisted tho, and succeeded. It doesn’t help much that Cloudflare keeps rearranging their site, making it difficult to find necessary information. I will say, that when I migrated to a new server recently, it was a snap and everything clicked in place. There was no need to set up anything on their side. As I remember, it was a matter of a one liner code sequence they provided, to install the necessary components on my server. Jack’s a doughnut, Bob’s your uncle.
mic_check_one_two@lemmy.dbzer0.com 18 hours ago
I actually just updated it slightly, and may continue to do so if I think of things. So you may simply want to check back here instead of printing it.