Comment by 4star3star 11 hours ago

14 replies

I like what I'm seeing, though I'm not sure I have a use case. On a VPS, I'll typically run a cloudflared container and configure a Cloudflare tunnel to that VPS. Then, I can expose any port and point it to a subdomain I configure in the CF dashboard. This gives https for free. I can expose services in containers or anything else running on the VPS.

I'll concede there's probably a little more hands-on work doing things this way, but I do like having a good grip on how things are working rather than leaning on a convenient tool. Maybe you could convince me Sidekick has more advantages?

skinner927 8 hours ago

I must be an old simpleton, but why get cloudflare involved? You can get https for free with nginx and letsencrypt.

  • mightymoud 8 hours ago

    It's a tunnel. So the VPS can only be reached through Cloudflare. It's not only for https, but more for security and lockdown.

    • mediumsmart 7 hours ago

      Excellent, and if Cloudflare thinks your IP is Iranian it's going to get a really secure lockdown.

      • nine_k 6 hours ago

        More seriously, it also helps when you're a target of a DDoS.

        It's always a balancing act between outsourcing your heavy lifting, and having to trust that party and depend on them.

hu3 8 hours ago

Nice setup.

But isn't this a little too tied to Cloudflare?

Caddy as a reverse proxy on that VPS would also give us free HTTPS. The downside is less security because no CF tunneling.

  • aborsy 7 hours ago

    You could put Authentik in front. It does Cloudflare stuff on VPS.

SahAssar 7 hours ago

Are you also making sure that nothing on the VPS is actually listening on outside ports? A classic mistake is to set up something similar to what you are describing but not validate that the services are not listening on 0.0.0.0.

I'd also not want to have cloudflare as an extra company to trust, point of failure and configuration to manage.
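The check SahAssar describes, as an added example that is not from the thread or from any of the tools mentioned: it parses the output of `ss -H -tulnp` and `docker ps --format '{{.Names}}\t{{.Ports}}'` and flags anything bound to a wildcard address (0.0.0.0, `*`, `::`) rather than loopback. The sample outputs embedded below are constructed, not captured from a real host; the function names and the `_run` helper are this example's own.

```python
"""Flag host services and Docker port mappings that listen on all interfaces.

Added example for the thread above (not code from the original page).
Parses `ss -H -tulnp` and `docker ps --format '{{.Names}}\t{{.Ports}}'`.
"""
import re
import subprocess

# Constructed sample of `ss -H -tulnp` output (not from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      128        127.0.0.1:8080       0.0.0.0:*    users:(("cloudflared",pid=412,fd=7))
tcp   LISTEN 0      4096         0.0.0.0:5432       0.0.0.0:*    users:(("postgres",pid=901,fd=5))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=300,fd=3))
udp   UNCONN 0      0       127.0.0.53%lo:53         0.0.0.0:*    users:(("systemd-resolve",pid=200,fd=12))
tcp   LISTEN 0      511            [::1]:3000          [::]:*    users:(("node",pid=777,fd=18))
"""

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'`.
# Docker prints an IPv6 wildcard binding as ":::5432->5432/tcp".
SAMPLE_DOCKER = """\
web\t127.0.0.1:3000->3000/tcp
db\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp
cache\t6379/tcp
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}


def split_host_port(endpoint):
    """Split 'host:port'; IPv6 hosts are bracketed ([::]) or bare (::)."""
    host, _, port = endpoint.rpartition(":")
    return host.split("%")[0], port  # drop a scope id such as %lo


def wildcard_listeners(ss_output):
    """Return (proto, host, port, process) for sockets bound to every interface."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]  # Netid State Recv-Q Send-Q Local ...
        host, port = split_host_port(local)
        if host in WILDCARD:
            m = PROC_RE.search(line)  # process column needs root to be populated
            found.append((proto, host, port, m.group(1) if m else "?"))
    return found


def wildcard_docker_ports(docker_output):
    """Return (container, host_ip, host_port) for ports published on 0.0.0.0 or ::."""
    found = []
    for line in docker_output.splitlines():
        if "\t" not in line:
            continue
        name, ports = line.split("\t", 1)
        for mapping in ports.split(", "):
            if "->" not in mapping:
                continue  # EXPOSEd but not published: reachable only on the bridge
            host_ip, host_port = split_host_port(mapping.split("->")[0])
            if host_ip in WILDCARD:
                found.append((name, host_ip, host_port))
    return found


def _run(cmd, fallback):
    """Run a command and return stdout; fall back to the sample when it is absent."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return fallback


if __name__ == "__main__":
    ss_out = _run(["ss", "-H", "-tulnp"], SAMPLE_SS)
    docker_out = _run(["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"], SAMPLE_DOCKER)
    for proto, host, port, proc in wildcard_listeners(ss_out):
        print(f"LISTENING ON ALL INTERFACES: {proto} {host}:{port} ({proc})")
    for name, ip, port in wildcard_docker_ports(docker_out):
        print(f"DOCKER PUBLISHED TO ALL INTERFACES: {name} {ip}:{port}")
```

Run it as root so `ss` fills in the process column. The Docker check matters separately because `-p 5432:5432` (or `ports: - "5432:5432"` in Compose) publishes on 0.0.0.0 unless you write `127.0.0.1:5432:5432`, and Docker inserts its own iptables rules ahead of ufw, so a host firewall rule alone will not hide a published port. A host-side listing is still only half the check: confirm from a different network with `nmap` that nothing other than what you intended answers on the VPS's public address.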

mightymoud 8 hours ago

Interesting setup....

How do you run the containers on your VPS though? You could still use Sidekick for that!

I think your setup is one step up in security from Sidekick nonetheless. A lot more work it seems too

tacone 8 hours ago

Interesting! How do you connect via ssh? Do you just leave the port open or is there any trick you'd like to share?

renewiltord 5 hours ago

This is pretty cool. I did not know I could do this. Currently, I have:

1. nginx + letsencrypt

2. forward based on host + path to the appropriate local docker

3. run each thing in the docker container

4. put Cloudflare in front in proxy DNS mode and with caching enabled

Your thing is obviously better! Thank you.

  • jmpavlec 5 hours ago

    I used to run it the cloudflared way as the other user described, but the tunnel often went offline without explanation for short periods of time and the latency was so-so in my testing. I run it more similar to you now and haven't had any stability problems since dropping the cloudflared setup. I use cloudflared for a less critical app on my own hardware and that also goes up and down from time to time.

    • renewiltord 5 hours ago

      Oh thank you for that experience. This way has been entirely fire and forget (except for application layer issues) so I wouldn't want to change things then. The infra layer is pretty simple this way. I lost a 10 year server to bitrot (Hetzner wanted to sunset it and I had such a bespoke config I forgot how to admin it over the 10 years) so I'm trying to keep things simple so it will survive decades.