I read a comment on here some time ago where the person said they were using cloudflared to expose some of their self-hosted stuff to the Internet so they can access it remotely.

I am currently using it to expose my RSS feed reader, and it works out fine. I also like the simplicity of Cloudflare’s other offerings.

Any thoughts on why cloudflared is not a good idea? What alternatives would you suggest? How easy/difficult are they to set up?

  • Dave@lemmy.nz · English · 4 upvotes · 7 months ago

    I think concerns come in two flavours:

    1. Privacy/security: Cloudflare terminates HTTPS, which means they decrypt your data on their side (e.g. browser to cloudflare section) then re-encrypt for the second part (cloudflare to server). They can therefore read your traffic, including passwords. Depending on your threat model, this might be a concern or it might not. A counterpoint is that Cloudflare helps protect your service from bad actors, so it could be seen to increase security.
    2. Cloudflare is centralised. The sidebar of this community states “A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.”, and Cloudflare is for sure a service you don’t control, and arguably you’re locked into it if you can’t access your stuff without it. Some people think Cloudflare goes against the ethos of self-hosting.

    With that said, you’ll find several large lemmy instances (and many small ones) use cloudflare. While you’ll easily find people against its use, you’ll find many more people in the self-hosted community using it because it’s (typically) free and it works. If you want to use it, and you’re ok with the above, then go ahead.

    • Nibodhika@lemmy.world · English · 1 upvote · 7 months ago

      There’s a third point, which is: things in Cloudflare are publicly accessible, so if you don’t put a service in front for authentication and the service you’re exposing has no authentication, a weak password or a security issue, you’re exposing your server directly to the internet and bad actors can easily find it.

      Which is why some services that I don’t want to have complicated passwords are only exposed via Tailscale, so only people inside the VPN can access them.

    • lemmyvore@feddit.nl · English · 1 upvote · 7 months ago

      In addition to the above, most of the perceived advantages of CF are non-existent on the free tier that most people use. Their “DDoS protection” just means they’ll drop your tunnel like a hot potato, and their “attack mitigation” on the free tier is a low-effort web app firewall (WAF) that you can replace with a much better and fully customizable self-hosted version.

  • Rimu@piefed.social · 2 upvotes · 7 months ago

    Cloudflare has been controversial for dragging their feet when it was time to stop providing protection to nazi websites like The Daily Stormer, 8chan and Kiwi Farms. Also the Taliban, ISIS and so on. More about this.

    For this reason, a lot of fediverse servers do not use CloudFlare.

  • Decronym@lemmy.decronym.xyz · English · 1 upvote · 7 months ago (edited)

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    | Fewer Letters | More Letters |
    |---|---|
    | CF | CloudFlare |
    | DNS | Domain Name Service/System |
    | HTTP | Hypertext Transfer Protocol, the Web |
    | HTTPS | HTTP over SSL |
    | IP | Internet Protocol |
    | SSH | Secure Shell for remote terminal access |
    | SSL | Secure Sockets Layer, for transparent encryption |
    | VPN | Virtual Private Network |
    | VPS | Virtual Private Server (opposed to shared hosting) |

    8 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

    [Thread #414 for this sub, first seen 9th Jan 2024, 07:05]

  • ninjan@lemmy.mildgrim.com · English · 1 upvote · 7 months ago

    I use a VPS I have for many purposes and a setup of Netbird + Caddy to do what Cloudflare does (but without their redundancy and worldwide distribution of hardware of course) but self-hosted. Personally I’m very much against relying on a large corporation which doesn’t give a fuck about me as a customer for access to my stuff.

      • ninjan@lemmy.mildgrim.com · English · 1 upvote · 7 months ago

        I’m unsure what you’re asking for? You could replace Netbird with any other WireGuard implementation and Caddy with any other reverse proxy. I just found those two to be very self hosting and FOSS friendly options.

        As for what to use it for, it allows me to run Jellyfin from home, while having Authentik be a forward authentication proxy in front of it so only people with an account can reach it while still allowing me to reach it from any device anywhere with Internet. It’s very nifty.
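
The layout described in the two comments above (public VPS, WireGuard overlay, reverse proxy, forward authentication), sketched as a Caddyfile for the VPS. This is an added example, not ninjan's configuration or either project's own. The hostname, the 100.64.0.x overlay addresses and the ports are assumed placeholders, and the outpost path follows Authentik's documented Caddy integration.

```caddyfile
# Runs on the public VPS. Caddy obtains the certificate itself, so TLS is
# terminated on a machine you control rather than at a third party.
# jellyfin.example.com, 100.64.0.10 (home server) and 100.64.0.20
# (Authentik outpost) are assumed placeholders.
jellyfin.example.com {
    # "route" keeps the directives in the order written.
    route {
        # The outpost's own endpoints must stay reachable for the login flow.
        reverse_proxy /outpost.goauthentik.io/* http://100.64.0.20:9000

        # Every other request is checked with the outpost first. Clients
        # without a valid session are sent to log in and never reach Jellyfin.
        forward_auth http://100.64.0.20:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
        }

        # Jellyfin is reachable only over the WireGuard overlay; no port is
        # opened on the home router.
        reverse_proxy 100.64.0.10:8096
    }
}
```

Binding Jellyfin to the overlay address only, rather than 0.0.0.0, keeps the authentication check from being bypassed from elsewhere on the home network.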

  • ck_@discuss.tchncs.de · English · 0 upvotes · 7 months ago (edited)

    > Subject to the terms of this Agreement, you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services.

    You’ll have to be fine with Cloudflare having any and all rights to the data transmitted through the tunnel, while you in return have none. They pinky promise not to fuck you over, but they also promise to legally bury you for any infringement at their discretion.

    For me, this is a non-starter.

    • fine_sandy_bottom@discuss.tchncs.de · English · 1 upvote · 7 months ago

      This is disingenuous.

      The full clause says…

      > You and your End Users (as such term is defined in the Privacy Policy) will retain all right, title and interest in and to any data, content, code, video, images or other materials of any type that you or your End Users transmit to or through the Services (collectively, “Customer Content”) in the form provided to Cloudflare. Subject to the terms of this Agreement, you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services.

      So to paraphrase, you retain your interest, but assign sufficient rights to cloudflare for them to provide the service you’re using. For example, they can’t give you a CDN if you don’t give them the right to transmit your data.

      • ck_@discuss.tchncs.de · English · 0 upvotes · 7 months ago

        Disagree. “Necessary to provide the service” means whatever they want it to mean. If they deem it necessary to monetize your data so they can offer you their service “for free”, that is well within their right to do. The fact that you “retain all rights” just means you can use your data too without asking Cloudflare for permission.

        • fine_sandy_bottom@discuss.tchncs.de · English · 0 upvotes · 7 months ago

          Surely you have to acknowledge that it’s disingenuous to copy the last sentence of the clause and omit the first sentence that says the exact opposite of the point you’re trying to make.

          You’re reading “bad faith” into the vagaries of a terms & conditions document. T&Cs will never say “we will never monetise this data”, that’s just not how T&Cs work, and it’s naive to conclude that the absence of such a statement means that cloudflare intends to monetise the data.

          If you look at cloudflare’s strategy here, they want to be the sweetheart of everyone who knows what a VPN is in order that they will be selected by those people for corporate projects. Monetising the data that flows through their network is antithetical to that objective.

          Additionally I would venture that the data doesn’t really have any value, it would be impossible to use it to build data about an individual’s browsing or buying habits.

          • ck_@discuss.tchncs.de · English · 0 upvotes · 7 months ago

            > Surely you have to acknowledge that it’s disingenuous to copy the last sentence of the clause and omit the first sentence that says the exact opposite of the point you’re trying to make.

            No it doesn’t. The first sentence does not state anything that is not already clarified by law. Hence, it adds zero value to the actual meaning of the paragraph.

            You are a person. Your basic human rights are guaranteed to you by law. Given that, you hereby grant me the right to enter your house and shave your head at my discretion and however often I wish, if I deem it necessary to provide a free service that I don’t classify further in this agreement.

            Same thing, you can say if I redact the first two sentences from the quote I’m being disingenuous, but really I’m just trying to get one over on you by making you feel like you have some control in this when in actuality you do not.

            • fine_sandy_bottom@discuss.tchncs.de · English · 1 upvote · 7 months ago

              The first part of the sentence you quoted says “subject to the terms of this agreement”. The most salient part of the agreement is the sentence you omitted.

              Your claim was:

              > You’ll have to be fine with Cloudflare having any and all rights to the data transmitted through the tunnel, while you in return have none.

              … and you omitted the sentence which describes the rights you have as the user, contradicting your assertion that users have none. If you don’t think that’s disingenuous then I don’t know what to tell you mate.