• 0 Posts
  • 2 Comments
Joined 1 year ago
cake
Cake day: October 23rd, 2023

help-circle
  • What recent thread about trust Cloudflare?

    Tunnel needs a client software, it’s higher risk, larger attack surface than normal http reverse proxy.

    The Cloudflare tunnel feature is part of its zero-trust product. It make sense if you are capable of audit the client source code. If you trust the client as you trust nginx reverse proxy software, tunnel is safer.

    Regular free Cloudflare proxy include basic WAF, it is more useful than selfhosted VPS reverse proxy or fail2ban. These commercial services learn attack patterns much earlier.

    My homelab exposed services all have real HTTPS certs behind Cloudflare. My service is configured trust Cloudflare origin only so attackers cannot bypass WAF. This is also the same setup my workplace setup to protect multi-million transactions.

    If the tunnel is used not for security reason, but bypass CGNAT, it’s at least not worse than selfhosted reverse proxy.