For a self-hosted application with a valid SSL certificate and support for OAuth, what are the benefits that Cloudflare Access provides? From what I can tell, it also filters traffic to possibly block attacks? Can it even be used with a self-hosted app if you aren’t also running Cloudflare Tunnel? Is there a better alternative (that also integrates with major OAuth providers like Google, Github, etc) for self-hosters? Thanks for the help in understanding how this works.
I can expose things like HASS and my Unifi controller to the public internet, but stick it behind Cloudflare Access (and Office 365) for protection.
I can essentially unlock my door anywhere in the country, as O365 has conditional access setup to block international logins and I’ve got MFA set up on it.
My port forwarding is only enabled for Cloudflare IPs, as is Nginx (for extra peace of mind), and I’ve got CF client certificates installed as well.
It mitigates the need for me to configure and use a VPN (although I’ve got one of those configured as well), which I’ve noticed can be disabled on some networks (I always had trouble using VPNs on T-Mobile in North America when I was there in 2018).
> which I’ve noticed can be disabled on some networks

I’ve found a few networks where my normal VPN connection won’t work. Typically they just block all outgoing ports except common ones like 80, 443, 22, 53, etc. I’ve got a few of those set up so I can try alternates. 22 usually works.
Maybe try OCserv for your VPN; it uses HTTPS as a fallback and has never failed me.
Remember that Cloudflare will see your traffic, even with an SSL certificate.
Right, so I’m trying to determine if that is worse or if exposing a service without Cloudflare (and being more at risk from someone trying to break into my service because of not having the monitoring/protection Cloudflare provides) is worse.
Don’t forget that Cloudflare offers no protection against traffic from within Cloudflare. There were several incidents in the past where Cloudflare’s services were used to break into other clients’ services (hijacking).
Do you have the examples of this so I can take a look? Was it ports forwarded that were opened to all cloudflare ranges, or tunnels and a backend exploit?
You can look online. Basically Cloudflare’s blocking features exclude Cloudflare’s own IP ranges. Someone used their own services (in their own IP range) to attack services, and since the request came from a Cloudflare IP it was not blocked or filtered. Pretty embarrassing if you ask me. But this is normal in the cloud.
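An added example, not from any poster in this thread, of what the "port forwarding and Nginx only for Cloudflare IPs plus CF client certificates" setup described earlier looks like on the origin, and why the IP allowlist alone does not address the "traffic from within Cloudflare" caveat just discussed. It assumes the app listens on 127.0.0.1:8123, the hostname app.example.com, a Let's Encrypt certificate at the usual path, the Cloudflare origin-pull CA saved at /etc/nginx/certs/cloudflare-origin-pull-ca.pem, and a file /etc/nginx/cloudflare-ips.conf generated from Cloudflare's published IP list (all placeholders):

```nginx
# Added example, not a poster's own config. Placeholders: hostname, paths, backend port.
# /etc/nginx/cloudflare-ips.conf is assumed to hold one "allow <prefix>;" and one
# "set_real_ip_from <prefix>;" line per prefix from Cloudflare's published IP list,
# regenerated whenever that list changes.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    # Layer 1: only Cloudflare edge ranges may connect (same rule as the router
    # port-forward). "include" must come before "deny all" so the allows win.
    include /etc/nginx/cloudflare-ips.conf;
    deny all;

    # Layer 2: Authenticated Origin Pulls. The edge must present Cloudflare's
    # client certificate, so anything that reaches the origin without going
    # through Cloudflare at all is rejected at the TLS handshake.
    # Caveat: the stock Cloudflare-wide origin-pull certificate is the same for
    # every zone, so it proves "came from Cloudflare's edge", not "came through
    # MY zone"; a zone pointed at this IP by someone else still passes here.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;

    # Log the visitor's address rather than the edge address.
    real_ip_header CF-Connecting-IP;

    # Layer 3: Cloudflare Access attaches a signed JWT in Cf-Access-Jwt-Assertion
    # for requests that passed its policy. This only enforces that the header is
    # present; the application (or an auth_request helper) must verify the JWT's
    # signature against the team's certs and check its "aud" matches this app's
    # Access AUD tag. That audience check is what ties the request to your zone
    # and your policy, which neither the IP allowlist nor the shared cert does.
    if ($http_cf_access_jwt_assertion = "") {
        return 403;
    }

    location / {
        proxy_pass         http://127.0.0.1:8123;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Test the layering by connecting to the origin IP directly (should fail the handshake) and with a valid edge connection but no Access session (should get 403), before trusting it.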
There’s not much reason to expose any of your local services to the internet. Use a VPN to access your local resources. This is the best you can come up with for your home lab.
Question: what if I need to access my home computer from a work laptop and I’m not allowed to install things such as the WireGuard VPN client? Do I use the native, say, Windows VPN?
Assuming it’s a Linux server at home and you can use SSH on your work computer, there are a couple of ways to do this.
- Install a web-based terminal client
- Set up Cloudflare Tunnel on your home server and use the SSH proxy. I do this with a simple helper in `~/.ssh/config`:

```
# Any host ending in ".cf" is reached through cloudflared; the sed rewrites
# "name.cf" to "name.homelab.nz" before handing it to the Access SSH proxy.
Match host "*.cf"
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname $(echo %h | sed 's/\.cf$/.homelab.nz/')
    ForwardAgent yes
```