I am running this docker image: https://github.com/nextcloud/docker with a cloudflare tunnel, meaning the webserver would see all the traffic coming from a single ip in 172.16.0.0/12 .

The documentation says:

The apache image will replace the remote addr (IP address visible to Nextcloud) with the IP address from X-Real-IP if the request is coming from a proxy in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 by default

So I thought that this is a not a problem, as other docker images can also automagically figure out the real IP address from traffic coming from cloudflare tunnels.

In the beginning it worked fine, then it was SLOW. Like 2 full minutes to load new feeds on news, waiting ages to complete a sync, and so on. I rebooted the server on those instances, and then it worked fine for a day.

So because at the time i was running it on unraid, i blamed the lag on that OS + my weird array of HDDs with decades of usage on them. Migrated to debian on a nvme array and… same lag!

Wasted hours trying to use caddy+fpm instead of apache and it’s the same, worked fine for a day, then it was slow again.

Then I wondered: what if the program is “smart” and throttles it by itself without any warning to the admin if it thinks that an ip address is sending too many requests?

Modified the docker compose like this:

  nextcloud:
    image: nextcloud

became

  nextcloud:
    build: .

and I created a Dockerfile with

FROM nextcloud
RUN apt update -y && apt upgrade -y
RUN apt install -y libbz2-dev
RUN docker-php-ext-install bz2
RUN a2enmod rewrite remoteip
COPY remoteip.conf /etc/apache2/conf-enabled/remoteip.conf

with this as the content of remoteip.conf

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 10.0.0.0/8
RemoteIPTrustedProxy 172.16.0.0/12
RemoteIPTrustedProxy 192.168.0.0/16
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32

and now because nextcloud is seeing all the different ip addresses it doesn’t throttle the connections anymore!

40 points
*

Why do so many people tunnel their personal data through cloudflare anyways? No port forwarding possible? Or afraid of DDoS attacks? Or am I missing something?

permalink
report
reply
39 points

Security.

Cloudflare handles a very large amount of traffic and sees many different types of attacks (thinks CSRF, injections, etc.). It is unlikely that you or me will be individually targeted, but drive-bys are a thing, and thanks to the amount of traffic they monitor, the WAF will more likely block out anything and patch before I’m able to update my apps on 0 days.

Also, while WAF is a paid feature, other free features, such as free DDOS attack protection, help prevent other attacks.

It’s a trade off, sure; they’re technically MITM’ing your traffic, but frankly, I don’t care. Much like no one cares to target/attack me individually, they aren’t going to look at my content individually.

Additionally, it also makes accessing things much easier. Also, it is much more likely I’d find a SME using Cloudflare than some janky custom self hosted tunnel setup. So from a using homelab as a learning for professional experience point of view, it is much more applicable as well.

permalink
report
parent
reply
16 points
*

Thx for explaining. I’m not sure if I’m willing to do the same trade-offs. Supposedly their WAF is very good and quite some people use it. Probably for a good reason… It just comes at a hefty price. I’m doing selfhosting to emancipate myself, stay independent and in control. I’m not sure if becoming dependant on a single large company and terminating my encryption on their servers that do arbitrary magic and whatever with my packets is something that aligns with my goals. (Or ethics, since I think the internet is to connect people on a level playing field. And that’s no longer the case once many people transfer control to a single entity.) But I don’t see a way around that. Afaik you have to choose between one or the other. Are there competitors to cloudflare that handle things differently? Maybe provide people with the WAF and databases to run on their own hardware, let them stay in control and just offer to tunnel their encrypted data with a configurable firewall?

Edit: Just found modsecurity.org while looking that up. But I guess a good and quick database of bad actors’ IPs is another thing that would be needed for an alternative solution.

permalink
report
parent
reply
6 points

It’d be a challenge to keep up — 0 days aren’t going to be added to self hosted solution faster than they could be detected and deployed on a massively leveraged system. Economy of scales at full display.

permalink
report
parent
reply
6 points

I just use a VPS with caching and basic https stripping protection

permalink
report
parent
reply
2 points

If they don’t care to attack you why would they DDoS you. 😄

The things CF fans make up about “security” are hilarious.

If you ever got hit with a DDoS while on the free tier they’d just disconnect you.

permalink
report
parent
reply
6 points
*

If you ever got hit with a DDoS while on the free tier they’d just disconnect you.

I can’t find anything that supports that statement. What is your source?

From what I understand you can do a bunch of things when under attack like requiring captchas.

permalink
report
parent
reply
-13 points

Nobody is going to go through the effort to ddos a personal site. 😂

permalink
report
parent
reply
8 points

Tell this to the Russian bots that are hammering my personal site for some reason.

It’s way easier to make a rule “no Russia” or even “only my country”

permalink
report
parent
reply
25 points

They think the free CF tier offers DDoS protection, which (a) will never happen to their server and (b) if it ever happened would consist of CF disconnecting their tunnel and black-holing their IP and domain until it blows over.

They also think CDN helps when your services are behind authentication.

Some of them just find it convenient that CF is registrar, DNS provider and sets up reverse proxy for them so they never stop to think too much about it.

permalink
report
parent
reply
13 points
*

Thanks. I read a lot of people recommending cloudflare. I believe a substantial amount of that group is on the free tier and not exactly making informed choices. Being a registrar, DNS provider and offering tunneling / port forwarding or some mechanism to traverse your home NAT are valid use-cases.

permalink
report
parent
reply
3 points

Some of them just find it convenient that CF is registrar, DNS provider and sets up reverse proxy

You should never put all your eggs in one basket. Using one company for all three of these essentially gives them full control of your domain.

It’s a best practice to use separate companies for registrar and website/proxy. If there’s ever some sort of dispute about the contents of the site, you can change the DNS to point to a different host. That’s not always possible when the same company handles both.

permalink
report
parent
reply
17 points

Simple reason: at home I don’t have a static IPv4 address and I can’t do port forwarding

permalink
report
parent
reply
3 points
*

What about ddns?

Edit: never mind reread your comment and saw the port forwrding caveat. Sorry pal.

permalink
report
parent
reply
2 points
*

Thx, that is a good reason to do it. I’m eventually going to lose my static IPv4 address, too. But I’m preparing to move some of my services to a VPS instead and in the process set up the firewall and the reverse proxy to the Nextcloud on my homeserver and so on there (on that VPS.)

permalink
report
parent
reply
4 points

I don’t have a static IP but host services off my paid domain. I use duckdns and point host records to the duckdns address. I have to use CloudFlare to manage my DNS records for this to work.

https://developers.cloudflare.com/dns/cname-flattening/

permalink
report
parent
reply
0 points

Get a $15/year VPS and run your own tunnel using Wireguard.

permalink
report
parent
reply
5 points
*

Is there a better way to expose my services when behind an ISP cgnat?

permalink
report
parent
reply
3 points
*

Cloudflare, Pagekite, a cheap VPS with a reverse proxy. Maybe IPv6-only access if your CGNat does that, ngrok, serveo, rathole, sish, a VPN… I also found portmap-io, webhook relay, packetriot and countless other smaller companies. There are quite some tools and services available. And which one is right for you might depend on the exact situation and what you’re hosting. I’m not an expert on this. I have an internet connection without a NAT, and additionally a really tiny VPS with a mailserver, a small website and wireguard. I just use that to tunnel through NAT if i need to. But that means I haven’t compared all the other services since I don’t need them (yet.) I’ve learned a bit about Cloudflare from this discussion.

permalink
report
parent
reply
3 points

Because it makes them “feel” more secure.

permalink
report
parent
reply
20 points
*

I just don’t see the point of using cloudflared. Its easy to use but it just gives all your data to cloudflare in return for very little.

permalink
report
reply
-6 points

You can easily set SSL with a self signed certificate, they get nothing

permalink
report
parent
reply
25 points

Afaik, they decrypt and recrypt all traffic.

permalink
report
parent
reply
10 points

Interesting - I didn’t bother to set the X-Real-IP headers until now and this might speed up my instance too. Thanks!

Then I wondered: what if the program is “smart” and throttles it by itself without any warning to the admin if it thinks that an ip address is sending too many requests?

The word you’re looking for is “Rate Limit(ing)” and according to the documentation you could also disable it completely.

But I guess the cleanest and most secure solution would be to just set the headers on the reverse proxy.

permalink
report
reply
9 points

Good job debugging it. Where’d you get that list of IPs?

permalink
report
reply
3 points

It’s the list of IPs that belong to cloudflare.

I think that because I’m using tunnels it’s not necessary to have all of them, just the docker ip address space

permalink
report
parent
reply
7 points
*

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
CF CloudFlare
DNS Domain Name Service/System
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

7 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

[Thread #484 for this sub, first seen 4th Feb 2024, 22:45] [FAQ] [Full list] [Contact] [Source code]

permalink
report
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 5K

    Monthly active users

  • 3.6K

    Posts

  • 81K

    Comments