Cloudflare's dominance is a huge problem exactly for this reason. Having a single point of failure is a huge risk, and it's surprising that governments don't view this as being a matter of national security.
As a side note, and not to "well ackshully", but Cloudflare isn't a backbone provider. But your point still stands lol.
Not only because it's a single point of failure, but also because it's a single point of surveillance.
Cloudflare can read and even modify the communications everyone has with sites behind its HTTPS service. And it can monitor people's browsing through its DNS-over-HTTP service. And it can fingerprint people's browsers through any of its services that use JavaScript, such as its CAPTCHA-like thing.
I'm willing to move away from cloudflare if only I can expose servers without a global IP and needing to open a port on the router side. Does anybody know how to do this?
Or maybe I should move to somewhere I can set up port-forwarding?
VPS has public IP and runs WireGuard "server"* and a reverse proxy (and fail2ban...). Reverse proxy points to my home computer over the WireGuard link. No open ports on my home router.
For private facing/LAN-only services I just don't have an entry in the VPS reverse proxy. DNS on the router points everything to my local server, so if at home I access everything directly. To access internal services remotely requires VPN (i.e., WireGuard to the VPS).
Works well; I have a tiny free tier VPS but even so, no complaints.
*Yes I know there are no wg clients or servers, only peers, but it plays a server-like role.
Yes, but you can run multiple VPS, from different providers, simultaneously.
What I like is that while it does depend on an external provider, it doesn't depend on a specific external provider. Any VPS with a public IPv4 would work.
Tailscale is definitely the most frictionless solution. But you will then rely on tailscale instead of cloudflare, so not ideal. You can also host Headscale so you do not have to rely on them either.
I've never heard of headscale. Can you hook this up to a domain like you can with cloudflare tunnels? That was my main reason for using it. Being able to just hand my family member a domain to point to and see audiobooks
Yes you can, easiest is called tailscale funnel, you'll just get a url leading to whatever you have hosted. Slightly more complicated is either installing tailscale on family devices and using it as a VPN (so your service is safely shielded from the public internet), or you can use a reverse proxy on a cheap/free tier VPS.
Tailscale is fine, problem is I have to keep my phone connected to the tail network, which drains the battery. I do have a tailscale subnet router running under my network so I can fix things remotely.
All three instances I have accounts on use CF. I was beginning to think it was my client I was using or they suddenly implemented the “Great Firewall of USA” and figured out a way to block Lemmy instances.
It is not just Europe, the entire world should stop using American companies for everything. Amazon, Microsoft, and cloudflare. A big portion of the internet is US dependent. Russia and China seem to realize how big of an issue this is, Europe is still too dependent.
Even though I don't host anything important, I'm still glad I found alternative ways to host my own stuff without the use of any Cloudflare services.
I've noticed over time that the self-hosted communities have been suggesting Cloudflare Tunnels less and less since Trump and his gang took over America. Maybe this latest outage will push more people to not recommend Cloudflare again in the future.
I still remember when I first got into self-hosting and being mocked pretty hard for questioning the use of such a large centralized service like Cloudflare. I'm glad I persisted and kept learning in my own direction but that still was very demotivating at the time.
Currently I'm using DeSec.io for my Dynamic DNS and Caddy as my reverse proxy to automatically handle encryption certificates. It takes a little extra effort setting up a DeSec.io module with Caddy but since I got it working, it's been essentially zero maintenance.
I do want to write up a guide about how to set up Caddy + DeSec.io but I don't have the time at the moment. If you have any questions, feel free to ask. I can try to help where I can.
I'll leave you this previous post I made, you might find some additional information in there if you get stuck. lemmy.dbzer0.com/post/51117983
Also, someone suggested using a wildcard cert for the use of any sub-domain names. I chose to learn and use that because it helps obscure my services. If you have any interest in security, it might interest you. In terms of security, it's not the absolute way to protect yourself, but I think it helps when combined with other security measures. If you read the comments in the post, you should get some more insight about it.
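Added example, not any poster's actual setup: one way to lay out the VPS + WireGuard + reverse proxy design from the earlier reply together with the Caddy + DeSec.io certificate handling described above. The keys, addresses and domain are placeholders, and the `dns desec` Caddyfile syntax assumes a Caddy build that includes the caddy-dns/desec module.

```shell
# Added example: renders both WireGuard peer files and the VPS Caddyfile. Placeholders throughout.
set -eu
VPS_PUBLIC_IP="${VPS_PUBLIC_IP:-203.0.113.10}"  # placeholder (TEST-NET-3 range)
VPS_WG_IP="10.8.0.1"
HOME_WG_IP="10.8.0.2"
DOMAIN="${DOMAIN:-example.org}"                 # placeholder domain
APP_PORT="${APP_PORT:-8080}"                    # service listening at home

# VPS peer: the only side with a listening WireGuard port; it accepts only the home peer.
render_vps_wg() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# Home peer: no ListenPort (nothing to forward on the router); the keepalive holds the NAT mapping.
render_home_wg() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:51820
AllowedIPs = ${VPS_WG_IP}/32
PersistentKeepalive = 25
EOF
}

# Caddy on the VPS: wildcard cert via deSEC DNS-01 (assumes the caddy-dns/desec module),
# so port 80 stays closed; hostnames without a matcher get a 404 instead of a proxy.
render_caddyfile() {
  cat <<EOF
*.${DOMAIN} {
  tls {
    dns desec {env.DESEC_TOKEN}
  }
  @app host app.${DOMAIN}
  reverse_proxy @app ${HOME_WG_IP}:${APP_PORT}
  respond 404
}
EOF
}
```

With the DNS-01 challenge the VPS only needs 443/tcp and 51820/udp reachable, and the home peer's AllowedIPs limits the tunnel to the VPS's own address. Write the rendered files to /etc/wireguard/wg0.conf on each side and the Caddyfile on the VPS.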
My self-hosting strategy is wildly alternative and not one I speak much about publicly. I'm the only person connecting to my own domain so as long as I continue to practice shutting the fuck up, I can get away with using multiple layers of obscurity rather than fiddling with third party solutions.
I check my logs daily and the only activity I ever see is my own. Since I am not hosting anything critical or sensitive, I have the opportunity to experiment this way without much risk to myself.
The way I'm set up, I am not concerned with DDoS attacks because it would fail to get past the Dynamic DNS. If I were hosting a social media platform or something more public, then I would need to take stronger measures to protect myself and that data.
Had to get that account back as piefed.zip, piefed.social and lemmy.zip cannot be accessed.
Cool to see other people still able to access the Threadiverse
Thank you as always for your service!
Edit: surprisingly anarchist.nexus/ seems to use CF
Pangolin | Secure Access Platform (pangolin.net)
VPS+VPN, this is what I do.
headscale.net
Tailscale Funnel examples · Tailscale Docs
Ahhhh, feels so good to be proven correct.
Stop using centralised services, especially botnet-like ones that protect fascist harassers.