Homelab Proxying With Cloudflare Tunnel
Traditionally, I’ve exposed my homelab directly to the internet.
I point a DNS record to my home IP, updating it with cloudflare-ddns as I don’t have a static IP, nor do I wish to pay for one.
The downside of this is that you need to expose a server to the internet, exposing your IP, and you need to harden said server adequately.
While I haven’t run into any issues, I know others who have, so I’m still wary.
There are a few neat solutions to avoid exposing your IP; the most common is putting a VPS in front of your home server, and proxying requests down over a VPN like WireGuard. Alex Ellis’ project inlets is a great way to automate this. You can plug in your DigitalOcean (or other provider) API keys, and it will provision a server for you.
I do use inlets for some smaller projects, but Cloudflare Tunnel is more robust, and not self-hosted, which takes out a lot of work. I don’t need to worry about issues with the VPS, or other infrastructure. It also has a very compelling free tier.
I’ll spare you the setup details, as the documentation is excellent. If you want to take a look at my configuration in Kubernetes, my cloudflared deployment YAML is available here.
I had a few issues after first setup. I initially had cloudflared proxying to http://ingress-nginx-controller:80, which caused Authelia redirection to fail. I fixed this by proxying to https://ingress-nginx-controller:443 and setting noTLSVerify: true.
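For reference, an added example (not the author's configuration): a cloudflared config.yaml with the origin setting described above next to a variant that keeps certificate verification on. The tunnel ID, file paths, the app/auth hostnames and the private CA are assumptions made for illustration.

```yaml
# Constructed cloudflared config.yaml; not the author's deployment.
# <TUNNEL_ID> and all file paths are placeholders.
tunnel: <TUNNEL_ID>
credentials-file: /etc/cloudflared/creds/credentials.json

ingress:
  # Setting from the post: HTTPS to the ingress controller with certificate
  # verification turned off. The hop is encrypted, but cloudflared accepts
  # whatever certificate the endpoint behind that service name presents.
  - hostname: app.my.domain            # hypothetical hostname
    service: https://ingress-nginx-controller:443
    originRequest:
      noTLSVerify: true

  # Variant with verification on. Assumes the ingress controller serves a
  # certificate for auth.my.domain issued by a CA whose certificate is
  # mounted into the cloudflared pod at the caPool path.
  - hostname: auth.my.domain           # hypothetical hostname
    service: https://ingress-nginx-controller:443
    originRequest:
      originServerName: auth.my.domain # name expected in the origin certificate
      caPool: /etc/cloudflared/ca/ca.crt

  # cloudflared requires a final catch-all rule.
  - service: http_status:404
```

With noTLSVerify the origin's identity is not checked, so the trust boundary is the cluster network itself; the second rule moves that check into cloudflared at the cost of managing a certificate the ingress controller can present.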
The next issue I hit was that Cloudflare DNS doesn’t seem to let you proxy directly to a tunnel from either the root domain, or a wildcard domain. Requests from my.domain or *.my.domain failed. The fix here was to set up a load balancer, which would then route traffic to my tunnel.
The infrastructure now looks like:
I no longer expose my IP, and have removed most open ports into my network. All in all, a neat solution!
Do you proxy your homelab via a tunnel? Why/why not? Let me know via email: blog <at> hu <dot> md, or via Twitter.
Looking for something related to read? Check out Nicholas Whittaker’s post: Live previewing Hugo sites with Cloudflare Tunnel.