Homelab Proxying With Cloudflare Tunnel
Traditionally, I’ve exposed my homelab directly to the internet.
I point a DNS record to my home IP, updating it with cloudflare-ddns as I don’t have a static IP, nor do I wish to pay for one.
The downside of this is that you need to expose a server to the internet, exposing your IP, and you need to harden said server adequately.
While I haven’t run into any issues, I know others who have, so I’m still wary.
There are a few neat solutions to avoid exposing your IP; the most common is putting a VPS in front of your home server, and proxying requests down over a VPN like WireGuard. Alex Ellis’ project inlets is a great way to automate this. You can plug in your DigitalOcean (or other provider) API keys, and it will provision a server for you.
I do use inlets for some smaller projects, but Cloudflare Tunnel is more robust, and not self-hosted, which takes out a lot of work. I don’t need to worry about issues with the VPS, or other infrastructure. It also has a very compelling free tier.
I’ll spare you the setup details, as the documentation is excellent. If you want to take a look at my configuration in Kubernetes, my cloudflared deployment YAML is available here.
I had a few issues after first setup. I initially had cloudflared proxying to http://ingress-nginx-controller:80, which caused Authelia redirection to fail. I fixed this by proxying to https://ingress-nginx-controller:443 and setting noTLSVerify: true.
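For reference, here is how that setting sits in a cloudflared config.yaml next to a variant that keeps origin certificate verification on. This is an added example, not the deployment linked above: the tunnel ID, file paths and the app.my.domain hostname are placeholders, and the verified rule assumes ingress-nginx serves a certificate for that hostname issued by a CA you can mount into the cloudflared pod.

```yaml
# Added example: cloudflared config.yaml sketch.
# Tunnel ID, file paths and app.my.domain are placeholders/assumptions,
# not values taken from the post.
tunnel: <TUNNEL-ID>
credentials-file: /etc/cloudflared/creds/credentials.json

# Rules are matched top to bottom, so the specific hostname comes before
# the wildcard that would otherwise catch it.
ingress:
  # Verified origin: cloudflared checks the certificate presented by
  # ingress-nginx against the CA bundle in caPool, and expects it to be
  # valid for originServerName rather than for the Service DNS name.
  - hostname: app.my.domain
    service: https://ingress-nginx-controller:443
    originRequest:
      originServerName: app.my.domain
      caPool: /etc/cloudflared/ca/ca.pem

  # Setting described in the post: TLS to the ingress controller with
  # verification disabled. The hop is encrypted, but cloudflared accepts
  # any certificate presented on that address, so the origin is not
  # authenticated.
  - hostname: "*.my.domain"
    service: https://ingress-nginx-controller:443
    originRequest:
      noTLSVerify: true

  # cloudflared requires a final catch-all rule with no hostname.
  - service: http_status:404
```

With noTLSVerify: true the cloudflared-to-ingress hop stays inside the cluster network, so the practical exposure is limited to whatever can answer on that Service address; the verified form removes that dependency once the ingress has a certificate from a CA you control.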
The next issue I hit was that Cloudflare DNS doesn’t seem to let you proxy directly to a tunnel from either the root domain, or a wildcard domain. Requests from my.domain or *.my.domain failed. The fix here was to set up a load balancer, which would then route traffic to my tunnel.
The infrastructure now looks like:
I no longer expose my IP, and have removed most open ports into my network. All in all, a neat solution!
Do you proxy your homelab via a tunnel? Why/why not? Let me know via email: blog <at> hu <dot> md, or via Twitter.
Looking for something related to read? Check out Nicholas Whittaker’s post: Live previewing Hugo sites with Cloudflare Tunnel.