Homelab Proxying With Cloudflare Tunnel
Traditionally, I’ve exposed my homelab directly to the internet.
I point a DNS record to my home IP, updating it with cloudflare-ddns as I don’t have a static IP, nor do I wish to pay for one.
The downside of this, is that you need to expose a server to the internet, exposing your IP, and you need to harden said server adequately.
While I haven’t run into any issues, I know others who have, so I’m still wary.
There are a few neat solutions to avoid exposing your IP, the most common is putting a VPS in front of your home server, and proxying requests down over a VPN like Wireguard. Alex Ellis’ project inlets is a great way to automate this. You can plug in your DigitalOcean (or other provider) API keys, and it will provision a server for you.
I do use inlets for some smaller projects, but Cloudflare Tunnel is more robust, and not self-hosted, which takes out a lot of work. I don’t need to worry about issues with the VPS, or other infrastructure. It also has a very compelling free tier.
I’ll spare you the set up details, as the documentation is excellent. If you want to take a look at my configuration in Kubernetes, my cloudflared
deployment YAML is available here.
I had a few issues after first set up. I initially had cloudflared
proxying to http://ingress-nginx-controller:80
, which caused Authelia redirection to fail. I fixed this by proxying to https://ingress-nginx-controller:443
and setting noTLSVerify: true
.
The next issue I hit was that Cloudflare DNS doesn’t seem to let you proxy directly to a tunnel from either the root domain, or a wildcard domain. Requests from my.domain
or *.my.domain
failed. The fix here was to set up a load balancer, which would then route traffic to my tunnel.
The infrastructure now looks like:
I no longer expose my IP, and have removed most open ports into my network. All in all, a neat solution!
Do you proxy your homelab via a tunnel? Why/why not? Let me know via email: blog <at> hu <dot> md
, or via Twitter.
Looking for something related to read? Check out Nicholas Whittaker’s post: Live previewing Hugo sites with Cloudflare Tunnel.
On the web
An old computer for a kid
Mon Oct 14 2024 by Joel's Log FilesWhy Have Multiple Blogs?
Fri Oct 11 2024 by Kev QuirkGoing Buildless
Sun Sep 8 2024 by Max BöckGenerating Mazes
Thu Aug 8 2024 by Andrew Healey's BlogDeployer: Build and Cache Frontend Assets once using GitHub Actions
Sat Aug 3 2024 by stefanzweifel.dev
Generated by openring