Homelab Proxying With Cloudflare Tunnel
Traditionally, I’ve exposed my homelab directly to the internet.
I point a DNS record to my home IP, updating it with cloudflare-ddns as I don’t have a static IP, nor do I wish to pay for one.
The downside of this, is that you need to expose a server to the internet, exposing your IP, and you need to harden said server adequately.
While I haven’t run into any issues, I know others who have, so I’m still wary.
There are a few neat solutions to avoid exposing your IP, the most common is putting a VPS in front of your home server, and proxying requests down over a VPN like Wireguard. Alex Ellis' project inlets is a great way to automate this. You can plug in your DigitalOcean (or other provider) API keys, and it will provision a server for you.
I do use inlets for some smaller projects, but Cloudflare Tunnel is more robust, and not self-hosted, which takes out a lot of work. I don’t need to worry about issues with the VPS, or other infrastructure. It also has a very compelling free tier.
I had a few issues after first set up. I initially had
cloudflared proxying to
http://ingress-nginx-controller:80, which caused Authelia redirection to fail. I fixed this by proxying to
https://ingress-nginx-controller:443 and setting
The next issue I hit was that Cloudflare DNS doesn’t seem to let you proxy directly to a tunnel from either the root domain, or a wildcard domain. Requests from
*.my.domain failed. The fix here was to set up a load balancer, which would then route traffic to my tunnel.
The infrastructure now looks like:
I no longer expose my IP, and have removed most open ports into my network. All in all, a neat solution!
Do you proxy your homelab via a tunnel? Why/why not? Let me know via email:
blog <at> hu <dot> md, or via Twitter.
On the web
- Kev Quirk
- Andrew Healey's Blog
Generated by openring