• Cloudflare

    From poindexter FORTRAN@VERT/REALITY to All on Wed Apr 21 07:26:00 2021
    I found an interesting article on Reddit about a home lab user using the home/free tier of Cloudflare for their network.

    On top of the usual DDOS stuff, they handle SSL and proxying to HTTP/HTTPS
    for your facing services, provide DNS for your domain, allow access to their CDN, and you get to hide your home IP in the process.

    There's a lot of analytics, I'm just starting to play with that now.

    The original poster is using pfsense to talk to Cloudflare's API, it sounds like you could do some interesting things with it.

    Definitely worth checking into, I'd started setting up a reverse proxy on my network, mostly to handle LetsEncrypt renewals, but this would render that moot as well as add some other features.


    ... The neuroanatomy of fear and faith share common afferent pathways.
    --- MultiMail/DOS v0.52
    ■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org
  • From lynx769@VERT/BTTMLSS to poindexter FORTRAN on Wed Apr 21 17:17:00 2021
    The original poster is using pfsense to talk to Cloudflare's API, it sound like you could do some interesting things with it.

    I've got a small container which checks every 5 minutes if my home IP has changed and calls Cloudflare's API to update the wildcard A record for my domain.

    I'm hosting a half dozen services running behind nginx-ingress and let's encrypt cert issuer on a kubernetes cluster. The cluster is running small RancherOS VMs on Proxmox.

    With the wildcard, I just spin up a new service and have a valid certificate issued automatically and be in business. The only downside is that Cloudflare can't proxy wildcard records so I lose the proxy benefit though.

    Lachlan

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net
  • From Nelgin@VERT/EOTLBBS to lynx769 on Thu Apr 22 01:36:20 2021
    lynx769 wrote:
    The original poster is using pfsense to talk to Cloudflare's API, it sound
    like you could do some interesting things with it.

    I've got a small container which checks every 5 minutes if my home IP has changed and calls Cloudflare's API to update the wildcard A record for my domain.

    I have nsupdate running on my router which runs openwrt. It will automatically update my DNS without having to check every so often. It's nice and quick.

    ---
    ■ Synchronet ■ End Of The Line BBS - endofthelinebbs.com
  • From Arelor@VERT/PALANT to poindexter FORTRAN on Thu Apr 22 05:41:46 2021
    Re: Cloudflare
    By: poindexter FORTRAN to All on Wed Apr 21 2021 07:26 am

    I found an interesting article on Reddit about a home lab user using the home/free tier of Cloudflare for their network.

    On top of the usual DDOS stuff, they handle SSL and proxying to HTTP/HTTPS for your facing services, provide DNS for your domain, allow access to their CDN, and you get to hide your home IP in the process.

    There's a lot of analytics, I'm just starting to play with that now.

    The original poster is using pfsense to talk to Cloudflare's API, it sounds like you could do some interesting things with it.

    Definitely worth checking into, I'd started setting up a reverse proxy on my network, mostly to handle LetsEncrypt renewals, but this would render that moot as well as add some other features.


    ... The neuroanatomy of fear and faith share common afferent pathways.

    Cloudflare is a Google-class threat to privacy and freedom of the Internet.

    Their SSL management is very meh if you use them only as an SSL accelerator. They break the asumption that the SSL/TLS connection is performed to the website's hosting location. If you use them as an accelerator they get to see all the supposedly encrypted traffic and your users won't know it unless they pay a lot of attention.

    Anti-DDOS is nice. It is too bad that in order to have your own DDOS protection nowadays you need the infrastructure to route DOS connections to /dev/null, which is kind fo expensive.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From poindexter FORTRAN@VERT/REALITY to lynx769 on Thu Apr 22 06:15:00 2021
    lynx769 wrote to poindexter FORTRAN <=-

    With the wildcard, I just spin up a new service and have a valid certificate issued automatically and be in business. The only downside
    is that Cloudflare can't proxy wildcard records so I lose the proxy benefit though.

    I'm new to the cert game. I assumed that LetsEncrypt couldn't do wildcards.
    If they did, I could replace all of the standalone LE instances with the reverse proxy server I want to build. But, then I wouldn't need the proxy server, as it's going to be there to allow my internal hosts to renew their
    LE certificates. :)

    What are you using as a reverse proxy? I am planning on using nginx, only because I've recently used it at work to proxy some servers behind a single IP.


    ... Mary being complete the job bazooka.
    --- MultiMail/DOS v0.52
    ■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org
  • From poindexter FORTRAN@VERT/REALITY to Nelgin on Thu Apr 22 06:21:00 2021
    Nelgin wrote to lynx769 <=-

    I have nsupdate running on my router which runs openwrt. It will automatically update my DNS without having to check every so often.
    It's nice and quick.

    I've got dynamic DNS, and I use a static A address on my provider for my
    base host name, then CNAME everything off of it. I haven't had my IP address change unless I hard reset my router.


    ... ONE OUT OF FIVE DENTISTS RECOMMEND GUM.
    --- MultiMail/DOS v0.52
    ■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org