Hey, are there any alternatives to CloudFlare reverse proxies? I want to hide my server IP but not share everything with CF…
I would like to access my server only through the proxy: if I use my real IP I end up with nothing, but if I use the proxy IP it shows me my server.
Simply to protect my home server from attacks, and serve the content only via the remote server in a datacenter.
You’re asking excellent and very relevant questions.
OP, take heed.
Most people are under the impression that their IP being public is somehow super dangerous, and that “hackers will attack me” if it ever gets out. So likely “all the attacks against my entire network.”
Edit: Secondary thought, they legitimately have unsecured endpoints on their IP, and are hoping no one will notice if they aren’t handing out their IP to others. Still incorrect though.
Some ISPs don’t rotate IPs, so it can end up pinpointing your house very precisely.
If I want to host my services on the internet, I need to open a port in my firewall, no? Isn’t that a bit riskier than only allowing access to this open port from the data center’s address?
Well, if you use the CloudFlare WAF with login protection (available in the free tier), you’re pretty much safe since the connection doesn’t arrive at your server if you don’t authenticate in CF first (with Gmail, Microsoft, OTP, etc.) @foremanguy92_@lemmy.ml
Honestly, if it’s just a small, personal project, just use common sense and take some basic precautions (e.g. use a firewall, use NGINX instead of serving Wordpress directly, etc.).
Note that CloudFlare doesn’t protect you from everything either - it only provides some very specific services. A rudimentary level of caching images being the most common one a free account level would be able to use.
Set up a VPN on a VPS. Use traefik and authelia. Authelia will be your authentication portal and traefik will tunnel the traffic from the auth portal to configured locations within the VPN. Get your home network on that VPN.
Choose VPS provider based on geographic location.
Sucuri?
Akamai?
Kinda depends on what’s going on, price point, etc. is this for DDOS purposes?
You do not need a CDN, but you have users. So, is this for like, a Plex server, serving friends in a similar geographic region?
What’s the use case? That will greatly help us answer.
Step 1: get a cheap VPS, or even a free one (https://www.oracle.com/cloud/free/)
Step 2: If you’ve a static IP at home great, if you don’t get a dynamic DNS from https://freedns.afraid.org/ or https://www.duckdns.org/
Step 3: Install nginx on the VPS and configure it as reverse proxy to your home address. Something like this:
    server {
        listen 80;
        server_name example.org;  # your real domain name you want people to use to access your website
        location / {
            proxy_pass http://home-dynamic-dns.freeprovider...;  # replace with your home server IP or Dynamic DNS.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }
Step 4: Point your A record of example.org to your VPS.
Step 5: there’s a potential security issue with this option: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from and to get around this you can do the following on the home server nginx config:
    http {
        (...)
        real_ip_header X-Real-IP;
        set_real_ip_from x.x.x.x;  # Replace with the VPS IP address.
    }
This will make sure only the VPS is allowed to override the real IP of the client.
Step 6: Once your setup works you may increase your security by using SSL / disabling plain HTTP. Set up letsencrypt on both servers to get valid SSL certificates for the real domain and the dynamic DNS one.
Proceed to disable plain text / HTTP traffic. To do this simply remove the entire
    server { listen 80; ...
section on both servers. You should replace it with
    server { listen 443 ssl; ...
so it listens only for HTTPS traffic.
Step 7: set your home router to allow incoming traffic on port 443 and forward it to the home server;
Step 8: set the home server’s firewall to only accept traffic coming from outside the LAN subnet on port 443 and only if it comes from the VPS IP. Drop everything else.
Another alternative to this is to set up a Wireguard tunnel between your home server and the VPS and have the reverse proxy send the traffic through that tunnel (change
    proxy_pass
to the IP of the home server inside the tunnel, like
    proxy_pass http://10.0.0.2
). This has two advantages: 1) you don’t need to set up SSL at your home server as all the traffic will flow encrypted over the tunnel and 2) it will not require opening a local port for incoming traffic on the home network… however it also has two drawbacks: 1) you’ll need a better VPS because WG requires extra processing power and 2) your home server will have to keep the tunnel connected and working, however it will fail. Frankly I wouldn’t bother to set up the tunnel as your home server will only accept traffic from the VPS IP so you won’t gain much there in terms of security.
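As an added example (not code from the post above), a Python model of the Step 5 check: the home server should honour X-Real-IP or X-Forwarded-For only when the connecting peer is the VPS listed in set_real_ip_from, otherwise a client reaching the home server directly could forge its own address. The same decision feeds the nftables rate limiting and fail2ban mentioned later in the thread, since both act on whichever address is taken as the client. The VPS address 203.0.113.10 is a constructed placeholder for the post's x.x.x.x.

```python
import ipaddress

# Constructed placeholder for the VPS address (the post writes it as x.x.x.x);
# this list plays the role of "set_real_ip_from" on the home server.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]


def is_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_trusted(addr):
    """True if addr falls inside one of the set_real_ip_from networks."""
    return is_ip(addr) and any(
        ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr, headers, real_ip_header="x-real-ip", recursive=False):
    """Decide which address the home server should log, rate-limit or ban.

    peer_addr:      the TCP peer that actually connected (what the kernel saw)
    headers:        request headers with lower-cased names
    real_ip_header: "x-real-ip" (the post's choice) or "x-forwarded-for"
    recursive:      models nginx's "real_ip_recursive on" for X-Forwarded-For
    A header value is honoured only when the peer is a trusted proxy; an
    untrusted peer keeps its own address no matter what it claims.
    """
    if not is_trusted(peer_addr):
        return peer_addr
    value = headers.get(real_ip_header, "").strip()
    if real_ip_header == "x-real-ip":
        return value if is_ip(value) else peer_addr   # single-address header
    hops = [h.strip() for h in value.split(",") if h.strip()]
    if not hops or not all(is_ip(h) for h in hops):
        return peer_addr                               # missing or malformed
    if not recursive:
        return hops[-1]                                # added by the last proxy
    for hop in reversed(hops):                         # skip trusted hops
        if not is_trusted(hop):
            return hop
    return hops[0]
```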
The chances someone is going to DDoS a residential IP are small; as important as you think you are, nobody cares about taking down someone’s Plex server.
You aren’t wrong but the things you’ve mentioned are always an issue, even if he was running the entire website on a VPS.
VPS happily tries to forward 1Gbits, fully saturating your home ISP line. Now you’re knocked offline.
Yeah, but at the same time any VPS provider worth it will have some kind of firewalling in place and block a DDoS like that one. People usually don’t ever notice this but big providers actually have those measures in place and do block DDoS attacks without their customers ever noticing. If they didn’t, hackers would just overrun a few IPs, take all the bandwidth the provider has and take all their customers down that way.
I’m not saying anyone should actually rely only on the VPS provider ability to block such things but it’s still there.
The OP should obviously take a good read at nftables rate limiting options and fail2ban. This should be implemented both at the VPS and his home server to help mitigate potential DDoS attacks.
Say someone abuses a remote code execution bug from the application you’re hosting in order to create a reverse shell to get into your system, this complex stack introduced doesn’t protect that.
It doesn’t and it was never supposed to mitigate that as the OP only asked for a way to reverse proxy / hide his real IP.
I was looking into Tailscale, but it got me a little worried. I’m not very knowledgeable, so I hope someone can correct me
They don’t allow ssh, so you have to give your keys over them and they manage your ssh connection? That seems idiotic. Surely that can’t be correct?
In my use case, I was wanting to rsync to an off-site Synology from a Linux box. Synology also doesn’t allow ssh over their VPN service - frustrating.
Pretty much the only thing I use Tailscale for is remotely SSHing from my phone to my home NAS, and they definitely don’t manage my keys. They do have a “Tailscale SSH” feature I don’t use…
You can always use something like SSHwifty. It retains your logins through your browser’s session data and never on your server, but it will allow you to remote into your local system from anywhere on the WWW if you desire to do so. With Tailscale, once you are connected into your Tailnet, you can pretty much SSH into any of your devices as long as the subnet sharing flag is turned on, I believe. I’ve never had any issues with mine not allowing any SSH connections.
But I need to configure something on the client side… I want people to access my server as they access their Instagram account
Depends on why you want to hide your server ip, what’s your use case? Is it to protect against DDOS?
Cloudflare is evil, but is there any other party you would trust to share everything with?
Do you think something like a VPS would be more secure? Paying some dollars a month.
I like that idea.
I’d suggest OVH or Digital Ocean.
If you think a DDoS attack is possible I’d suggest azure for that.
a reverse proxy these days is pretty much just a requirement of any dynamic service. they often run on the same host as the software
it’s possible, but that would seem… odd… for such a large and tech-savvy instance. there’s a lot of reasons why this isn’t a good idea, and very few technical reasons why it is
my guess is that it’s less about obscuring server location for privacy reasons as is the implications in this thread, and more about handling changes cleanly or something like that - in which case, sure it obscures the server location but more that it makes the server “location” (or hardware, etc) irrelevant and fungible
Set up a VPS. Create a VPN tunnel from your local network to the VPS. Use the VPS as the edge router by opening ports on the VPS firewall and routing incoming traffic on those ports through the VPN tunnel to servers on your local network.
I used to do this to get around CGNAT. I ran RouterOS in a Digital Ocean droplet and set up a WireGuard tunnel between it and my local Mikrotik router.
It will obscure your local WAN IP and give you a static IP but that’s about the only benefit. And you have to be pretty network savvy to configure it correctly.
It does not make you immune to DDoS attacks and is honestly more headache to maintain (albeit just a small headache).
DDOS protection is going to depend on the VPS. But for most services you could spin up a pretty lean Debian vm running a proxy like nginx proxy manager and run that over the tunnel. Something like opnsense seems like overkill.
Tor.
So I need to always have the same exit node, connect to the server via another IP, and only this server knows my IP?
AFAIK Tor websites (onion services) don’t require an exit node, and no one knows your IP unless you are unlucky enough that all the nodes you connected through are controlled by the same entity.
But the speeds are much slower, no? And can I host a “normal” website through Tor?
Yes, speed would be much slower.
Yes, you can host a normal website through tor.
Do you want something that also has CDN like Cloudflare? Bunny.net is good, but way more expensive than a cheap VPS if you use a lot of traffic.
No, I don’t need a CDN, only a way to hide my IP from final users so that nobody can use my real IP to connect to my server.
Literally cloudflare tunnel, sorry my dude.
If for personal access only, ZeroTier might solve your use case.
VPS with Wireguard
Perhaps NetBird, ZeroTier or Tailscale? If you want to make a service available publicly, check out Tailscale Funnel.
Very confused by the answers here. Anyway, check this list: https://github.com/anderspitman/awesome-tunneling
I personally used frp many years ago and it worked great.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters  More Letters
CF     CloudFlare
CGNAT  Carrier-Grade NAT
DNS    Domain Name Service/System
HTTP   Hypertext Transfer Protocol, the Web
IP     Internet Protocol
NAS    Network-Attached Storage
NAT    Network Address Translation
Plex   Brand of media server package
SSH    Secure Shell for remote terminal access
SSL    Secure Sockets Layer, for transparent encryption
VPN    Virtual Private Network
VPS    Virtual Private Server (opposed to shared hosting)
nginx  Popular HTTP server
12 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.
[Thread #803 for this sub, first seen 15th Jun 2024, 10:35]
I used boringproxy for years and I recommend it to you.