15 comments
  • manchmalscott (1y)

    I use cloudflare tunnels so my home IP is not attached to any DNS record, plus I have *.<my domain> route to a Traefik instance and I handle all routing there. When I add a new service on a new subdomain, there’s no new dns records announced, it just quietly stops returning a 404 error.

    If I wanted to, I could run _everything_ through Authelia first, so you wouldn’t even see the 404 until you log into an account, but that hasn’t seemed necessary.

    • cma (1y)

      "Using a CF Tunnel implies that all SSL encrypted connections will be decrypted by Cloudflare, the connections data exists on their servers in plain text and then is re-encrypted for the transport to the user."

      https://www.reddit.com/r/selfhosted/comments/133rr6n/about_c...

      Is that true? Then third party doctrine would apply and you have to trust them more right?

      • manchmalscott (1y)

        I don’t believe any proxy could route traffic dynamically the way cf tunnels (and traefik for that matter) do without being able to read the unencrypted http requests. That’s a trade off I’m making and aware of, because I don’t want to use a VPN to access my services. (Another big trade off is cf only tunnels HTTP traffic, so I can’t use SSH keys to reach my self hosted gitea repos. Honestly that’s a bigger motivator to me to find another solution)

    • aborsy (1y)

      It’s a great product, but unfortunately they terminate the TLS and scan the traffic. It’s the same as hosting the data on Google or Microsoft (except you pay for hardware also). It should not be considered self hosted.

      Is there a reverse proxy where the client makes a TLS connection to the proxy, proves their identity, if successful is allowed by proxy to initiate a new TLS connection to the server at home with the certificate of that server?

    • senectus1 (1y)

      >If I wanted to, I could run _everything_ through Authelia first, so you wouldn’t even see the 404 until you log into an account

      I'm actually considering this right at the moment. The idea of enforced 2FA just feels a lot safer to me
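As an added illustration of the "everything goes through Authelia first, even the 404" idea discussed above (this is example configuration written for this page, not any commenter's setup): an nginx front door in which every hostname, including ones with no backend at all, is gated by Authelia via `auth_request`. Assumed, not from the thread: Authelia listening on 127.0.0.1:9091 with its portal at auth.example.com, a wildcard certificate for *.example.com at the paths shown, one app on 127.0.0.1:8080, and Authelia's `/api/verify` endpoint (the exact path depends on the Authelia version you run).

```nginx
# Example configuration added for illustration; not from any commenter.
# Assumptions: Authelia on 127.0.0.1:9091, portal at https://auth.example.com,
# wildcard cert for *.example.com, one application on 127.0.0.1:8080.

# The login portal itself must stay reachable without authentication.
server {
    listen 443 ssl;
    server_name auth.example.com;
    ssl_certificate     /etc/ssl/wildcard.example.com.crt;
    ssl_certificate_key /etc/ssl/wildcard.example.com.key;

    location / {
        proxy_pass http://127.0.0.1:9091;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# Catch-all for any *.example.com name that has no server block of its own.
# An unauthenticated client is redirected to the portal; only a logged-in
# user ever learns that the name serves nothing (the 404).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/wildcard.example.com.crt;
    ssl_certificate_key /etc/ssl/wildcard.example.com.key;

    # Subrequest to Authelia. `internal` means clients cannot call it directly.
    location /authelia {
        internal;
        proxy_pass http://127.0.0.1:9091/api/verify;   # path varies by Authelia version (assumption)
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL    $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Uri    $request_uri;
        proxy_set_header X-Forwarded-For    $remote_addr;
    }

    location / {
        auth_request /authelia;
        set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        # Pitfall: `return 404;` would NOT work here. `return` runs in the rewrite
        # phase, before the access phase in which auth_request executes, so it
        # would answer 404 to everyone and skip the login check entirely.
        # try_files runs after access control, so the 404 is only reached
        # once Authelia has said yes.
        root /var/empty;
        try_files $uri =404;
    }
}

# A real application: same gate, but the authenticated request is proxied on.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/ssl/wildcard.example.com.crt;
    ssl_certificate_key /etc/ssl/wildcard.example.com.key;

    location /authelia {
        internal;
        proxy_pass http://127.0.0.1:9091/api/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL    $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-Host   $http_host;
        proxy_set_header X-Forwarded-Uri    $request_uri;
        proxy_set_header X-Forwarded-For    $remote_addr;
    }

    location / {
        auth_request /authelia;
        set $target_url $scheme://$http_host$request_uri;
        error_page 401 =302 https://auth.example.com/?rd=$target_url;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

The check worth running after deploying something like this is `curl -sk -o /dev/null -w '%{http_code}\n' https://doesnotexist.example.com/` without a session cookie: it should return 302 to the portal, not 404. If it returns 404, the 404 is being produced before the access phase (the `return` pitfall above, or a `location` that never reaches `auth_request`).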

    • PhilipRoman (1y)

      I do it the good old fashioned way, with a reverse ssh tunnel from VPS to home. An added benefit is that SSL is terminated only at the very end, so the VPS provider is just a dumb pipe.
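One way to make the "VPS is just a dumb pipe" property explicit, as an added example (this is not PhilipRoman's configuration): nginx's `stream` module on the VPS reads only the plaintext SNI field of the TLS ClientHello and forwards the raw TCP bytes to the reverse SSH tunnel, so the TLS session is terminated by the home server and the VPS never holds a private key or sees HTTP. Assumed for this example: the home box keeps `ssh -N -R 8443:localhost:443 tunnel@vps.example.net` running, so 127.0.0.1:8443 on the VPS leads back to the home server's port 443, and the names to forward are home.example.net and its subdomains.

```nginx
# Example configuration added for illustration; not from any commenter.
# Lives at the top level of nginx.conf (a sibling of the http {} block).
# Assumption: the home server maintains
#   ssh -N -R 8443:localhost:443 tunnel@vps.example.net
# so that 127.0.0.1:8443 on the VPS is the home server's TLS port.

stream {
    # Route by the server name in the ClientHello. `hostnames` lets the
    # ".example" form match both the bare name and any subdomain of it.
    # Unknown or absent SNI goes to a closed port and is simply refused.
    map $ssl_preread_server_name $upstream {
        hostnames;
        .home.example.net   127.0.0.1:8443;
        default             127.0.0.1:1;
    }

    server {
        listen 443;
        ssl_preread on;          # parse SNI only; no ssl_certificate, nothing is decrypted here
        proxy_pass $upstream;
        proxy_connect_timeout 5s;
    }
}
```

Two properties follow from this shape. First, there is nothing to "terminate" on the VPS: a compromise of the VPS yields ciphertext and SNI metadata, not requests. Second, the home server sees every connection as coming from the tunnel's loopback; if it needs real client addresses, add `proxy_protocol on;` to the stream server and `listen 443 ssl proxy_protocol;` on the home nginx, which prepends the original source address to the forwarded bytes without touching the TLS payload.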

      • aborsy (1y)

        The problem is, since the reverse proxy and authentication system face the internet, you are responsible for maintaining its security.

        Software has vulnerabilities. Like nginx proxy manager had vulnerabilities and the developer didn’t patch some.

        With a cloud based proxy, a third party handles authentication. But then, they shouldn’t access data.

        • PhilipRoman (1y)

          For purely personal stuff which I only access from my devices, I use SSL client certificates in front of normal auth. The rest of services are mostly public anyway.
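The proxy aborsy asks about above (client makes a TLS connection to the proxy, proves its identity, and only then does the proxy open a new TLS connection to the home server and verify that server's certificate) and the "SSL client certificates in front of normal auth" setup PhilipRoman describes can both be expressed in stock nginx. This is an added example, not either commenter's configuration. Assumed: the proxy answers for git.example.com with a public certificate, clients hold certificates issued by a private CA whose certificate is /etc/nginx/client-ca.pem, and the home server is reachable at home.example.net:8443 presenting a certificate issued by the CA in /etc/nginx/home-ca.pem.

```nginx
# Example configuration added for illustration; not from any commenter.
# Assumptions: public cert for git.example.com; private client CA at
# /etc/nginx/client-ca.pem; home server at home.example.net:8443 whose
# certificate chains to /etc/nginx/home-ca.pem.

server {
    listen 443 ssl;
    server_name git.example.com;

    ssl_certificate     /etc/letsencrypt/live/git.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # 1. Client-side TLS: the client must present a certificate signed by our
    #    private CA. Anyone without one is refused during the handshake, before
    #    any HTTP request is parsed, so nothing about the backend is exposed.
    ssl_client_certificate /etc/nginx/client-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;
    ssl_crl /etc/nginx/client-ca.crl;      # revoke a lost device's certificate here

    location / {
        # 2. Server-side TLS: a fresh connection to the home server, verifying
        #    its certificate against the pinned CA and the expected name.
        proxy_pass https://home.example.net:8443;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/home-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name home.example.net;

        # 3. Optional: the proxy authenticates itself to the home server as well,
        #    so the home server accepts connections from this proxy only.
        proxy_ssl_certificate     /etc/nginx/proxy-client.pem;
        proxy_ssl_certificate_key /etc/nginx/proxy-client.key;

        # Hand the verified client identity to the application behind it, which
        # can map the DN to a user for the "normal auth" layer.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The caveat a practitioner should keep in mind: this answers the question as asked, but it does not make the proxy a dumb pipe. Between the two TLS sessions the request exists in plaintext on the proxy, exactly as it does on a hosted tunnel service; what changes is that the machine doing the decryption is one you operate, and that the home server's certificate is verified against a CA you chose rather than trusted blindly. An application trusting `X-Client-DN` must also be reachable only from this proxy (hence step 3), or a client that can reach it directly could set the header itself.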

    • krtkush (1y)

      I have a similar setup with Tailscale and Nginx Proxy Manager.

  • colinsane (1y)

    i like to invert the model:

    1. host all services on the residential IP.

    2. restrict all clients to a VPN.

    because self-hosting for me is more about the sovereignty/autonomy: privacy concerns can weaken that, but inserting a VPN in between you and the other self-hosters weakens that _more_ (arguably). whereas not much is lost by adding a VPN between me and my Google searches.

    'course the other thing you can do is to ask a friend to tunnel your traffic. i was pretty reluctant to do that at first, due to uptime concerns, but if you know other self hosters who've been at it for a while then they'll be as invested in keeping that box online as you will. your anonymity pool will be smaller than with a commercial VPN, if that's what you care about, on the other hand if your VPN "provider" gets a call asking to unmask you, you're more sure to learn about that.

  • mingus88 (1y)

    Doesn’t Tailscale solve this problem directly?

    I no longer need to expose a public service or even manage certs because anywhere I am I connect to my tailnet and have transparent access to my entire network

  • rubatuga (1y)

    Honestly I don't personally see a problem with exposing your IP. You want to participate in the global routing network known as the internet? Then you will be associated with an identity. TLS allows wildcard subdomains as well, allowing privacy.

    • 0x1ch (1y)

      I think the only real takeaway is that you will always have a trace once you've worked with TLS and registered a domain name. I have a domain from four or so years ago I used for random web apps and such, all of that got logged on crt.sh. If someone knew I owned xyz domain, they now know all of the subdomains I was proxying apps on.