Can you use one Access policy for multiple services across different tunnels? I have a bunch of different tunnels and would like to harmonise the access policy, but it asks me to specifically name the URL I am tunneling to, rather than “all”.
I use Zero Trust tunnel and I have OAuth by Google email with the Zero Trust application. All works fine when accessing the URL; I can auth myself and use it, but when I try to launch from the app it does not work. Does anyone have a solution to this?
Great guide, but please don’t suggest people use direct HTTP on the connection between Cloudflare (or any proxy for that matter) and the origin (in this case, the home environment). Just because HTTPS is enabled on the Cloudflare portion of it doesn’t mean it isn’t important to use HTTPS between Cloudflare and your own servers. Of course it’s not end-to-end encrypted anyway since Cloudflare has to decrypt to know how to route traffic and do whatever else the service does (just like most reverse proxies of this type), but leaving the traffic as HTTP between Cloudflare and the origin is effectively lying to your users of those services that the site is using HTTPS. In the unlikely scenario that the connection between Cloudflare and your servers is tampered with, if that traffic is all HTTP it’s fair game for the attacker to see. If you were to use HTTPS AND you configure Cloudflare with their Strict TLS settings for certificate verification, then if this were to happen the request would be blocked. Some CDNs won’t even let you downgrade like Cloudflare does.
It also makes it easy to migrate away from them if you maintain your own certificates since they’d be trusted by other vendors as well (particularly if you use certificates signed by public CAs - self-signing is a whole other ball game).
TL;DR - don’t just assume that because Cloudflare has a certificate that you don’t need one on your servers. It’s good practice to maintain your own for security, and also makes it easy to migrate away if necessary.
That’s by far the best explanation I have read about this setup. Thanks!
…aaaaaand saved. Thank you for such a thorough guide!
Thank you, this was helpful.
Awesome explanation, thank you!
Any reason not to just use OpenVPN? It seems a bit simpler, without relying on a 3rd party system.
I host it on an arbitrary port number and not the default, and only open up my workplace’s IP since that’s really the only place I tend to VPN from.
OpenVPN is kind of a PITA to set up due to all the certificates and all that; there are a lot of steps involved in setting them up, but once you have it going it’s solid.
This. I can’t understand why people that are not behind a firewall even use Cloudflare tunnels. Also, using the Proxy feature is not “private”. Many people think that if you use your “real” IP it’s dangerous or not safe, but that is not true. I would recommend everyone to just use direct DNS to their IP, and if behind a firewall you should consider using a VPS with a self-hosted point-to-point VPN tunnel.
100% agree, but I’m shocked you didn’t get downvoted. Every time I’ve responded in this sub about privacy or relying on some outside service to host self-hosted services (like DNS) I get downvoted.
Yeah, honestly, if you don’t want to do WireGuard yourself, Tailscale would be your best bet for security and privacy. Cloudflare Tunnels is not it. You can even self-host the operator/coordinator service if you decide not to trust Tailscale, but they clearly state it’s WireGuard and they cannot see anything in your VPN tunnel.
True, but also almost every piracy site I use also uses CloudFlare in some capacity (even private trackers). CloudFlare doesn’t seem to care too much about piracy, I doubt they will much more about people using their services to self host.
They need to do this to offer their services, and they openly state this themselves.
The two sources you linked are comments made by community members, not official Cloudflare employees though? Do you have any actual sources of statements made by Cloudflare?
Hello,
I am hosting Vaultwarden, Nextcloud, Immich - via Cloudflare Tunnels - does that mean they can see all my data?
Everything has its place. I use a VPN direct to home for most things, but I have a CFT set up for the wife because she can’t be bothered to use a VPN. So for the couple of things she accesses that I host, I just set up a tunnel so all she has to do is open the app.
You omit this statement from the link that the employee mentions:
Using Cloudflare as a CDN and proxy definitely requires trusting Cloudflare, but you could say the same thing about Akamai, Fastly, AWS, GCP, etc. when they host your content and also sometimes act as middlemen in the connection. Discussion on HN 83… If you don’t trust Cloudflare, you very well could simply use Let’s Encrypt and only use Cloudflare as a DNS provider by setting zones to .
This is about Cloudflare Zero Trust which is not their proxy/cdn system. You can most definitely have fully end-to-end encrypted traffic through it, and Cloudflare has no means to decrypt it.
Also known as Clownflare, lol
Ignoring the Cloudflare component, I’m pretty sure you can do this with authentik.
Yes. OP’s guide isn’t great in this regard.
- You set up the self-hosted service in the tunnel config in Zero Trust. Here you can create a sub-domain and point it at the local LAN IP & port. Once you hit save, that sub-domain is accessible over the internet with no security other than anything implemented on your server.
- You can then go to the “Applications” section and add an app that is tied to that sub-domain. This is also where you configure access lists, OTP or other security, etc. This is all optional.
- You can use a mix of both of the above as it is on a per-application basis. For example, you could leave Calibre-Web exposed on a sub-domain and rely on its built-in user auth but have a second sub-domain for OpenBooks that uses Cloudflare’s OTP with an email-based access list.
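Added example, not the commenter's own configuration and not from the original guide: a locally managed cloudflared `config.yml` that expresses the per-hostname split described in the three steps above, and, following the earlier comment about keeping HTTPS between Cloudflare and the origin, forwards to HTTPS origins whose certificates are verified against a local CA bundle rather than switching verification off. The tunnel ID, hostnames, LAN addresses, ports and file paths are placeholders. The Access policy itself (email allow-list, One-time PIN) is not in this file; it is attached to the `openbooks` hostname as an Application in the Zero Trust dashboard, exactly as the steps describe.

```yaml
# Added example (not from the thread): cloudflared ingress configuration,
# typically ~/.cloudflared/config.yml. Tunnel ID, hostnames, addresses and
# paths below are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /home/user/.cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Step 1 only: public sub-domain. The only protection is Calibre-Web's
  # own login, unless an Access application is later attached to it.
  - hostname: calibre.example.com
    service: https://192.168.1.20:8083
    originRequest:
      # Verify the origin certificate instead of disabling the check;
      # noTLSVerify: true would accept any certificate presented by the LAN host.
      noTLSVerify: false
      # CA bundle that signed the origin's certificate (placeholder path).
      caPool: /etc/cloudflared/origin-ca.pem
      # Name expected in the origin certificate when it differs from the IP.
      originServerName: calibre.internal.example.com

  # Steps 2 and 3: second sub-domain. An Access application with an
  # email-based allow-list and One-time PIN is bound to this hostname
  # in the Zero Trust dashboard, so Cloudflare challenges before forwarding.
  - hostname: openbooks.example.com
    service: https://192.168.1.20:8080
    originRequest:
      noTLSVerify: false
      caPool: /etc/cloudflared/origin-ca.pem
      originServerName: openbooks.internal.example.com

  # Required catch-all: any hostname not listed above gets a 404 and is
  # never forwarded into the LAN. cloudflared refuses to start without it.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the file before the tunnel is started, and `cloudflared tunnel ingress rule https://calibre.example.com` shows which rule a given URL would hit, which is a quick way to confirm that an unexpected hostname falls through to the 404 rule rather than to a LAN service.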