Reverse Proxy Advice - Specifically Cloudflare

Hi there.

I am running Openmediavault on my home server and run a number of services on docker, including Home Assistant.

From all I have read, the recommended way to connect, outside of your home network, seems to be Cloudflare as reverse proxy, as you can avoid opening ports on your server.

There is also Docker container (cloudflared) that I can use to connect my server to Cloudflare.

I sort of get the theory behind all this but am just trying to understand everything before I go ahead and set this up.

If I expose my HA docker to the internet in this way, is the only thing stopping others using it the username and password?
 
Thanks for confirming that.

The reason I ask is that I have a number of other Home Assistant add-ons, running as containers (nodered and zigbee2mqtt), that I would like to access from outside my home network. Neither of these has any password protection on it, so I shall need to try and see if I can set that up beforehand. I shall also look into IP restriction as a belts and braces approach.

What is the benefit, therefore, of using Cloudflare to begin with (as opposed to simple port forwarding)?

Am I correct in thinking that as Cloudflare is a security service, it has the ability to screen out well-known malicious attacks before they hit my server?
 
Primary reason is to protect your home IP address from exposure - so you can firewall that down so only the cloudflare egress servers are permitted to connect. You'll still need port forwarding to allow cloudflare in (disclaimer I don't know what cloudflared does - maybe it works around this?)
Then yes, there's a web application firewall which should protect you from most attacks.

What you can also look at, rather than opening up to the net, is implementing some kind of VPN (I use wireguard).
 
If you install cloudflared in Docker using your token, you can then set up the reverse proxy under the Zero Trust dashboard. @Sinbad2000 yes, using this you don't open any ports externally. The cloudflared tool punches *out* (connects to Cloudflare as an outgoing connection, and communicates with them that way) so you don't need to specifically allow or open incoming ports. Since firewalls will allow incoming connections/replies to outbound connections and traffic, we can keep our ports closed and still communicate with (allow traffic from) Cloudflare.

Once the daemon is running, you need to go to the Cloudflare Zero Trust dashboard to define 'apps' (essentially the authentication stuff) and routing (the reverse proxy entries themselves, which will auto-create the DNS entries you need). It's splayed out over three different pages on CF, but it's easy enough once you get the swing of it.

Importantly, in answer to your question OP, you can set up authentication to be restricted to IP and email address. I have it set to only allow UK IP addresses (because I use a lot of VPNs/WAN IPs - else you could specify just one IP), but to also require a 6 digit code sent to one of two specified email addresses (both mine!). You can see one of my pages HERE. It will only accept my own email, nobody else can get a code to receive access. Once you have a code, it will automatically load the page without authentication for 24 hours. Quick, easy and secure.

To answer your other question (in basic terms), Cloudflare is a security service yes - and content delivery network. They stand in front of your own service/page/whatever and catch attacks. By proxying content through Cloudflare you also hide the IP of your server. You can configure rules (eg block x, y and z countries), but they also independently stop DDoS and bots and such. In addition, they cache content from your pages/links/services (if you proxy the DNS entry) so that it's served faster to people due to Cloudflare having servers around the world. Note that they only proxy/forward/cache content on 80 and 443 - so if you set a service to be proxied and it runs on other ports, it won't work. Using cloudflared allows *all* your services to run on 443 with TLS, so you're set.

Here's a guide to setting up tunnels/authentication on Cloudflare for you.
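As an added example (not code from this thread, nor Cloudflare's or Home Assistant's own), here is a docker-compose file that puts Home Assistant behind a cloudflared tunnel with no published host ports, which is the "punches out" arrangement described above. The service names, the network name and the TUNNEL_TOKEN variable are assumptions.

```yaml
# docker-compose.yml: Home Assistant reachable only through a Cloudflare Tunnel.
# Constructed example; service/network names and TUNNEL_TOKEN are assumptions.
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    # Outbound-only: the daemon dials Cloudflare, nothing listens on the host,
    # so no router port forward is needed. The token is issued in the Zero Trust
    # dashboard when the tunnel is created; keep it in a .env file or a secret
    # store rather than in this file.
    command: tunnel --no-autoupdate run --token ${TUNNEL_TOKEN}
    restart: unless-stopped
    networks: [tunnel]

  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    volumes:
      - ./ha-config:/config
    # Deliberately no "ports:" mapping: 8123 exists only on the internal Docker
    # network, so a port scan of the home IP finds nothing. In the Zero Trust
    # dashboard the tunnel's public hostname is routed to http://homeassistant:8123,
    # and an Access application (email one-time code, country/IP rule) sits in
    # front of it so the HA login is not the only barrier.
    restart: unless-stopped
    networks: [tunnel]

networks:
  tunnel: {}   # private bridge shared by the two containers; no host port published
```

Home Assistant rejects proxied requests unless its configuration.yaml has `http: use_x_forwarded_for: true` with the Docker network's subnet listed under `trusted_proxies`, so add that before expecting the tunnel to work. Running HA on a bridge network instead of host networking also disables local mDNS device discovery, which you may need to account for.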

 
If you are connecting (from outside the network) from a static IP you can just open whatever ports you need but restrict incoming connections to ONLY the IP address of the device you want to connect from. Along with a decently strong password (assuming the connection is secure, TLS/HTTPS/etc) then that should be safe enough. I've been doing this for years to get remote access to my CCTV system and never had any issues.

If you cannot get a static IP for the device you are connecting from then yes reverse proxy is the way to go.
 
Hell I didn't even think of the cloudflare zero trust stuff!
I need to read up on it. Good info - thank you
 
The big point is that nobody can discover those services by port scanning you, since there's nothing there. Somebody would have to know the DNS domain you were using in order to get anywhere, and there are other security rules you can layer on top to lock things down further.

Since it's a reverse proxy that means it works behind CGNAT which means that it will also work from a 4G/5G connection if you have one as a backup to your primary, so everything remains accessible.
 