this post was submitted on 20 Nov 2023

Self-Hosted Main

Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?

[–] Quique1222@alien.top 4 points 1 year ago (1 children)

A lot of people in this thread have never been ddosed and it shows. You don't need to host a super popular thing to get ddosed.

When you host game servers there are gonna be salty 16-year-olds that go to a free stresser and hit you with 1gbps.

And you might think "well yeah but it's not like cloudflare's free plan protects that much".

It does, believe me. I've done tests with people who have access to botnets and without cloudflare with 1gbps our connection was dead. With cloudflare it didn't go down and reported more than 50gbps on the cloudflare dashboard.

Also another thing is that a lot of these people are 16 year old script kiddies, and not seeing your IP directly discourages them.

[–] spottyPotty@alien.top 1 points 1 year ago

nginx can be configured to throttle connections and fail2ban to refuse them to mitigate this
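
As an added example (not from this thread or from either commenter), the script below drops in the two pieces spottyPotty mentions: an nginx per-IP rate and connection limit, and a fail2ban jail that bans a source once nginx has logged enough "limiting requests" events. It assumes the nginx error log lives at /var/log/nginx/error.log, that fail2ban's stock nginx-limit-req filter is installed, and uses example.invalid and a backend on 127.0.0.1:8080 as placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): installs an nginx rate-limit snippet
# and a matching fail2ban jail so one source that exceeds the limit is first
# throttled by nginx and then banned at the firewall by fail2ban.
# Assumptions: error log at /var/log/nginx/error.log, fail2ban's stock
# nginx-limit-req filter present, example.invalid / 127.0.0.1:8080 as placeholders.
set -eu

# write_ratelimit_conf DIR: write nginx-ratelimit.conf and jail.local into DIR.
write_ratelimit_conf() {
    dir="$1"
    cat > "$dir/nginx-ratelimit.conf" <<'EOF'
# Belongs in the http{} context (e.g. /etc/nginx/conf.d/).
# 10 MB shared zone keyed by client IP, allowing 10 requests/second on average.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
# Cap simultaneous connections per client IP.
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
# Log throttling events at "warn" so fail2ban can count them.
limit_req_log_level warn;
limit_req_status 429;

server {
    listen 443 ssl;
    server_name example.invalid;   # placeholder host name
    # ssl_certificate / ssl_certificate_key omitted in this example

    location / {
        # burst=20 absorbs short spikes; nodelay serves them immediately
        # instead of queuing, and anything beyond the burst gets a 429.
        limit_req zone=per_ip burst=20 nodelay;
        limit_conn conn_per_ip 20;
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}
EOF
    cat > "$dir/jail.local" <<'EOF'
# fail2ban jail: watches nginx "limiting requests" lines and bans the
# offending IP after 10 hits within 60 s, for one hour.
[nginx-limit-req]
enabled  = true
filter   = nginx-limit-req
logpath  = /var/log/nginx/error.log
maxretry = 10
findtime = 60
bantime  = 3600
EOF
}

# count_directives FILE NAME: number of lines in FILE that mention NAME.
count_directives() {
    grep -c "$2" "$1" || true
}

if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    write_ratelimit_conf "$out"
    echo "limit_req lines in nginx conf: $(count_directives "$out/nginx-ratelimit.conf" limit_req)"
    echo "jail enabled lines:            $(count_directives "$out/jail.local" enabled)"
    rm -rf "$out"
fi
```

Run it as `sh ratelimit.sh demo` to see the generated files counted, or call `write_ratelimit_conf /etc/nginx/conf.d` (and copy the jail into /etc/fail2ban/jail.d/) on the host, then `nginx -t && systemctl reload nginx` and `fail2ban-client reload`. The nginx limit handles the polite case (a client that backs off after a 429); the jail handles the one that keeps hammering, by moving the block from the application layer down to the firewall where it costs nginx nothing.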

[–] Cybasura@alien.top 3 points 1 year ago (3 children)

That's not what a MITM is

A MITM is a Man-in-the-Middle Attack, someone whom you don't trust or don't know has hijacked your network connection to either read, remove or modify data from your network packets and then proxy-send it to your initial intended target

Cloudflare is a proxy server, a person you TRUST and designated to pass through first to scan and check for network security before it redirects and passes your packets through to your intended target, like a gatekeeper

What, you gonna call all your gatekeepers, your bouncers, your proxy servers a MITM?

[–] fellipec@alien.top 3 points 1 year ago

If you want them to cache your content to reduce the load on your servers, they have to decrypt the traffic. This is how a reverse proxy works.

And, well, you have to trust them before contracting their services. The same way people trust VPNs to route their traffic. If I were from some three-letter agency and wanted to spy on potential illegal content, I would tap into a VPN server.

[–] rollinghunger@alien.top 3 points 1 year ago (3 children)

Yes, you’re right that there’s a certain amount of trust you need to have in CF… but what are you trusting it to do? And if they fail, what are the consequences?

Honest question - even if you are sending your Vaultwarden traffic over CF, and they are watching or attacking, you have to trust that the e2e encryption of Vaultwarden is what’s keeping you safe, right? Not the SSL certs. Does the auth mechanism rely on the SSL certs not to be compromised? I would hope not.

For me, it's about trade-offs.

https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/

https://serverfault.com/questions/662946/does-cloudflare-know-the-decrypted-content-when-using-a-https-connection

These two data sources kinda sum it up for me - “If you are concerned that cloudflare can read your data - don't use cloudflare.”

But I do want to be sure that any e2e encrypted app doesn’t rely on SSL for its “end-to-end”.

Thanks for the link, it's an interesting read with more detail than I've ever heard (not having used cloudflare for this myself).

[–] spottyPotty@alien.top 1 points 1 year ago

Thanks for the links

[–] teem@alien.top 3 points 1 year ago (1 children)

What is it you're afraid cloudflare is doing? This is a company trusted by tons of corporations who have legit secrets to protect. Why would they care about intercepting your traffic? To what end?

Cyber attacks are goal-oriented and based on attack cost, basically how much effort for how much reward. Is your selfhost traffic super valuable? So valuable that someone would hack cloudflare to get it?

In reality, other than commodity malware that your security suite should easily pick up, there isn't much threat in my opinion.

[–] spottyPotty@alien.top 2 points 1 year ago

The question was a more general one, and not specific to my personal data needs.

The existence of such a ubiquitous centralised service that actually IS a MITM, whether they are malicious or not, seems curious to me.

As they say, if the product is free, then you are the product. If people accept, but recognise, a loss of privacy when using free services from Google and meta, for example, knowing that the data they provide is used for personalised ads, then how come CF's free tier isn't viewed with the same level of scrutiny?

[–] s3r3ng@alien.top 2 points 1 year ago

Yeah. I believe Cloudflare basically has its heart in the right place but it is still a dangerous central choke point.

[–] tschloss@alien.top 2 points 1 year ago

CF is not using "their own"! The certificates the client sees must be provided and authorized by the provider of the service. Or put in other words: CF is acting as the hosting provider to the outside, to the clients.

The rest of the journey is "inside" the domain of the provider of the service. It is totally normal that traffic has some journey to go and often it never touches the premises of the provider or even a server owned by the provider.

The important thing is that everything which, from a customer's view, is "internal to the provider of the service" (behind the CF address) is the responsibility of the provider of the service, no matter what 3rd-party services they use.

[–] SadMaverick@alien.top 2 points 1 year ago

My take is: Any data worth your while shouldn't just rely on HTTPS anyway. You should have more layers of encryption. That's how the majority of companies do it.

And people who do not even know this are better off using CF as a MITM.

[–] AttackCircus@alien.top 1 points 1 year ago

It's all a matter of trust.
There are many reasons for self-hosting. Paranoia is just one of them.

[–] shellmachine@alien.top 1 points 1 year ago

Half of the people don't remotely understand the issue. The other half is aware that what's in behind isn't trustworthy anyways if it's "in da cloud" and just went all YOLO-mode.

[–] mrkesu@alien.top 1 points 1 year ago (1 children)

People go out of their way to de-Google their phones but they are ok with this situation.

I don't think this venn-diagram is a circle.

[–] therealsimontemplar@alien.top 1 points 1 year ago

Cloudflare's default setup is to proxy your traffic but that's easily disabled with a click of the admin's mouse. Of course disabling their proxy service exposes the origin IPs, server certs, etc. but the point is that you use Cloudflare services the way you want to; it's not a Boolean "Cloudflare or no Cloudflare".

[–] M4Lki3r@alien.top 1 points 1 year ago

Do you want to be blown off the internet by DDoS? How much bandwidth do you have/can you pay for?

[–] HumbledB4TheMasses@alien.top 1 points 1 year ago

Beyond what everyone else has said here about it being practically an industry standard now with insane levels of trust, it also foists a lot of the responsibility for security/uptime onto an external company with a good track record. That's great in the eyes of product management and likely the legal department too.

[–] wanze@alien.top 1 points 1 year ago

You could say the same about any cloud provider. "AWS can read all my data! The horror!"

[–] windows300@alien.top 1 points 1 year ago

The sites I expose to Cloudflare were already being publicly hosted for my friends. Anything actually private or sensitive I run via private DNS and Wireguard internally.

[–] Patient-Tech@alien.top 1 points 1 year ago

Don’t forget, for selfhosters, the value proposition of free is always pretty strong. I have tiers of data and not everything needs to be super private at all times.

[–] Initial-Repeat9146@alien.top 1 points 1 year ago (1 children)

OP, what you're describing is not the "big scary MITM" attack vector. It's how TLS/Reverse proxies work. Whether you are using Cloudflare or hosting your own reverse proxy somewhere with full control, it's still terminating TLS at the endpoint and passing back traffic in the clear to the backend.

Some people like Cloudflare for whatever reasons, and that's okay. I host my own reverse proxy out on a VPS and it works just fine.

You'll find that not all of the selfhosted community is as super-focused on privacy as, say, r/privacy is.

[–] Bagel42@alien.top 1 points 1 year ago (1 children)

Because it's everyone's MITM. I trust them with security because it's the only thing they focus on; I focus on making my stuff stop randomly shutting down. If absolutely everyone is using it, I don't care too much if an issue appears; nobody cares about my tiny little thing when Discord goes through Cloudflare

[–] amunak@alien.top 1 points 1 year ago (8 children)

Because it's "everyone's MITM" it would make it a perfect spot for state actors to tap into in order to surveil pretty much everything without anyone being able to notice.

Hell, just the server logs (timestamps, IP addresses and exact URLs) would be unbelievably valuable.

I'd be really surprised if someone wasn't taking advantage of that.

Which is to say if you selfhost because you want more control and privacy, you probably want to avoid services like that.

[–] Patient-Tech@alien.top 1 points 1 year ago (1 children)

Depends what you’re putting on there. If it’s some blog that’s out there for the world to see, and if you’d like to have more traffic checking it out, then privacy isn’t your goal. Now your personal data, yeah that’s different. I have that stuff segregated.

[–] jared252016@alien.top 1 points 1 year ago (1 children)

ThePirateBay, the most notorious site in the world, uses Cloudflare. This isn't China. Wiretapping is illegal in most circumstances, and that's essentially what it would be doing.


You need them if you really want to be secure from DDOS... well with knowledge of HTTP2 DOS is enough... :-)

[–] psychowood@alien.top 1 points 1 year ago (1 children)

I mean, we trust Root Certification Authorities, which are basically self-proclaimed-as-trusted entities. At least CF became widespread and is community-trusted :)

[–] spottyPotty@alien.top 1 points 1 year ago (2 children)

Good point. Who's to say that LetsEncrypt doesn't keep a copy of my private keys?

[–] capecodcarl@alien.top 3 points 1 year ago (7 children)

A certificate authority doesn't have a copy of your private key, you send them a certificate signing request. The private key never leaves your system. That's the whole point of public key encryption.
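
To make capecodcarl's point concrete, here is an added example (not posted by anyone in the thread) that walks the CSR flow with the openssl CLI: generate a key locally, build a CSR from it, then check that the CSR carries no private key, that its embedded public key is the public half of the local key, and that its self-signature verifies. It assumes openssl is installed and uses example.invalid as a placeholder common name.

```shell
#!/bin/sh
# Added example (not from the thread): a CSR contains only the subject and the
# public key, signed with the private key; the private key itself stays on the
# requester's machine. Assumes the openssl CLI is available.
set -eu

# make_csr DIR CN: generate a private key and a CSR for CN inside DIR.
make_csr() {
    dir="$1"; cn="$2"
    # Private key: generated and stored locally, never sent to the CA.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    # CSR: subject + public key, signed with the private key above.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr"
}

# csr_contains_private_key FILE: prints 1 if a private-key PEM block is in FILE, else 0.
csr_contains_private_key() {
    if grep -q "PRIVATE KEY" "$1"; then echo 1; else echo 0; fi
}

# csr_matches_key CSR KEY: prints "match" if the public key inside the CSR is
# byte-for-byte the public half of KEY (compared via SHA-256 of the PEM), else "mismatch".
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}')
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256 | awk '{print $NF}')
    if [ "$csr_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# csr_signature_ok CSR: prints "ok" if the CSR's self-signature verifies with
# the public key it carries (proof of possession of the private key), else "bad".
csr_signature_ok() {
    if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then echo ok; else echo bad; fi
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_csr "$d" example.invalid
    echo "private key block inside CSR:      $(csr_contains_private_key "$d/server.csr")"
    echo "CSR public key matches local key:  $(csr_matches_key "$d/server.csr" "$d/server.key")"
    echo "CSR self-signature:                $(csr_signature_ok "$d/server.csr")"
    rm -rf "$d"
fi
```

Run with `sh csr_demo.sh demo`. The only file that would travel to a CA (Let's Encrypt or anyone else) is server.csr; the CA verifies the self-signature to confirm the requester holds the matching private key, then issues a certificate over that public key. With ACME clients such as certbot the same steps happen under the hood, and the key still never leaves the host.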

[–] InsertNounHere88@alien.top 1 points 1 year ago

People go out of their way to de-Google their phones but they are ok with this situation.

people selfhost for many different reasons. you may self host so you can degoogle, but I selfhost so I can put Kubernetes/mqtt/zigbee/flask etc etc etc on my resume

[–] ndlogok@alien.top 1 points 1 year ago

Mostly they know how CF works, but when asking for simplicity, CF does it

[–] Emiroda@alien.top 1 points 1 year ago (4 children)

In regard to enterprises, they don't give a rat's ass about any potential intellectual property theft. That risk has been written off. What matters is compliance and security.

Not having DDOS protection in place can potentially have legal consequences and can be very costly. DDOS protection is either investing millions of dollars in equipment or offloading that responsibility to a company like Cloudflare.
