this post was submitted on 20 Nov 2023
2 points (100.0% liked)

Self-Hosted Main

517 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 2 years ago
MODERATORS
 

Regardless of whether or not you provide your own SSL certificates, cloudflare still uses their own between their servers and client browsers. So any SSL encrypted traffic is unencrypted at their end before being re-encrypted with your certificate. How can such an entity be trusted?

(page 2) 37 comments
sorted by: hot top controversial new old
[–] naxxfish@alien.top 1 points 1 year ago (2 children)

Because it's easier and cheaper than setting up your own SSL tunnel securely.

From a non hobbyists point of view, you're paying for them to handle the messy business of maintaining a secure endpoint on the Internet. The sheer amount of bot crap you get hitting your servers as a result of an open SSL port is crazy. Also you are paying for their services as a CDN, which can significantly improve latency and reduce bandwidth bills.

Most self hosters won't benefit from a CDN (the volume and global distribution of traffic is too small for it to make much of a difference) or a global internal transit network.

Of course you definitely can set up your own SSL terminating proxy (where you own the box/process that unencrypted traffic goes through), it's just a lot more money and effort to do well than most would be willing to dedicate to it. But if you're not ok with your traffic going through a third party maybe it's worth it.

Just the mechanics of setting up SSL termination is a faff. Not only do you need to set up SSL properly on your app servers, you also have to do the same on your terminating proxy - and keep the certs renewed, disable insecure configurations, patch your SSL implementation. For many, the convenience of this all being someone else's problem is worth it compared to the privacy implications.

load more comments (2 replies)
[–] vikarti_anatra@alien.top 1 points 1 year ago

They think it's not a problem for them. Because they think that:

  • they have nothing to hide
  • they don't think CF (or TLAs who have access) will use it against them. (Possible examples: Ukrainian sites, Russian sites who disagree with goverment on at least some things)
  • they think alternatives are worse - it's...rather difficult to make CF censor you.
  • they only use CF's DNS services and not other things
  • It's just easier this way

This reminds me of current situation with "AI": There is OpenAI/Anthropic with their APIs (requests are sent via HTTPS but OpenAI/Anthropic are not only need to have access to do their work - they also censor it). There are paid-for alternatives who either host proxies for OpenAI/Anthropic/others (like OpenRouter.ai) or host local models for others (hosting require significant resources which will be unusused if you don't query often). There are means to host locally at home if you can. Some people prefer not to use local hosting even when they can do so.

[–] t1nk3rz@alien.top 1 points 1 year ago (3 children)

It's not entirely true what you said. I use cloudflare -> my Proxyserver -> my machines behind the Proxyserver

My Proxyserver has my own certificates loaded and terminates the SSL/TLS connection from cloudflare

Even if the data is passing through cloudflare cdn uses the cloudflare certificates my data is encrypted first using my own certificates from the Proxyserver

[–] schklom@alien.top 1 points 1 year ago

Even if the data is passing through cloudflare cdn uses the cloudflare certificates my data is encrypted first using my own certificates from the Proxyserver

This is false, connect to your website, check the certificate, it will be Cloudlfare's. I assume either you have not checked, or are a Business customer paying quite some money yearly to Cloudflare.

Cloudflare decrypts inbound traffic, then re-encrypts it before sending it to you, unless you pay a decent amount of money so that they serve your certificate.

load more comments (2 replies)
[–] GeekCornerReddit@alien.top 1 points 1 year ago

You realize your computer can have a backdoor put in place by the brand right? Pretty much same deal isn't it?

[–] I_EAT_THE_RICH@alien.top 1 points 1 year ago

Cloudflare is awesome and undervalued in my opinion. They provide dozens of services and charge extremely reasonable pricing.

[–] agrajag9@alien.top 1 points 1 year ago

Outsourcing of (some) risk

If Cloudflare loses the data and it negatively impacts our brand, we can sue the shit out of them.

[–] Mailstorm@alien.top 1 points 1 year ago (1 children)

I'm either reading this wrong or there's a disconnect in knowledge. If you have your own SSL cert and do the termination of that on your end, CF cannot do any MITM without an error on the user's end.

However, if your just setting up an a record or whatever to your server that isn't doing ssl termination, then yes they are mitm

[–] Darkassassin07@lemmy.ca 1 points 1 year ago* (last edited 1 year ago)

Cloudflares Web Application Firewall or 'WAF' is a reverse proxy that sits in front of your server issuing it's own certs valid for your domain (cloudflare is a CA, and has control over your DNS to get others to issue certs for them). They then provide caching alongside DDOS protection, geoblocking, various customizable firewall settings, as well as just masking your servers ip with their own. This is their primary service aside from just basic DNS/registrar services.

[–] daywreckerdiesel@alien.top 1 points 1 year ago

It sounds like you think the issue with a man-in-the-middle attack is the MITM part, not the attack.

[–] ms_83@alien.top 1 points 1 year ago (8 children)

Because it’s not always about the encryption. I use Cloudflare tunnels because they are a good way of exposing sites to the internet without exposing my IP or opening ports, which means I don’t have to worry as much about DDoS or other attacks and therefore I don’t need to spend as much effort defending against them.

Even Cloudflare decides to inspect my traffic (and seriously why would they care about a tiny hobbyist website) it’s not like it gives them full access to everything, there are other controls you can use depending what your site is for.

Honestly what I don’t understand is why some on this sub have such strong objections to Cloudflare. Like I get they are a terrible company in a lot of ways, but name a tech company that isn’t?

load more comments (8 replies)
[–] rad2018@alien.top 1 points 1 year ago

Also...shouldn't we talking more about self-hosting rather than privacy and efficiency issues? I think the topic is a moot point - either you feel that Cloudflare is 'trustworthy'...or you don't.

IMHO, it's sorta like using Google's Gmail for business purposes. Read the fine print - they can do whatever they want with your data, despite their privacy statements. Same goes with Cloudflare. You're using *their* services on *their servers.

They have to lookout for themselves and the risks involved.

[–] manawenuz@alien.top 1 points 1 year ago

It comes down to the same line of reasoning that most people are "OK" with using cloud, be it aws, google, oracle, microsoft etc .. Out of laziness and lack of expertise, basically sysadmins are dead. Otherwise it's always a bad idea to offload anything on a third-party specially without transparency (pinky promise)

Badger DAO lost 120M, to this pinky trust. https://www.theblock.co/post/126072/defi-protocol-badgerdao-exploited-for-120-million-in-front-end-attack

Same issue however exists wirh domain name registerers, etc, hence even such a thing as ens.domains are much more trustworthy, and it's much harder to exploit.

[–] saxobroko@alien.top 1 points 1 year ago (1 children)

Yes by default traffic is only encrypted between cloudflare and users, but you can set it to “full (strict)” and have it end to end encrypted

[–] Darkassassin07@lemmy.ca 1 points 1 year ago* (last edited 1 year ago)

That's not end to end encryption, it's two seprate ssl connections both terminated at cloudflare. One from client to cloudflare, one from cloudflare to your server. Cloudflare is still a MITM inspecting your traffic in that scenario.

They do however let you disable their proxy(WAF) service, acting as pure DNS so clients connect directly to your IP instead of theirs. But they can at any point toggle that back on and intercept your traffic, nothing really stopping them except morals and T&Cs, but that's not exactly bullet proof. T&Cs can be rewritten and corporations with Morals? Right.....

[–] danychouinard@alien.top 0 points 1 year ago

Yes. This means they can see your native encrypted self-signed traffic.

Which does not do much. Unless you expose unsecured content to the internet. Please don't.

load more comments
view more: ‹ prev next ›