this post was submitted on 22 Nov 2023
2 points (100.0% liked)

Self-Hosted Main

515 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

In response to the discussion on a recent thread about whether to trust Cloudflare, as some people are not very comfortable with it terminates HTTPS (MITM).

There is this thing called Fast Reverse Proxy (FRP) https://github.com/fatedier/frp

It's open source, very lightweight and I have used it in multiple instances. Frankly there doesn't seem to be a lot of people know/use it here. The idea is you deploy this on a VPS with public IP, and have your server at home connect to it. It is pretty much like your own Cloudflare tunnel, only you have much more control over it (ports, TCP/UDP/HTTP, auth, etc).

I use it on the cheapest VPS ($5) I can find close to where I live. It acts as a simple TCP reverse proxy to my server, where Nginx Proxy Manager handles the actual HTTPS. (You can let FRP handle HTTPS but then you need to think about if you trust the VPS and also keep the certs updated there, so nah.)

It's developed by a Chinese dude as it is pretty much a necessity for selfhosters (mostly minecraft servers) in China, since Public IP is scarce there and most people live behind CGNATs.

top 26 comments
sorted by: hot top controversial new old
[–] Karyo_Ten@alien.top 1 points 11 months ago

Use a reputable self-hosted VPN, for example https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/ (Trail of Bits is one of the top auditor/security company)

[–] garibaldi3489@alien.top 1 points 11 months ago

This type of tool is interesting, and provides some of the functionality that Cloudflare Tunnel does, but with frp, a vulnerability in your app (or its login screen) could be more easily exploited since you don't have the traffic protection features that Cloudflare provides, right? Maybe combining this with fail2ban (or is there another similar self-hosted tool) would not only act as a proxy but also help protect your app to a degree like Cloudflare does?

[–] Pi_ofthe_Beholder@alien.top 1 points 11 months ago

This is just the kind of tool to get me back to this

[–] HTTP_404_NotFound@alien.top 1 points 11 months ago

Personally, when I used to route my home services through a VPS- I used a simple VPN tunnel from my VPS to my home network, which my home router would establish (dynamic IP).

From there, my firewall dictated what was actually allowed to enter through the tunnel... and the reverse proxy, did its thing.

[–] WiseCookie69@alien.top 1 points 11 months ago

I use a SSH tunnel. Doesn't need more then a barebones VPS running with OpenSSH.

[–] sarkyscouser@alien.top 1 points 11 months ago

I'm assuming the benefit over say Caddy + Authelia is that you don't need to open any local ports such as 80 and 443?

[–] p_235615@alien.top 1 points 11 months ago

Why do you really need this ?

Why not just set up a VPS and deploy the NginxProxyManager to it together with a wireguard tunnel to your home system.

You really dont need 2 proxies...

Or if you want to keep the NPM localy on your home server, then you just setup wireguard on VPS with NAT and port forward to your tunnel.

[–] garibaldi3489@alien.top 1 points 11 months ago

With Cloudflare Tunnels, if you disable TLS decryption, use Full or Full (strict), and verify that the certificate in your browser is yours and not Cloudflare's certificate, wouldn't that mean that the SSL is unbroken from your server to the browser? Or can these options not be used with Cloudflare Tunnels?

[–] PsychotherapistSam@alien.top 1 points 11 months ago

Frp is a pretty cool tool, I mostly use Tailscale with a Reverse Proxy on a VPS for my remote access, but I tunnel my Minecraft Servers using frp, since it's lower latency and more stable than Tailscale. For Websites I couldn't notice a difference, and Tailscale + Caddy worked easier for me than frp

[–] Cybasura@alien.top 1 points 11 months ago

Interesting, so is this like a uPNP in this case?

[–] lucaprinaorg@alien.top 1 points 11 months ago

from Colin Percival empire we present "spiped":

https://github.com/Tarsnap/spiped

https://www.daemonology.net/blog/2012-08-30-protecting-sshd-using-spiped.html

https://www.daemonology.net/blog/2011-07-04-spiped-secure-pipe-daemon.html

yes, it's true and it's not black magic...if you understand the simple technology behind...and yes it's a magic bullet

enjoy

[–] Old-Satisfaction-564@alien.top 1 points 11 months ago

It does the same as haproxy but haproxy is better

[–] sevlonbhoi1@alien.top 1 points 11 months ago

I run an oracle free vps with caddy reverse proxy to route traffic to my home server over wireguard/tailscale. Been running this setup from last 4-5 years with zero issues.

[–] Tivin-i@alien.top 1 points 11 months ago

Well, pretty much any type of tunneling software such as Tailscale or Wireguard will achieve the same, you just need to change a bit where your components are located.

What I personally do is have swag proxy on the VPS with crowdsec and authelia, this redirects the traffic to the internal wireguard/tailscale mesh network to the specific service requested.

If you are the only user of the services, create a tailscale or a netmaker; Not sure about tailscale but in Netmaker (wireguard based) you can choose to have your VPS as the relay host.

[–] OhMyForm@alien.top 1 points 11 months ago

I just use a vpn

[–] lilolalu@alien.top 1 points 11 months ago

I think a lot of proxy servers have that functionality, HAproxy definitely has... With nginx you need the "plus" Version to proxy tcp.

[–] ItsAddles@alien.top 1 points 11 months ago

I use tailscale and nginxproxymanager to do this. It was like 4 command

[–] NekoLuka@alien.top 1 points 11 months ago

I use this for all my services that need to be accessible from the outside world... For my private services I use tailscale + headscale

[–] mikhatanu@alien.top 1 points 11 months ago

Isn't cloudflare tunnel a reverse proxy too?

[–] sinofool@alien.top 1 points 11 months ago

What recent thread about trust Cloudflare?

Tunnel needs a client software, it's higher risk, larger attack surface than normal http reverse proxy.

The Cloudflare tunnel feature is part of its zero-trust product. It make sense if you are capable of audit the client source code. If you trust the client as you trust nginx reverse proxy software, tunnel is safer.

Regular free Cloudflare proxy include basic WAF, it is more useful than selfhosted VPS reverse proxy or fail2ban. These commercial services learn attack patterns much earlier.

My homelab exposed services all have real HTTPS certs behind Cloudflare. My service is configured trust Cloudflare origin only so attackers cannot bypass WAF. This is also the same setup my workplace setup to protect multi-million transactions.

If the tunnel is used not for security reason, but bypass CGNAT, it's at least not worse than selfhosted reverse proxy.

[–] HearthCore@alien.top 1 points 11 months ago

So a VPN and a reverse proxy, any can be combined this way

[–] Tripanafenix@alien.top 1 points 11 months ago

My choice was Caddy v2 and wg_easy as well as a Python script which updates the IP if changed automatically. My own dyndns if you will

[–] Zach78954@alien.top 1 points 11 months ago

I use this and cloudflare. For my normal self hosted app’s cloudflare works great but for stuff that needs a lot of data (Plex) or custom ports I route I through FRP.

[–] geekywarrior@alien.top 1 points 11 months ago

Have you seen this list? Lots of services like this.

https://github.com/anderspitman/awesome-tunneling

[–] chonkat2@alien.top 1 points 11 months ago

tailscale, anyone?

[–] murdaBot@alien.top 1 points 11 months ago

Throughput on these "cheap" VPS providers is atrocious. I have 1Gbe into my home and none of the VPS providers can break more than a few hundred mbps, except for Cloudflare. The other issue is consistency, speeds fluctuate all over the map with these cheap VPS providers - even the big one like Vultr, Linode, and Hetzner aren't much better.

Also, WAF is now free with Cloudflare, so using a solution like this really doesn't make much sense, unless you're serving non-http content.