this post was submitted on 07 Sep 2023
14 points (88.9% liked)

Selfhosted

39980 readers
786 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey everyone, just a quick question.

I've been selfhosting a number different web applications throughout the years. For most of them I would use Cloudflare Tunnels to expose them to the internet. I usually had one tunnel set up for my root domain and either a wildcard or multiple specific CNAME records pointing to the same tunnel. The tunnel would then terminate in a Docker container which shares a network with a Traefik instance, which then routes the traffic through a seperate network to the different application containers.

I was just wondering what your opinions on this are, considering this approach over a seperate tunnel for every application. This would eliminate the need for a shared network for Traefik, although I don't consider this much of an issue.

Any opinion, input or recommendation is welcome! I'd love to hear about your setups, if you're running something similar.

top 8 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 1 year ago (1 children)

I host my own tunnels on a vps, and i indeed use one tunnel for every app. There are only 3, so no big deal, but I wanted to make sure to expose only what I want to be exposed, as I have some more services running in my local network only.

[–] [email protected] 2 points 1 year ago (1 children)

I thought about something like that as well, but never tried it out (yet). Do you use WireGuard tunnels for that? Or something else?

Ideally I'd not expose most of the services to the public internet at all, since only me and some relatives need access to most of them. I have briefly looked into Tailscale or similar services for that, but again, haven't tried that out yet, as that would (presumably) require changing quite a few things on both the server(s) and all of the clients...

After all, I'm just cosplaying as a sysadmin for the most part, so what do I know ;)

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I use reverse ssh tunnels, technically running on my home server. For each service i want to expose on the internet, i have a systemd-unit which handles a said reverse tunnel to the vps. Basically, the port running the service locally gets tunneled to a port on the vps, that happens via ssh, so reasonably secure (login as root disabled, login with password disabled, with a special user with little to no rights running the systemd service locally and remotely to log in via ssh). On the remote vps, there is a reverse proxy running, nginx, which works like the service would be running on the remote vps, really. There are some services actually running there, a mail server for example. The config files aren't really different, everything nginx handles gets passed to a localhost port. A nginx instance is also running on the local home server to serve all the local services and the global ones locally, and the dns on my main router resolves the adresses of the global services to the local ones. SSL-Certificates are acquired by the remote vps and copied to the local home server, so that the end users don't have any difference in their ux regardless if they are in the local network or somewhere outside.

Edit: I mostly use this approach because my ISP uses dualStack lite and I could not access anything local from outside with any other technique. But I like it, it is really basic.

[–] [email protected] 4 points 1 year ago (1 children)

I use cloudflare tunnel for each of my apps. Because it's just so easy to setup in like 10 secinds. But there's no need to have a different domain for each app. Subdomains of one main domain is fine.

[–] [email protected] 2 points 1 year ago

I do use one domain with several subdomains (or simply a wildcard), that's what I meant by the CNAME record(s). But I see that wasn't completely clear from the post.

The setup time is not really a factor, more just the overhead of one tunnel and one Traefik instance vs multiple tunnels without Traefik. I might just do some basic "benchmarking" if you can call it that to see the CPU and (more realistically) memory impact.

[–] [email protected] 3 points 1 year ago

I’ve just started using cloudflare and self hosting, I have applications running in docker containers on separate ports, I setup a frontend with caddy on a separate board that only hosts caddy and reverse proxy to the apps and cloudflare in front of it all. Seems to work pretty well

[–] [email protected] 1 points 1 year ago

Cloudflare Tunnels have a basic reverse proxy built in, so you could technically still have one and eliminate Traefik.

However, I still use one for nginx, and one for each important app (frigate, home assistant, probably others), plus an extra on a raspberry pi as more of a VPN if my wireguard server goes down.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
SSL Secure Sockets Layer, for transparent encryption
VPN Virtual Private Network
nginx Popular HTTP server

3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #117 for this sub, first seen 8th Sep 2023, 06:15] [FAQ] [Full list] [Contact] [Source code]