I’m sure I’ll find the answer to my question here. It’s been asked a few times, but there hasn’t been a definitive answer. Everywhere, something else is said.
I want to set up remote access to Immich (a Docker image hosting service) using Cloudflare Tunnel. The problem is that by default, Cloudflare can see all the data that goes through the tunnel. To do this, I want to use TLS with self-signed certificates through Let’s Encrypt.
In this way, I can keep the data fully encrypted between the client and the server, in the following way:
client -> tls -> tunnel -> tls -> server. Then all traffic going through the tunnel would not be viewable.
Is this configuration really possible so that Cloudflare won’t be able to see my data? How can I make this entire configuration work at its best?
- Get a cheap VPS.
- Get a domain name and point its A record to the IP of the VPS.
- Set up a VPN tunnel between the VPS and your home server. You can use Tailscale or wg-easy. You don’t need to worry about CGNAT because you’re establishing the VPN by going out of your server (either through Tailscale or to the VPS IP with WireGuard).
- Port-forward 443 on the VPS public IP through the tunnel to a reverse proxy running on the home server (NPM, Caddy, Traefik etc.)
- Get a Let’s Encrypt wildcard TLS certificate for *.yourdomain.tld.
- Set up the reverse proxy to use the TLS certificate for immich.yourdomain.tld and point it at your immich container.
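The VPS side of the steps above (forwarding 443 through the tunnel to the home reverse proxy), as an added example that is not the answer author's own setup: an nftables ruleset that DNATs only TCP 443 from the public interface into the WireGuard tunnel, so the TLS session still terminates on the home server and the VPS never holds the certificate's private key. The interface names eth0 and wg0 and the tunnel address 10.8.0.2 are assumed values; adjust them to your tunnel.

```shell
#!/bin/sh
# VPS-side port forwarding into the WireGuard tunnel (assumed names/addresses).
# Only the listed TCP ports are forwarded; everything else in the forward
# path is dropped, so the VPS is a dumb TCP relay and sees only ciphertext.
set -eu

PUB_IF="${PUB_IF:-eth0}"             # VPS public interface (assumption)
WG_IF="${WG_IF:-wg0}"                # WireGuard interface on the VPS (assumption)
HOME_WG_IP="${HOME_WG_IP:-10.8.0.2}" # home server's address inside the tunnel (assumption)

# Render an nftables ruleset: args are <pub_if> <wg_if> <home_ip> <port>...
nft_forward_rules() {
    pub_if="$1"; wg_if="$2"; home_ip="$3"; shift 3
    ports=$(printf '%s,' "$@"); ports="${ports%,}"
    cat <<EOF
table inet tunnelfwd {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    # Rewrite the destination of inbound 443 to the home server; port is kept.
    iifname "$pub_if" tcp dport { $ports } dnat ip to $home_ip
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    # Masquerade so the home server answers back through the tunnel.
    oifname "$wg_if" ip daddr $home_ip masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$pub_if" oifname "$wg_if" ip daddr $home_ip tcp dport { $ports } accept
  }
}
EOF
}

# Apply the ruleset (run as root) and enable IPv4 forwarding on the VPS.
apply_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nft_forward_rules "$PUB_IF" "$WG_IF" "$HOME_WG_IP" 443 | nft -f -
    nft list table inet tunnelfwd   # show what is now active
}

if [ "${1:-}" = "apply" ]; then apply_forwarding; fi
```

Because of the masquerade, the home reverse proxy logs the VPS tunnel address rather than the real client IP; if you need client addresses, keep the masquerade out and instead route 10.8.0.0/24 replies back over wg0 on the home side.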
Wow, thank you for the response, I’ll try to check it out, it seems like a complicated process for someone who just started with the whole self-hosting world. But thank you very much for the response!