In response to the discussion on a recent thread about whether to trust Cloudflare, as some people are not very comfortable with it terminates HTTPS (MITM).

There is this thing called Fast Reverse Proxy (FRP) https://github.com/fatedier/frp

It’s open source, very lightweight and I have used it in multiple instances. Frankly there doesn’t seem to be a lot of people know/use it here. The idea is you deploy this on a VPS with public IP, and have your server at home connect to it. It is pretty much like your own Cloudflare tunnel, only you have much more control over it (ports, TCP/UDP/HTTP, auth, etc).

I use it on the cheapest VPS ($5) I can find close to where I live. It acts as a simple TCP reverse proxy to my server, where Nginx Proxy Manager handles the actual HTTPS. (You can let FRP handle HTTPS but then you need to think about if you trust the VPS and also keep the certs updated there, so nah.)

It’s developed by a Chinese dude as it is pretty much a necessity for selfhosters (mostly minecraft servers) in China, since Public IP is scarce there and most people live behind CGNATs.

  • HTTP_404_NotFound@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Personally, when I used to route my home services through a VPS- I used a simple VPN tunnel from my VPS to my home network, which my home router would establish (dynamic IP).

    From there, my firewall dictated what was actually allowed to enter through the tunnel… and the reverse proxy, did its thing.

  • garibaldi3489@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    This type of tool is interesting, and provides some of the functionality that Cloudflare Tunnel does, but with frp, a vulnerability in your app (or its login screen) could be more easily exploited since you don’t have the traffic protection features that Cloudflare provides, right? Maybe combining this with fail2ban (or is there another similar self-hosted tool) would not only act as a proxy but also help protect your app to a degree like Cloudflare does?

  • sarkyscouser@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’m assuming the benefit over say Caddy + Authelia is that you don’t need to open any local ports such as 80 and 443?

  • Tivin-i@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Well, pretty much any type of tunneling software such as Tailscale or Wireguard will achieve the same, you just need to change a bit where your components are located.

    What I personally do is have swag proxy on the VPS with crowdsec and authelia, this redirects the traffic to the internal wireguard/tailscale mesh network to the specific service requested.

    If you are the only user of the services, create a tailscale or a netmaker; Not sure about tailscale but in Netmaker (wireguard based) you can choose to have your VPS as the relay host.

  • lilolalu@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I think a lot of proxy servers have that functionality, HAproxy definitely has… With nginx you need the “plus” Version to proxy tcp.

  • NekoLuka@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I use this for all my services that need to be accessible from the outside world… For my private services I use tailscale + headscale

  • garibaldi3489@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    With Cloudflare Tunnels, if you disable TLS decryption, use Full or Full (strict), and verify that the certificate in your browser is yours and not Cloudflare’s certificate, wouldn’t that mean that the SSL is unbroken from your server to the browser? Or can these options not be used with Cloudflare Tunnels?