this post was submitted on 05 Nov 2023
58 points (95.3% liked)

Selfhosted

40041 readers
770 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello I've been using cloudflare to get remote access for the couple apps I selfhost, but lately I've been hearing about the wonders of tailscale.

It seems that the free tier is enough for my use. Which would be a safe option to have remote access for my 3D printer? Also how are both in terms of privacy?

you are viewing a single comment's thread
view the rest of the comments
[–] EncryptKeeper@lemmy.world 3 points 1 year ago* (last edited 1 year ago) (1 children)

You’re explaining yourself fine, you’re just mistaken about the way Cloudflare tunnels work. You’re confusing concepts between a L4 proxy and a L7 proxy.

What I'm saying is, if the client and endpoint (server) talk in an encrypted protocol, then cloudflare cannot MiTM the data, only the IP headers.

This is not the case. You are under the mistaken impression that CF tunnels work like a L4 tunnel, proxying a TCP stream from client to server, allowing you to maintain an encrypted TLS session from client to server. That would be closer to what Tailscale Funnel does (Which I’d advocate for). CF tunnels do not work this way. Cf tunnels work more like a L7 proxy. Your client and your server never talk, so there is no encrypted protocol between them. There is only encryption between you and Cloudflare, and then Cloudflare and your backend server. Cloudflare can and does MitM the data AND the IP headers.

This is similar if you were to connect to any ol' website over an ISP's network. If your session is not HTTPS, then your application data can be read.

You cannot establish an HTTPS connection with your application from your client. You establish an HTTPS connection with Cloudflare, which gives them plaintext access to all the data you send through them.

You can have encrypted sessions inside of CF tunnel-network-tunnel.

To be clear, no you can’t. This is your misunderstanding. At least, you can’t with Cloudflare tunnels. Cloudflare may offer a TCP proxy service, which is what you’re confusing CF tunnels with, if you sign up for an enterprise plan, but you don’t get that functionality in their free plan which OP, and self hosters in general would be using.

[–] varsock@programming.dev 1 points 1 year ago

thanks for the masterclass in CF tunnels.

I am ready to accept everything you've said but there is the SSH case that keeps tripping me up. For reference, here is the CF docs on Connecting SSH through CF Tunnels.

Can you help me clear up the misunderstanding here? From the docs it appears you can create a SSH key pair on a client and then copy the public key to the server. It does not appear that the docs state you need to share those keys with CF, so I assume (perhaps incorrectly) that my session will be encrypted with my private key (on client) and public key (on server).

Again, what you said appears to make sense, perhaps SSH is the only edge case that is implemented differently?