[HN Gopher] Exposing a web service with Cloudflare Tunnel (2022)
___________________________________________________________________
Exposing a web service with Cloudflare Tunnel (2022)
Author : sturza
Score : 66 points
Date : 2025-07-09 09:08 UTC (3 days ago)
(HTM) web link (erisa.dev)
(TXT) w3m dump (erisa.dev)
| 44za12 wrote:
| I absolutely love it. Recently used this to host my blog along
| with multiple hobby projects on my 5-6 years old Raspberry Pi,
| more on it here:
|
| https://aazar.me/posts/reincarnating-a-raspberry-pi
| j45 wrote:
| This is awesome, makes me want to try out a Pi for this.
| 44za12 wrote:
| Would 100% recommend, cheapest bare metal you can get, AFAIK.
| j45 wrote:
| Likely, minus those great little used units.
| kramer2718 wrote:
| This looks AMAZING! Will be doing this for an upcoming project.
| Dachande663 wrote:
| (2022)
| j45 wrote:
| Still relevant, and always new to someone.
| ahofmann wrote:
| Posts on hn that are not from the current year should have
| that information in the title. If it is missing, users post
| the year in parentheses.
| j45 wrote:
| That's a fair thing to include for posts from a prior year.
|
| A post that is new to everyone vs new to some might save a
| few clicks.
|
| I was commenting on the post still having relevance despite
| the age, or without the year.
|
| Edit: typo
| jekwoooooe wrote:
| I love CF tunnels I use it to "expose" some internal services
| that are gated with google auth and other zero trust protections.
| I don't have to worry about exposing ports or using a vpn.
| teiferer wrote:
| I'm sorry, I don't get the point. Perhaps I'm missing something.
|
| If I open a single port to my home server, then anybody can send
| any traffic to my server _on that port_. The attack surface is
| exactly the process running on my home server, listening on that
| port.
|
| If I use the cloudflare tunnel, anybody using my web service
| connects to some cloudflare server which transparently forwards,
| through the tunnel, everything to the process running at home.
| The attack surface is ... exactly the process running on my home
| server, receiving everything coming into the tunnel, effectively
| listening on the port opened on the cloudflare server.
|
| Where is the difference? Any security issue _in the process
| running on my server_ that can be exploited by sending traffic to
| it is attackable in either case.
|
| Does cloudflare filter the traffic in any way? How does it know
| what's good and what's bad traffic?
| hotpocket777 wrote:
| I was personally using tailscale funnel (similar?) because my
| isp didn't give me a static ip more so than for any security
| reason.
| iLoveOncall wrote:
| Yeah the point of CloudFlare tunnel is absolutely not what is
| shown in this article. It's to _privately_ expose services on
| the web without opening ports.
|
| You can put auth, georestrictions, etc. so that people are
| authorized before they ever reach your computer.
|
| I expose a lot of services on my NAS via CloudFlare tunnels, but
| every single one of them is behind an authentication screen
| managed by CloudFlare and running on their servers.
| toast0 wrote:
| > If I open a single port to my home server, then anybody can
| send any traffic to my server on that port. The attack surface
| is exactly the process running on my home server, listening on
| that port.
|
| If you open a single port on your home server, you're exposing
| that port, sure. But you're also exposing your IP, and with
| that comes attacks on your IP stack, if you're worried about
| that. Presumably cloudflare proxies application traffic, but
| likely normalizes fragmentation and tcp flags and what nots.
|
| Additionally, when you're exposing your IP, you're subject to
| volumetric attacks on your IP. High volume DDoS often spoofs
| your IP to UDP servers that will respond, generating high
| volumes of traffic that overwhelm either your system in
| general, or the bandwidth on your connection. If you're behind
| a tunnel, the tunnel endpoint will get that traffic, and
| Cloudflare seems to manage that well. If you manage to attract
| a DDoS at your application level, that could very well make it
| through the tunnel and overwhelm your service. I think
| Cloudflare does offer some filters for that, but my knowledge
| is limited. IMHO, most of the value is from avoiding non-
| application traffic; but I just host most of my stuff in cheap
| hosting and if someone wants to DDoS me, my server will go down
| and that's fine.
| teiferer wrote:
| Sure, DDoS protection sounds useful, but that's not at all
| what the article is about.
| toast0 wrote:
| The article is mostly about the how, and not the why. It
| briefly mentions the why with:
|
| > you might be worried about forwarding your IP and
| connections to the world without properly securing them.
| Setting it all up sounds like a hassle, right?
|
| If I were to do this, it would be because I didn't want to
| expose my IP to the world. And the two big reasons not to
| expose your IP are so you can't be DDoSed, and to reduce
| the privacy impact. Other people have chimed in that they
| do it because their IP is not static, and I think you can
| run the CF tunnel client behind CGNAT, which is also
| valuable.
| topspin wrote:
| > I'm sorry, I don't get the point.
|
| The point is the problem of exposing a port, as opposed to the
| _additional_ problem of whatever security concerns you imagine
| your backend "process" may have.
|
| I suppose you may not imagine that exposing a port is somehow
| problematic. However, it is. First, an open port reveals many
| things[1] about your operation you would likely prefer not to
| reveal. Second, it requires Internet service that permits
| control over open ports, and the authority to utilize it,
| either or both of which may not be available to you.
|
| I have no trouble appreciating the value of this, both for
| personal and commercial purposes. The inherent DDOS protection
| alone is a huge benefit.
|
| [1] Off the top of my head: a.) The ASN and, ultimately, the
| ISP you're using. b.) The approximate physical location of your
| system. c.) Through fingerprinting, your firewall device, and
| whatever problems it has.
| mgerdts wrote:
| The missing part of this recipe is to make it so that when your
| internet exposed app gets compromised the attacker doesn't have
| easy access to your home network.
| topspin wrote:
| I greatly appreciate the fact that solutions to the real
| concern you point out are _not_ somehow bundled into this.
| There are many ways to deal with isolating the backend, and I
| prefer my own, and evolving them as and when I wish. Cloudflare
| Tunnel is a primitive that solves the part I can't without
| much greater effort and expense.
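| One concrete way to supply the "missing part" mgerdts describes, as an
| added example that is not from the article or from Cloudflare: run the
| tunnel connector and the exposed app as containers, and put the app on a
| Docker network with no route to the LAN. Everything here (service names,
| image, port, the TUNNEL_TOKEN variable) is a placeholder; the public
| hostname is mapped to http://app:8080 in the Zero Trust dashboard, which
| is the "copy and paste from the dash" workflow, not in this file.
|
```yaml
# docker-compose.yml: constructed example, names and images are placeholders.
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      # Token for a dashboard-created tunnel. Keep it in .env, not in this file.
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    networks:
      - egress    # outbound to Cloudflare's edge
      - backend   # reaches the app by service name only
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]
    restart: unless-stopped

  app:
    image: ghcr.io/example/hobby-app:latest   # placeholder for the exposed service
    expose: ["8080"]   # no `ports:` entry, so nothing listens on the host or the LAN
    networks:
      - backend        # internal network: no default route, so no LAN or internet
    read_only: true
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]
    restart: unless-stopped

networks:
  egress: {}
  backend:
    internal: true   # Docker adds no masquerade/default route for this network
```
|
| The property this buys is the one the comment asks for: a compromised app
| can talk to cloudflared and nothing else. It does not protect against a
| compromise of cloudflared itself, which sits on a normal bridge network
| and can still reach the LAN through the host; that is the remaining piece
| to isolate (a separate VLAN or host firewall rules) if it matters.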
| speerer wrote:
| The big - really big - downside for me is the CF terms of service
| which suggest that any data pushed through their service is
| perpetually licensed to them:
|
| > 2. LICENSE GRANT TO CLOUDFLARE
|
| > By submitting, posting, or publishing your content,
| suggestions, enhancement requests, recommendations, feedback,
| information, data, or comments ("Content") to any Website or
| Online Service, you are granting Cloudflare a perpetual,
| irrevocable, worldwide, non-exclusive, royalty-free right and
| license (with the right to sublicense) to use, incorporate,
| exploit, display, perform, reproduce, distribute, and prepare
| derivative works of your Content.
|
| https://www.cloudflare.com/en-gb/website-terms/
| vntok wrote:
| That's incorrect. See:
|
| > THESE TERMS DO NOT APPLY TO YOUR ACCESS AND USE OF THE
| CLOUDFLARE PRODUCTS AND SERVICES THAT ARE PROVIDED UNDER THE
| SELF-SERVE SUBSCRIPTION AGREEMENT, THE ENTERPRISE SUBSCRIPTION
| AGREEMENT, OR OTHER WRITTEN AGREEMENT SIGNED BETWEEN YOU AND
| CLOUDFLARE (IF APPLICABLE).
|
| ZTNA tunnels only work with a cloudflare account, so they're
| subject to the self-serve subscription agreement.
|
| > You and your End Users (as such term is defined in the
| Privacy Policy) will retain all right, title and interest in
| and to any data, content, code, video, images or other
| materials of any type that you or your End Users transmit to or
| through the Services (collectively, "Customer Content") in the
| form provided to Cloudflare. Subject to the terms of this
| Agreement, you hereby grant us a non-exclusive, fully
| sublicensable, worldwide, royalty-free right to collect, use,
| copy, store, transmit, modify and create derivative works of
| Customer Content, in each case to the extent necessary to
| provide the Services.
| jimmydoe wrote:
| I think you might be confused by the two licenses applied to
| different type of services:
|
| https://www.cloudflare.com/terms/
|
| https://www.cloudflare.com/website-terms/ <- this one you
| quoted explicitly said it does not cover the one above, which
| applies to CDN/tunnel/etc
| theyknowitsxmas wrote:
| Old guide. These days it's a copy and paste from the dash. You
| can also PIN protect the subdomain with Access.
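| The gating jekwoooooe, iLoveOncall and theyknowitsxmas describe (Google
| login, one-time PIN, geo rules via Cloudflare Access) happens on
| Cloudflare's edge, and the origin learns the result from the
| Cf-Access-Jwt-Assertion header: a JWT signed with the team's keys, whose
| aud claim is the AUD tag of the specific Access application. The check a
| practitioner wants at the origin is to verify that token, so that any
| path which reaches the service without going through the Access policy
| (a second public hostname on the same tunnel with no policy attached, or
| the service also being reachable on the LAN) is still refused. Below is
| an added example of that verification, not code from the article, from
| Cloudflare or from the commenters. The team domain and AUD tag are
| placeholders; in production the RSA public keys come from
| https://<team>.cloudflareaccess.com/cdn-cgi/access/certs, while this
| example mints its own key pair and token so it runs offline.
|
```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims to check; aud stays raw since Access emits it as a JSON array of AUD tags.
type accessClaims struct {
	Aud   json.RawMessage `json:"aud"`
	Iss   string          `json:"iss"`
	Email string          `json:"email"`
	Exp   int64           `json:"exp"`
}

// audMatches accepts aud as either a JSON string or an array of strings.
func audMatches(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	for _, a := range many {
		if a == want {
			return true
		}
	}
	return false
}

// verifyAccessJWT checks a token the way an origin behind Access should: pinned
// algorithm, RSA signature against a key from the team's certs endpoint (passed
// in so the demo runs offline), issuer, audience, expiry. Returns the email.
func verifyAccessJWT(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, err1 := dec(parts[0])
	payload, err2 := dec(parts[1])
	sig, err3 := dec(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", fmt.Errorf("bad base64url segment")
	}
	// Pin the algorithm; never let the token choose ("none" would otherwise pass).
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("bad signature")
	}
	var c accessClaims
	if json.Unmarshal(payload, &c) != nil || c.Iss != wantIss {
		return "", fmt.Errorf("bad payload or issuer")
	}
	// The team's keys sign tokens for every Access application, so a valid
	// signature alone proves nothing about this app: aud must match.
	if !audMatches(c.Aud, wantAud) {
		return "", fmt.Errorf("audience mismatch")
	}
	if c.Exp <= now.Unix() || c.Email == "" {
		return "", fmt.Errorf("token expired or has no email claim")
	}
	return c.Email, nil
}

// signRS256 mints a token for the demo: a constructed stand-in for what the
// Access edge does. An origin only ever verifies; it never signs.
func signRS256(priv *rsa.PrivateKey, alg string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, aud := "https://example-team.cloudflareaccess.com", "this-app-aud" // placeholders
	tok, _ := signRS256(priv, "RS256", map[string]any{"aud": []string{aud}, "iss": iss,
		"email": "alice@example.com", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(verifyAccessJWT(tok, &priv.PublicKey, iss, aud, time.Now())) // alice@example.com <nil>
}
```
|
| The two checks that are easy to skip and costly to skip are the pinned
| algorithm and the aud comparison: the same team keys sign tokens for
| every application on the account, so a token a user legitimately holds
| for one app validates signature-wise against any other app's origin, and
| only the AUD tag tells them apart. Expiry is short by design (Access
| re-issues tokens within the session), so the clock check matters too.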
| jinglemansweep wrote:
| Pangolin
| miloschwartz wrote:
| Pangolin could be a great open source alternative if you prefer
| to self host the server component. You could even set up WAF
| with CrowdSec which is awesome
| yegle wrote:
| AFAICT it violates CF ToS if you host a service that streams
| media traffic via Cloudflare Tunnel.
|
| I was worried about this and had to expose my Plex on the
| internet protected by oauth2-proxy.
___________________________________________________________________
(page generated 2025-07-12 23:00 UTC)