1. Forum
  2. DOVE-Net
  3. Internet

  • Cloudflare

    From poindexter FORTRAN@VERT/REALITY to All on Wed Apr 21 14:26:00 2021
    I found an interesting article on Reddit about a home lab user using the home/free tier of Cloudflare for their network.

    On top of the usual DDOS stuff, they handle SSL and proxying to HTTP/HTTPS
    for your facing services, provide DNS for your domain, allow access to their CDN, and you get to hide your home IP in the process.

    There's a lot of analytics, I'm just starting to play with that now.

    The original poster is using pfsense to talk to Cloudflare's API, it sounds like you could do some interesting things with it.

    Definitely worth checking into, I'd started setting up a reverse proxy on my network, mostly to handle LetsEncrypt renewals, but this would render that moot as well as add some other features.


    ... The neuroanatomy of fear and faith share common afferent pathways.
    --- MultiMail/DOS v0.52
    þ Synchronet þ realitycheckBBS -- http://realitycheckBBS.org
  • From lynx769@VERT/BTTMLSS to poindexter FORTRAN on Thu Apr 22 00:17:00 2021
    The original poster is using pfsense to talk to Cloudflare's API, it sound like you could do some interesting things with it.

    I've got a small container which checks every 5 minutes if my home IP has changed and calls Cloudflare's API to update the wildcard A record for my domain.

    I'm hosting a half dozen services running behind nginx-ingress and let's encrypt cert issuer on a kubernetes cluster. The cluster is running small RancherOS VMs on Proxmox.

    With the wildcard, I just spin up a new service and have a valid certificate issued automatically and be in business. The only downside is that Cloudflare can't proxy wildcard records so I lose the proxy benefit though.

    Lachlan

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net
  • From Nelgin@VERT/EOTLBBS to lynx769 on Thu Apr 22 08:36:20 2021
    lynx769 wrote:
    The original poster is using pfsense to talk to Cloudflare's API, it sound
    like you could do some interesting things with it.

    I've got a small container which checks every 5 minutes if my home IP has changed and calls Cloudflare's API to update the wildcard A record for my domain.

    I have nsupdate running on my router which runs openwrt. It will automatically update my DNS without having to check every so often. It's nice and quick.

    ---
    þ Synchronet þ End Of The Line BBS - endofthelinebbs.com
  • From Arelor@VERT/PALANT to poindexter FORTRAN on Thu Apr 22 12:41:46 2021
    Re: Cloudflare
    By: poindexter FORTRAN to All on Wed Apr 21 2021 07:26 am

    I found an interesting article on Reddit about a home lab user using the home/free tier of Cloudflare for their network.

    On top of the usual DDOS stuff, they handle SSL and proxying to HTTP/HTTPS for your facing services, provide DNS for your domain, allow access to their CDN, and you get to hide your home IP in the process.

    There's a lot of analytics, I'm just starting to play with that now.

    The original poster is using pfsense to talk to Cloudflare's API, it sounds like you could do some interesting things with it.

    Definitely worth checking into, I'd started setting up a reverse proxy on my network, mostly to handle LetsEncrypt renewals, but this would render that moot as well as add some other features.


    ... The neuroanatomy of fear and faith share common afferent pathways.

    Cloudflare is a Google-class threat to privacy and freedom of the Internet.

    Their SSL management is very meh if you use them only as an SSL accelerator. They break the asumption that the SSL/TLS connection is performed to the website's hosting location. If you use them as an accelerator they get to see all the supposedly encrypted traffic and your users won't know it unless they pay a lot of attention.

    Anti-DDOS is nice. It is too bad that in order to have your own DDOS protection nowadays you need the infrastructure to route DOS connections to /dev/null, which is kind fo expensive.

    --
    gopher://gopher.richardfalken.com/1/richardfalken

    ---
    þ Synchronet þ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From poindexter FORTRAN@VERT/REALITY to lynx769 on Thu Apr 22 13:15:00 2021
    lynx769 wrote to poindexter FORTRAN <=-

    With the wildcard, I just spin up a new service and have a valid certificate issued automatically and be in business. The only downside
    is that Cloudflare can't proxy wildcard records so I lose the proxy benefit though.

    I'm new to the cert game. I assumed that LetsEncrypt couldn't do wildcards.
    If they did, I could replace all of the standalone LE instances with the reverse proxy server I want to build. But, then I wouldn't need the proxy server, as it's going to be there to allow my internal hosts to renew their
    LE certificates. :)

    What are you using as a reverse proxy? I am planning on using nginx, only because I've recently used it at work to proxy some servers behind a single IP.


    ... Mary being complete the job bazooka.
    --- MultiMail/DOS v0.52
    þ Synchronet þ realitycheckBBS -- http://realitycheckBBS.org
  • From poindexter FORTRAN@VERT/REALITY to Nelgin on Thu Apr 22 13:21:00 2021
    Nelgin wrote to lynx769 <=-

    I have nsupdate running on my router which runs openwrt. It will automatically update my DNS without having to check every so often.
    It's nice and quick.

    I've got dynamic DNS, and I use a static A address on my provider for my
    base host name, then CNAME everything off of it. I haven't had my IP address change unless I hard reset my router.


    ... ONE OUT OF FIVE DENTISTS RECOMMEND GUM.
    --- MultiMail/DOS v0.52
    þ Synchronet þ realitycheckBBS -- http://realitycheckBBS.org
  • From lynx769@VERT/BTTMLSS to poindexter FORTRAN on Thu Apr 22 23:20:00 2021
    I'm new to the cert game. I assumed that LetsEncrypt couldn't do wildcards If they did, I could replace all of the standalone LE instances with the reverse proxy server I want to build. But, then I wouldn't need the proxy server, as it's going to be there to allow my internal hosts to renew thei LE certificates. :)

    I should clarify that I'm referring to wilcard DNS records, not wilcard
    certs. However, you can do wilcard certs with DNS challenge. There is a certbot cloudflare dns plugin that you might want to check out, but I haven't used it.

    What I do instead is use an A record for the root domain pointing to my external IP. Then a * CNAME which resolves to the root domain. I am using
    the nginx-ingress for kubernetes with letencrypt cluster issues.

    What that means is that when I deploy an app (e.g. my blog) on the cluster, I can specify the hostname in the manifest that I want the app to respond to and it will resolve to my external IP. The ports are forwarded to the node
    running nginx as reverse proxy which then routes requests internally to the correct node and pod. The letsencrypt issuer takes care of setting up the
    HTTP letsencrypt challenge and renews certificates automatically.

    It all takes less than 5 minutes to deploy a new app or scale it up to more nodes. My blog goes into more details about my set up if you are interested. I started it as a way to document what doing as I was learning about "cloud native" technologies and gitops.

    Lachlan

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net
  • From poindexter FORTRAN@VERT/REALITY to lynx769 on Fri Apr 23 13:35:00 2021
    lynx769 wrote to poindexter FORTRAN <=-

    more nodes. My blog goes into more details about my set up if you are interested. I started it as a way to document what doing as I was
    learning about "cloud native" technologies and gitops.

    What's your blog's address? I'd love to read it.


    ... There are secrets within lies, answers within riddles.
    --- MultiMail/DOS v0.52
    þ Synchronet þ realitycheckBBS -- http://realitycheckBBS.org
  • From lynx769@VERT/BTTMLSS to poindexter FORTRAN on Tue Apr 27 17:11:00 2021
    What's your blog's address? I'd love to read it.

    https://blog.lachlanlife.net

    Lachlan

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: The Bottomless Abyss BBS * bbs.bottomlessabyss.net
  • From poindexter FORTRAN@VERT/REALITY to lynx769 on Wed Apr 28 13:31:00 2021
    lynx769 wrote to poindexter FORTRAN <=-

    What's your blog's address? I'd love to read it.

    https://blog.lachlanlife.net

    Looks interesting, bookmarked for reading later. I've been playing with
    nginx and letsencrypt, Ansible, and Proxmox and OpenLDAP, seems like we're doing some of the same things.




    ... Omens are there to be broken.
    --- MultiMail/DOS v0.52
    þ Synchronet þ realitycheckBBS -- http://realitycheckBBS.org
  • From Tracker1@VERT/TRN to poindexter FORTRAN on Tue May 4 22:24:43 2021
    On 4/22/2021 6:15 AM, poindexter FORTRAN wrote:

    I'm new to the cert game. I assumed that LetsEncrypt couldn't do wildcards. If they did, I could replace all of the standalone LE instances with the reverse proxy server I want to build. But, then I wouldn't need the proxy server, as it's going to be there to allow my internal hosts to renew their LE certificates. :)

    What are you using as a reverse proxy? I am planning on using nginx, only because I've recently used it at work to proxy some servers behind a single IP.

    You can do wildcards with LE, but you need to have DNS integration.

    I've mostly been using Caddy for reverse proxy and static content...
    I'll use Nginx when I need more than that.
    --
    Michael J. Ryan - tracker1@roughneckbbs.com
    ---
    þ Synchronet þ Roughneck BBS - roughneckbbs.com