cross-posted from: https://discuss.online/post/30840627
Genuine question, so please don’t be mean to whoever responds. Better to learn than to judge.
Curious if people who are on Cloudflare are considering any selfhosted alternatives? If not, interested to hear what is a deal breaker in regards to using a service besides Cloudflare. I do hear a lot of praise for Cloudflare when facing DDOS, and always happy to learn more!
Yup, happy. A 3 hour outage once in a blue moon really isnt a big deal. Especially when I pay $0.
I host a website for my partners business, and as I pointed out to them, while their website is down right now, so is everyone else’s, so not really losing customers.
So, are you using a domain you’ve registered for the site with cloudflare?
I bought a domain from NamesCheap for less than $5 USD, and used the Cloudflare issued nameservers. Cloudflare does not require you to purchase a domain through them, but they do require you to use their nameservers for obvious reasons.
Yes. I bought the domain through them, to keep it all nice and simple.
you bought one? Like in - one time payment with infinite time ownership?
There are no domains that are infinite time ownership (AFAIK, please correct me if I’m wrong), but its pretty close to ownership. I have the rights to the domain for 10 years, and I get first dibs on renewal after that. So its sorta renting/sorta owning?
You might be misunderstanding the value-add of a CDN to self-hosting, so here’s my attempt at explaining:
I’ve been self-hosting things for a very long time. In the old days, we would wrangle our routers to expose port 80 for HTTP (and later, port 443 for HTTPS) and forward those connections to the self-host server and then add the appropriate DNS records to point our website domain to our home IP address (which was its own fun challenge when ISPs refused to give static IP addresses for home plans). Relatively simple.
However, in recent years (especially after the pandemic) the internet has become a much more hostile place. People find vulnerabilities in your nginx/caddy/apache or whatever reverse proxy you use (or router, or any one of the many other parts of your network/software stack) gain access to your local network and your personal data. And then there are bad actors doing DDoS attacks or AI crawlers generating DDoS levels of incoming requests to overload your hardware.
All that combined means it’s very dangerous to have your home IP exposed to the internet (allowing any sort of inbound requests) at all.
So, how do we access our self-hosted stuff while we’re outside of home? The safest approach is to use a VPN. Tailscale is the most popular one that I’ve come across. Only client devices that are connected to the VPN have access to your stuff. Random bad actors can’t poke your self-hosted stack for vulnerabilities.
Okay, what if you want to share something with people publicly? I for one, use Immich for my photo libraries and it’s very easy to be able to share a link to an album for friends and extended family to access without having to install and configure a VPN on their phones.
That is where cloudflare comes in. We can run
cloudflaredon our machine, which makes an outbound request to cloudflare and creates a tunnel to route all the incoming requests from their servers to your reverse proxy. Your network is still not exposed to the internet, and the edge nodes (the machines that actually front the incoming traffic from the clients) are not owned by you.Now, I guess it’s feasible to rent a VPS on DigitalOcean/OVH/Azure/AWS and run a Tailscale exit node there to achieve a similar result. I haven’t looked too deeply into Pangolin but it looks kind of similar. Now you’re adding extra work to keep those configured correctly (and up-to-date), is less secure because you’re not doing that full time (unlike the engineers at cloudflare) and you’re still dependent on that VPS provider to not go down, so the disaster recovery profile hasn’t changed all that much.
That’s why there’s no self-hosted alternatives to a CDN. I guess you can go with their competitors like Fastly/Akamai/etc, but all of them are considerably more expensive. And even the ones that do have free tiers have data limits or bill per gigabyte. That’s an extra headache to worry about for that one month your mother decides to take 1000 videos of your son during the family vacation and her phone automatically backed up all of them at full-quality.
Never used it nor never will, I want my infra to be as independant as possible, and also fuck internet centralisation and fuck corpos
So I’ve done public DNS zone hosting and you can use let’s encrypt for certs and such, but
- What about caches? I basically use to reduce load and network traffic reduction before it gets to me so I don’t have to run my own varnish cache and get regional caching to reduce repeat cross country calls for people on the other coasts.
- What do you use for DDOS protection?
Basically, cloudflare is free, and i get all that. If I find another place better, I’m open to jumping ship.
Not trying to get into a pissing contest, or twist your arm into anything…however, honest question: What do you consider your ISP? Centralized or no? I mean, there are only around 10 to 15 major Tier-1 backbone ISPs that I know of, everyone else contracts with them. There are about 12–14 true Tier-1 backbone providers that form the core of the global Internet, and a few dozen additional very large backbone networks (Tier 2) that also carry massive amounts of international internet traffic.
Yes, and in fact I am collaborating in a neighborhood project for the implementation of a local ISP. Obviously you are right, with the way the internet is built it is inevitable to depend on some centralized systems out of reach, I cannot lay a submarible cable xD. But other than in cases of absolute need, where there is really no alternative, I want an internet more like it was before I was born, just people communicating using local infra, not Internet Monsantos
I moved my setups to Pangolin and placed it on a VPS and then just have been using it since and is about the same as I could run it with a CDN such as Cloudflare. I know Cloudflare has better security with things but I also use Crowdsec which has been nice for keeping most things away. I host my email through Mxroute so it’s never an issue. While Cloudflare has been very stable for years, this last outage didn’t affect me like it would have, although I’m just use the stuff or my purposes.
I left Cloudflare because I was ready to move away from there and found that Pangolin offered what I was looking for. No hard feelings either way toward Cloudflare at all.
A few hours of downtime in all the years I’ve been using them? That’s a better record than my actual services have.
A lot of people underestimate what cloudflare does and while it was a massive incident in scale minuscule compared to others recent ones other large companies have had
There’s not a way to self host what cloudflare does though
What about Pangolin? Or, are you thinking of other aspects?
That’s only one very small component of what cloudflare does.
We were affected by the recent issues and spent some time working out alternatives to all the features we use. It was daunting…
People using Cloudflare, are you still happy with
Absolutely happy with Cloudflare Tunnels/ZeroTrust. Yes, I realize all the pros and cons. There are some good points made on both sides of the fence. Do I think it makes me less of a selfhoster? Nah. I don’t really have any interest in pedantic, hair splitting, of definitions. Cloudflare isn’t all that I use tho. I use Tailscale on my stand alone pFsense firewall, and on the server itself as an overlay layer of protection. I also use Duckdns in conjunction with LetsEncrypt on my VPS, however, I wanted something that I felt was more secure on my homelab, and Cloudflare fit the bill.
That is not to say I am in this blindly. If at some point Cloudflare, or any other service I use, doesn’t suit it’s purpose anymore, I can always move on to something else. Monitor, and make choices based on those observations. We should do that with any service, software, opensource or closed source anyways.
