For a self-hosted application with a valid SSL certificate and support for OAuth, what are the benefits that Cloudflare Access provides? From what I can tell, it also filters traffic to possibly block attacks? Can it even be used with a self-hosted app if you aren’t also running Cloudflare Tunnel? Is there a better alternative (that also integrates with major OAuth providers like Google, Github, etc) for self-hosters? Thanks for the help in understanding how this works.
There’s not much reasons of exposing any of your local services to internet. Use vpn to have access to your local resources. This is best you can come up with for your home lab
For most things I agree but I this case I’m thinking of a service where you want to have a group of people access and they all aren’t willing or tech-saavy enough to install a VPN
Question : what if I need to access my home computer from a work laptop and I’m not allowed to install things such as the WireGuard VPN client. Do I use native say Windows VPN?
Benefits have been listed out here by others. The few restrictions I found on the free tier of Cloudflare is that they limit file size for uploads to 200MB. If you were exposing your NAS and want to upload a large file then you need to pay for Cloudflare or it will be restricted.
Remember that cloudflare will see your traffic, Even with an ssl certificate.
Right, so I’m trying to determine if that is worse or if exposing a service without Cloudflare (and being more at risk from someone trying to break into my service because of not having the monitoring/protection Cloudflare provides) is worse.
I use it within my Kubernetes to expose services outsides my house, and then I use Azure AD to manage access.
I know this isn’t very self hosted, but for me where I have a dynamic IP and don’t want to play with port forwarding, it’s really good. Nice and easy especially with Kubernetes and the helm chart I wrote
Don’t you need to configure DDNS regardless? And port forwarding as well unless you went with tunnels?
For cloudflare tunnels no, it does a nat punch through I think it’s called, where it connects from inside your network out to 2 edge locations to cloudlfare, where it then can send traffic back and forwards.
If I wanted to expose by port forwarding, then yes you are correct, I could configure ddns.
Personally, I would configure my own version of DDNS where it’s just a cron job once every 5 minutes to run terraform and check if my public IP has changed, and if it has run an apply.
Does that answer the question?
There’s a great tiny little program/docker container called cf-ddns that is great for this