this post was submitted on 20 Aug 2024
17 points (100.0% liked)

Selfhosted

I had self-hosted services on a Raspberry Pi using Docker in my college room. Since I couldn't set up port forwarding, I couldn't enable HTTPS for them. I know that I can still have HTTPS without port forwarding, but it is not straightforward and is difficult for me. And, I used cloudflare tunnel to access them from outside my college network. When I access them using cloudflare tunnel, it uses HTTPS. However, I found conflicting information online about the connection between the server and cloudflare, with some sources saying it's HTTP and others saying it's HTTPS. What's true?

top 9 comments
[–] ducking_donuts@lemm.ee 10 points 3 months ago

The Tunnel daemon creates an encrypted tunnel between your origin web server and Cloudflare’s nearest data center, all without opening any public inbound ports.

From https://www.cloudflare.com/products/tunnel/

[–] chiisana@lemmy.chiisana.net 8 points 3 months ago

The answer depends on how you’re serving your content. Based on what you’ve described about your setup, your content is likely served over HTTP through the secured tunnel. The tunnel acts like an encrypted VPN, which allows unencrypted content to be sent securely over the wire. This means although your web server is serving unencrypted content, it gets encrypted before it goes to Cloudflare, so no one along the path could snoop on it.

[–] MangoPenguin@lemmy.blahaj.zone 6 points 3 months ago

The tunnels are encrypted. But I don't know if they use SSL or something else.

[–] conciselyverbose@sh.itjust.works 4 points 3 months ago* (last edited 3 months ago)

You should be able to set it up, which seems to be the crux of your question.

The reason for the conflict is likely that the traffic is encrypted through the tunnel, but cloudflare holds the certificates needed to verify the identity of your site and can see all the traffic.

But tunnels are done by having your server initiate the connection with cloudflare, so it behaves like a client in terms of networking, and it should work in most cases.

(Worth noting that video was against their policies for using at least the free tunnels last I was aware, so if that's part of your use case you might not be able to use it.)

[–] johntash@eviltoast.org 3 points 2 months ago

What you read online may have been referring to how cloudflare itself can always see the unencrypted traffic?

Cloudflare tunnels are encrypted, but inside of that encrypted tunnel could be a regular http stream.

[–] SteveTech@programming.dev 1 points 3 months ago

Cloudflare tunnels use a QUIC connection between the cloudflared on the server and Cloudflare itself, which is encrypted similarly to HTTPS.

Whatever protocol cloudflared uses to talk to your webserver locally is configurable through the Cloudflare access web UI (just change http to https). I've actually got it configured to use unix sockets, which lets me treat it differently in my nginx config.
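Following up on the "HTTP inside the encrypted tunnel" point earlier in the thread and on switching the local service between http and https: an added Python audit helper, not posted by anyone in this thread, that walks the ingress rules of a cloudflared config (as yaml.safe_load would return them) and reports how the last hop from cloudflared to the origin is protected. The hostnames, ports and socket path are constructed sample values.

```python
from urllib.parse import urlsplit

# Hosts where a plain-HTTP last hop never leaves the machine running cloudflared.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_ingress(ingress):
    """Classify the cloudflared -> origin hop of every ingress rule.

    `ingress` is the list under the `ingress:` key of a cloudflared config,
    as yaml.safe_load would return it. Returns (hostname, level, reason)
    tuples, level in {"ok", "info", "warn"}. The tunnel hop itself is always
    encrypted; this only looks at what travels inside it.
    """
    findings = []
    for rule in ingress:
        service = rule.get("service", "")
        host = rule.get("hostname", "*")
        opts = rule.get("originRequest") or {}
        if service.startswith("http_status:"):
            continue  # catch-all rule, no origin behind it
        if service.startswith("unix:"):
            findings.append((host, "info", "plain HTTP over a local unix socket"))
            continue
        parts = urlsplit(service)
        if parts.scheme == "http":
            if parts.hostname in LOOPBACK:
                findings.append((host, "info", "plain HTTP to loopback; only the tunnel hop is encrypted"))
            else:
                findings.append((host, "warn", f"plain HTTP to {parts.hostname}: cleartext on the LAN"))
        elif parts.scheme == "https":
            if opts.get("noTLSVerify"):
                findings.append((host, "warn", "HTTPS to origin, but noTLSVerify disables certificate checks"))
            else:
                findings.append((host, "ok", "HTTPS to origin with certificate verification"))
        else:
            findings.append((host, "warn", f"unrecognised service {service!r}"))
    return findings

# Constructed sample (what yaml.safe_load returns for the `ingress:` list), not a real config.
SAMPLE_INGRESS = [
    {"hostname": "wiki.example.test", "service": "http://localhost:8080"},
    {"hostname": "nas.example.test", "service": "http://192.168.1.20:5000"},
    {"hostname": "vault.example.test", "service": "https://localhost:8443",
     "originRequest": {"noTLSVerify": True}},
    {"hostname": "git.example.test", "service": "https://localhost:3443",
     "originRequest": {"originServerName": "git.example.test"}},
    {"hostname": "sock.example.test", "service": "unix:/run/app.sock"},
    {"service": "http_status:404"},
]
```

Run it against the real `ingress:` section with `audit_ingress(yaml.safe_load(open("config.yml"))["ingress"])`; only the "warn" rows involve cleartext or unverified TLS outside the tunnel.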

[–] HamSwagwich@showeq.com 1 points 3 months ago

Nobody can answer this because it depends entirely on how you set it up. It can be set up either way. Whatever you point your internal endpoint at is what it is.

[–] just_another_person@lemmy.world 1 points 3 months ago

I believe Cloudflare has a trusted root cert that is distributed with browsers and such, and for tunnels, they generate a signed cert for that hostname interaction, and act as a reverse proxy to your machine when called. This should always show as an HTTPS host, but there must be a mechanism via DNS or something to identify and authorize your host to serve HTTPS, and if that lapses for some reason, I would assume they default to plain HTTP.

I'm just thinking about this logically, having used this particular setup, though.

[–] Decronym@lemmy.decronym.xyz 0 points 3 months ago* (last edited 2 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
DNS             Domain Name Service/System
HTTP            Hypertext Transfer Protocol, the Web
HTTPS           HTTP over SSL
SSL             Secure Sockets Layer, for transparent encryption
VPN             Virtual Private Network
nginx           Popular HTTP server

[Thread #929 for this sub, first seen 20th Aug 2024, 20:05]