Hey is there any alternatives to CloudFlare reverse proxies? I want to hide my server IP but not share everything with CF…

  • foggy@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    7 months ago

    Sucuri?

    Akamai?

    Kinda depends on what’s going on, price point, etc. is this for DDOS purposes?

    You do not need a CDN, but you have users. So, is this for like, a Plex server, serving friends in a similar geographic region?

    What’s the use case? That will greatly help us answer.

  • breakingcups@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    7 months ago

    Depends on why you want to hide your server ip, what’s your use case? Is it to protect against DDOS?

    Cloudflare is evil, but is there any other party you would trust to share everything with?

    • foremanguy@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      7 months ago

      Do you something like a vps would be more secure? Paying some dollars a month

  • TCB13@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    edit-2
    7 months ago

    @[email protected] ,

    Step 1: get a cheap VPS, or even a free one (https://www.oracle.com/cloud/free/)

    Step 2: If you’ve a static IP at home great, if you don’t get a dynamic DNS from https://freedns.afraid.org/ or https://www.duckdns.org/

    Step 3: Install nginx on the VPS and configure it as reverse proxy to your home address. Something like this:

    server {
        listen 80;
        server_name example.org; # your real domain name you want people to use to access your website
        location / {
            proxy_pass http://home-dynamic-dns.freeprovider... # replace with your home server IP or Dynamic DNS.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }
    

    Step 4: Point your A record of example.org to your VPS.

    Step 5: there’s a potential security issue with this option: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from and to get around this you can do the following on the home server nginx config:

    http {
    (...)
            real_ip_header    X-Real-IP;
            set_real_ip_from  x.x.x.x; # Replace with the VPS IP address.
    }
    

    This will make sure only the VPS is allowed to override the real IP of the client.

    Step 6: Once your setup works you may increase your security by using SSL / disabling plain HTTP setup letsencrypt in both servers to get valid SSL certificates for real domain and the dynamic DNS one.

    Proceed to disable plain text / HTTP traffic. To do this simply remove the entire server { listen 80 section on both servers. You should replace them with server { listen 443 ssl; so it listens only for HTTPs traffic.

    Step 7: set your home router to allow incoming traffic in port 443 and forward it into the home server;

    Step 8: set the home server’s firewall to only accept traffic coming from outside the LAN subnet on port 443 and if it comes from the VPS IP. Drop everything else.


    Another alternative to this it to setup a Wireguard tunnel between your home server and the VPS and have the reverse proxy send the traffic through that tunnel (change proxy_pass to the IP of the home server inside the tunnel like proxy_pass http://10.0.0.2). This has two advantages: 1) you don’t need to setup SSL at your home server as all the traffic will flow encrypted over the tunnel and 2) will not require to open a local port for incoming traffic on the home network… however it also has two drawbacks: you’ll need a better VPS because WG requires extra processing power and 2) your home server will have to keep the tunnel connected and working however it will fail. Frankly I wouldn’t bother to setup the tunnel as your home server will only accept traffic from the VPS IP so you won’t gain much there in terms of security.

    • foremanguy@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      So I need to have always the same exit node, need to connect to the server via an other IP and only this server know my ip

      • axzxc1236@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        AFAIK tor websites (onion service) doesn’t require exit node, and no one knows your IP unless you are unlucky enough all nodes you connected are controlled by same entity.

        • foremanguy@lemmy.mlOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          But the speeds are much slower nah? And can I host “normal” website trough Tor?

          • axzxc1236@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            7 months ago

            Yes, speed would be much slower.

            Yes, you can host a normal website through tor.

  • solrize@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    7 months ago

    Do you want something that also has CDN like Cloudflare? Bunny.net is good, but way more expensive than a cheap VPS if you use a lot of traffic.

  • jubilationtcornpone@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    7 months ago

    Set up a VPS. Create a VPN tunnel from you local network to the VPS. Use the VPS as the edge router by opening ports on the VPS firewall and routing incoming traffic on those ports through the VPN tunnel to servers on your local network.

    I used to do this to get around CGNAT. I ran RouterOS in a Digital Ocean droplet and setting up a wire guard tunnel between it and my local Mikrotik router.

    It will obscure your local WAN IP and give you a static IP but that’s about the only benefit. And you have to be pretty network savvy to configure it correctly.

    It does not make you immune to DDoS attacks and is honestly more headache to maintain (albeit just a small headache).