
Mihai Farcas

Secure Self-Hosting with Cloudflare Tunnels and Docker: Zero Trust Security

For many software engineers, the allure of self-hosting is undeniable. It represents autonomy, a playground for experimentation and helps you learn about the infrastructure that makes the internet work.

However, the freedom of self-hosting comes with a critical responsibility: security. Exposing your home network to the internet is like opening your front door to everyone. Without proper protection, your home setup can quickly become a target.

This article explains the key methods and tools for securing your self-hosted applications, turning your home setup from a weak spot into a hardened one. We'll go through DNS, look at the threat of DDoS attacks, and show how Cloudflare Tunnels, especially combined with Docker, provide a strong solution for achieving zero-trust security in your self-hosted environment.

To complement this written guide, I've created two accompanying YouTube videos:

The first video delves into the underlying concepts of DNS, DDoS attacks, reverse proxies, and how Cloudflare's infrastructure works to mitigate these threats.

The second video provides a hands-on walkthrough, demonstrating how to set up Cloudflare Tunnels with Docker, securing a sample web application step by step.

Why Self-Hosting Needs Special Attention

When you self-host a website, you're essentially making your home network a part of the public internet. This drastically increases your attack surface. Let's look at some key implications:

  • Your Public IP Address: This is your home network's "address" on the internet. Traditionally, to make your website accessible, you'd point your domain's DNS records to this IP. This direct association creates a clear target for malicious actors.

  • Open Ports: To serve web traffic, you typically need to open ports 80 (HTTP) and 443 (HTTPS) on your router, forwarding them to your web server. Open ports are like open doors, inviting potential intruders to probe your network for weaknesses.

  • Dynamic IP Addresses: Most residential ISPs assign dynamic IP addresses, which change periodically. This makes self-hosting less reliable because your website's DNS records need to be updated constantly to point to the correct IP. If they're not, your site can become unreachable. We'll see how to solve this problem later on.

What is DNS and how does it work?

Domain Name System (DNS) is like the internet's phone book. It's the technology that translates human-friendly website names (like www.example.com) into the numerical IP addresses that computers use to communicate. Without DNS, browsing the web would be incredibly difficult.

However, for self-hosting, the traditional DNS system has a weakness: it can expose your home IP address. In a basic self-hosting setup, when someone looks up your domain, the DNS lookup process eventually leads straight back to your home's IP address.

DDoS Attacks: The Digital Siege

Once a malicious actor gets hold of your home IP address, which, as we saw, can be exposed through the DNS resolution process, they can launch a Distributed Denial of Service (DDoS) attack against it.

DDoS attacks are a major threat to self-hosted websites. In a DDoS attack, attackers use a network of infected computers (called a "botnet") to flood your server with traffic. This overwhelms your server's resources, making your website slow or completely inaccessible to legitimate users.

For self-hosted sites, a DDoS attack can be devastating. Not only can it take your website offline, but the flood of traffic can also disrupt your entire home network, affecting other services and even your household's internet access.

If you're interested in diving deeper into topics like this, including software engineering, self-hosting, home labs, Docker, Kubernetes, and other DevOps practices, head over to the Let's Talk Dev YouTube channel.


Cloudflare: Your First Line of Defense

Cloudflare, at its core, is a Content Delivery Network (CDN) with a strong focus on security. It acts as an intermediary between your users and your origin server, providing numerous benefits:

  • Reverse Proxy: Cloudflare operates as a reverse proxy, meaning all traffic to your website flows through its network first. This masks your origin server's IP address, shielding it from direct exposure.
  • DNS Resolution Through Cloudflare: When you use Cloudflare's DNS services, the resolution process is handled by their vast network of globally distributed DNS servers. This not only improves performance but also adds another layer of obfuscation, preventing attackers from easily discovering your home IP through DNS queries.
  • Basic DDoS Mitigation: Cloudflare's network is designed to absorb and filter malicious traffic. Their anycast network distributes traffic across numerous data centers, making it difficult for attackers to overwhelm a single point. It also identifies and blocks known malicious traffic patterns, preventing them from reaching your server.

Limitations of Traditional Cloudflare Protection for Self-Hosting

While Cloudflare's basic DNS and DDoS protection offer a substantial improvement, they are not a complete solution for self-hosting scenarios. Here's why:

To allow Cloudflare to communicate with your web server, you still need to open ports 80 and 443 on your router and forward them to your server. This keeps a potential vulnerability open. Attackers can directly target those open ports, attempting to exploit any weaknesses in your web server (e.g. Nginx) or in other services running on your network.

This also doesn't get rid of the dynamic IP address issue. If your home IP address changes, your website becomes inaccessible until you manually update your DNS records on Cloudflare. This manual intervention is prone to errors and can lead to downtime. There are more automated solutions out there (dynamic DNS updaters); however, they all rely on making the change at a scheduled interval, which still leads to downtime between the IP change and the next update.

Also, while Cloudflare hides your IP from direct DNS queries, determined attackers might still uncover it through other means, such as examining email headers or exploiting vulnerabilities in third-party services you use.

Cloudflare Tunnels: The Zero Trust Solution

Cloudflare Tunnels provide a paradigm shift in how you expose self-hosted services to the internet. Instead of opening inbound ports and relying on traditional DNS pointing to your home IP, Tunnels create a secure, outbound-only connection from your server to the Cloudflare network. This fundamentally changes the security model to one of "zero trust."

How Cloudflare Tunnels Work: A Deep Dive

  1. cloudflared Daemon: You install a lightweight agent called cloudflared on your server (or within a Docker container, as we'll see later). This daemon is responsible for establishing and maintaining the secure tunnel.
  2. Outbound-Only Connection: cloudflared initiates an outbound connection to Cloudflare's edge network. This is crucial because it eliminates the need to open any inbound ports on your router, drastically reducing your attack surface.
  3. Tunnel Creation: You create a tunnel in the Cloudflare dashboard, giving it a unique name.
  4. Service Configuration: You configure the tunnel to route traffic to specific services running on your local network. For instance, you can specify that traffic for www.example.com should be routed to your web server running on port 80. So you can choose which services are accessible through the tunnel and which aren't.
  5. DNS Integration: Finally, when creating the tunnel, DNS records in Cloudflare are automatically configured to point to the Cloudflare network, specifying the tunnel to be used for each service. Because the DNS records never reference your home IP, the tunnel stays connected to Cloudflare's network even when your home IP changes.

To recap, the benefits of using Cloudflare Tunnels are:

  • Not reliant on opened ports
  • Dynamic IP resilience
  • Granular access control
  • Better security
  • Simplified management

Docker and Cloudflare Tunnels

You can run the cloudflared daemon within a separate Docker container alongside your application containers.

You can also use cloudflared in a docker-compose.yml. Docker Compose simplifies the process of defining and managing multi-container applications. You can define your web application, database, and cloudflared container in a single docker-compose.yml file, ensuring they can all communicate with each other easily through Docker's internal DNS.

Refer to my accompanying YouTube video for a detailed step-by-step guide on setting up Cloudflare Tunnels with Docker. The video covers:

  • Creating and managing tunnels through the Cloudflare dashboard
  • Installing and configuring cloudflared within a Docker container
  • Using docker compose (and Portainer) to expose a self-hosted service to the internet!

The TL;DR is:

```yaml
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      # Token generated in the Cloudflare dashboard when creating the tunnel
      - "TUNNEL_TOKEN=${TUNNEL_TOKEN}"
```
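To show the whole picture described above, here is an added example docker-compose.yml (not from the video or from Cloudflare) that pairs cloudflared with a web service. The service names `web` and `cloudflared`, the network name `internal`, and the `nginx:alpine` image are assumptions; the public hostname (e.g. www.example.com) is mapped to `http://web:80` in the Cloudflare dashboard, where Docker's internal DNS resolves `web`.

```yaml
# docker-compose.yml (added example; names are assumptions)
services:
  web:
    image: nginx:alpine
    # No `ports:` block on purpose: the web server is reachable only on the
    # internal Docker network, never from the router or the public internet.
    # The traditional setup this replaces would have needed:
    #   ports: ["80:80", "443:443"]   plus port-forwards on the router.
    networks:
      - internal
    restart: unless-stopped

  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      # Read from a .env file next to this compose file; keep that file
      # out of version control, the token alone is enough to run the tunnel.
      - "TUNNEL_TOKEN=${TUNNEL_TOKEN}"
    # Outbound-only: cloudflared dials Cloudflare's edge, so it publishes
    # no ports either. Inside the dashboard, the public hostname is routed
    # to http://web:80, which resolves through Docker's internal DNS.
    depends_on:
      - web
    networks:
      - internal
    restart: unless-stopped

networks:
  internal:
    driver: bridge
    # Do NOT set `internal: true` here: cloudflared still needs outbound
    # internet access to reach Cloudflare; `internal: true` would cut it off.
```

After `docker compose up -d`, `docker compose ps` should show no published ports for either service; the only path to `web` is through the tunnel.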

Embracing Secure Self-Hosting

Self-hosting offers a unique blend of control, flexibility, and learning opportunities. However, security should always be paramount. Cloudflare Tunnels provide a robust and elegant solution for securing your self-hosted environment.

About me

I'm Mihai Farcas, a software engineer with a few years of experience under my belt. I'm passionate about writing code and love sharing knowledge with fellow developers.

My YouTube channel, "Let's Talk Dev," is where I break down complex concepts and share my experiences (both the good and the face-palm moments).

Connect with me:

Website: https://mihai.ltd
YouTube: https://www.youtube.com/@letstalkdev
GitHub: https://github.com/mihailtd
LinkedIn: https://www.linkedin.com/in/mihai-farcas-ltd/
