The Security-Wise must for selfhosters


Cloudflared
Cloudflare offers a zero-trust security layer for free. After installing their own Docker container, called Cloudflared, it establishes a secure tunnel to their systems. This removes the need for an internal reverse proxy, open ports or even a static IP. On top of that, routing traffic through Cloudflare makes any selfhosted setup, whether in your own office, a server rack or at home, much more secure. It can protect from
scrapers
misconfigured SSL
exposing my own public IP
HTTP protocol level exploits
weak firewalling (a better firewall sits in front of the service)
and many more (some added automatically, more in the paid version)
If security is not what you are looking for, you can still benefit from Cloudflare's cache via their DNS proxy to speed up content-heavy website loads. Image uploads for any website can be transformed using their service (free up to 5k / month) to speed up future loads and cache the content.
Let's not get overwhelmed with Cloudflare, as it offers so much. Here I will show only how to set up a Cloudflared tunnel from TrueNAS.
Requirements
The only thing you need is the server where you run the service.
Additionally you can add your own domains to Cloudflare for DNS management.
Dashboard
Open the Cloudflare dashboard and locate the Networks → Tunnels panel.
Click Create a tunnel. Here you have two options. All that is needed for now is Cloudflared, which establishes the connection down to the service using an outbound connection only. WARP Connector is used by bigger organisations when mesh networking or private VPNs are needed.
To create the tunnel just follow the steps; first, name it. After that you get to choose the environment. They offer a one-click installation command. I am using the TrueNAS app, so I will just retrieve the token for my container to authenticate with.
Installation
In the TrueNAS catalog I chose the Cloudflared app to install. It is just a docker compose template that installs the official Docker image. The token created on the Cloudflare dashboard is passed into this compose file. Upon start the container authorizes itself.
Routing
Now let's not get lost in the dashboard; we were in the tunnel config. My container has access to the internet, but the actual domain does not yet have any endpoint to route to. My web service runs internally on port 49690, so my public hostname has been configured with that service as its backend. It works just like Nginx Proxy Manager but is much more sophisticated. This config also creates the subdomain / domain if you gave Cloudflare access to your DNS records.
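As an added example (not the author's compose file or the TrueNAS app template), here is a compose file that puts cloudflared and the web service on a private Docker network so the service has no host port at all and is reachable only through the tunnel. The service name myweb, its image and the network name are placeholders for your own stack; the token comes from the dashboard step above.

```yaml
# Added example, not from the original post.
# cloudflared and the web service share a private Docker network; the
# web service publishes no host port, so nothing on the TrueNAS host or
# LAN is exposed and the only way in is the outbound-only tunnel.
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      # Token copied from Networks -> Tunnels; keep it in a .env file
      # or the app's secret settings, never in version control.
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    networks:
      - tunnel_net
    restart: unless-stopped

  myweb:
    image: example/myweb:latest   # placeholder for the real service image
    expose:
      - "49690"                   # visible to cloudflared only, not the host
    # deliberately no "ports:" section: port 49690 is not bound on the host
    networks:
      - tunnel_net
    restart: unless-stopped

networks:
  tunnel_net: {}   # default bridge driver; cloudflared still has outbound access
```

In the tunnel's Public Hostname entry, set the service to http://myweb:49690; cloudflared resolves the container by its compose service name. If you keep a "ports:" mapping on the web service, the tunnel adds Cloudflare's protection only for traffic arriving through it, not for direct LAN or router-forwarded access.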
Conclusion
I found the dashboard a bit confusing about what is where, but in the end it was very simple to get so much. Highly recommended for anyone who either cannot open a port on their router or simply wants to increase security.
Written by Marek Čulák