Hey is there any alternatives to CloudFlare reverse proxies? I want to hide my server IP but not share everything with CF…

  • chiisanaA
    link
    English
    225 months ago

    What is your objective for ‘hide server IP’?

    Privacy to disconnect your identity from the service? There is no solution to this. Full stop. Even with Tor, the state backed acronym entities will figure it out if you get on their radar.

    If your objective is to keep your service online, you’re going to be hard pressed to find cost effective alternatives… Commercial solutions are expensive, like, “if you have to ask about the price, you can’t afford it” expensive.

    Alternatively, you can try to roll your own by having many many proxy servers yourself… but if you’ve got a target on your back, you’ll never have enough instances; DDOS-as-a-Service is much cheaper than the amount of reverse proxies required to keep your service online.

    There’s probably other use cases, but chances are, you’d still be hard pressed to find a solution that’s cost effective.

    • foremanguyOP
      link
      fedilink
      English
      -75 months ago

      I would like to access to my server only trough the proxy, like if I put my real IP I end up with nothing, but if I put the proxy IP it show me my server

      • chiisanaA
        link
        English
        195 months ago

        Again, that’s what you’d like to achieve, but why?

        Without the reason, there is no way to provide a useful answer that would adequately address the underlying reason.

        • foremanguyOP
          link
          fedilink
          English
          05 months ago

          Simply to protect my home server from attacks, and serve the content only with the remote server in a datacenter

          • chiisanaA
            link
            English
            255 months ago

            What kind of attacks, against what service?

            DDoS? It’s cheaper to hire botnets to attack than to defend. You’d most likely still be knocked off even just by the amount of traffic that leaks through your proxy before the VM gets cut off at the data centre. Specifically: it is much more likely that data centres will give higher thresholds before null routing your VM than your residential ISP would be wiling to tolerate.

            Brute force on shell? SQL injection? Remote shell execution? Deploying the extra layer will not protect you from these as your own proxy will not give you WAF.

            It is always important to know why you’re doing something, before anyone can prescribe a solution.

            • @KairuByte@lemmy.dbzer0.com
              link
              fedilink
              English
              7
              edit-2
              5 months ago

              Most people are under the impression that their IP being public is somehow super dangerous, and that “hackers will attack me” if it ever gets out. So likely “all the attacks against my entire network.”

              Edit: Secondary thought, they legitimately have unsecured endpoints on their IP, and are hoping no one will notice if they aren’t handing out their IP to others. Still incorrect though.

              • lemmyvore
                link
                fedilink
                English
                05 months ago

                Some ISP don’t rotate IPs so it can end up pinpointing your house very precisely.

            • @peregus@lemmy.world
              link
              fedilink
              English
              1
              edit-2
              5 months ago

              Well, if you use the CloudFlare WAF with login protection (available in the free tier), you’re pretty much safe since the connection doesn’t arrive at your server if you don’t authenticate in CF first (with Gmail, Microsoft, OTP, etc.) @foremanguy92_@lemmy.ml

            • foremanguyOP
              link
              fedilink
              English
              05 months ago

              If I want to host my services to the internet, I need to open a port in my firewall nah? is that not a bit risky than only allow access from the address of the data center to use this open port?

              • chiisanaA
                link
                English
                125 months ago

                You do not strictly need to open a port – tunnelling through another server could be a solution, but let’s park this for a moment.

                What you are describing as “open a port in my firewall” is actually many smaller parts, some key ones that may be relevant are:

                1. (Firewall) Telling your gateway to not drop traffic when someone outside is request to connect to the specified port; and
                2. (Port Forwarding) Telling your gateway to forward traffic from that port to a specific computer’s specific port within the network (i.e.: your computer, port 80)
                3. (Running a service) Having a service (say for example, a web server) running on the specified computer’s specific port answering requests

                All three things (amongst others that’s not immediately relevant here) must be properly setup for any network request to happen. What do I mean by that? I can have a port not drop traffic (i.e.: firewall down). When someone from outside of my network trying to access the port, they’d get to my router, but nothing happens because there’s no where for the packet to go. I can have my firewall down, and port forwarding enabled, but the web server isn’t running. When someone from outside of my network trying to access the port, they’d get to my router, get forwarded to my computer, but because the web server isn’t running, nothing happens. Someone from outside of my network can only gain access to my service (and only that service) only when all three are setup and working together.

                “But what about the hackers?”

                Yes, the untrusted networks, such as the internet, could be a bad place with people with bad intentions. There are many different things they could do to make things undesirable; let’s explore some of them together.

                Say we want to run an instance of Lemmy using a new experimental server software (i.e.: not the official Lemmy server). Now, unfortunately, some racist people decided to come and make racist posts on our instance. A tunnel / proxy doesn’t solve this. Instead, we have to ban their accounts. It may not seem much, and it was completely innocuous to our system, but we’ve just dealt with our first attack.

                One of those racist person happens to be the “scary hacker” type, so they came back and try to brute force our admin account’s password to unban themselves. This is not too bad, but we need to address this somehow. A tunnel / proxy doesn’t solve this; but something like Fail2Ban might be able to look at the login failures and put a temporary IP ban on the attacker.

                They’re back! And this time, they decide to repeatedly hammer the search function, thereby taking all the resources from our database, so our instance cannot serve other users. A tunnel / proxy doesn’t solve this; but some rate limiting configurations in the server application might help.

                They’re not happy about getting rate limited there. So this time, they decided to continuously post garbage to our instance, not even normal requests, just connect to our web server, and spam AAAAAAAAAAAAAA… non stop, at such a quick pace that it fully saturates our network connection, and we cannot do anything else on the network. A tunnel / proxy doesn’t solve this; we’d need to block them from the firewall. This is not entirely true; blocking them at the firewall doesn’t solve the problem, because the traffic still goes from the ISP to the firewall, which will still be saturated before the firewall could drop the traffic, but to use as an example it narrates a potential problem well enough.

                They’re angry now, and they pay a few bucks to botnets to have many many many thousands of infected computers to spam AAAAAAAAA… non stop at our service. Again, a tunnel / proxy doesn’t solve this; we’d need to have something smarter than just our firewall and individually ban the IP addresses. This is where we’d need the professionals with typically commercial offerings.

                It could escalade the other direction. Instead of attacking with aim to take the service down, they could do other damaging things. Say they found a problem with our server software. Instead of giving the /post/<postid> a numeric id, they can do something fancy like /post/1 AND 1 ==1; UPDATE users SET banned = FALSE WHERE username = 'racist-user' and unban themselves. A tunnel / proxy doesn’t solve this; but a Web Application Firewall (WAF) might.

                Now it escalades more. Through a complex chain of intentionally malformed image uploaded to the instance, the image resizer attempting to resize the image, which gets tripped over by the malicious image, which causes a remote code execution, which they use to create a remote access trojan (RAT) shell so they can connect to our server and run commands. This is usually the “big bad” that most people are scared of… someone from outside of their network having access to their system and thus gains the ability to extract their documents or encrypt their photos etc. A tunnel / proxy doesn’t solve this; but a WAF or an anti-virus on the server itself might.

                Through these albeit simplified but lengthy exploration, we see that none of these would actually be addressed by a tunnel / proxy. There are other possible attacks, and they’d require other solutions.

                So, goes back to what I was saying earlier… it is important to know why you’re trying to do something. Blindly prescribing tunnel / proxy doesn’t actually solve the problem.

          • @WolfLink@sh.itjust.works
            link
            fedilink
            English
            5
            edit-2
            5 months ago

            Honestly, if it’s just a small, personal project, just use common sense and take some basic precautions (e.g. use a firewall, use NGINX instead of serving Wordpress directly, etc.).

            Note that CloudFlare doesn’t protect you from everything either - it only provides some very specific services. A rudimentary level of caching images being the most common one a free account level would be able to use.

      • @foggy@lemmy.world
        link
        fedilink
        English
        65 months ago

        Setup a VPN on a VPS. Use traefik and authelia. Authelia will be your authentication portal and traefik will tunnel the traffic from the auth portal to configd locations within the VPN. Get your home network on that VPN.

        Choose VPS provider based on geographic location.

  • @foggy@lemmy.world
    link
    fedilink
    English
    20
    edit-2
    5 months ago

    Sucuri?

    Akamai?

    Kinda depends on what’s going on, price point, etc. is this for DDOS purposes?

    You do not need a CDN, but you have users. So, is this for like, a Plex server, serving friends in a similar geographic region?

    What’s the use case? That will greatly help us answer.

  • @TCB13@lemmy.world
    link
    fedilink
    English
    8
    edit-2
    5 months ago

    @foremanguy92_@lemmy.ml ,

    Step 1: get a cheap VPS, or even a free one (https://www.oracle.com/cloud/free/)

    Step 2: If you’ve a static IP at home great, if you don’t get a dynamic DNS from https://freedns.afraid.org/ or https://www.duckdns.org/

    Step 3: Install nginx on the VPS and configure it as reverse proxy to your home address. Something like this:

    server {
        listen 80;
        server_name example.org; # your real domain name you want people to use to access your website
        location / {
            proxy_pass http://home-dynamic-dns.freeprovider... # replace with your home server IP or Dynamic DNS.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }
    

    Step 4: Point your A record of example.org to your VPS.

    Step 5: there’s a potential security issue with this option: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from and to get around this you can do the following on the home server nginx config:

    http {
    (...)
            real_ip_header    X-Real-IP;
            set_real_ip_from  x.x.x.x; # Replace with the VPS IP address.
    }
    

    This will make sure only the VPS is allowed to override the real IP of the client.

    Step 6: Once your setup works you may increase your security by using SSL / disabling plain HTTP setup letsencrypt in both servers to get valid SSL certificates for real domain and the dynamic DNS one.

    Proceed to disable plain text / HTTP traffic. To do this simply remove the entire server { listen 80 section on both servers. You should replace them with server { listen 443 ssl; so it listens only for HTTPs traffic.

    Step 7: set your home router to allow incoming traffic in port 443 and forward it into the home server;

    Step 8: set the home server’s firewall to only accept traffic coming from outside the LAN subnet on port 443 and if it comes from the VPS IP. Drop everything else.


    Another alternative to this it to setup a Wireguard tunnel between your home server and the VPS and have the reverse proxy send the traffic through that tunnel (change proxy_pass to the IP of the home server inside the tunnel like proxy_pass http://10.0.0.2). This has two advantages: 1) you don’t need to setup SSL at your home server as all the traffic will flow encrypted over the tunnel and 2) will not require to open a local port for incoming traffic on the home network… however it also has two drawbacks: you’ll need a better VPS because WG requires extra processing power and 2) your home server will have to keep the tunnel connected and working however it will fail. Frankly I wouldn’t bother to setup the tunnel as your home server will only accept traffic from the VPS IP so you won’t gain much there in terms of security.

    • chiisanaA
      link
      English
      05 months ago

      Say someone wants to take your service down, you’ve got 500Mbits line at home ISP, and 10Gbits on your VPS; they sends 1Gbits of traffic to your VPS, your VPS happily tries to forward 1Gbits, fully saturating your home ISP line. Now you’re knocked offline.

      Say someone discovers the actual IP, dropping traffic from anything else other than the VPS doesn’t help if they just, again, flood your line with 500Mbits of traffic. The traffic still flows from the ISP to your gateway before they could be dropped.

      Say someone wants to perform SQL injection on your website, there is no WAF in this stack to prevent that.

      Say someone abuses a remote code execution bug from the application you’re hosting in order to create a reverse shell to get into your system, this complex stack introduced doesn’t protect that.

      You’ve provided a comprehensive guide, and I don’t want to single you out for being helpful, but I must ask: What problem does this solve, and does OP actually have the problem this stack can solve? From the replies we’ve seen in this thread, OP doesn’t have sufficient understanding to the full scope of the situation. Prescribing a well intended solution might be helpful, but it gives a false sense of security that doesn’t really help with the full picture.

      • @Auli@lemmy.ca
        link
        fedilink
        English
        45 months ago

        The chances someone is going to DDOS a residential IP is small as important as you think you are nobody cares about taking down someones plex server.

      • @TCB13@lemmy.world
        link
        fedilink
        English
        15 months ago

        You aren’t wrong but the things you’re mentioned are always an issue, even if he was running the entire website on a VPS.

        VPS happily tries to forward 1Gbits, fully saturating your home ISP line. Now you’re knocked offline.

        Yeah, but at the same time any VPS provider worth it will have some kind os firewalling in place and block a DDoS like that one. People usually don’t ever notice this but big providers actually have those measures in place and do block DDoS attacks without their customers ever noticing. If they didn’t hackers would just overrun a few IPs and take all the bandwidth the provider has and take their all their customers down that way.

        I’m not saying anyone should actually rely only on the VPS provider ability to block such things but it’s still there.

        The OP should obviously take a good read at nftables rate limiting options and fail2ban. This should be implemented both at the VPS and his home server to help mitigate potential DDoS attacks.

        Say someone abuses a remote code execution bug from the application you’re hosting in order to create a reverse shell to get into your system, this complex stack introduced doesn’t protect that.

        It doesn’t and it was never supposed to mitigate that as the OP only asked for a way to reverse proxy / hide is real IP.

        • chiisanaA
          link
          English
          1
          edit-2
          5 months ago

          You aren’t wrong, but that’s also the point… It makes no difference if they’re securing a VPS or their own network. In fact, they’d need to secure both systems — and I’ve seen so many neglected VPS’s in my time… I’ll be the first to admit: myself included.

          There are very valid reasons to need a tunnel; CGNAT, ISP level port blocking, network policies (ie campus dorm), etc etc etc. However, if you read the other replies, this doesn’t seem to be the case here, and OP doesn’t seem to even know why they’re hiding their IP. They just wanted to do it because of some loose notion that it may be nice since they’re opening up their port.

          For someone in that situation, introducing a whole stack that punches through the firewall via an VPN or alike introduces way more risk than just securing down the gateway directly, and handle the other issues as they come up.

  • rand_alpha19
    link
    fedilink
    85 months ago

    You could try Tailscale? It creates a secure tunnel to your server so you don’t have to connect it to the internet. Not sure if that checks all your boxes though.

    • @machinin@lemmy.world
      link
      fedilink
      English
      15 months ago

      I was looking into Tailscale, but it got me a little worried. I’m not very knowledgeable, so I hope someone can correct me

      They don’t allow ssh, so you have to give your keys over them and they manage your ssh connection? That seems idiotic. Surely that can’t be correct?

      I’m my use case, I was wanting to rsync to an off-site Synology from a Linux box. Synology also doesn’t allow ssh over their VPN service - frustrating.

      • rand_alpha19
        link
        fedilink
        35 months ago

        I’m not really knowledgeable about it, but there is an article from Tailscale that explains how they use SSH (basically it creates a separate SSH server specifically for Tailnet traffic). From what I understand, this feature is relatively new.

        You may also want to look into Tailnet lock.

      • folkrav
        link
        fedilink
        English
        3
        edit-2
        5 months ago

        Pretty much the only thing I use Tailscale for is remotely SSHing from my phone to my home NAS, and they definitely don’t manage my keys. They do have a “Tailscale SSH” feature I don’t use…

      • @node815@lemmy.world
        link
        fedilink
        English
        15 months ago

        You can always use something like SSHwifty It retains your logins through your browser’s session data and never on your server, but it will allow you to remote into your local system from anywhere on the WWW if you desire to do so. With Tailscale, once you are connected into your Tailnet, you can pretty much SSH into any of your devices as long as the subnet sharing flag is turned on I believe. I’ve never had any issues with mine not allowing any SSH connections.

    • foremanguyOP
      link
      fedilink
      English
      05 months ago

      But I need to configure something on the client side… I want people to access my server as they access their Instagram account

      • rand_alpha19
        link
        fedilink
        35 months ago

        Then you can’t “hide” your server IP without a VPS/VPN set up. Maybe I’m not understanding what you’re asking? Your public IP is visible to any machine you connect to and that includes Cloudflare’s servers.

        Are you worried about copyright or something? This isn’t legal advice, but I doubt they give a shit unless you’re hosting content illegally for a large number of people. Obviously, only take the risk if you are comfortable with the potential consequences where you live.

  • @jubilationtcornpone@sh.itjust.works
    link
    fedilink
    English
    65 months ago

    Set up a VPS. Create a VPN tunnel from you local network to the VPS. Use the VPS as the edge router by opening ports on the VPS firewall and routing incoming traffic on those ports through the VPN tunnel to servers on your local network.

    I used to do this to get around CGNAT. I ran RouterOS in a Digital Ocean droplet and setting up a wire guard tunnel between it and my local Mikrotik router.

    It will obscure your local WAN IP and give you a static IP but that’s about the only benefit. And you have to be pretty network savvy to configure it correctly.

    It does not make you immune to DDoS attacks and is honestly more headache to maintain (albeit just a small headache).

    • SayCyberOnceMore
      link
      fedilink
      English
      15 months ago

      Not heard of RouterOS before … <quick search> I didn’t realise jad released firmware that would run in a normal VM… don’t suppose you have anything to compare it to pfSense?

      • @jubilationtcornpone@sh.itjust.works
        link
        fedilink
        English
        3
        edit-2
        5 months ago

        They do maintain an x86 build. I haven’t used pfSense but I have used OpnSense so that’s that closest thing I have to compare it to. I think the upside and downside to RouterOS/Mikrotik is the same thing: it allows very granular control over almost everything. Maybe to a fault. It’s probably overkill for most home networks.

    • 𝓢𝓮𝓮𝓙𝓪𝔂𝓔𝓶𝓶
      link
      fedilink
      English
      15 months ago

      DDOS protection is going to depend on the VPS. But for most services you could spin up a pretty lean Debian vm running a proxy like nginx proxy manager and run that over the tunnel. Something like opnsense seems like overkill.

  • @breakingcups@lemmy.world
    link
    fedilink
    English
    55 months ago

    Depends on why you want to hide your server ip, what’s your use case? Is it to protect against DDOS?

    Cloudflare is evil, but is there any other party you would trust to share everything with?

    • foremanguyOP
      link
      fedilink
      English
      2
      edit-2
      5 months ago

      Do you something like a vps would be more secure? Paying some dollars a month

      • Toes♀
        link
        fedilink
        English
        25 months ago

        I like that idea.

        I’d suggest OVH or Digital Ocean.

        If you think a DDoS attack is possible I’d suggest azure for that.

        • @tal@lemmy.today
          link
          fedilink
          English
          2
          edit-2
          5 months ago

          I’d probably use a VPS myself.

          I seem to recall db0 saying that lemmy.dbzer0.com is behind some sort of reverse proxy. I assume that they’re in the same boat as OP.

          looks

          $ host -t a lemmy.dbzer0.com
          lemmy.dbzer0.com has address 51.77.203.116
          $ whois 51.77.203.116
          [snip]
          role:           OVH Technical Contact
          address:        OVH SAS
          address:        2 rue Kellermann
          address:        59100 Roubaix
          address:        France
          admin-c:        OK217-RIPE
          tech-c:         GM84-RIPE
          tech-c:         SL10162-RIPE
          nic-hdl:        OTC2-RIPE
          abuse-mailbox:  abuse@ovh.net
          mnt-by:         OVH-MNT
          created:        2004-01-28T17:42:29Z
          last-modified:  2014-09-05T10:47:15Z
          source:         RIPE # Filtered
          
          % Information related to '51.77.0.0/16AS16276'
          
          route:          51.77.0.0/16
          origin:         AS16276
          mnt-by:         OVH-MNT
          created:        2018-03-07T09:24:45Z
          last-modified:  2018-03-07T09:24:45Z
          source:         RIPE
          $
          

          I don’t know if that’s a VPS, but looks like they’re using OVH.

          • Pup Biru
            link
            fedilink
            English
            35 months ago

            a reverse proxy these days is pretty much just a requirement of any dynamic service. they often run on the same host as the software

              • Pup Biru
                link
                fedilink
                English
                15 months ago

                it’s possible, but that would seem… odd… for such a large and tech-savvy instance. there’s a lot of reasons why this isn’t a good idea, and very few technical reasons why it is

                my guess is that it’s less about obscuring server location for privacy reasons as is the implications in this thread, and more about handling changes cleanly or something like that - in which case, sure it obscures the server location but more that it makes the server “location” (or hardware, etc) irrelevant and fungible

  • @solrize@lemmy.world
    link
    fedilink
    English
    45 months ago

    Do you want something that also has CDN like Cloudflare? Bunny.net is good, but way more expensive than a cheap VPS if you use a lot of traffic.

    • foremanguyOP
      link
      fedilink
      English
      25 months ago

      No I don’t need a CDN only a way to hide my IP to final users and that nobody can use my real IP to connect to my server

    • foremanguyOP
      link
      fedilink
      English
      25 months ago

      So I need to have always the same exit node, need to connect to the server via an other IP and only this server know my ip

      • @axzxc1236@lemm.ee
        link
        fedilink
        English
        45 months ago

        AFAIK tor websites (onion service) doesn’t require exit node, and no one knows your IP unless you are unlucky enough all nodes you connected are controlled by same entity.

        • foremanguyOP
          link
          fedilink
          English
          25 months ago

          But the speeds are much slower nah? And can I host “normal” website trough Tor?

  • @Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    2
    edit-2
    5 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CF CloudFlare
    CGNAT Carrier-Grade NAT
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    IP Internet Protocol
    NAS Network-Attached Storage
    NAT Network Address Translation
    Plex Brand of media server package
    SSH Secure Shell for remote terminal access
    SSL Secure Sockets Layer, for transparent encryption
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    nginx Popular HTTP server

    12 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

    [Thread #803 for this sub, first seen 15th Jun 2024, 10:35] [FAQ] [Full list] [Contact] [Source code]