this post was submitted on 17 Jun 2023
12 points (92.9% liked)

Selfhosted

40441 readers
867 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi, I wanted to host a personal Lemmy instance online (for just myself, I don't think I can take the upkeep for other users - please let me know if this is not possible) and wanted to understand how to "attach" a CDN service to it.

The idea behind doing this is that I'm in the US but I'm looking to host a server in Europe. I am looking into Cloudflare's free CDN service, but it would be great if someone could point me towards how I can configure this setup to speed up the loading time for my Lemmy instance (which is going to be far away from me, geographically).

I would also like to know about your setups and how you have hosted Lemmy.

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Hi, thanks a bunch for your comment. I love trying to understand the inner workings of more complex networking.

To be able to control this better, they need to have control over the DNS record.

Could you detail on how using their nameservers helps them control the allocation of proxies and other infrastructure better? I'm probably asking a stupid question but I really want to connect the dots. I want to know how using their nameservers enables them to proxy my traffic, and what technical limitations are present such that they won't be able to proxy my traffic if I don't use their nameservers (which btw is not true, because if you are an enterprise customer they have a provision where you can just get a CNAME instead of using their nameserver and it will still work - but for the sake of this discussion I will assume that it won't be possible to proxy traffic without their nameservers. I just want to know why).

Well, technically using Cloudflare isn't the most private thing one can do (I have a feeling they ask free account holders to use their nameservers because they can then run analytics on the data, which is fine. It's "free"), and eventually I'd like to use my own VPS instance as a reverse proxy into my network (to access it from outside) instead of having to use a Cloudflare proxy. However, when strictly speaking of CDN infrastructure, I have no problems with using Cloudflare, since there is no chance of me coming up with infrastructure on my own anyway.

I didn't realise that Cloudflare acts as a MiTM: this is new for me. I would love if you could explain further (or point me to a resource that does) and how this ties in with using Cloudflare as a proxy/CDN setup.

Thanks!

[–] [email protected] 2 points 1 year ago (1 children)

The reasons for having to use their nameservers is probably about getting some data in the process. But DNS queries are quite harmless compared to the MITM issue for the actual traffic.

Traffic proxied via CF uses their TLS certificates. Look up how HTTPS works, and you'll understand that it means the encryption is terminated at Cloudflare.

For the record, CF DNS infrastructure is really solid. For something already public anyway, I'd use their services in a heartbeat. You get some WAF features and can add firewall rules like geoblocking, even on the free tier.

For sensitive data, I probably wouldn't use the proxy service.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Ah, I think I'm starting to understand. Since they ask you to replace the default certificates with Cloudflare specific certificates, in order for these certificates to be authorised, the nameserver needs to be from CF.

But then, if they were to not use their own specific certificate, this would not be a limitation, yes? (As I imagine is the case with the more premium plans). In the case of the premium plans, how do they secure traffic and provide proxy/CDN services with just a CNAME?

[–] [email protected] 2 points 1 year ago (1 children)

A CNAME is just a DNS record that points to another DNS record, technically they could allow it for free users too.

I'd guess the point is they get info on what free users do with their DNS, to help make their paid services more appealing.

No offense, but you might be seriously overthinking this.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Ah, perfect. My hypothesis was correct!

Haha, I'm aware I'm probably trying to delve deeper than most users, but I really want to understand the technology I plan to use. I am also very interested in Networking and such concepts intrigue me!

Could you tell me how proxying traffic would work if they just asked the user to create a CNAME rather than using their nameservers? I still can't figure this part out.

My apologies for asking so many questions, but I just can't seem to rest till I wrap my head around this :)

[–] [email protected] 2 points 1 year ago (1 children)

No need to apologize.

You'd create a CNAME for myservice.mydomain.com, that points to proxynearorigin.cloudflare.com.

proxynearorigin.cloudflare.com contains the A and AAAA records for the reverse proxy servers. When you do a DNS query for myservice.mydomain.com, it will (eventually) resolve to the CF proxy IPs.

The CF proxies see from the traffic that you originally requested myservice.mydomain.com and serve your content based on that. This still requires you to tell Cloudflare where the origin server is so the reverse proxies can connect to it.

On the free service instead of the CNAME you set the origin server's IP as the A and/or AAAA record. Enabling the proxy service actually changes this so that when someone makes a DNS query to myservice.mydomain.com they get the proxy addresses straight as A and AAAA records, leaving the IP you originally configured known only to Cloudflare internally.

It's hard to explain this, and since I don't work at Cloudflare the details may be off too. The best way to get an idea is play around with something like NGINX and run a local DNS server (Bind, Unbound, dnsmasq, PiHole...) and see for yourself how the DNS system works.

CDN isn't really related to DNS at all. In the case of the CF free tier, it's actually more like caching static content, which is technically a bit different. A CDN is a service that replicates said static content to multiple locations on high-performant servers, allowing the content to always be served from close to to the client. Where DNS comes in is that Anycast is probably used, and cdn.cloudflare.com actually resolves to different IPs depending on where the DNS query is made from.

There's also the chance that I don't actually know what I'm talking about, but luckily someone will most likely correct me if that's the case. :)

[–] MigratingtoLemmy 1 points 1 year ago

Thank you so much. This was very helpful, I am finally clear on what CloudFlare is doing. I can't tell you how happy I am to have understood what is going on behind-the-scenes. Your explanation makes perfect sense, my guess was similar to your explanation on how this works in the free-tier, but I just wasn't able to figure out how they would do it in the more premium tiers. Thanks you so much again!

Cheers