this post was submitted on 15 Jun 2024
50 points (89.1% liked)

Selfhosted

40425 readers
517 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hey is there any alternatives to CloudFlare reverse proxies? I want to hide my server IP but not share everything with CF...

all 50 comments
sorted by: hot top controversial new old
[–] [email protected] 22 points 5 months ago (12 children)

What is your objective for ‘hide server IP’?

Privacy to disconnect your identity from the service? There is no solution to this. Full stop. Even with Tor, the state backed acronym entities will figure it out if you get on their radar.

If your objective is to keep your service online, you’re going to be hard pressed to find cost effective alternatives… Commercial solutions are expensive, like, “if you have to ask about the price, you can’t afford it” expensive.

Alternatively, you can try to roll your own by having many many proxy servers yourself… but if you’ve got a target on your back, you’ll never have enough instances; DDOS-as-a-Service is much cheaper than the amount of reverse proxies required to keep your service online.

There’s probably other use cases, but chances are, you’d still be hard pressed to find a solution that’s cost effective.

load more comments (12 replies)
[–] foggy 20 points 5 months ago* (last edited 5 months ago)

Sucuri?

Akamai?

Kinda depends on what's going on, price point, etc. is this for DDOS purposes?

You do not need a CDN, but you have users. So, is this for like, a Plex server, serving friends in a similar geographic region?

What's the use case? That will greatly help us answer.

[–] TCB13 8 points 5 months ago* (last edited 5 months ago) (1 children)

@[email protected] ,

Step 1: get a cheap VPS, or even a free one (https://www.oracle.com/cloud/free/)

Step 2: If you've a static IP at home great, if you don't get a dynamic DNS from https://freedns.afraid.org/ or https://www.duckdns.org/

Step 3: Install nginx on the VPS and configure it as reverse proxy to your home address. Something like this:

server {
    listen 80;
    server_name example.org; # your real domain name you want people to use to access your website
    location / {
        proxy_pass http://home-dynamic-dns.freeprovider... # replace with your home server IP or Dynamic DNS.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
}

Step 4: Point your A record of example.org to your VPS.

Step 5: there's a potential security issue with this option: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from and to get around this you can do the following on the home server nginx config:

http {
(...)
        real_ip_header    X-Real-IP;
        set_real_ip_from  x.x.x.x; # Replace with the VPS IP address.
}

This will make sure only the VPS is allowed to override the real IP of the client.

Step 6: Once your setup works you may increase your security by using SSL / disabling plain HTTP setup letsencrypt in both servers to get valid SSL certificates for real domain and the dynamic DNS one.

Proceed to disable plain text / HTTP traffic. To do this simply remove the entire server { listen 80 section on both servers. You should replace them with server { listen 443 ssl; so it listens only for HTTPs traffic.

Step 7: set your home router to allow incoming traffic in port 443 and forward it into the home server;

Step 8: set the home server's firewall to only accept traffic coming from outside the LAN subnet on port 443 and if it comes from the VPS IP. Drop everything else.


Another alternative to this it to setup a Wireguard tunnel between your home server and the VPS and have the reverse proxy send the traffic through that tunnel (change proxy_pass to the IP of the home server inside the tunnel like proxy_pass http://10.0.0.2). This has two advantages: 1) you don't need to setup SSL at your home server as all the traffic will flow encrypted over the tunnel and 2) will not require to open a local port for incoming traffic on the home network... however it also has two drawbacks: you'll need a better VPS because WG requires extra processing power and 2) your home server will have to keep the tunnel connected and working however it will fail. Frankly I wouldn't bother to setup the tunnel as your home server will only accept traffic from the VPS IP so you won't gain much there in terms of security.

[–] [email protected] 0 points 5 months ago (2 children)

Say someone wants to take your service down, you've got 500Mbits line at home ISP, and 10Gbits on your VPS; they sends 1Gbits of traffic to your VPS, your VPS happily tries to forward 1Gbits, fully saturating your home ISP line. Now you're knocked offline.

Say someone discovers the actual IP, dropping traffic from anything else other than the VPS doesn't help if they just, again, flood your line with 500Mbits of traffic. The traffic still flows from the ISP to your gateway before they could be dropped.

Say someone wants to perform SQL injection on your website, there is no WAF in this stack to prevent that.

Say someone abuses a remote code execution bug from the application you're hosting in order to create a reverse shell to get into your system, this complex stack introduced doesn't protect that.

You've provided a comprehensive guide, and I don't want to single you out for being helpful, but I must ask: What problem does this solve, and does OP actually have the problem this stack can solve? From the replies we've seen in this thread, OP doesn't have sufficient understanding to the full scope of the situation. Prescribing a well intended solution might be helpful, but it gives a false sense of security that doesn't really help with the full picture.

[–] [email protected] 4 points 5 months ago

The chances someone is going to DDOS a residential IP is small as important as you think you are nobody cares about taking down someones plex server.

[–] TCB13 1 points 5 months ago (1 children)

You aren't wrong but the things you're mentioned are always an issue, even if he was running the entire website on a VPS.

VPS happily tries to forward 1Gbits, fully saturating your home ISP line. Now you’re knocked offline.

Yeah, but at the same time any VPS provider worth it will have some kind os firewalling in place and block a DDoS like that one. People usually don't ever notice this but big providers actually have those measures in place and do block DDoS attacks without their customers ever noticing. If they didn't hackers would just overrun a few IPs and take all the bandwidth the provider has and take their all their customers down that way.

I'm not saying anyone should actually rely only on the VPS provider ability to block such things but it's still there.

The OP should obviously take a good read at nftables rate limiting options and fail2ban. This should be implemented both at the VPS and his home server to help mitigate potential DDoS attacks.

Say someone abuses a remote code execution bug from the application you’re hosting in order to create a reverse shell to get into your system, this complex stack introduced doesn’t protect that.

It doesn't and it was never supposed to mitigate that as the OP only asked for a way to reverse proxy / hide is real IP.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

You aren’t wrong, but that’s also the point… It makes no difference if they’re securing a VPS or their own network. In fact, they’d need to secure both systems — and I’ve seen so many neglected VPS’s in my time… I’ll be the first to admit: myself included.

There are very valid reasons to need a tunnel; CGNAT, ISP level port blocking, network policies (ie campus dorm), etc etc etc. However, if you read the other replies, this doesn’t seem to be the case here, and OP doesn’t seem to even know why they’re hiding their IP. They just wanted to do it because of some loose notion that it may be nice since they’re opening up their port.

For someone in that situation, introducing a whole stack that punches through the firewall via an VPN or alike introduces way more risk than just securing down the gateway directly, and handle the other issues as they come up.

[–] [email protected] 6 points 5 months ago (2 children)

Set up a VPS. Create a VPN tunnel from you local network to the VPS. Use the VPS as the edge router by opening ports on the VPS firewall and routing incoming traffic on those ports through the VPN tunnel to servers on your local network.

I used to do this to get around CGNAT. I ran RouterOS in a Digital Ocean droplet and setting up a wire guard tunnel between it and my local Mikrotik router.

It will obscure your local WAN IP and give you a static IP but that's about the only benefit. And you have to be pretty network savvy to configure it correctly.

It does not make you immune to DDoS attacks and is honestly more headache to maintain (albeit just a small headache).

[–] [email protected] 1 points 5 months ago (1 children)

Not heard of RouterOS before ... I didn't realise jad released firmware that would run in a normal VM... don't suppose you have anything to compare it to pfSense?

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago) (1 children)

They do maintain an x86 build. I haven't used pfSense but I have used OpnSense so that's that closest thing I have to compare it to. I think the upside and downside to RouterOS/Mikrotik is the same thing: it allows very granular control over almost everything. Maybe to a fault. It's probably overkill for most home networks.

[–] [email protected] 1 points 5 months ago

Ok, thanks... Good to know for a rainy day.

[–] [email protected] 1 points 5 months ago

DDOS protection is going to depend on the VPS. But for most services you could spin up a pretty lean Debian vm running a proxy like nginx proxy manager and run that over the tunnel. Something like opnsense seems like overkill.

[–] breakingcups 5 points 5 months ago (1 children)

Depends on why you want to hide your server ip, what's your use case? Is it to protect against DDOS?

Cloudflare is evil, but is there any other party you would trust to share everything with?

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago) (1 children)

Do you something like a vps would be more secure? Paying some dollars a month

[–] [email protected] 2 points 5 months ago (1 children)

I like that idea.

I'd suggest OVH or Digital Ocean.

If you think a DDoS attack is possible I'd suggest azure for that.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago) (1 children)

I'd probably use a VPS myself.

I seem to recall db0 saying that lemmy.dbzer0.com is behind some sort of reverse proxy. I assume that they're in the same boat as OP.

looks

$ host -t a lemmy.dbzer0.com
lemmy.dbzer0.com has address 51.77.203.116
$ whois 51.77.203.116
[snip]
role:           OVH Technical Contact
address:        OVH SAS
address:        2 rue Kellermann
address:        59100 Roubaix
address:        France
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
tech-c:         SL10162-RIPE
nic-hdl:        OTC2-RIPE
abuse-mailbox:  [email protected]
mnt-by:         OVH-MNT
created:        2004-01-28T17:42:29Z
last-modified:  2014-09-05T10:47:15Z
source:         RIPE # Filtered

% Information related to '51.77.0.0/16AS16276'

route:          51.77.0.0/16
origin:         AS16276
mnt-by:         OVH-MNT
created:        2018-03-07T09:24:45Z
last-modified:  2018-03-07T09:24:45Z
source:         RIPE
$

I don't know if that's a VPS, but looks like they're using OVH.

[–] [email protected] 3 points 5 months ago (1 children)

a reverse proxy these days is pretty much just a requirement of any dynamic service. they often run on the same host as the software

[–] [email protected] 2 points 5 months ago (1 children)

Aight, but db0 had something about it obscuring the server location, IIRC.

[–] [email protected] 1 points 5 months ago

it’s possible, but that would seem… odd… for such a large and tech-savvy instance. there’s a lot of reasons why this isn’t a good idea, and very few technical reasons why it is

my guess is that it’s less about obscuring server location for privacy reasons as is the implications in this thread, and more about handling changes cleanly or something like that - in which case, sure it obscures the server location but more that it makes the server “location” (or hardware, etc) irrelevant and fungible

[–] solrize 4 points 5 months ago (1 children)

Do you want something that also has CDN like Cloudflare? Bunny.net is good, but way more expensive than a cheap VPS if you use a lot of traffic.

[–] [email protected] 2 points 5 months ago (1 children)

No I don't need a CDN only a way to hide my IP to final users and that nobody can use my real IP to connect to my server

[–] jelloeater85 2 points 5 months ago

Literally cloudflare tunnel, sorry my dude.

[–] [email protected] 3 points 5 months ago (1 children)
[–] [email protected] 2 points 5 months ago (1 children)

So I need to have always the same exit node, need to connect to the server via an other IP and only this server know my ip

[–] [email protected] 4 points 5 months ago (1 children)

AFAIK tor websites (onion service) doesn't require exit node, and no one knows your IP unless you are unlucky enough all nodes you connected are controlled by same entity.

[–] [email protected] 2 points 5 months ago (1 children)

But the speeds are much slower nah? And can I host "normal" website trough Tor?

[–] [email protected] 3 points 5 months ago

Yes, speed would be much slower.

Yes, you can host a normal website through tor.

[–] [email protected] 3 points 5 months ago

If for personal access only, ZeroTier might solve your use case.

[–] [email protected] 3 points 5 months ago

VPS with Wireguard

[–] [email protected] 2 points 5 months ago

Perhaps NetBird, ZeroTier or Tailscale? If you want to make a service available publicly, check out Tailscale Funnel.

[–] [email protected] 2 points 5 months ago

Very confused by the answers here. Anyway, check this list: https://github.com/anderspitman/awesome-tunneling

I personally used frp many years ago and it worked great.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAS Network-Attached Storage
NAT Network Address Translation
Plex Brand of media server package
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

12 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

[Thread #803 for this sub, first seen 15th Jun 2024, 10:35] [FAQ] [Full list] [Contact] [Source code]

[–] bin_bash 1 points 5 months ago

I used boringproxy for years and I recomend you