this post was submitted on 17 Jun 2023
12 points (92.9% liked)

Selfhosted

40404 readers
816 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi, I wanted to host a personal Lemmy instance online (for just myself, I don't think I can take the upkeep for other users - please let me know if this is not possible) and wanted to understand how to "attach" a CDN service to it.

The idea behind doing this is that I'm in the US but I'm looking to host a server in Europe. I am looking into Cloudflare's free CDN service, but it would be great if someone could point me towards how I can configure this setup to speed up the loading time for my Lemmy instance (which is going to be far away from me, geographically).

I would also like to know about your setups and how you have hosted Lemmy.

Thanks!

top 39 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 1 year ago (1 children)

Quick question: why? Why not choose to host a server in the US, near it's "costumer base"?

If you're doing it for the exercise, fine (though I think you'll find that cloud flare is pretty hands-off and you basically just click a few buttons).

If you're genuinely looking to improve cross-planet load times, I regret to inform you that a personal Lemmy instance is very much not a good target for this. A CDN works by hosting whatever parts of your site you can nearer to the people who will request them. For a huge company like discord, this means that when you upload an image to a server, they will sum up all users likely to load that image soon, find where they are and send a copy of that image nearby, saving on intercontinental traffic. They get to do this because they have many users, and they control the CDN (because they built it).

You on the other hand, are going to ask cloud flare nicely to do all of this for you. Since you aren't paying, cloud flare is going to try to do this automatically and without cooperation from your software. This means that cloud flare will basically only try to cache parts of Lemmy that are static, so really only the page layout and that's about it. Ultimately, the Lemmy website for your instance might load a little bit faster, but posts can't be predicted and so those will have to go cross-continental on a cache miss.

The other advantage this affords is that anyone interested in taking down your instance will have to take it up with cloud flare. If the way they're trying is brute force, they will fail where they would have succeeded against just your server. If their way of doing it is through legal threats, they might have better luck (though cloud flare tries to remove itself from a position where they have to police what their service can be used for, my opinion is that it is a matter of time before they are forced to).

[–] MigratingtoLemmy 4 points 1 year ago (2 children)

Thank you for the wonderful comment!

The only reason I'm looking to host in Europe is because of the prices: this server will not allow for sign-ups (i.e. it will only be for me). I will likely only need 1GB of RAM and very little CPU power to get this to work. The prices in Europe for low-cost VPSes are better than in the US. I don't actually care about which country/continent I'm hosting it in, this decision was purely financial.

I have a question: I believe I can set Lemmy to auto-sync content from communities I'm interested in (I can set the frequency for the auto-sync) - would it be possible for Cloudflare to cache the content if it is already in the database of my Lemmy instance? I know that CDNs can only really cache static content but I do not know enough about CDNs/Cloud Networking in general to be able to figure out just what it would be able to cache.

Thank you, yes I had the protections offered by Cloudflare in mind when I asked this question. I do not plan to do anything illegal so I hope I'll be fine.

Could you also tell me why Cloudflare asks me to change the authoritative nameservers on my registrar's page to their nameservers? I think my networking is getting a bit rusty, I really can't figure it out.

One more thing; is there a difference in configuring a Cloudflare CDN vs a Cloudflare reverse-proxy for a VPS instance? I see people in c/homelab talk about this but I never really delved into it, but if I could access my network remotely using this it would a great bonus.

Thanks!

[–] [email protected] 4 points 1 year ago (2 children)

Adding to the hetzner comment: I think AWS has free very crappy servers. If you're a student, the Github Student Pack has free digitalocen credits.

In theory, cloud flare could pre-cache content before you request it. Unfortunately, that would require significant effort from Lemmy to let cloud flare know that there is new content, and then it would be up to cloud flare to decide to cache it for 1 client. Both these things aren't happening.

CF needs to dynamically control where requests for your server end up, and for that they need to be the authoritative DNS for it.

Cloud flare indeed acts as a reverse proxy (because that's how CDNs work), but unlike a self-hosted reverse proxy, theirs will be on their servers, so will not have much more more access to your network than yourself outside of it. I think they have some sort of offering to actually give your more access, but A) idk if that's free and B) that requires an always-on computer in your local network, at which point why not just host your Lemmy instance on it?

[–] [email protected] 2 points 1 year ago (1 children)

Another option for very cheap VM, storage, bandwidth: Oracle Free Forever

https://www.oracle.com/cloud/free/

[–] [email protected] 2 points 1 year ago

Wasn't aware of that since I both have my own server and happen to despise oracle but good for people who need cheap compute!

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Thank you for your comment!

I am opting for the very low cost providers like Racknerd and CloudServer (see: $1 VPS offerings) - which host most of their servers outside the US.

Thank you for the explanation, I would like to know more about the "effort" from Lemmy's side to let Cloudflare cache content before it is requested.

CF needs to dynamically control where requests for your server end up, and for that they need to be the authoritative DNS for it.

Could you explain this point a bit more? Why would Cloudflare need to control DNS for my domain? How is this linked to them proxying my traffic? I've been trying to understand this for a bit now - how does having CF's own nameservers let CF proxy my traffic?

I was also considering hosting Lemmy in my own network, but I can't seem to find any guides on which ports to forward - if I could just find a decent guide on the networking required to host Lemmy I might even do it on-prem.

Thanks a bunch!

[–] Perhyte 2 points 1 year ago* (last edited 1 year ago) (1 children)

Using Cloudflare nameservers helps to proxy your traffic because if proxying is enabled ("orange cloud") those servers aren't handing out your IP address to people who request your domain, they're handing out addresses belonging to Cloudflare machines near the visitor instead. They have machines in data centers all around the world, and they would like the traffic to end up in the data center closest to where it's needed.

Doing that means they can do stuff like reduce cross-region network traffic: for instance, if your VPS is in Europe but a bunch of visitors from the US suddenly request a certain image on your site (because you've just posted to a popular community, perhaps), they only need to have that image data cross the Atlantic once before they can serve it up many times in the US. Besides saving bandwidth that also allows it to be served faster to most visitors, because most requests for it are effectively served from a local data center instead of from one on another continent. They'll also continue to be able to serve your image even when your VPS is down for whatever reason, as long as it's already in cache.

Theoretically they could probably do all of that using CNAME records instead, I don't know why they don't. Maybe there's some technical reason or maybe they just prefer this slightly simpler setup. I suppose it would add an extra DNS roundtrip, but that wouldn't really be noticeable to most users.

(Most of that is probably oversimplified and but hopefully that clarifies it a bit)

[–] MigratingtoLemmy 1 points 1 year ago

Thank you, I got the gist of it now!

[–] kinttach 2 points 1 year ago* (last edited 1 year ago)

Hetzner (a popular European host) now has US locations and their pricing is really good. Look for hetzner.com - which is in English instead of hetzner.de, their native German site.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Buy your domain with cloudflare, or transfer it over to them. Then just set up dns to point to you server and make sure the proxy switch is on. Pretty sure that's all you need to do at the free tier

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Hi, can I purchase my domain elsewhere? The other commenter mentioned something about changing nameservers, how would the process you describe be different from just changing nameservers (if I have a domain name from a different provider)?

[–] [email protected] 2 points 1 year ago (1 children)

It's basically the same. Like they said, you just follow the intructions on cloudflare to change the name servers on your registrar and then you're good

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Thank you for your comment. I'm going through the cloudflare docs, and I have a question: why do we need to change our nameservers to Cloudflare's? I know this might sound like a noob networking question but I just can't seem to figure it out. Thanks!

[–] [email protected] 1 points 1 year ago (1 children)

No problem! You change the name servers on your registrar to cloudflare's so that when traffic goes to your.domain, cloudflare is the one that processes the dns request.

If you kept the name servers of your registrar then the traffic would just be processed by the registrar, cloudflare wouldn't even see the traffic.

Basically the name server defines your domain's current dns provider.

Hope that makes sense

[–] MigratingtoLemmy 1 points 1 year ago (2 children)

Ah, this is what I'm confused about. I get that traffic would need to flow through Cloudflare's network, but why would Cloudflare require me to change my nameserver for that? How about a CNAME alias instead? What are the technical limitations for which Cloudflare asks this of me? I just want to understand the working behind them asking me to change my nameservers.

Thanks!

[–] [email protected] 1 points 1 year ago (1 children)

When you make a dns request, it goes to the nameservers first to see which server is has the dns config. A CNAME record is in the dns config

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

I'm sorry, what I don't understand is how does changing my nameservers to cloudflare's nameservers help propagating my traffic through their CDN infrastructure?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Because changing your nameservers to cloudflare's allows you to use their DNS service, which comes with the CDN infrastructure.

Here is the cloudflare dns for my lemmy server's domain:

The switch where it says proxied means that I am using the CDN to obfuscate the real IP of the server.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Thank you, but I'm still having trouble understanding the technical reason for Cloudflare to require users to change their nameservers. Let me try and summarise what I understand:

When a user changes their nameservers to Cloudflare nameservers, all requests to the domain are routed to Cloudflare's DNS endpoints. Because we are using a CDN (and are proxying traffic to our site through Cloudflare), the CDN endpoint (because it is the proxy) intercepts all traffic directed towards our domain. If we were to not change the nameservers for our domain to Cloudflare's nameservers, Cloudflare would not be able to link our domain to the specific CDN endpoint it has likely set up for us at the back-end, which would defeat the purpose of the CDN and the proxying wouldn't work.

Do I understand this correctly?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Pretty much yes.

If you want a more in-depth explanation of DNS and how nameservers work etc check out this article from cloudflare.

Specifically the part; "There are 4 DNS servers involved in loading a webpage:" It explains it much better than I can.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Thank you, I conceptually understand what nameservers (and their types) are, it's just that I'm struggling a bit to link my understanding of DNS to how Cloudflare is proxying traffic through its own network. I assume that my previous comment had an OK explanation, a high-level overview of what happens.

Thanks for your time!

[–] [email protected] 2 points 1 year ago (1 children)

Cloudflare has several reverse proxies all around the world. When you enable their proxy service, CF decides which proxy is used for your traffic. To be able to control this better, they need to have control over the DNS record.

If you have an issue with changing your domain's nameservers (perfectly valid), my guess is you'll also have an issue with the fact that using CF proxy essentially means they are a man-in-the-middle for all your HTTPS traffic and decrypt everything before proxying it forward.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Hi, thanks a bunch for your comment. I love trying to understand the inner workings of more complex networking.

To be able to control this better, they need to have control over the DNS record.

Could you detail on how using their nameservers helps them control the allocation of proxies and other infrastructure better? I'm probably asking a stupid question but I really want to connect the dots. I want to know how using their nameservers enables them to proxy my traffic, and what technical limitations are present such that they won't be able to proxy my traffic if I don't use their nameservers (which btw is not true, because if you are an enterprise customer they have a provision where you can just get a CNAME instead of using their nameserver and it will still work - but for the sake of this discussion I will assume that it won't be possible to proxy traffic without their nameservers. I just want to know why).

Well, technically using Cloudflare isn't the most private thing one can do (I have a feeling they ask free account holders to use their nameservers because they can then run analytics on the data, which is fine. It's "free"), and eventually I'd like to use my own VPS instance as a reverse proxy into my network (to access it from outside) instead of having to use a Cloudflare proxy. However, when strictly speaking of CDN infrastructure, I have no problems with using Cloudflare, since there is no chance of me coming up with infrastructure on my own anyway.

I didn't realise that Cloudflare acts as a MiTM: this is new for me. I would love if you could explain further (or point me to a resource that does) and how this ties in with using Cloudflare as a proxy/CDN setup.

Thanks!

[–] [email protected] 2 points 1 year ago (1 children)

The reasons for having to use their nameservers is probably about getting some data in the process. But DNS queries are quite harmless compared to the MITM issue for the actual traffic.

Traffic proxied via CF uses their TLS certificates. Look up how HTTPS works, and you'll understand that it means the encryption is terminated at Cloudflare.

For the record, CF DNS infrastructure is really solid. For something already public anyway, I'd use their services in a heartbeat. You get some WAF features and can add firewall rules like geoblocking, even on the free tier.

For sensitive data, I probably wouldn't use the proxy service.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Ah, I think I'm starting to understand. Since they ask you to replace the default certificates with Cloudflare specific certificates, in order for these certificates to be authorised, the nameserver needs to be from CF.

But then, if they were to not use their own specific certificate, this would not be a limitation, yes? (As I imagine is the case with the more premium plans). In the case of the premium plans, how do they secure traffic and provide proxy/CDN services with just a CNAME?

[–] [email protected] 2 points 1 year ago (1 children)

A CNAME is just a DNS record that points to another DNS record, technically they could allow it for free users too.

I'd guess the point is they get info on what free users do with their DNS, to help make their paid services more appealing.

No offense, but you might be seriously overthinking this.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Ah, perfect. My hypothesis was correct!

Haha, I'm aware I'm probably trying to delve deeper than most users, but I really want to understand the technology I plan to use. I am also very interested in Networking and such concepts intrigue me!

Could you tell me how proxying traffic would work if they just asked the user to create a CNAME rather than using their nameservers? I still can't figure this part out.

My apologies for asking so many questions, but I just can't seem to rest till I wrap my head around this :)

[–] [email protected] 2 points 1 year ago (1 children)

No need to apologize.

You'd create a CNAME for myservice.mydomain.com, that points to proxynearorigin.cloudflare.com.

proxynearorigin.cloudflare.com contains the A and AAAA records for the reverse proxy servers. When you do a DNS query for myservice.mydomain.com, it will (eventually) resolve to the CF proxy IPs.

The CF proxies see from the traffic that you originally requested myservice.mydomain.com and serve your content based on that. This still requires you to tell Cloudflare where the origin server is so the reverse proxies can connect to it.

On the free service instead of the CNAME you set the origin server's IP as the A and/or AAAA record. Enabling the proxy service actually changes this so that when someone makes a DNS query to myservice.mydomain.com they get the proxy addresses straight as A and AAAA records, leaving the IP you originally configured known only to Cloudflare internally.

It's hard to explain this, and since I don't work at Cloudflare the details may be off too. The best way to get an idea is play around with something like NGINX and run a local DNS server (Bind, Unbound, dnsmasq, PiHole...) and see for yourself how the DNS system works.

CDN isn't really related to DNS at all. In the case of the CF free tier, it's actually more like caching static content, which is technically a bit different. A CDN is a service that replicates said static content to multiple locations on high-performant servers, allowing the content to always be served from close to to the client. Where DNS comes in is that Anycast is probably used, and cdn.cloudflare.com actually resolves to different IPs depending on where the DNS query is made from.

There's also the chance that I don't actually know what I'm talking about, but luckily someone will most likely correct me if that's the case. :)

[–] MigratingtoLemmy 1 points 1 year ago

Thank you so much. This was very helpful, I am finally clear on what CloudFlare is doing. I can't tell you how happy I am to have understood what is going on behind-the-scenes. Your explanation makes perfect sense, my guess was similar to your explanation on how this works in the free-tier, but I just wasn't able to figure out how they would do it in the more premium tiers. Thanks you so much again!

Cheers

[–] kinttach 1 points 1 year ago (1 children)

Setting your nameservers is simply a requirement for Cloudflare. While they theoretically could work via CNAME -- they don’t. On the other hand, their DNS is really nice and is free.

When you use their DNS, for each DNS record, you have the option to proxy traffic through Cloudflare. The proxy is what enables their CDN (and many other features such as forwarding, rewriting URLs, DDoS protection, automatic HTTPS certificates, and so on). It’s a simple on/off switch for each DNS record if you don’t want to proxy a particular host.

[–] MigratingtoLemmy 1 points 1 year ago

Thank you, that would mean that technically there is no need for cloudflare to ask one to change their default nameservers to cloudflare's nameservers - it's just that they want to run their analytics on the data transmitted in exchange for free services. I understand now. I believe some of the paid plans allow for one to use CNAMEs, which makes sense.

Thanks, now I understand. I will need to read more on the networking tech behind a Cloudflare based reverse-proxy setup (and maybe even set up my own through another VPS box someday). I'll go through the docs, thanks again!

[–] jerrimu 1 points 1 year ago (1 children)

Just sign up for cloud flare, you will change your name servers after you set it up, but they walk you through that.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Hi, could you explain the concept behind having to change my nameservers? Thanks

[–] jerrimu 2 points 1 year ago (1 children)

Currently your web address has a domain that is forwarded to your lemmy instance. After setting up cloudlflare, you wil have to switch it to cloudflare's nameservers. They will cdn/host/protect files and part of your site will come from there to users, and the rest will come from your server.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Thanks for your comment! Could you tell me why Cloudflare would need for me to use their nameservers to protect my site and proxy traffic through their infrastructure to my instance? I'm very curious about the technical reason for them to ask us to do so

[–] jerrimu 1 points 1 year ago (1 children)

Well if the nameservers went just to your instance, they couldn't provide anything. That address only goes to that machine. To use the cloudflare service, traffic goes there first, then to your instance. Think of a nameserver as an adress. If the content is at your house, then going straight to your house is what you're doing now. There's no wat for cloudflare to get in the middle.

[–] MigratingtoLemmy 1 points 1 year ago (1 children)

Thank you. I'm trying to understand how exactly is using CF's nameservers letting Cloudflare intercept traffic from around the world to my instance?

[–] jerrimu 1 points 1 year ago (1 children)

When you type a TLD into the internet, a nameserver tells where that address is. Right now it's going to your instance, to work, cloudlfare needs to be the address. Cloudflare isnt something you install on your server, it's a nother server.

[–] MigratingtoLemmy 1 points 1 year ago

If Cloudflare just needed the address, they could query the domain name I would provide them during the setup process (which they do, in order to set up the CDN). Why their DNS servers instead of my own?

My apologies, I think I'm missing a crucial point here which is why I'm asking the same question multiple times. Thanks so much for your help!

load more comments
view more: next ›