Is there any Middleware that performs similar functions to Cloudflare, just... selfhosted?
from Vanilla_PuddinFudge@infosec.pub to selfhosted@lemmy.world on 18 Jul 08:58
https://infosec.pub/post/31640682

I mean, this and the reddit board are /r/selfhosted. We self-host, yet I see so much about people relying on 1.1.1.1 and Cloudflare’s proxy services that they never second-guess.

I don’t care about Cloudflare. My server doesn’t exist to use their proxies and services when the entire point is to divide from reliance on third-parties.

I already found Anubis, I’m sure many of you are familiar with it. Are there any other useful tools or similar that you guys have been using?

#selfhosted

threaded - newest

iii@mander.xyz on 18 Jul 09:01 next collapse

Cloudflare does a lot of things from DNS to tunnels. Can you describe the part you’re interested in?

Vanilla_PuddinFudge@infosec.pub on 18 Jul 09:03 collapse

…asterisk? The proxy everyone uses, the middleware that detects bots and such before letting you through. Their bread and butter. I’m not sure of any formal name.

iii@mander.xyz on 18 Jul 09:05 next collapse

A bit like this? github.com/chaitin/safeline

Vanilla_PuddinFudge@infosec.pub on 18 Jul 09:51 collapse

Only safeline’s webui is open source, and the dev is a little odd. Just like tailscale, I don’t like closed source reliance. I’ve been referred to open-appsec as an open alternative, but I’m not sure on them either.

SheeEttin@lemmy.zip on 18 Jul 11:25 next collapse

github.com/TecharoHQ/anubis

jackr@lemmy.dbzer0.com on 18 Jul 11:46 collapse

This is the way

vegetaaaaaaa@lemmy.world on 21 Jul 17:06 collapse

I’m not sure of any formal name

Cloudflare turnstile

lwe@feddit.org on 18 Jul 09:10 next collapse

Pangolin as replacement for cloudflare tunnels and more.

Vanilla_PuddinFudge@infosec.pub on 18 Jul 12:15 collapse

Ok now this is interesting.

I’m not knocking anubis but anubis seems very one-note, a single step. Pangolin looks more encompassing.

cecilkorik@piefed.ca on 18 Jul 14:31 collapse

That is kind of the UNIX philosophy at work and you'll find that in a lot of open-source and self-hosted projects. The goal is to do one very specific thing really well in a small and streamlined package that integrates into other processes in a clear, defined and transparent way, not to be one of these super-convenient but bloated "it does everything and the kitchen sink" behemoths. It's a different style of software development but it's popular in the open source community for a lot of reasons, for example it's a lot more maintainable by a single person or small team with limited time. You'll find most of these large complex open source projects are organized and developed by companies (like Pangolin is), while the smaller UNIX-style projects are often written by individuals or very small teams volunteering their spare time. There are tradeoffs in either direction, but for self-hosting I think following the UNIX philosophy has a lot in common with a typical goal of self-hosting, reducing your dependence on for-profit companies that have a financial incentive to enshittify or otherwise try to squeeze money out of you.

hendrik@palaver.p3x.de on 18 Jul 10:42 next collapse

I think you're either looking for a tunnelling solution or a Web Application Firewall. And there are several options. ModSecurity, or SafeLine, BunkerWeb, Coraza, open-appsec. For (AI) crawlers and bad bots we have Anubis, Iocaine... or something like more traditional blocklists or something like OpenResty which is some modified Nginx plus modules...

The tunneling itself can be done with a simple reverse proxy like Nginx, Traefik, Caddy...

I've messed around a bit with ModSecurity. But I'm still looking for something aganist the crawlers.

InEnduringGrowStrong@sh.itjust.works on 18 Jul 10:58 next collapse

One this that’s really hard to replace is DDoS protection.

calmluck9349@infosec.pub on 18 Jul 11:38 next collapse

Agreed!

bjoern_tantau@swg-empire.de on 18 Jul 12:39 next collapse

Isn’t one of Cloudflare’s biggest strengths that they have a shitton of servers around the world and can thus provide DDOS resilient caching?

Having a shitton of servers is kind of the antithesis of self hosting.

Boomkop3@reddthat.com on 18 Jul 13:53 next collapse

If you just want a secure connection, you can use a reverse proxy with certbot and nginx. Plenty of people have already done this and you can find their work on hub.docker.com

TeddE@lemmy.world on 18 Jul 13:58 collapse

If you want DDoS protection you’re gonna need to work with someone who can swallow and filter a whole botnet’s worth of traffic and keep running. That takes some serious infrastructure.

I recommend Cloudflare for small businesses because their terms of service are actually decent, and blending their traffic into that stream makes their website indistinguishable from larger competition.

The next closest things are Pangolin (digpangolin.com) and WireGuard. You’ll need to rent a server somewhere with a public-facing IP to run the server-side software (and DDoS protection is based on the services provided by your datacenter host). Pangolin has a UI similar to Cloudflare, but under the hood, it’s just Wireguard, so if you prefer more direct control, you can just set up a Wireguard tunnel by hand.

For myself, and my own needs, I don’t need all that. I just use DDNS* to point my DNS records to my home’s public ip address & use port forwarding to connect ports 80 & 443 to Nginx Proxy Manager. (When I add Anubis, I’ll port forward to Anubis and then have Anubis redirect valid traffic to Nginx Proxy Manager) This setup offers no protection against DDoS, but for what I use it for, I think it’s an acceptable risk (I’d either have to get someone’s attention and ire or just be cosmically unlucky)

*the server has a cron job to curl the DDNS refresh URL every hour.