I mean, this and the reddit board are /r/selfhosted. We self-host, yet I see so much about people relying on 1.1.1.1 and Cloudflare’s proxy services that they never second-guess.
I don’t care about Cloudflare. My server doesn’t exist to use their proxies and services when the entire point is to divide from reliance on third-parties.
I already found Anubis, I’m sure many of you are familiar with it. Are there any other useful tools or similar that you guys have been using?
Isn’t one of Cloudflare’s biggest strengths that they have a shitton of servers around the world and can thus provide DDOS resilient caching?
Having a shitton of servers is kind of the antithesis of self hosting.
One this that’s really hard to replace is DDoS protection.
Cloudflare does a lot of things from DNS to tunnels. Can you describe the part you’re interested in?
…asterisk? The proxy everyone uses, the middleware that detects bots and such before letting you through. Their bread and butter. I’m not sure of any formal name.
This is the way
A bit like this? https://github.com/chaitin/safeline
Only safeline’s webui is open source, and the dev is a little odd. Just like tailscale, I don’t like closed source reliance. I’ve been referred to open-appsec as an open alternative, but I’m not sure on them either.
If you want DDoS protection you’re gonna need to work with someone who can swallow and filter a whole botnet’s worth of traffic and keep running. That takes some serious infrastructure.
I recommend Cloudflare for small businesses because their terms of service are actually decent, and blending their traffic into that stream makes their website indistinguishable from larger competition.
The next closest things are Pangolin (https://digpangolin.com/) and WireGuard. You’ll need to rent a server somewhere with a public-facing IP to run the server-side software (and DDoS protection is based on the services provided by your datacenter host). Pangolin has a UI similar to Cloudflare, but under the hood, it’s just Wireguard, so if you prefer more direct control, you can just set up a Wireguard tunnel by hand.
For myself, and my own needs, I don’t need all that. I just use DDNS* to point my DNS records to my home’s public ip address & use port forwarding to connect ports 80 & 443 to Nginx Proxy Manager. (When I add Anubis, I’ll port forward to Anubis and then have Anubis redirect valid traffic to Nginx Proxy Manager) This setup offers no protection against DDoS, but for what I use it for, I think it’s an acceptable risk (I’d either have to get someone’s attention and ire or just be cosmically unlucky)
*the server has a cron job to curl the DDNS refresh URL every hour.
I think you’re either looking for a tunnelling solution or a Web Application Firewall. And there are several options. ModSecurity, or SafeLine, BunkerWeb, Coraza, open-appsec. For (AI) crawlers and bad bots we have Anubis, Iocaine… or something like more traditional blocklists or something like OpenResty which is some modified Nginx plus modules…
The tunneling itself can be done with a simple reverse proxy like Nginx, Traefik, Caddy…
I’ve messed around a bit with ModSecurity. But I’m still looking for something aganist the crawlers.
If you just want a secure connection, you can use a reverse proxy with certbot and nginx. Plenty of people have already done this and you can find their work on hub.docker.com
Agreed!
