CloudFlare Tunnels - Secure Approach, or Tempting Fate?


Recommended Posts

Thomas Straub

Hello all,

I've been browsing around the forums lately, and full disclosure: my server is running on my Intel Mac Mini, but has a mix of Docker containers for certain services, and others run native apps (Emby being one).

My main way of securing my Emby server was via a Docker container called "Swag" (from LinuxServer.io) and then wrapping the traffic through Cloudflare DNS. It was all proxied via Cloudflare and working wonderfully. However, I had to have port 443 forwarded. For added security, my files are hosted via GDrive for Business and are encrypted via RClone. I also have a Firewalla Gold at my network entry point, which functions as an ingress firewall. I think all is well, since my users all use Emby Connect, and every certificate seems to work. In Emby's network pane, I use my domain emby.XXX.com, and "handled by reverse proxy".

Having some time over the weekend, I've migrated things from the Docker approach for encryption to using a CF tunnel. The CF tunnel seems to be able to add DNS names for my services (e.g., emby.XXX.com, plex.XXX.com) from the web interface, requires "strict" certificates for TLS, and removes one Docker container from my setup. It's really easy to expose internal services externally this way, and appears to eliminate the need for port opening! Everything is still proxied via CF, as it was when I was using Swag.

In this regard, I've read that CF decrypts and views the traffic, which is surprising. I have things encrypted in GDrive, so I am not worried about prying eyes, or having any sort of "free version" hang ups like some folks have.


My questions are two-fold: (1) Is using a tunnel the wisest way to avoid intrusion at the moment (outside of VPNs and other device use cases that I cannot implement with non-tech savvy users)? and (2) Is my RClone encrypted traffic being actively sniffed by CF, such that this approach isn't viable; if so, what would you choose?


Love Emby, and wish I could change my display name here to my alias, but I don't think I realized when I made the account. Looking forward to the discussion!


Thomas Straub

@Luke Here's hoping they're in line with my assumptions. I still have my old Docker CF stuff ready to re-deploy if necessary.


It sounds like a Cloudflare tunnel would be ideal for you and this setup. It's a bit involved but not that hard once you know the steps.

If you like I could give you a hand with this over the weekend. I've not done a tunnel on a Mac before so the weekend would be a bit better for this.

Carlo


kikinjo

Question 1: Are you talking about Argo tunnel, or? If it is Argo tunnel, that's expensive and billed on data, don't go there; just use CF with a professional account and you are good.
Question 2: Your rclone is encrypted, but not when streamed through CF. Use a pro account on CF and you are good. Free accounts are blocked for streaming anyway after some days.

The best way is to use your VPN. I suggest WireGuard, and you will not have any prying eyes and you will save $20 monthly for CF. I'm using it for years. If you need help with it, just message me.


Thomas Straub
10 hours ago, cayars said:

It sounds like a Cloudflare tunnel would be ideal for you and this setup. It's a bit involved but not that hard once you know the steps.

If you like I could give you a hand with this over the weekend. I've not done a tunnel on a Mac before so the weekend would be a bit better for this.

Carlo

Thanks for the assist Carlo.

I actually have cloudflared and a Cloudflare tunnel running successfully already! I was wondering if I was "tempting fate", i.e., in all likelihood going to get shut down by CF with no place to go! I found it relatively easy, and much less maintenance than the Swag Docker reverse proxy. Just get the DNS set up, set up the tunnel, point to your localhost:port and you're golden!

Have you heard of any bans from the free accounts on CF for using cloudflared tunnels in this setup? Thank you in advance!


Thomas Straub
9 hours ago, kikinjo said:

Question 1: Are you talking about Argo tunnel, or? If it is Argo tunnel, that's expensive and billed on data, don't go there; just use CF with a professional account and you are good.
Question 2: Your rclone is encrypted, but not when streamed through CF. Use a pro account on CF and you are good. Free accounts are blocked for streaming anyway after some days.

The best way is to use your VPN. I suggest WireGuard, and you will not have any prying eyes and you will save $20 monthly for CF. I'm using it for years. If you need help with it, just message me.

Kikinjo,

For question 1, I was asking if Cloudflare Tunnels (see here: Set up your first tunnel · Cloudflare Zero Trust docs; not sure if it was formerly Argo) are a good alternative to reverse proxies to prevent intrusion. Sorry if that wasn't clear. With my prior LinuxServer.io setup, I had to forward port 443, then let the proxy pass the traffic to different services via the Docker container. With CF tunnels, none of that is needed. I ran things this way for years and never got a block from streaming (by "this way" I mean the reverse proxy. The tunnel is new!)

For question 2, that's surprising! I would have thought the GDrive encryption via rclone passes the traffic (encrypted traffic) through RClone! Surprised, since I haven't been flagged and have been proxying this way (the reverse proxy way) for years!

I have a Firewalla Gold, so it has a built-in WireGuard VPN server I already use. Is this a pain in the butt for end users? They primarily use Emby on iPads, iPhones and Amazon Fire TV Sticks. I am open to that as a solution, but would rather avoid it.


It's a rather ideal way to be online. No ports open, only one controlled partner is allowed to communicate with your server, and it's fast.

What's not to love?


Thomas Straub

@cayars That was my thought with the Cloudflare Tunnels EXACTLY, which is why it was my weekend project. No more opening port 443, etc. My main worry is Cloudflare seeing the traffic and giving me a ban, but I think my RClone encrypted wrapped GDrive should be fine on that front, no?

All I did was run cloudflared on my Mac Mini, go to the web panel, set up DNS names on Access (e.g., emby.mydomain.com), point it to localhost:8096 and wait. BAM, done. Everything is proxied by Cloudflare, and what it doesn't catch, my Firewalla does.

The "old" way, I had to reverse proxy with a Docker container. This way, I just check "allow remote connections", secure mode is "handled by reverse proxy" and Emby works flawlessly. My domains on Cloudflare are set to "strict". SSL implementation testing comes back with a B, same as Facebook. You're right, things are also much quicker.

If it ain't broke, don't fix it?
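For anyone running the connector the locally-managed way rather than from the Zero Trust web panel, this is what the routing the post describes looks like as a cloudflared config.yml. It is an added example, not the poster's file: the tunnel UUID, credentials path and domain are placeholders, and the Sonarr/Radarr ports are assumed defaults.

```yaml
# cloudflared config.yml (added example; not the poster's actual file).
# <TUNNEL-UUID> and the credentials path are placeholders for your own tunnel.
tunnel: <TUNNEL-UUID>
credentials-file: /Users/<you>/.cloudflared/<TUNNEL-UUID>.json

ingress:
  # Emby listens on plain HTTP locally (port 8096, as in the post). TLS is
  # terminated at Cloudflare's edge; the hop from the edge to this connector
  # is the outbound tunnel, so no inbound port needs forwarding.
  - hostname: emby.mydomain.com
    service: http://localhost:8096

  # Admin-only services: a hostname alone gives no access control, so these
  # are meant to sit behind a Zero Trust Access policy (email OTP or Google
  # login) configured in the dashboard, on top of each app's own login.
  # Ports are the apps' assumed defaults.
  - hostname: sonarr.mydomain.com
    service: http://localhost:8989
  - hostname: radarr.mydomain.com
    service: http://localhost:7878

  # Required catch-all: cloudflared will not start without a final rule that
  # has no hostname, so any unmatched request gets a 404 instead of reaching
  # a service you did not intend to expose.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the ingress section (including the catch-all) before you run the tunnel.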


strike841
2 hours ago, Thomas Straub said:

My main worry is Cloudflare seeing the traffic and giving me a ban

You shouldn't worry about that. It's all encrypted SSL/TLS traffic anyway. So even if Cloudflare could see the traffic inside the tunnel (which I'm pretty sure they can't, but let's say they could) it would all be encrypted SSL/TLS traffic. Some things they can see of course, like hostname, port, what browser you are using etc. But they can not see what you're watching on your Emby server. Well, technically, since Cloudflare sits in the middle they could do an SSL stripping attack and therefore be able to see your traffic. But I THINK that would be bad for business, if anyone found out they were monitoring users that way. But technically they can if they want to. So you need to trust them. Just as you trust Microsoft not to record everything you do on your computer.


Q-Droid

Cloudflare IS an MITM, that's how it operates when you use their services for proxy, termination and tunneling. It's up to you to trust them and as stated it would be bad for business if they were to violate said trust. Just keep in mind that this gives them the ability to monitor your traffic and the resulting analysis can be used to enforce ToS.


Keep in mind they know right away it's video. There is no trust violation as you're using their certificate.

Set your 3 rules correctly to not proxy the video streams, as well as run a typical home/friend server, and you won't have a problem as you're not standing out any different than the rest of us using their system for our personal systems.

Carlo


Q-Droid
16 minutes ago, cayars said:

Keep in mind they know right away it's video. There is no trust violation as you're using their certificate.

Set your 3 rules correctly to not proxy the video streams, as well as run a typical home/friend server, and you won't have a problem as you're not standing out any different than the rest of us using their system for our personal systems.

Carlo

I think you mean to not cache the video, right? The proxy would always be in effect.


Thomas Straub
4 hours ago, Q-Droid said:

I think you mean to not cache the video, right? The proxy would always be in effect.

I think that's what @cayars is getting at. All I cache are Emby's cover art, images, etc.

Thank you @strike841 @cayars and @Q-Droid for assuaging my worry. I think I was just over-worrying. I've gotten all of my Docker containers proxied through Cloudflare via cloudflared now, SSL certs intact, and cloudflared can even function as a VPN to access things via a proxied VPN! After playing with it this week, it's a pretty solid solution that completely protects my Emby install, avoids port openings (not that I worry, since my Firewalla Gold locks things up pretty tightly) and is much quicker.

I should probably write a guide for this to help other folks.


  • Solution
5 hours ago, Q-Droid said:

I think you mean to not cache the video, right? The proxy would always be in effect.

Yes, you set a rule to tell them not to cache anything with a specific starting URL, which is how all videos get displayed/sent.

34 minutes ago, Thomas Straub said:

I think that's what @cayars is getting at. All I cache are Emby's cover art, images, etc.

Thank you @strike841 @cayars and @Q-Droid for assuaging my worry. I think I was just over-worrying. I've gotten all of my Docker containers proxied through Cloudflare via cloudflared now, SSL certs intact, and cloudflared can even function as a VPN to access things via a proxied VPN! After playing with it this week, it's a pretty solid solution that completely protects my Emby install, avoids port openings (not that I worry, since my Firewalla Gold locks things up pretty tightly) and is much quicker.

I should probably write a guide for this to help other folks.

It's a shame it's so hard to try and build a Docker setup that would have the tunnel mostly pre-set up. That would make setup with a tunnel a lot easier!

As you found out, the process isn't hard to do once you understand what to do. Figuring out what to do is the "hard part", but it's getting easier with more and more documentation.


Q-Droid

I think the gist of my post was lost on some.

If you use Cloudflare as your proxy/WAF/DDoS protection service it means you trust them with your data. That is fine, it's what they do. But understand that your data is not encrypted to Cloudflare. It's encrypted BETWEEN you and CF and BETWEEN CF and your clients.

They've been cracking down on media streaming over free accounts per Section 2.8 of their ToS. So if you're concerned about bans keep in mind you are not hiding anything from them.


Thomas Straub
On 4/22/2022 at 2:55 PM, cayars said:

Yes, you set a rule to tell them not to cache anything with a specific starting URL, which is how all videos get displayed/sent.

It's a shame it's so hard to try and build a Docker setup that would have the tunnel mostly pre-set up. That would make setup with a tunnel a lot easier!

As you found out, the process isn't hard to do once you understand what to do. Figuring out what to do is the "hard part", but it's getting easier with more and more documentation.

You're 100000% right. I have just the images cached. Tunnel running. Docker containers running. Emby running natively and GDrive encrypted via RClone for storage. Been working for a week, and before that with the Docker encryption scheme for two years.

Here's hoping I don't have any other issues, and if I do, I'm glad we have the community here.


  • 2 months later...
vaise

I am following this with interest as it is something I wanted to have a play with also.

I currently have a similar original setup, i.e. I use unraid and many Docker containers, with nginx as the reverse proxy, so 443 is the only port in to nginx, which proxies to everything else.

I currently use Cloudflare for all this also, with the usual cache settings. I have subdomains such as emby, radarr, sonarr, ombi, jellyseer, etc.

The end game for the cf tunnel is to remove the wan port forward of 443 and have all local app endpoints native on the tunnel.

My question is this:

I have a user/password challenge built into the nginx config for some subdomains, i.e. sonarr, radarr, etc., that I don't want anyone remote but me to access. How should I go about configuring that? The tunnel mentions something about a PIN on setup.

And obviously user-connected endpoints to emby, ombi, jellyseer should have no challenge at all, as the password is built into the apps themselves.


Q-Droid

It looks like their Zero Trust platform is also available on the free accounts. The PIN you mentioned might be their email-based OTP identity provider. This would have the nice benefit of any hits on those subdomains being stopped by CF even if you retain the login challenge on the *arrs. It's in their Zero Trust documentation under Identity, but that's about all I know.


vaise

Yep, I suspect I need to read more on it. It also seems to allow Google as an identity provider, which may be an option for the 'arr's. Obviously Emby can't have any sort of identity challenge like that, for the client devices etc. to work.


vaise

As I have a VM running standalone for Shinobi CCTV on Linux, I think I will start with this one as a 'playground' before I then go on to break anything important... like Emby.


vaise

I got all this going for all non-Emby endpoints, but I also created an embytest that goes via the tunnel. The tunnel I created on unraid via command line using a YouTube article, then I upgraded that to the latest version and it allowed me to convert it to the Cloudflare Zero Trust GUI version so I could easily add all the challenges there instead of messing with YAML files.

I will give the embytest.mydomain.com to a few test users to use for verification. The ability to remove my reverse proxy and the DDNS, and remove the open port 443, is very handy once I have this all fully tested with some users.

The email PIN challenge is working well for the non-Emby/Jellyseer endpoints.

Next step will be to create a Google OAuth challenge rather than the PIN challenge.

Cool stuff! And all for free. Thanks Cloudflare.
