
CloudFlare Tunnels - Secure Approach, or Tempting Fate?

Thomas Straub
On 1/18/2023 at 4:43 PM, vaise said:

I imagine a company like CF is very security aware. A rogue employee is possible I guess. My tunnel is only open to my Emby instance IP address using the Zero Trust application config, not my whole network. It also follows the WAF so I only allow specific countries, block bots etc. Just Australia can connect to mine. I tested all that with a VPN to various bad places (inc USA).

Unlike my SWAG back door method (which I also use but is disabled unless CF shuts me down), where my UniFi firewall was reporting many attempts daily to connect to my WAN port by known bad stuff. I have a jail and geo blocking, but still baddie attempts.

Router vulnerabilities are reported all the time and old ones are never patched, so for many users that's more likely to be a security issue with opening to the internet, I believe.

Same deal. My Emby instance (together with my other self-hosted stuff I want exposed, which is pretty much Heimdall, Sonarr, Radarr, and SAB) are all behind Zero Trust, CF tunnels, and I use 1Password AND an ingress Firewalla. My DNS is also AdGuard Home via Docker.

I have done all I can pretty much to ensure I can use Emby while at the same time accessing my encrypted media without the whole world having access. This has me putting a lot of trust in CF, but if they ever went bust I could easily just hop back on SWAG via Docker.

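A minimal cloudflared ingress configuration that exposes only the Emby service through the tunnel, added here to illustrate the single-service setup described in the posts above; it is not configuration from this thread, and TUNNEL_ID, emby.example.com and 192.168.1.10 are placeholders.

```yaml
# Added example: cloudflared config.yml that routes one hostname to Emby only.
# TUNNEL_ID, emby.example.com and 192.168.1.10 are placeholders, not values
# from the thread; 8096 is Emby's default HTTP port.
tunnel: TUNNEL_ID
credentials-file: /etc/cloudflared/TUNNEL_ID.json

ingress:
  # Only the Emby hostname is routed, and only to Emby's own port.
  - hostname: emby.example.com
    service: http://192.168.1.10:8096
  # Catch-all: every other hostname aimed at this tunnel gets a 404.
  # A broad catch-all such as "service: http://192.168.1.10" would instead
  # expose everything listening on that host, which is the "whole network"
  # exposure the posts above are avoiding.
  - service: http_status:404
```

Who may reach the hostname at all (the Zero Trust Access application policy and the country and bot WAF rules mentioned above) is set in the Cloudflare dashboard, not in this file. `cloudflared tunnel ingress validate` checks the rules for syntax, and `cloudflared tunnel ingress rule https://emby.example.com` shows which rule a given URL would match.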

Thomas Straub

Agreed! I check back here frequently to see if there’s something else I should be doing but it doesn’t look like it — for now anyway. 


  • 1 month later...
mike_mcevoy

Hi all, thanks for this thread, really useful for the config of the tunnel for Emby. Connection seems good but just wondering if anyone has seen an issue with transcoding through Cloudflare. Basically when I run it through CF it only transcodes at a max of 1 Mbps, however if I don't go through the tunnel it is 5 Mbps? Just wondering if anyone knows if that is a limitation of the free account, maybe an upgrade route if necessary, but so far it is way better than VPN as I am on a Starlink connection with about 300 down and 30 up currently. @vaise


vaise

I limit transcoding. I have threatened friends and family that I will turn it off if they don't upgrade to better playback devices. They have all done that now. I can't say I have seen an issue in the past with transcoding, however.


  • 2 weeks later...
Thomas Straub

@vaise All of mine now have NVIDIA Shields because I carried out that same threat. My Emby setup became a whole-home self-hosted thing over COVID lockdowns. That little Intel Mac Mini with Docker, Emby, RClone... it's really, really been a staple. I am PETRIFIED of having to re-do it all.


  • 6 months later...
WadeWilson
On 8/6/2022 at 4:56 PM, pir8radio said:

The issue is, you still pass video through their system if you have the orange cloud enabled for that domain. This is what they prohibit: not caching of video, just passing it through Cloudflare.

@pir8radio Hate to use an old topic to ask this, but thought it better than opening yet another new topic about tunnels and proxy. The question I have is about that orange cloud selection you are referring to and CF video restrictions. What I am trying to find out is if that applies to both tunnels and/or just using their standard DNS proxy and opening 443. I would assume yes, but everything I find on the forums talks about using the tunnels when being banned. If so, this is leading me to believe the only way to risk no ban for video would be disabling the orange cloud, which would then expose my real IP, if that were a concern of mine. Then would it be any safer to spin up a proxy server on, say, a Linode (or some other cheap VPS) and point DNS in CF to that with no orange cloud, then point the VPS to my home reverse proxy? The other question would be: when Cloudflare blocks you, does it ban the whole account, or just video transmissions? Can another account be created with another e-mail, or would I just be out of luck with Cloudflare at that point? My domain is hosted through them as well, so I want to try and avoid issues there if at all possible.


adminExitium

It applies to everything as long as the actual traffic is passing through CF, that may be through a proxied domain, tunnels, workers etc. If you are just using them for DNS, that's not a problem.
