Am I looking for a reverse proxy here? Cloudflare Tunnel not quite the right solution
Posted by Relevant-Law-7303@reddit | sysadmin | 14 comments
I'd like to serve up port 443 on a server sitting in a DMZ. I also would like to up my hosting game a little bit, meaning I'd like to control the public-facing port a little more than just letting it be exposed 24/7/365 to port scans. Geofencing isn't really enough; I could use some help finding a better solution.
I went down the Cloudflare Tunnel avenue, and that looked absolutely phenomenal... the ability to screen users with the whitelist/PIN. Also hiding my public IP address... just awesome.
Problem is, I can't have data being served become unencrypted anywhere other than in my possession or the user's possession using the file share service. Cloudflare tunnels all the encrypted traffic into their edge.
So what is it I'm looking for? A reverse proxy? My service on port 443 is just a file sharing service that I would like to connect select external users with.
Thanks for your input!
Glad-Watercress4677@reddit
What you actually need is private access, not a reverse proxy. Cato Networks does this natively: traffic stays encrypted end to end, and only users with verified device posture get near the app. No third party terminating your TLS.
kvorythix@reddit
yeah, probably a reverse proxy or app gateway problem more than a tunnel problem
SevaraB@reddit
Is it actually HTTPS over 443? Because it sounds like a WAF is what you’re looking for. If you don’t mind deploying it yourself on another VPS, something like BunkerWeb is free to download and install.
ysfe5xb62gay5hbu2ufn@reddit
Hijacking this thread a little bit. What reverse proxy services do you all recommend? I'm trying to build something similar to OP I think in my homelab.
I've heard of HAProxy where it will just blindly pipe all of the data that goes on port 80 & 443 straight to my home lab. That AND having my data encrypted with a Let's Encrypt cert could be the move?
Should I be looking at a different service that isn't HAProxy?
masterofrants@reddit
You can do an F5 BIG-IP reverse proxy solution with the WAF solution, called the ASM module, built into it.
You can deploy a vm too.
jsiwks@reddit
Self-host a traditional reverse proxy, or if you like the Cloudflare Tunnel experience but want to control where your encryption happens, try Pangolin, the open-source self-hosted alternative.
kona420@reddit
When you say "can't allow to be unencrypted", do you mean Cloudflare can't have your keys? Or you just can't let it be unencrypted in flight?
If the former, you could use Cloudflare Spectrum TCP instead of the HTTPS proxy. You lose the application-aware processing but keep many of the other benefits.
If the latter, you can generate an origin certificate from Cloudflare to load on your server. Then use iptables or similar to whitelist their traffic and block all others. It's a very nice clean setup.
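The "origin certificate plus firewall allowlist" setup described in the comment above, as an added example that is not code from the thread or from Cloudflare. It assumes a Linux origin using nftables, and the CIDR ranges in it are constructed RFC 5737/3849 documentation prefixes standing in for the provider's published egress list, which you would fetch from the provider rather than hard-code. The point it shows is the bypass case: without the default-drop rule, anyone who learns the origin's IP can hit 443 directly and the edge's screening never applies.

```python
"""Allowlist-only origin: accept TCP/443 only from the edge provider's
published ranges and drop everything else.  Added example, not code from the
thread or from Cloudflare.  EDGE_RANGES below is a CONSTRUCTED placeholder
(RFC 5737 / RFC 3849 documentation prefixes), not the provider's real list."""
import ipaddress

# Constructed stand-in for the provider's published egress ranges.
EDGE_RANGES = [
    "198.51.100.0/24",      # RFC 5737 documentation range, placeholder only
    "203.0.113.0/24",       # RFC 5737 documentation range, placeholder only
    "2001:db8:ed9e::/48",   # RFC 3849 documentation range, placeholder only
]

ORIGIN_PORT = 443


def build_allowlist(ranges):
    """Parse CIDR strings once; a malformed entry raises instead of silently
    leaving the port open to a wider range than intended."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def is_allowed(src_ip, allowlist):
    """True only if src_ip falls inside one of the edge ranges.  The version
    check is explicit for readability; ipaddress never matches a v4 address
    against a v6 network anyway."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip.version == net.version and ip in net for net in allowlist)


def render_nftables(ranges, port=ORIGIN_PORT):
    """Emit an nftables ruleset: one named set per address family, accept from
    those sets on the origin port, drop every other hit on that port.  The
    chain only matches tcp dport <port>, so SSH and the rest of the host are
    untouched.  Families with no ranges get no set and no accept rule."""
    v4 = [r for r in ranges if ipaddress.ip_network(r).version == 4]
    v6 = [r for r in ranges if ipaddress.ip_network(r).version == 6]
    lines = ["table inet origin_guard {"]
    if v4:
        lines.append("  set edge_v4 { type ipv4_addr; flags interval; "
                     "elements = { %s } }" % ", ".join(v4))
    if v6:
        lines.append("  set edge_v6 { type ipv6_addr; flags interval; "
                     "elements = { %s } }" % ", ".join(v6))
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy accept;"]
    if v4:
        lines.append(f"    tcp dport {port} ip saddr @edge_v4 accept")
    if v6:
        lines.append(f"    tcp dport {port} ip6 saddr @edge_v6 accept")
    # The rule that actually closes the bypass: direct hits on the origin IP
    # from outside the edge ranges never reach the TLS listener.
    lines.append(f"    tcp dport {port} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


def evaluate(attempts, allowlist):
    """Classify connection attempts the way the ruleset would."""
    return {src: ("accept" if is_allowed(src, allowlist) else "drop")
            for src in attempts}


# Constructed sample: two edge addresses, a scanner, and a v6 host that has
# learned the origin's address and tries to skip the edge entirely.
SAMPLE_ATTEMPTS = ["198.51.100.7", "2001:db8:ed9e::1",
                   "192.0.2.55", "2001:db8:dead::1"]

if __name__ == "__main__":
    allow = build_allowlist(EDGE_RANGES)
    for src, verdict in evaluate(SAMPLE_ATTEMPTS, allow).items():
        print(f"{src:>20}  {verdict}")
    print(render_nftables(EDGE_RANGES))
```

An IP allowlist is a coarse check: it keeps scanners off the listener, but it trusts every tenant behind the provider's edge equally. Pair it with the origin certificate on the file share and, where the provider supports it, client-certificate (mTLS) validation of the edge's connections at the origin, so that a hit from inside the allowed ranges still has to prove it came from the edge.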
Relevant-Law-7303@reddit (OP)
I figure TLS either uninterrupted from my server, or I'd have to hold the keys. But then I'm getting into the weeds with FIPS 140-2/140-3 encryption, which my server does provide.
MrSanford@reddit
Cloudflare has FedRAMP Moderate if that helps.
0xmerp@reddit
Cloudflare can be set up to be compliant with FIPS 140-2/140-3. It requires some extra configuration, like you need a custom authenticated origin mTLS certificate.
In case you have some use case which requires you to hold the keys but you are ok with Cloudflare as TLS termination point, they have Keyless SSL, but it’s a bit annoying to set up and might require an enterprise plan.
tensorfish@reddit
You are not really shopping for a reverse proxy there. If nobody except you and the client can terminate TLS, the cleaner lane is private access first: VPN / ZTNA / mTLS-gated access, then serve the file app inside that path. Reverse proxies and Cloudflare-style edges only help once you are willing to let another box unwrap the traffic.
MrSanford@reddit
You have to host your own WAF if you don’t want traffic decrypted by the provider.
Relevant-Law-7303@reddit (OP)
I'll take a look. Maybe that's it...
nVME_manUY@reddit
Netbird