
Well, their WAF and DoS protection are pretty nice.

An easy secure setup would be to spin up a guest VM and isolate it in its own subnet.

Disable routing between your guest and the rest of your LAN and you can sleep easy at night so long as your app doesn't serve any crazy dynamic content.



"Walking around covered in body armor and allowing the military to drive me to work in a tank" is nice protection but it's also very restrictive. I don't think the argument against this is so much that Cloudflare doesn't provide nice features as that those features are entirely unneeded for 99.99% of people hosting from home. The downsides of heavy protection are vastly increased complexity and dependence on a non-'dumb pipe' non-ISP corporation which kind of defeats the point of hosting from home.

You really can just host your webserver from your home network and forward the port using your consumer-grade router and consumer home connection most of the time, and nothing bad happens. But this kind of tunneling would be great for when you have a bad ISP that blocks port 80 instead of just saying servers aren't allowed.


Lmao your response made me chuckle. You're entirely right! Probably nothing bad will happen. Especially if you partition your network like I mentioned in my OP.

I would get worried about somehow enabling access to defects in my router by opening some inbound ports. I realize that's a little paranoid...but recently I have been playing around with https://github.com/threat9/routersploit and routinely find defects in consumer routers.

Here's my other beef with Cloudflare: Once I gotta pay $200+/mo for their security services or whatever, I could just rent out a private rack in a colocation and throw in some old beefy LGA-2011 Xeon hosts. Now I don't need anything on my LAN exposed and I have dedicated IPs, physical security, backup generators, etc.


> Here's my other beef with Cloudflare: Once I gotta pay $200+/mo for their security services or whatever, I could just rent out a private rack in a colocation and throw in some old beefy LGA-2011 Xeon hosts. Now I don't need anything on my LAN exposed and I have dedicated IPs, physical security, backup generators, etc.

Yeah, but now you need to source the hardware for the rack, make sure it stays up and there are no hardware failures, etc., etc. Even simpler is to grab a Linode dedicated box which comes with v4 and v6 IPs, and you get all the benefits for only $30/mo instead.


Second-hand dual LGA2011 machines are so cheap it's amazing. Enterprise-grade servers are mega reliable; I think people overestimate the probability of hardware failure.

A $30 Linode box has like 2 vCPUs and maybe 4 GB of RAM.

Where I live I can get a 1U slot in a shared colo rack for $30-$60/mo. Buy a used dual-Xeon blade for a few hundred bucks and now I have a setup with 20x the resources. But yeah, I admit there's a lot more manual effort involved.


IMO if you can get a 1U for those prices, it's silly not to take it. Where I'm at I can't though and that's where a dedicated Linode box may make more sense.


You don't have to enable port forwarding to get your router exploited. I'd argue that port forwarding has neither positive nor negative effect on your router's security.

I've been hosting from home for 20+ years and I've never been troubled. But I only run static websites.


Yeah, like I said, I realize I am being paranoid, but there are far-fetched scenarios where serving static sites from home could compromise my home network.

Take the recent Log4j vulnerabilities. Serving static content and logging trivial fields like request headers would lead to RCE. If that box can route to my home router, and my router has a defect available through routersploit, my network is completely pwned.

A network-isolated VM with a tunnel to a remote VPS would stop that particular attack.

All that being said, if a sophisticated adversary is targeting me I have to concede there are much easier routes to take.

I'm a security engineer at my day job so I may have conditioned myself into excessive fear.
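The isolation the commenter describes above (guest VM on its own subnet, no routing to the home LAN, only an outbound tunnel to a remote VPS) can be expressed as a single nftables ruleset on the Linux host that bridges the guest. This is an added example, not code from the thread; the bridge name `br-guest`, the 10.77.0.0/24 guest subnet, the 192.168.1.0/24 LAN, and the 203.0.113.10 VPS address are constructed placeholders, and it assumes the host does no other forwarding and hands the guest its DHCP lease.

```shell
#!/bin/sh
# Added example: nftables rules that let a guest VM reach only the remote
# VPS tunnel endpoint, never the home LAN or the host. All values below are
# constructed placeholders; override them via the environment.
VM_IF="${VM_IF:-br-guest}"            # assumed bridge name the guest sits on
VM_NET="${VM_NET:-10.77.0.0/24}"      # constructed guest subnet
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed home LAN subnet
VPS_IP="${VPS_IP:-203.0.113.10}"      # placeholder (TEST-NET-3) VPS endpoint
TUN_PORT="${TUN_PORT:-51820}"         # WireGuard's default UDP port

# Print the ruleset; nothing is applied here so it can be reviewed first.
build_ruleset() {
  cat <<EOF
table inet guest_isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # guest -> VPS tunnel endpoint is the only new flow allowed out
    iifname "$VM_IF" ip saddr $VM_NET ip daddr $VPS_IP udp dport $TUN_PORT accept
    # guest -> home LAN: already covered by policy drop, but counted for visibility
    iifname "$VM_IF" ip daddr $LAN_NET counter drop
  }
  chain input {
    type filter hook input priority 0; policy accept;
    # guest may not talk to the host either, apart from getting a DHCP lease
    iifname "$VM_IF" udp dport 67 accept
    iifname "$VM_IF" counter drop
  }
}
EOF
}

# Load the ruleset into the kernel (needs root and the nft binary).
apply_ruleset() { build_ruleset | nft -f -; }

# Review helper: how many rules let new guest traffic out? Expect exactly one.
count_guest_accepts() {
  build_ruleset | grep -c "ip daddr $VPS_IP udp dport $TUN_PORT accept"
}
```

Run `build_ruleset` to inspect the text, then `apply_ruleset` as root; the guest's DNS and everything else must then go through the tunnel, which is the point.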


A static webserver is just the webserver in my mind. If you use something like nginx you are only going to be surprised by a remote exploit about once every two decades. Yeah, if you use some sprawling set of 'apps' that use things like Log4j on top of your server you're exposing attack surfaces.





