I think people self-host with their ISP to get away from centralized choke-points such as Cloudflare. Unless you're fine with having Cloudflare have yet-another-datapoint.
Another option is to use a VPS + nginx + a WireGuard VPN.
Your home web server can establish a VPN connection to the public IP of your VPS, meaning you still don't need to worry about dynamic addresses changing or opening ports on your router. This is essentially what a Cloudflare tunnel is.
Granted, a VPS isn't usually free. But some places like Oracle Cloud do offer free-tier compute, as does fly.io.
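The VPS + nginx + WireGuard layout described in that comment, together with the point raised in the reply that the VPS only ever holds a public key and forwards TLS to the home VM rather than terminating it, as an added example that is not part of the thread. The addresses (203.0.113.10, 10.66.0.0/24), the UDP port, the hostname music.example.org and the key placeholders are all assumed; replace the placeholders with `wg genkey` / `wg pubkey` output. The AllowedIPs lines are deliberately narrowed to the two tunnel addresses so that a compromised VPS gains no route into the rest of the home LAN through the tunnel.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders three config files:
#   - the VPS-side WireGuard interface
#   - the home-side WireGuard interface (dials out, no inbound router port)
#   - an nginx "stream" block on the VPS that passes TLS through untouched
# Every address, port and key below is a placeholder (assumption).

WG_PORT=51820                      # UDP port the VPS listens on (assumed)
VPS_PUBLIC_IP=203.0.113.10         # documentation address standing in for the VPS
VPS_WG_IP=10.66.0.1                # VPS tunnel address
HOME_WG_IP=10.66.0.2               # home web server tunnel address
VPS_PRIVKEY='<vps-private-key>'    # wg genkey   (never leaves the VPS)
VPS_PUBKEY='<vps-public-key>'      # wg pubkey   (copied to home)
HOME_PRIVKEY='<home-private-key>'  # wg genkey   (never leaves home)
HOME_PUBKEY='<home-public-key>'    # wg pubkey   (the only thing copied to the VPS)

# VPS side: fixed listen port, exactly one peer, and only that peer's single
# tunnel address is routed. Nothing behind the home box is reachable.
render_vps_wg_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = ${VPS_PRIVKEY}

[Peer]
# home web server
PublicKey = ${HOME_PUBKEY}
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# Home side: no ListenPort, so no port-forward on the router and no problem
# with a changing dynamic IP. The home box initiates the tunnel outbound;
# PersistentKeepalive keeps the NAT mapping alive. AllowedIPs is only the
# VPS tunnel address, so the VPS cannot push packets at the LAN via wg0.
render_home_wg_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = ${HOME_PRIVKEY}

[Peer]
# VPS
PublicKey = ${VPS_PUBKEY}
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${VPS_WG_IP}/32
PersistentKeepalive = 25
EOF
}

# nginx on the VPS: a layer-4 stream proxy. ssl_preread reads the SNI from
# the ClientHello to choose a backend but never decrypts; the TLS private
# key lives only on the home VM and the VPS sees ciphertext.
render_nginx_stream_conf() {
  cat <<EOF
stream {
    map \$ssl_preread_server_name \$backend {
        music.example.org  ${HOME_WG_IP}:443;
        default            127.0.0.1:9;   # unknown SNI: closed port, connection dropped
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass \$backend;
    }
}
EOF
}

# Write all three files into a scratch directory (default ./generated), not /etc,
# and print the directory so the caller can inspect or copy them.
write_configs() {
  out="${1:-./generated}"
  mkdir -p "$out"
  render_vps_wg_conf       > "$out/vps-wg0.conf"
  render_home_wg_conf      > "$out/home-wg0.conf"
  render_nginx_stream_conf > "$out/nginx-stream.conf"
  echo "$out"
}
```

Run `write_configs /tmp/selfhost` and review the three files before copying them into place. Because the home config has no ListenPort and a /32 AllowedIPs for the VPS, the tunnel is useful to the VPS only for reaching port 443 on the home box; an attacker who owns the VPS can still sit in front of that one TLS endpoint, which is the residual trust discussed further down the thread.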
Oh interesting, so you only drop a public key onto the VPS, and you forward TLS to the VM at home instead of terminating on the VPS. That's a neat idea.
So with your statement, "I still don't want to trust a VPS provider", is this more about having your secrets or file contents leaked? Because even in your design, if the VM is compromised, then so are your users. At some level you still have to trust that the provider isn't malicious or vulnerable.
If my VPS is broken, I don't lose any secrets, and it does not permit any additional access into my LAN or VPN.
For plain HTTP, of course all traffic would be easily intercepted and readable.
For HTTPS, I guess an attacker might compromise the software and iptables configuration on the VPS and run a MITM attack to decrypt it.
So yes, I am putting a bit of trust in the VPS. For my specific use-case, the most sensitive thing they'd be able to access, if they went through the trouble of decrypting HTTPS, would be my music player :)
I am thinking though, that at that point... well, even if I hosted at home on my own ISP directly, I would still need to put that same amount of trust in my ISP, since they could MITM me as well, I think.
Good point. You are not dependent on Cloudflare, though; you can use other similar services, or open the port on your router if it supports it. And if you pay for it, you can get an SLA so that they can't mess with you by terminating your project.
I would still consider it very nice of them to offer this free service that lets you break free from your dynamic IP and crappy router, and at the same time gives you protection that you couldn't set up yourself.
I think many people just want to be able to make their device available from the internet - this type of liberty is not really important for many people.
If you self-host with your ISP, then isn't your ISP also a choke-point? If your ISP decides to block you for some reason, you have to change ISPs or possibly your location if there is only one good ISP at your location.