j45, 5 days ago:
Never expose your server IP directly to the internet, VPS or bare metal.

  palata, 5 days ago:
  Unless you need it to be reachable from the Internet, at which point it has to be... reachable from the Internet.

    j45, 5 days ago:
    Public-facing services routed through a firewall or WAF (Cloudflare), always. Backend access is trivial with Tailscale, etc.

      palata, 4 days ago:
      Stupid question probably, but: how can it not be routed through a firewall? If you have it at home, it's behind a router that should have a firewall already, right? And it just forwards the one port you expose to the server? Cloudflare can certainly do more (e.g. protect against DoS and hide your personal IP if your server is at home).

        j45, 13 hours ago:
        No such thing as a stupid question. If you plug in a machine at home, it is behind the router, and behind the router's firewall. If you want more of a firewall locally, something as simple as an EdgeRouter X can get you started easily with this excellent guide: https://github.com/mjp66/Ubiquiti

        The nice thing about using Cloudflare Tunnel is that there are zero ports to expose, ever. The Cloudflare Tunnel app running on your local machine is what connects out to the internet and takes care of creating a secure connection between Cloudflare and your machine. If you want to forward more than one port to the machine, you could use something like Cloudflare to forward to a machine on your home server, and then have Nginx Proxy Manager or something send the traffic around internally.

        It's totally fine to start with Cloudflare, and if you aren't already, something like Proxmox (YouTube tutorials are pretty quick) gets you up and running and playing pretty quickly. Feel free to ask any other questions you like.

          palata, 6 hours ago:
          Thanks a lot! One thing I don't really get is why it is "more dangerous" to expose a port on my home IP, versus exposing a port on a Cloudflare tunnel. In both cases, a random user from the Internet can reach my server, and if I host a vulnerable application on that exposed port, it can be exploited. Right?

          In order to host my server at home, but keep it outside my LAN, I have been considering having two routers: a "perimeter" router (not sure if that's what it's called) that connects to my ISP, and my normal "LAN" router. The LAN router does not expose anything, as usual. I connect my server to the perimeter router, so that it is in the "DMZ" between both routers. And on the perimeter router, I expose the port to my server. My idea being that if my server gets hacked, it doesn't affect my LAN. A bit like if my server was on a remote VPS. And then I can run something like Proxmox to separate my different services on my server. But doing this, I expose my home IP instead of a Cloudflare IP, so now I'm concerned that maybe it is a risk? :-)
  sergsoares, 5 days ago:
  Not exposing the server IP is one practice (obfuscation) in a list of several options. But that alone would not solve the problem of an RCE over HTTP; that is why edge proxy providers like Cloudflare[0] and Fastly[1] proactively added protections to their WAF products. Even Cloudflare had an outage trying to protect its customers[2].

  [0] https://blog.cloudflare.com/waf-rules-react-vulnerability/
  [1] https://www.fastly.com/blog/fastlys-proactive-protection-cri...
  [2] https://blog.cloudflare.com/5-december-2025-outage/
  cortesoft, 5 days ago:
  Any server? How do you run a public website? Even if you put it behind a load balancer, the load balancer is still a “server exposed to the internet”.

    j45, 5 days ago:
    Public-facing services routed through a firewall or WAF (Cloudflare), always. Backend access is trivial with Tailscale, etc. The public IP never needs to be used. You can just leave it an internal IP if you really want.

      cortesoft, 5 days ago:
      A firewall is a server, too, though.

        j45, 13 hours ago:
        Thanks. Not sure of your point. The firewall could run on a piece of dedicated equipment, where it might not be a server, or it could run in a container on a dedicated computer, which might be the server. Again, I'm only speaking about what I have experience with, in addition to my past experience, and have surprisingly found it to run well despite thinking I'd never self-host again.
  mrkeen, 5 days ago:
  You're going to hate this thing called DNS.

    j45, 5 days ago:
    Been running production servers for a long time. DNS is no issue. External DNS can be handled by Cloudflare and their WAF. Their DNS service can obfuscate your public IP, or ideally not need to use it at all with a Cloudflare tunnel installed directly on the server. This is free. Backend access is trivial with Tailscale, etc. The public IP doesn't always need to be used. You can just leave it an internal IP if you really want.
  miramba, 5 days ago:
  Is there a way to do that and still be able to access the server?

    j45, 5 days ago:
    Yes, of course. Free way: sign up for a Cloudflare account. Use the DNS on Cloudflare; they will put their public IP in front of your www. Level 2 is to install the Cloudflare tunnel software on your server, and you never need to use the public IP. Backend access securely? Install Tailscale or Headscale. This should cover most web hosting scenarios. If there are additional ports or services, tools like Nginx Proxy Manager (web based) or others can help. Some people put them on a dedicated VPS as a jump machine. This way using the public IP can almost be optional, and locked down if needed. This is all before running a firewall on it.

    m00x, 5 days ago:
    Yes, Cloudflare tunnels do this, but I don't think it's really necessary for this. I use them for self-hosting.

      doublerabbit, 5 days ago:
      That server is still exposed to the internet on a public IP. Just only known and courted through a 3rd party's castle.

        j45, 5 days ago:
        The tunnel doesn't have to use the public IP inbound; the Cloudflare tunnel calls outbound, so that can be entirely locked up. If you are using Cloudflare's DNS they can hide your IP on the DNS record, but it would still have to be locked down, though some folks find ways to tighten that up too. If you're using a bare metal server it can be broken up. It's fair that it's a 3rd party's castle. At the same time, until you know how to run and secure a server, some services are not a bad idea. Some people run Pangolin or Nginx Proxy Manager on a cheap VPS if it suits their use case, which will securely connect to the server. We are lucky that many of these ideas have already been discovered and hardened by people before us. Even when I had bare metal servers connected to the internet, I would put a firewall like pfSense or something in between.

          palata, 4 days ago:
          What does the tunnel bring except DoS protection and hiding your IP? And what is the security concern with divulging your IP? Say when I connect to a website, the website knows my IP and I don't consider this a security risk. If I run vulnerable software, it will still be vulnerable through a Cloudflare tunnel, right? Genuinely interested, I'm always scared to expose things to the internet :-).

            j45, 13 hours ago:
            Small "except". :) With the amount of automated bots that port scan looking for anything/everything that's open, as well as scanning DNS records for server IPs that could be targeted, one of the nice patterns of cloud hosting is how application and data servers are hosted behind firewalls of some kind, to effectively be internal. As for what's exposed to the web, let's say the payload of a website: if there was something vulnerable in the JavaScript, that could be a weakness hosted anywhere. Cloudflare can also help achieve this without too much fuss for self-hosted projects, be it personal or production grade, assuming the rest of the trimmings are there.

              palata, 6 hours ago:
              > one of the nice patterns of cloud hosting is how application and data servers are hosted behind firewalls of some kind

              Oh I see, so that I benefit from the "professional" firewall of Cloudflare, as opposed to my own that I may have possibly misconfigured or forgot to update etc.? Or is there more, like Cloudflare will block IPs that are known to come from malicious actors and things like this?
    Carrok, 5 days ago:
    Many ways. Using a "bastion host" is one option, with something like WireGuard or tinc. Tailscale and similar services are another option. Tor is yet another option.

      cortesoft, 5 days ago:
      The bastion host is a server, though, and would be exposed to the internet.

        j45, 13 hours ago:
        It can run a firewall and forward to internal traffic as well.

      venturecruelty, 5 days ago:
      > Never expose your server IP directly to the internet, VPS or bare metal.

    iLoveOncall, 5 days ago:
    Yes, Cloudflare Zero Trust. It's entirely free, I use it for loads of containers on multiple hosts and it works perfectly.

      j45, 5 days ago:
      It's really convenient. I don't love that it's a one-of-one service, but it's a decent enough placeholder.

    sh3rl0ck, 5 days ago:
    Either via a VPN or a tunnel.
  procaryote, 5 days ago:
  As in "always run a network firewall" or "keep the IP secret"? Because I've had people suggest both and one is silly.

    j45, 5 days ago:
    A network firewall is mandatory. Keeping the IP secret seems like a misnomer. It's often possible to lock down the public IP entirely to not accept connections except what's initiated from the inside (like the Cloudflare tunnel or otherwise reaching out). Something like Cloudflare+tunnel on one side, Tailscale or something to get into it on the other. Folks other than me have written decent tutorials that have been helpful.
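The host-firewall policy j45 describes in the final reply (the public address accepts nothing unsolicited, the tunnel and the mesh VPN dial out, management arrives over Tailscale) written out as an nftables ruleset. This is an added example and not something any commenter posted. It assumes a Linux host running nftables, that cloudflared and tailscaled run on the host itself, that Tailscale uses its default Linux interface name tailscale0, and that SSH on port 22 is the only service that should be reachable from the tailnet.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny inbound host firewall for a server reached
# only through an outbound Cloudflare Tunnel (cloudflared) and a
# Tailscale/WireGuard mesh. Nothing on the public interface listens for
# unsolicited connections. Interface and port names are assumptions.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Return traffic for connections this host opened itself:
        # cloudflared's outbound tunnel, Tailscale's WireGuard session,
        # package updates, DNS lookups. This is what makes "no inbound
        # ports" workable: the tunnel dials out and replies are matched
        # by connection tracking, so no listening port is ever exposed.
        ct state established,related accept
        ct state invalid drop

        # Local processes talking to each other.
        iif "lo" accept

        # Keep ICMP so path MTU discovery and IPv6 neighbour discovery work.
        meta l4proto { icmp, ipv6-icmp } accept

        # Management only over the Tailscale interface (assumed name
        # tailscale0), never over the public NIC.
        iifname "tailscale0" tcp dport 22 accept

        # Everything else falls through to the drop policy. Log a sample of
        # it, rate-limited, so scanning against the public side stays
        # visible in the journal without flooding it.
        limit rate 5/minute log prefix "nft-drop-in: "
    }

    chain forward {
        # This host is not a router; nothing is forwarded through it.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound stays open: cloudflared and tailscaled need to dial out.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` (for example `sudo nft -f /etc/nftables.conf`) and confirm with `nft list ruleset`. With this in place a probe to the public address on any port is dropped whether or not the address is "secret", which is where procaryote and j45 end up agreeing: the firewall is what protects the host, and the tunnel only removes the need to open anything. Tailscale keeps working behind a policy this strict because its outbound UDP creates the conntrack entries that direct peer traffic matches, and it falls back to its DERP relays when direct hole-punching fails.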