Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
palata 5 days ago

Unless you need it to be reachable from the Internet, at which point it has to be... reachable from the Internet.

j45 5 days ago | parent [-]

Public facing services routed through a firewall or waf (cloudflare) always.

Backend access trivial with Tailscale, etc.

palata 4 days ago | parent [-]

Stupid question probably, but: how can it not be routed through a firewall? If you have it at home, it's behind a router that should have a firewall already, right? And just forwards the one port you expose to the server?

Cloudflare can certainly do more (e.g. protect against DoS and hide your personal IP if your server is at home).

j45 13 hours ago | parent [-]

No such thing as a stupid question.

If you plug in a machine at home, it is behind the router, and behind the router's firewall.

If you want more of a firewall locally, something as simple as an EdgeRouter X can get you started easily with this excellent guide: https://github.com/mjp66/Ubiquiti

The nice thing about using cloudflare tunnel, is theres zero ports to expose, ever. The cloudflare tunnel app running on your local machine is what connects out to the internet and takes care of creating a secure connection between cloudflare and your machine.

If you want to forward more than one port to the machine, you could use something like cloudflare to forward to a machine on your home server, and then have the nginx proxy manager or something send the traffic around internally.

It's totally fine to start with cloudflare, and if you aren't already, something like Proxmox (youtube tutorials are pretty quick) gets you up and running and playing pretty quick. Feel free to ask any other questions you like.

palata 6 hours ago | parent [-]

Thanks a lot!

One thing I don't really get is why it is "more dangerous" to expose a port on my home IP, versus exposing a port on a Cloudflare tunnel. In both cases, a random user from the Internet can reach my server, and if I host a vulnerable application on that exposed port, it can be exploited. Right?

In order to host my server at home, but keep it outside my LAN, I have been considering having two routers: a "perimeter" router (not sure if that's how it's called) that connects to my ISP, and my normal "LAN" router. The LAN router does not expose anything, as usual. I connect my server to the perimeter router, so that it is in the "DMZ" between both routers. And on the perimeter router, I expose the port to my server. My idea being that if my server gets hacked, it doesn't affect my LAN. A bit like if my server was on a remote VPS.

And then I can run something like proxmox to separate my different services on my server.

But doing this, I expose my home IP instead of a Cloudflare IP, so now I'm concerned that maybe it is a risk? :-)