The tunnel doesn't have to use the Public IP inbound, the cloudflare tunnel calls outbound that can be entirely locked up.
If you are using Cloudflare's DNS they can hide your IP on the dns record but it would still have to be locked down but some folks find ways to tighten that up too.
If you're using a bare metal server it can be broken up.
It's fair that it's a 3rd party's castle. At the same time until you know how to run and secure a server, some services are not a bad idea.
Some people run pangolin or nginx proxy manager on a cheap vps if it suits their use case which will securely connect to the server.
We are lucky that many of these ideas have already been discovered and hardened by people before us.
Even when I had bare metal servers connected to the internet, I would put a firewall like pfsense or something in between.
What does the tunnel bring except DoS protection and hiding your IP? And what is the security concern with divulging your IP? Say when I connect to a website, the website knows my IP and I don't consider this a security risk.
If I run vulnerable software, it will still be vulnerable through a Cloudflare tunnel, right?
Genuinely interested, I'm always scared to expose things to the internet :-).
With the amount of automated bots that port scan looking for anything/everything that's open, as well as scanning DNS records for server IPs that could be targeted, one of the nice patterns of cloud hosting is how application and data servers are hosted behind firewalls of some kind, to effectively be internal.
As for what's exposed to the web, let's say the payload of a website, if there was something vulnerable in the javascript, that could be a weakness hosted anywhere.
Cloudflare can also help achieve this without too much fuss for self-hosted projects, be it personal, and production grade, assuming the rest of the trimmings are tehre.
> one of the nice patterns of cloud hosting is how application and data servers are hosted behind firewalls of some kind
Oh I see, so that I benefit from the "professional" firewall of Cloudflare, as opposed to my own that I may have possibly misconfigured or forgot to update etc?
Or is there more, like Cloudflare will block IPs that know to come from malicious actors and things like this?
The tunnel doesn't have to use the Public IP inbound, the cloudflare tunnel calls outbound that can be entirely locked up.
If you are using Cloudflare's DNS they can hide your IP on the dns record but it would still have to be locked down but some folks find ways to tighten that up too.
If you're using a bare metal server it can be broken up.
It's fair that it's a 3rd party's castle. At the same time until you know how to run and secure a server, some services are not a bad idea.
Some people run pangolin or nginx proxy manager on a cheap vps if it suits their use case which will securely connect to the server.
We are lucky that many of these ideas have already been discovered and hardened by people before us.
Even when I had bare metal servers connected to the internet, I would put a firewall like pfsense or something in between.
What does the tunnel bring except DoS protection and hiding your IP? And what is the security concern with divulging your IP? Say when I connect to a website, the website knows my IP and I don't consider this a security risk.
If I run vulnerable software, it will still be vulnerable through a Cloudflare tunnel, right?
Genuinely interested, I'm always scared to expose things to the internet :-).
Small "except". :)
With the amount of automated bots that port scan looking for anything/everything that's open, as well as scanning DNS records for server IPs that could be targeted, one of the nice patterns of cloud hosting is how application and data servers are hosted behind firewalls of some kind, to effectively be internal.
As for what's exposed to the web, let's say the payload of a website, if there was something vulnerable in the javascript, that could be a weakness hosted anywhere.
Cloudflare can also help achieve this without too much fuss for self-hosted projects, be it personal, and production grade, assuming the rest of the trimmings are tehre.
> one of the nice patterns of cloud hosting is how application and data servers are hosted behind firewalls of some kind
Oh I see, so that I benefit from the "professional" firewall of Cloudflare, as opposed to my own that I may have possibly misconfigured or forgot to update etc?
Or is there more, like Cloudflare will block IPs that know to come from malicious actors and things like this?
Both are a yes.