• 1 Post
  • 3 Comments
Joined 2 years ago
Cake day: June 15th, 2023


  • Is there a reason to expose your services to the whole internet? That’s what CF tunnels and Tailscale Funnel do.

    I can’t really recommend either of them. Funnel forces you to use a .ts.net subdomain; you can’t use your own domain. CF allows it but forces you to use their DNS service. Both CF and Tailscale play MITM with your HTTPS connection, meaning they decrypt and re-encrypt it on the fly, meaning they are able to look at your unencrypted traffic.

    If you really must expose your services publicly then get a cheap VPS, point your domain A and AAAA records at its public IPs, make a tunnel from your server to the VPS, and forward connections to port 443 on the VPS public interface through the tunnel to the reverse HTTP proxy running on your server (with mandatory TLS encryption and Let’s Encrypt certificates for your domain).

    This way you get an unbroken TLS connection all the way through, with nobody in the middle.

    The tunnel that you use between your server and the VPS can work behind CGNAT because it’s outgoing.

    Technically the tunnel doesn’t necessarily need to be encrypted because it will only carry TLS connections anyway, but then you have to deal with authorization. It’s probably simplest to do an SSH tunnel.
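The SSH-tunnel variant of the setup above, as an added example that is not part of the original comment: it prints the `ssh -R` command that forwards port 443 on the VPS's public interface back to the reverse proxy on the home server, checks the VPS `sshd_config` for the `GatewayPorts` setting that a remote forward needs in order to bind anything other than loopback, and gives an end-to-end check that the certificate a client sees is the one issued for your domain. The host name `vps.example.com`, the user `root` and the proxy address `127.0.0.1:443` are placeholders; the VPS-side requirement that binding a port below 1024 needs root (or a higher port plus a redirect) is standard sshd behaviour, not something the comment states.

```shell
#!/bin/sh
# Added example, not code from the original comment. All host names, users and
# ports are placeholders; override them with positional arguments.

# Print the ssh command that opens the tunnel from the home server. The
# connection is outgoing, so it works behind CGNAT. '*' as the bind address
# makes the VPS listen on all its addresses (v4 and v6, matching the A/AAAA
# records), which only takes effect when the VPS sshd has GatewayPorts set.
# Binding port 443 on the VPS requires the SSH user to be root; otherwise pick
# a port above 1024 and redirect 443 to it on the VPS.
ssh_forward_cmd() {
    vps_host=${1:-vps.example.com}   # placeholder: the VPS your A/AAAA records point at
    vps_user=${2:-root}              # placeholder: root so :443 can be bound
    proxy_host=${3:-127.0.0.1}       # placeholder: reverse proxy on the home server
    proxy_port=${4:-443}
    # ExitOnForwardFailure makes ssh exit (so a supervisor such as a systemd
    # unit with Restart=always can retry) instead of staying up without the
    # forward; ServerAlive* detects a dead tunnel.
    printf "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R '*:443:%s:%s' %s@%s\n" \
        "$proxy_host" "$proxy_port" "$vps_user" "$vps_host"
}

# Check a VPS sshd_config for GatewayPorts. sshd uses the first directive it
# reads; the default when absent is "no", which silently binds the forward to
# loopback only. Returns 0 when remote binds on the public interface are
# allowed ("yes" or "clientspecified"), 1 otherwise.
check_gateway_ports() {
    value=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$1")
    case "$value" in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# End-to-end check run from outside: the issuer should be your Let's Encrypt
# certificate for the domain, not a certificate belonging to an intermediary.
# Needs network access; not invoked automatically here.
tls_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

# Show the command for the placeholder values (no connection is made).
ssh_forward_cmd "$@"
```

Run `check_gateway_ports /etc/ssh/sshd_config` on the VPS before relying on the forward; if it fails, the forward will come up but only on `127.0.0.1:443` on the VPS, and nothing from the internet reaches it.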