Cloudflare tunnels - secure access to applications

Where is the trouble?

Often, once we decide to use some application, whether for our own organization, for ourselves, or even for the public, we face the question of how to expose it to the world. We can lease a server or a virtual machine from one provider or another. This partially solves the issue: we generally get a public IP included and someone else takes care of that server, which is nice. However, I'm not a fan of exposing internal applications used by our organization to the public. Additionally, we often already have application servers or file servers on our own premises anyway.

We can always opt to buy a fixed public IP for our headquarters and expose the application there, but then we are left fighting with a firewall and an SSL certificate. We also make our IP addresses public and expose ourselves to DDoS attacks, making life difficult, to put it euphemistically, for us and for the users of our application. Sure, it is best to hide everything in the internal network and give access only via VPN. Yes, but sometimes you can, and sometimes you need to, do it a little differently.

Why Cloudflare tunnel

Cloudflare comes to the rescue with its tunneling service. I'll just mention that this is not sponsored material; I bring it up because I think it's a very interesting service provided by a company with a good reputation. In addition, the services really do seem good, easy to configure and, not insignificantly, free to a limited extent. If it's so good and free, then why do they do it, you will probably ask. Well, that's more of a question for them. In my opinion, it is part of the incentive to use their paid features. Let's not kid ourselves: if we attract a lot of traffic to our service or site, we'll probably make money on it, and if we're satisfied we'll pay anyway. In addition, Cloudflare is known for services such as protection against DDoS attacks and more. They also have a free DNS service capable of filtering various threats, and pornography as well; by the way, I made a separate piece about it.

How it works

We point our domain's DNS at Cloudflare's name servers. This way, all DNS records and certificates are handled by Cloudflare for us. Then, on the machine where we have the service we want to expose to the public, such as TrueNAS or another server, we install a small application (service, daemon, the name doesn't matter). This application opens an outbound, encrypted tunnel dedicated to us to Cloudflare's servers.

This gives Cloudflare's servers direct access to our service without the need for a dedicated or even a fixed IP.
After the configuration is done, if we want to access, for example, our Nextcloud from the Internet, our browser connects to a Cloudflare server, which, through the created tunnel, reaches our server hidden deep, deep in the basement with our files and serves the requested files. All this with a valid certificate. A beautiful thing. What could go wrong?

Security of the solution

Well, something can go wrong, and more than one thing.
How much depends on the administrator's level of paranoia and on the importance of what we are trying to make public (or hide, depending on how you look at it).
Remember that in this situation Cloudflare in practice becomes our reverse proxy and has direct access to the processed data. True, the transmission is TLS-encrypted, but the encryption is between the user's device and the Cloudflare server, which has to decrypt the data and forward it to our server.

In practice, we install a man-in-the-middle ourselves. I bring this up not to discourage use of the service, just so that all the pros and cons are considered. It means we must assume in advance that Cloudflare is honest and follows good practices. In addition, the Cloudflare connector installed in our network gives access to ALL the resources of our network reachable from the server on which it is installed. This is a useful functionality, as I'll show in the lab, but also a huge danger. In practice, whoever takes over our Cloudflare account can expose to the world any service the server running the connector can reach, be it some administrative panel or our router's panel.
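
As an added example (not configuration from the original post), here is a minimal `cloudflared` config.yml for the setup described above: exactly one public hostname is routed to Nextcloud on the tunnel host, and the required last rule answers everything else with 404, so the connector does not become a door to every other service the host can reach. The hostname, port, file paths and tunnel ID are placeholders.

```yaml
# /etc/cloudflared/config.yml
# Added example: the hostname, port, paths and tunnel UUID below are
# placeholders, not values from the original post.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # The only thing we actually want reachable from the Internet: Nextcloud,
  # listening on the loopback interface of the machine running cloudflared.
  - hostname: nextcloud.example.com
    service: http://127.0.0.1:8080

  # Catch-all rule; cloudflared refuses to start without one. Every request
  # that does not match a hostname above gets a 404 from cloudflared itself.
  # Do NOT put a broad rule such as `service: http://192.168.1.1` here:
  # that is exactly how the router panel mentioned above ends up published.
  - service: http_status:404
```

Run `cloudflared tunnel ingress validate` against the file before starting the connector; it reports rules that are unreachable or missing the catch-all.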

This leads to at least two obvious conclusions. First, always use two-factor authentication to log in, and not just to Cloudflare. Second, we must not neglect security on our internal networks either. A further threat is that someone could steal our tunnel token and serve their content in place of ours, but that would probably come to light quickly.

That last bit revealed my paranoia a little, because I still think it's a cool service and worth using, especially for small projects.

Among the advantages worth mentioning is the ability to authorize access to a service that is available to the public: for example, access only for users who have an email in a specific domain or who come from a specific IP, plus a few other options I will also show. I may have mentioned mostly disadvantages, so for a summary of advantages and disadvantages I invite you to the end of the material.

Summary

In short words, the solution:

+ no need for a public IP

+ no need to configure firewalls, networks, routers

+ free automatic SSL certificate

+ protection against DDoS attacks and more

+ possible access authorization

+ simplicity of configuration

+ free in smaller projects

 

- no information in our logs about the actual users

- risk of access to our network

 

And if the service is really critical, then the question is whether we should expose it publicly at all.

If you would like to learn more about TrueNAS, write to us. We will tell you how it works and why it is worth it.