- Omer ATAGUN
If you were around in tech back in the early 2000s, everybody wanted to host their game server alongside a web server. You had to open ports on your router, forward them to the right TCP listener on your computer (web server, game server, etc.) and expose it to the internet. Yet this was never enough. DSL and many other connections had dynamic IP addresses: once your internet went down, which happened fairly often, your IP would change and your home server, with everything on it, would go dark.
These days the problem has gotten even bigger. ISPs figured out that they can sell static IP addresses to the customers who plan to run a business on them. Since IPv4 addresses are limited, things went wild.
Thanks to Cloudflare we now have a pretty easy home-server setup, rather than struggling with double NAT or dynamic IP addresses.
Let's talk about what reverse-ssh is and how Cloudflare handles this.
Let's take the scenario where you are behind nested NAT, which means you share one public IP address with a bunch of other people on the same network.
Say, figuratively, that your IP address is 18.104.22.168. Other connections (your neighbour etc.) share it. You are assigned a random port number, and the ISP's router keeps track of which port was assigned to whom; as an example, say you obtained port 3211 and your neighbour obtained port 33111.
Now, if you went into your router and tried to open port 80, that would mean nothing, because no network protocol on the outside could resolve it back to you. To illustrate, you would end up with an address like this
So now that we know this is a no-go, we move on to creating a reverse proxy. If we cannot get ourselves reached from the outside, we can make the connection from the inside.
We could connect to any computer that has a static IP and exposed ports, then channel the incoming connections over our own outbound connection. This way the actual server forwards the packets to our server. Here is the problem: to achieve this securely, we need a lot more than a simple ssh connection.
That's where Cloudflare kicks in to the jam.
Reverse proxy with Cloudflare ZeroTrust
As of the time I am writing this article, this service is free. It may change in the future, but I still see big potential in it, since it makes things so much easier.
Cloudflare provides the reverse-ssh style tunnel (the cloudflared connector) as a Docker image or a direct installation. Yes, that easy, without you worrying about any other configuration.
Wait, what? How does DNS then recognize this?
Once you set up your tunnel via Cloudflare, and assuming you have moved your domain's DNS to Cloudflare as well, Cloudflare will update your DNS records automatically and add a CNAME record that points your hostname at its tunnel network.
Let's go through how to achieve this.
Once you have logged in to your Cloudflare dashboard, click on the left menu
Zero Trust. On the new page in front of you, go to the left menu again and select
Access -> Tunnels, where you will find a button called
Give your tunnel a name.
Choose the environment you prefer; I personally use Docker on my home server, built from old parts that I no longer use. Specs are 16 GB DDR3 RAM, a 4th-generation i5 and a 128 GB SSD.
Once you have finished initiating your session with the Cloudflare tunnel, continue by editing your public hostname, give it HTTPS and click on
Additional application settings, where you can enable
No TLS Verify. This makes cloudflared skip certificate validation when it talks to your origin over HTTPS, so it is only needed when your origin serves a self-signed certificate; traffic between the visitor and Cloudflare's edge is unaffected.
You are pretty much done; you can tell the Cloudflare tunnel to look for a specific IP in your network and/or a particular port.
You can set up N tunnels to different ports and IPs in your network, but to me this is unbearable: every time I change any port or IP, I would have to go into each tunnel instance and update it accordingly.
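As an added example, not the author's own configuration, here is the locally-managed cloudflared config.yml equivalent of the dashboard steps above, with one tunnel serving several hostnames through ingress rules instead of one tunnel per service; the tunnel UUID, hostnames and internal addresses are made-up placeholders.

```yaml
# Constructed example: one cloudflared tunnel, several public hostnames.
# Same effect as the dashboard's "Public hostname" entries, kept in a file.
tunnel: 00000000-0000-0000-0000-000000000000            # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Blog: the origin speaks plain HTTP on the LAN. TLS towards the visitor is
  # terminated at Cloudflare's edge, so there is no origin certificate to check.
  - hostname: blog.example.com
    service: http://192.168.1.10:8080

  # Cloud: the origin has a self-signed certificate. This is the one case where
  # the dashboard's "No TLS Verify" is needed; it disables certificate checking
  # only on the hop between cloudflared and this origin.
  - hostname: cloud.example.com
    service: https://192.168.1.11:443
    originRequest:
      noTLSVerify: true

  # Backend: the origin has a valid certificate for its real name. Keep
  # verification on and tell cloudflared which name to expect in the cert.
  - hostname: api.example.com
    service: https://192.168.1.12:8443
    originRequest:
      originServerName: api.example.com

  # The catch-all rule is mandatory: any other hostname gets a 404.
  - service: http_status:404
```

Check the file with `cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate`, then start it with `cloudflared tunnel --config /etc/cloudflared/config.yml run`; changing a port or IP afterwards is a one-line edit here rather than a visit to each tunnel in the dashboard.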
So I have complemented this beautiful system with my favourite cluster management system, Rancher.
Use Rancher or Portainer to make it idiomatic
In one of my blog posts I have described how to install Rancher. Here is the Link.
Set up a Rancher cluster on your home server and forward all the domains or subdomains to the specific internal IP and port, so that you never need to do it again :)
This way, even if your internet connection or location changes, you can bring up your server and everything will work accordingly. Extending it further is up to your needs.
This pretty much sums up the logic behind our reverse proxy and using it cleverly to run a home server.
Note: I am using an LTE connection at my remote home, backed by a UPS (for power outages), and this blog, along with many other projects, is served from it: a backend server, a socket server, a CDN, my own cloud, etc.
Till next time, stay hydrated.