Use a reputable self-hosted VPN, for example https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/ (Trail of Bits is one of the top auditor/security company)

I use tailscale and nginxproxymanager to do this. It was like 4 command

This type of tool is interesting, and provides some of the functionality that Cloudflare Tunnel does, but with frp, a vulnerability in your app (or its login screen) could be more easily exploited since you don’t have the traffic protection features that Cloudflare provides, right? Maybe combining this with fail2ban (or is there another similar self-hosted tool) would not only act as a proxy but also help protect your app to a degree like Cloudflare does?

Personally, when I used to route my home services through a VPS- I used a simple VPN tunnel from my VPS to my home network, which my home router would establish (dynamic IP).

From there, my firewall dictated what was actually allowed to enter through the tunnel… and the reverse proxy, did its thing.

This is just the kind of tool to get me back to this

I just use a vpn

With Cloudflare Tunnels, if you disable TLS decryption, use Full or Full (strict), and verify that the certificate in your browser is yours and not Cloudflare’s certificate, wouldn’t that mean that the SSL is unbroken from your server to the browser? Or can these options not be used with Cloudflare Tunnels?

I use this for all my services that need to be accessible from the outside world… For my private services I use tailscale + headscale

Well, pretty much any type of tunneling software such as Tailscale or Wireguard will achieve the same, you just need to change a bit where your components are located.

What I personally do is have swag proxy on the VPS with crowdsec and authelia, this redirects the traffic to the internal wireguard/tailscale mesh network to the specific service requested.

If you are the only user of the services, create a tailscale or a netmaker; Not sure about tailscale but in Netmaker (wireguard based) you can choose to have your VPS as the relay host.

It does the same as haproxy but haproxy is better

I use a SSH tunnel. Doesn’t need more then a barebones VPS running with OpenSSH.

What recent thread about trust Cloudflare?

Tunnel needs a client software, it’s higher risk, larger attack surface than normal http reverse proxy.

The Cloudflare tunnel feature is part of its zero-trust product. It make sense if you are capable of audit the client source code. If you trust the client as you trust nginx reverse proxy software, tunnel is safer.

Regular free Cloudflare proxy include basic WAF, it is more useful than selfhosted VPS reverse proxy or fail2ban. These commercial services learn attack patterns much earlier.

My homelab exposed services all have real HTTPS certs behind Cloudflare. My service is configured trust Cloudflare origin only so attackers cannot bypass WAF. This is also the same setup my workplace setup to protect multi-million transactions.

If the tunnel is used not for security reason, but bypass CGNAT, it’s at least not worse than selfhosted reverse proxy.

Frp is a pretty cool tool, I mostly use Tailscale with a Reverse Proxy on a VPS for my remote access, but I tunnel my Minecraft Servers using frp, since it’s lower latency and more stable than Tailscale. For Websites I couldn’t notice a difference, and Tailscale + Caddy worked easier for me than frp

I’m assuming the benefit over say Caddy + Authelia is that you don’t need to open any local ports such as 80 and 443?

Isn’t cloudflare tunnel a reverse proxy too?