I do agree, they should use the same address space for ingress and egress. Though tunnels I would hope would be immune, but perhaps not.

Do you have the examples of this so I can take a look? Was it ports forwarded that were opened to all cloudflare ranges, or tunnels and a backend exploit?

That’s both a really honest answer and a good reason to use it depending on the person. Nice work.

Try to not run containers as root?

I admit there is a level of trust needed in cloudflare, but I also need to trust the container makers, and the hardware manufacturers as well. I use cloudflare with O365 and jumpcloud for my auth sources and I’ve been thrilled. Different policies by subdomain, works great.

Honestly my load is so light I don’t bother monitoring performance. Uptime kuma for uptime, I used to use prtg and uptime robot when I ran a heavier stack before I switched to an all docker workload.

Yeah, might be for the best.

Do you have any auth in cloudflare? If so, that mitigates a lot of zero-days. First they have to get past cloudflare, then a zero-day in your nginx.