this post was submitted on 23 Dec 2025
73 points (94.0% liked)

Selfhosted


I'm using CloudFlare to hide my home IP and to reduce traffic from clankers. However, I'm using the free tier, so how am I the product? What am I sacrificing? Is there another way to do the above without selling my digital soul?

[–] dugmeup@lemmynsfw.com 22 points 3 days ago (1 children)

The simple answer is twofold

  1. Their attack surface is massive. By getting all this data from millions of devices they are fantastic at detecting and finding solutions for zero day attacks. This is a big selling point for enterprise who care about zero day a whole lot

  2. The free tier also being used by IT tinkerers means that when the question is asked "what X should we use? What have you used before?", CloudFlare is head and shoulders above the rest. This is why Microsoft allowed a lot of the world to pirate their OS.

[–] irmadlad@lemmy.world 2 points 2 days ago

This is why Microsoft allowed a lot of world to pirate their OS.

Microsoft actually took a unique approach to piracy. In a lot of lesser developed countries in the past, users were 'allowed' to use pirated copies. There used to be a running joke that the Israelis ran their country on a single license of MS. How true that is remains to be seen. So, while companies bristle in public about piracy, it is indeed a topic of discussion in the board room and is often a part of their loss leader strategies.

Cloudflare is kind of the same thing. I can tell you that even though I realize a large portion of the user base here are anti-Cloudflare, and while there are definite pros and cons one needs to understand before using their services, and even though I know there are other ways to skin the cat... even on the free tier side, I am more apt to recommend that which works well for me.

[–] False@lemmy.world 70 points 4 days ago

This is basically "the first hit is free"

[–] zorro@lemmy.world 63 points 4 days ago (1 children)

It costs cloudflare basically nothing to host free customers (if you start to push real traffic you will get an instant call from sales). By being a free customer you are basically a guinea pig for all new features as they are rolled out globally.

[–] early_riser@lemmy.world 4 points 4 days ago (1 children)

How much traffic before the sales team comes knocking?

[–] mesamunefire@piefed.social 23 points 4 days ago

They have an upper limit. https://developers.cloudflare.com/workers/platform/limits/

A couple of my products went WAAAY above that and you essentially have to get a quick standard plan. If you have this problem, congrats, you are probably doing something really well or really bad!

They are not as bad as, say, AWS / Azure's offerings when it comes to billing. Arguably, there's a reason they are still around when there are other tools that do similar things. It used to be the most solid part of the infra. Nowadays... for some reason it's going down quite often. And not just the world-wide issues that everyone else is seeing. We have a product that CANNOT go down and cloudflare has been responsible for a couple of big issues, which is really unfortunate. It's still the best "work" service for what they do, but I don't have any of my personal infra connected.

[–] Netrunner@programming.dev 12 points 3 days ago (1 children)

All these answers are wrong. If you use cloudflare you're giving them all your data unencrypted as that's how reverse proxying for them works.

[–] KairuByte@lemmy.dbzer0.com 1 points 1 day ago

I mean, in certain circumstances sure. But all it would take is a whisper of proof that they abused this position to destroy their business model.

[–] monkeyman512@lemmy.world 24 points 3 days ago (1 children)

I am no expert, so grains of salt and such. But my assumption is that it's a marketing expense. They get a lot of people familiar with Cloudflare services and some of them later need a professional level solution. So people use what they are already familiar with. This is the same reason why tech companies provide hardware/software to schools for cheap/free.

[–] Marthirial@lemmy.world 3 points 3 days ago

Developers, like me, use the free tier for staging and testing, and then when the project is deployed to production, I set up a paid account for the client.

I also use their domain registrar and sometimes buy CDN bandwidth in complex setups.

[–] ptz@dubvee.org 23 points 4 days ago* (last edited 4 days ago) (4 children)

I have never used it, so take this with a grain of salt, but last I read, with the free tier, you could not secure traffic between yourself and Cloudflare with your own certs which implies they can decrypt and read that traffic. What, if anything, they do with that capability I do not know. I just do not trust my hosted assets to be secured with certs/keys I do not control.

There are other things CF can do (bot detection, DDoS protection, etc), but if you just want to avoid exposing your home IP, a cheap VPS running Nginx can work the same way as a CF tunnel. Set up WireGuard on the VPS and have your backend servers in Nginx connect to your home assets via that. If the VPS is the "server" side of the WG tunnel, you don't have to open any local ports in your router at all. I've been doing that, originally with OpenVPN, since before CF tunnels were ever offered as a service.

Edit: You don't even need WG, really. If you set up a persistent SSH tunnel and forward / bind a port to your VPS, you can tunnel the traffic over that.

[–] Auli@lemmy.ca 13 points 3 days ago

I don't get this whole "expose my IP" thing. It's not a secret and people are scanning it whether you have a port open or not. The whole IPv4 range is constantly being scanned.

[–] HelloRoot@lemy.lol 4 points 4 days ago (4 children)

I have the same setup but using frp which stands for fast reverse proxy.

The term VPN is pure marketing bs. What is called VPN today used to be called Proxy Server.

I've also heard good things about using Pangolin for the same setup.

[–] melmi@lemmy.blahaj.zone 8 points 4 days ago (7 children)

VPN and proxy server refer to different things. There's lots of marketing BS around VPNs but that doesn't make the term itself BS, they're different and it's relevant when you're talking about networking.

[–] rexbron@lemmy.ca 3 points 3 days ago

Good luck I’m behind nine proxies!

[–] ptz@dubvee.org 3 points 4 days ago (1 children)

I used to use HAProxy but switched to Nginx so I could add the modsecurity module and run WAF services. I still use HAProxy for some things, though.

[–] HelloRoot@lemy.lol 2 points 4 days ago* (last edited 4 days ago) (1 children)

Oh I forgot to say: I have crowdsec on the VPS in front of frp and traefik on the server at my home, where I add all the modules I want.

frp just pipes all the packets through transparently.

But yeah, same thing, should work the same and there are dozens of ways to set that all up.

[–] ptz@dubvee.org 2 points 4 days ago (1 children)

I've been looking into crowdsec for ages now and still haven't gotten around to even a test deployment. One of these days, lol, and I'll get around to it.

[–] HelloRoot@lemy.lol 2 points 4 days ago* (last edited 4 days ago) (1 children)

It's pretty neat and I feel like there is a clear value exchange for both parties in the free tier, so less shady than cloudflare.

[–] Auli@lemmy.ca 1 points 3 days ago

Don't see an issue yet even though they are crowdsourcing their list generation. At least they are giving you something for it or you can take it. But if you do you get smaller lists.

[–] Buelldozer@lemmy.today 2 points 3 days ago* (last edited 3 days ago) (1 children)

The term VPN is pure marketing bs. What is called VPN today used to be called Proxy Server.

Perhaps if you are only talking about the consumer level stuff advertised on TV. Otherwise I can assure you that "Virtual Private Networks" are a real thing that have absolutely nothing to do with Proxy Servers.

On down the comment chain you mention "...our computers would not see each other and would not be able to connect to each other via that service. " as some kind of test of whether a thing is a VPN or Proxy Service but what you're missing is that this is a completely common and advisable configuration for companies. In fact Zero Trust essentially demands configurations like this. When Bob from Marketing fires up his VPN to the Corporate Office he doesn't need access to every server and desktop there nor does his laptop need to be able to access the laptops of other VPN users. They get access to what they need and nothing more.

Hell the ability to access the internet via the tunnel, called Split Tunneling, is also controllable.

It's that ability to control where the tunnel terminates that allows consumer VPNs, like Proton, to be used the way they are.

So while private individuals absolutely do use VPNs as an ersatz replacement for Proxy Servers they are nowhere near the whole use case for VPNs.

[–] HelloRoot@lemy.lol 1 points 3 days ago* (last edited 3 days ago)

Hell the ability to access the internet via the tunnel, called Split Tunneling, is also controllable.

It’s that ability to control where the tunnel terminates that allows consumer VPNs, like Proton, to be used the way they are.

You can do the same split tunneling via proxy servers.

while private individuals absolutely do use VPNs as an ersatz replacement for Proxy Servers they are nowhere near the whole use case for VPNs.

I agree. That also means that for certain usecases they are equivalent. It's sometimes worth checking all options to find the best one for that specific case.

[–] obviouspornalt@lemmynsfw.com 4 points 4 days ago* (last edited 4 days ago) (2 children)

I'm using my own LetsEncrypt certs for TLS with cloudflare free. I too wonder how I'm the product in this scenario.

I always assumed it was a loss leader play: the more selfhost type people are using cloudflare at home, the more likely they are to recommend and implement it at work, on a paid tier.

[–] Buelldozer@lemmy.today 1 points 3 days ago

Cloudflare has a ton of services in their "free" tier and there's a lot of confusion in here because people toss around "Cloudflare" without specifying which service they are actually talking about.

If you are using Cloudflared (notice the d) with your own LE Cert then you are probably fine.

[–] K3can@lemmy.radio 1 points 3 days ago* (last edited 3 days ago) (1 children)

Are you using their proxy or just DNS?

If you have the little orange cloud (proxy) on your DNS entry, go to your public facing webpage and examine the cert. Chances are it's not what you think it is.

[–] cole@lemdro.id 1 points 3 days ago* (last edited 3 days ago) (1 children)

It is exactly what I think it is. You can use your own certs.

[–] K3can@lemmy.radio 1 points 2 days ago* (last edited 2 days ago)

Typically on their free accounts they use your cert for communication between them and you, and use a cert they issue for communication between them and everyone else.

User -> CF cert -> CF -> your cert -> your server.

That's why I suggested examining the cert on your external facing page.

Regardless, one way or the other, they need to be able to decrypt your data in order to apply their services (WAF, etc).

Unless, again, you're just using DNS (grey cloud).
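A way to run the check K3can describes above, as an added example that is not from the thread or from Cloudflare: fetch the leaf certificate a hostname presents to the public, fingerprint it, and compare it with the certificate file on your origin; the hostname, file path and PEM samples are constructed placeholders, and only the Python standard library is used.

```python
"""Compare the certificate the public sees with the one installed on your origin.

If the leaf certificate presented for a proxied hostname is not the one on
your origin, TLS is terminated in front of you and the proxy can read the
plaintext before re-encrypting it towards your server.
"""
import base64
import hashlib
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

SAME = "origin certificate reaches the client: no TLS termination in between"
DIFFERENT = "different leaf certificate: TLS is terminated in front of your origin"


def first_cert(pem: str) -> str:
    """Return only the first certificate block of a PEM file.

    A Let's Encrypt fullchain.pem holds the leaf followed by intermediates;
    the leaf is the one to compare, so everything after its END marker is dropped.
    """
    start = pem.index(PEM_BEGIN)
    end = pem.index(PEM_END, start) + len(PEM_END)
    return pem[start:end] + "\n"


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER form of the first certificate in pem."""
    der = ssl.PEM_cert_to_DER_cert(first_cert(pem))
    return hashlib.sha256(der).hexdigest()


def classify(public_fp: str, origin_fp: str) -> str:
    """Interpret the comparison from the origin operator's point of view."""
    return SAME if public_fp == origin_fp else DIFFERENT


def fetch_public_cert(hostname: str, port: int = 443) -> str:
    """PEM leaf certificate presented to any client that connects to hostname."""
    return ssl.get_server_certificate((hostname, port))


def check_origin(hostname: str, origin_pem_path: str) -> str:
    """Compare the publicly presented leaf with the certificate on disk."""
    with open(origin_pem_path, encoding="ascii") as f:
        origin_fp = cert_fingerprint(f.read())
    return classify(cert_fingerprint(fetch_public_cert(hostname)), origin_fp)


def constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM markers: a constructed stand-in, not a real cert."""
    body = base64.b64encode(payload).decode("ascii")
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


# Constructed samples standing in for the origin's own leaf and a proxy-issued leaf.
SAMPLE_ORIGIN_PEM = constructed_pem(b"constructed origin leaf")
SAMPLE_PROXY_PEM = constructed_pem(b"constructed proxy-issued leaf")

if __name__ == "__main__":
    # Usage: python check_origin_cert.py example.invalid /path/to/origin/fullchain.pem
    print(check_origin(sys.argv[1], sys.argv[2]))
```

Run it against the hostname behind the orange cloud and against the grey-cloud (DNS only) hostname to see the difference for yourself.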

[–] early_riser@lemmy.world 1 points 4 days ago (3 children)

In my experience even a site with low legitimate traffic will eventually buckle under the torrent of bots and scrapers if it's up long enough to get indexed by search engines, so the longer my stuff is out there the more I anticipate I will need DDoS protection.

[–] ptz@dubvee.org 5 points 4 days ago* (last edited 4 days ago) (1 children)

I've got bot detection set up in Nginx on my VPS which used to return 444 (Nginx for "close the connection and waste no more resources processing it"), but I recently started piping that traffic to Nepenthes to return gibberish data for them to train on.

I documented a rough guide in the comment here. Of relevance to you are the two .conf files at the bottom. In the deny-disallowed.conf, change the line for return 301 ... to return 444

I also utilize firewall and fail2ban in the VPS to block bad actors, overly-aggressive scrapers, password brute forces, etc and the link between the VPS and my homelab equipment never sees that traffic.

In the case of a DDoS, I've done the following:

  • Enable aggressive rate limits in Nginx (it may be slow for everyone but it's still up)
  • Just stop either Wireguard or Nginx on the VPS until the storm blows over. (Crude but useful to avoid any bandwidth overages if you're charged for inbound traffic).

Granted, I'm not running anything mission-critical, just some services for friends and family, so I can deal with a little downtime.

[–] mesamunefire@piefed.social 4 points 4 days ago (1 children)

I have something similar with fail2ban + hidden buttons. If the requester goes and clicks on the hidden buttons on the main site, it gets into a rabbit hole. After 3 requests, it gets banned for a bit. Usually stops the worst offenders. OpenAI and some of the scrapers are the worst.

Google/bing, I do actually see them hit robots.txt then jump off, which is what they should be doing.

[–] ptz@dubvee.org 1 points 4 days ago* (last edited 4 days ago) (1 children)

Oooooh. That's smart. I mostly host apps, but in theory, I should be able to dynamically modify the response body and tack on some HTML for a hidden button and do that.

I used to disallow everything in robots.txt but the worst crawlers just ignored it. Now my robots.txt says all are welcome and every bot gets shunted to the tarpit 😈

[–] mesamunefire@piefed.social 1 points 4 days ago (1 children)

Nice! Thats another way to do it. 😀

I know others use Arabis(?) I think that's what it's called. The anime girl one that does a calc on top. I've never had good luck with it. I think bots are using something to get around it and it messes with my requests. Might also be my own fiddling.

[–] FrostyPolicy@suppo.fi 2 points 4 days ago (1 children)

I know others use Arabis(?) I think that's what it's called.

You probably mean Anubis.

[–] mesamunefire@piefed.social 1 points 4 days ago
[–] atzanteol@sh.itjust.works 4 points 4 days ago* (last edited 4 days ago)

I've run a publicly accessible low-legitimate-traffic website that has been indexed by Google and others from my home network for >20 years without anything buckling so far. I don't even have a great connection (30mbps upstream).

Maybe I'm just lucky?

[–] K3can@lemmy.radio 1 points 3 days ago

Consider what a DDOS attack looks like to Cloudflare, then consider what your home server can actually handle.

There's likely a very large gap between those two points.

For me, my server will start to suffer long before traffic reaches the level of a modern DDOS attack.

[–] Auli@twit.social 19 points 3 days ago* (last edited 3 days ago) (1 children)

@early_riser they can see all of your data going over it. They terminate the connection at their end. So data collection if nothing else. And yah what are they going to collect is the same thing people said about Google.

data is king and the more they have the more they can go through it and see patterns.

[–] irmadlad@lemmy.world 5 points 3 days ago (1 children)

I’m an expert at nothing, however, the following is how I understand the relationship between your origin server and Cloudflare Tunnels/Zero Trust services. I stand by to be schooled:

  • Traffic between your origin server and Cloudflare's edge is always encrypted (with outbound-only connections via the cloudflared daemon). That protects against eavesdropping on the wire between your origin server and Cloudflare.
  • Traffic between end users/clients and Cloudflare's edge is encrypted (via HTTPS/TLS).
  • However, Cloudflare acts as a proxy, similar to a reverse proxy. For standard HTTP/HTTPS services, Cloudflare terminates TLS and decrypts at their edge to apply features like WAF, DDoS protection, caching, or Zero Trust policies. They then re-encrypt and forward the traffic to your origin server. This means Cloudflare can see the plaintext content of your traffic in transit through their network.
  • If you expose non-HTTP protocols that are end-to-end encrypted by design (e.g., SSH, RDP, or VPN protocols like WG/OVPN), and you tunnel them through Cloudflare Tunnel without Cloudflare terminating the encryption, the application-layer data remains encrypted end to end. Cloudflare only sees encrypted blobs which they can't decrypt without the keys.
  • Utilizing Tailscale on the origin server creates a mesh VPN using WG. It encrypts all traffic directly between devices, P2P when possible, or via encrypted relays. Your data is encrypted on the source device and only decrypted on the destination device. Neither Tailscale's coordination servers nor Cloudflare can decrypt it.

If this is inaccurate, please do ELI5. I'm always down to learn.

[–] boonhet@sopuli.xyz 2 points 3 days ago (1 children)

Pretty sure you can choose to decrypt on your own server so cloudflare doesn't see unencrypted data ever.

[–] irmadlad@lemmy.world 3 points 3 days ago

Indeed you can. When a user makes a request, it is sent to Cloudflare, which then routes it to your server through the tunnel. The traffic can be encrypted while in transit to Cloudflare, ensuring that their network does not inspect or decrypt the contents. Once the encrypted traffic reaches your server, you handle decryption using your own application logic. Only your server has the keys to decrypt the data, so Cloudflare remains blind to any sensitive information.

[–] irmadlad@lemmy.world 11 points 3 days ago

In what way am I the product when using CloudFlare's free tier?

I realize the name of the game is to protect as much of your data as possible, however, unless you have your own ISP/backbone, you are, at some point, the product. I utilize the evil Cloudflare Tunnels/Zero Trust. For last month, I used 375.28 GiB. I don't run the 'arr stack though. I do, however, stream my own audio collection via Navidrome. I have had zero issues with the evil Cloudflare Tunnels/Zero Trust, except for a brief pause while Cloudflare had some issues last month. Other than that, smooth sailing. I also have tailscale as an overlay on the server and on the stand-alone pfsense firewall, which has a very robust set of rules and heavy filtering going on.

Is there another way

There are always other ways. Pangolin, et al. It just depends on you, and what you want to put in to get out of it all. If you are going this route, investigate a WAF like Crowdsec, or similar, and you might want to look at pfsense or opnsense.

[–] architekt@lemmy.ml 3 points 3 days ago

An alternative would be to install Pangolin on a small v-server

[–] just_another_person@lemmy.world 12 points 4 days ago* (last edited 4 days ago)

You're using a service that is proxying your data. They can read all of it.

If you don't care, then good for you. You're still the product as being a user because whatever you happen to be serving may eventually become interesting to them.

If not, no harm done. It costs pennies to host a 24/7 load balanced reverse proxy. You just can't do it yourself.

[–] Lumidaub@feddit.org 9 points 4 days ago* (last edited 4 days ago)

If nothing else, it's "look at all these people using our services, that's proof we're awesome, even on the free tier, so imagine what you'll get if you pay us!" ¯\_(°_o)_/¯
