💾 Archived View for dioskouroi.xyz › thread › 29382906 captured on 2021-11-30 at 20:18:30. Gemini links have been rewritten to link to archived content

Setting Up Cloudflare Argo and Access on a Raspberry Pi

Author: erdaltoprak

Score: 74

Comments: 19

Date: 2021-11-29 17:59:34

________________________________________________________________________________

stavros wrote at 2021-11-29 18:39:02:

(This post should read "Argo tunnel" instead of just "Argo")

I did the same to enable secure access to services via SSO at work. I used Harbormaster[1] to deploy Compose files, but it's otherwise the same setup.

One of the big advantages this has is that the services can't be accessed any other way (not even from the same host, as they only listen inside the Docker network). That makes it hard to forget some port exposed because you listened on 0.0.0.0 instead of localhost.

Cloudflare Access is very easy to set up SSO with, as well. I'd recommend this setup if you need it, though for home usage I usually just set up Caddy as a reverse proxy with basic auth, as I'll be the only person using this and I don't want Cloudflare MITMing my personal stuff.

[1]:

https://gitlab.com/stavros/harbormaster
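
One way to realise the "only reachable through the tunnel" property described above, as an added shell example that is neither stavros's Harbormaster setup nor the article's files; the image name, hostname and tunnel id are placeholders:

```shell
#!/bin/sh
# Added example (not from stavros's Harbormaster setup or the article):
# generates a minimal Compose stack in which the app is reachable only
# through cloudflared, then checks that no service publishes a host port.
# Image name, hostname and tunnel id are placeholders.
set -eu

write_stack() {  # write_stack <dir>
    mkdir -p "$1/cloudflared"
    # No "ports:" on the app: it listens only on the Compose network, and
    # cloudflared (reaching it by service name) is the only outward path.
    cat > "$1/docker-compose.yml" <<'EOF'
services:
  app:
    image: example/app:latest
    expose: ["8080"]
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    volumes:
      - ./cloudflared:/etc/cloudflared:ro
    depends_on: [app]
EOF
    # Ingress: route the public hostname to the app container; the final
    # catch-all rule is required by cloudflared.
    cat > "$1/cloudflared/config.yml" <<'EOF'
tunnel: <TUNNEL-UUID-PLACEHOLDER>
credentials-file: /etc/cloudflared/<TUNNEL-UUID-PLACEHOLDER>.json
ingress:
  - hostname: app.example.com
    service: http://app:8080
  - service: http_status:404
EOF
}

# Guard for CI or a pre-deploy hook: count services that map a host port,
# which would bypass the tunnel (and Cloudflare Access in front of it).
published_port_count() {  # published_port_count <compose-file>
    grep -cE '^[[:space:]]+ports:' "$1" || true
}

check_no_published_ports() {  # exit 0 only when nothing is published
    [ "$(published_port_count "$1")" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    write_stack "$1"
    check_no_published_ports "$1/docker-compose.yml" && echo "ok: no host ports published"
fi
```

Run it with a target directory to generate the stack; the check function can be reused on any existing Compose file before deploying.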

graton wrote at 2021-11-29 20:26:33:

Actually I think it should just say "Cloudflare Tunnel"

From:

https://blog.cloudflare.com/tunnel-for-everyone/

As part of that change (and to reduce confusion), we’re also renaming the product to Cloudflare Tunnel.

anderspitman wrote at 2021-11-29 20:40:59:

Cloudflare Tunnel (the service used here) is my current recommendation for most people when it comes to tunneling. Nobody wants to pay for tunnels, and it's the best loss-leader product offered by a reputable company that I'm aware of. The DNS integration is particularly nice.

My only concern is if it gets popular enough that a lot of self-hosters start using it for things like Plex and Jellyfin, which I believe is against Cloudflare's TOS, they might crack down on that.

If you prefer a self-hosted tunneling system, I maintain a list here:

https://github.com/anderspitman/awesome-tunneling

jgrahamc wrote at 2021-11-29 18:45:12:

A related cool thing you can do with Cloudflare and a Raspberry Pi:

https://blog.cloudflare.com/ssh-raspberry-pi-400-cloudflare-...

(browser-based SSH to a machine connected using Argo Tunnel).

ericcholis wrote at 2021-11-29 18:48:14:

Another nice alternative is Tailscale.

easton wrote at 2021-11-29 18:59:21:

I use ZeroTier for this too, although Tailscale would work just as well. To avoid port forwarding out of my local network (irrational fears), I have a $5 droplet running Pomerium (a SSO proxy, similar to self-hosted Cloudflare Access) and it sits on my ZeroTier network along with the boxes at my house, proxying requests (once they are authenticated) through ZeroTier to the boxes on the private network.

It works very well. Pomerium is easy-ish to configure (especially because it takes care of certs for you), and I can log into stuff on my LAN without having to boot up the ZeroTier client which takes a minute to connect on iOS (or from devices that don't have ZeroTier installed). I would've used Cloudflare Access + Argo Tunnel, but at the time they were still charging for tunneled bandwidth (like $10/GB or something outrageous), so this ended up cheaper.

CKMo wrote at 2021-11-29 23:53:16:

Hi there! Pomerium team member here. We are very glad to hear Pomerium is working well for you and that it was easy-ish to set up.

Could you share more with the team and community so we can improve the setup experience for other users going into the future?

Our Slack here!

https://slack.pomerium.io/

Or join Discuss and document your thoughts for other users here!

https://discuss.pomerium.com/

cyounkins wrote at 2021-11-29 20:41:00:

A major difference is that with Tailscale every visitor must install a client. The article's solution should be fully browser-based.

cyounkins wrote at 2021-11-29 20:37:35:

Cool! I currently do a self-hosted version using nginx, certbot, and vouch-proxy [1]. Nginx checks with vouch for every HTTP request and redirects to Google for SSO if unauthenticated. It works well for humans in browsers, but not so much for robots. I'm sure I could configure nginx to do token-based auth, just haven't had the need.

[1]

https://github.com/vouch/vouch-proxy

erulabs wrote at 2021-11-29 20:18:54:

So good to see so many home-hosting posts on HN lately! If you're using Kubernetes at home, we bundle all of this up (remote access, web-forwarding) as part of our service at

https://kubesail.com

V41frQo1SccpfHI wrote at 2021-11-29 20:59:15:

What's the function of "gluetun" in this setup? Would the VPN tunnel then also run via Cloudflare Tunnel?

erdaltoprak wrote at 2021-11-29 21:20:47:

Hi,

Gluetun has no link to the actual tunnel setup, but since many people seemed to struggle with a VPN container I just used that as a bonus example!

systemvoltage wrote at 2021-11-29 20:22:45:

I wonder if this would work to self-host on a crusty old T480 with a broken screen? Can Argo tunnel be used sort of like a dyndns? Although my Google Fiber connection at home has had the same IP, in order to get a static IP I need to get a Google Fiber Business connection, which is 2.5 times more expensive.

anderspitman wrote at 2021-11-29 20:36:49:

Yep, it should work great. If you have the expertise and inclination to set up port forwarding and dyndns, you'll get better performance with that, but IMO tunneling is the best solution for self-hosting for most people until IPv6 takes over.

systemvoltage wrote at 2021-11-29 20:53:39:

I do have a firewall at home and I can open up a port and forward that to the laptop. Just that I don't want to spend money on DynDNS services and was trying to find a free solution. Thanks for confirming!

Self-hosting is so _so cool_. Nothing more satisfying than hosting your own website from scrappy ol' equipment :-)

arnado wrote at 2021-11-29 21:12:34:

I used namecheap to register my domain, and they have an option for dynamic DNS without ongoing fees (besides domain fees, I guess). I would be surprised if other registrars didn't have something similar.

https://www.namecheap.com/support/knowledgebase/article.aspx...

andreasha wrote at 2021-11-29 21:19:33:

There are free DynDNS services, for example DuckDNS:

https://www.duckdns.org/

You could also get a domain name and make a simple cron job to update your DNS. Works with many DNS registrars like Cloudflare.
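
The cron-job approach above, as an added shell example that is not part of the thread: it assumes the zone is on Cloudflare, an API token scoped to DNS edits, and the zone and record ids in environment variables (the IP echo service and hostname are placeholders):

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven dynamic DNS updater for a
# zone hosted on Cloudflare. Assumes env vars CF_API_TOKEN (DNS edit scope),
# CF_ZONE_ID and CF_RECORD_ID, plus a state file with the last pushed IP.
set -eu

CF_API="https://api.cloudflare.com/client/v4"
STATE_FILE="${STATE_FILE:-${HOME:-/tmp}/.cf-dyndns-last-ip}"

# Current public IPv4 (network call; any plain-text echo-ip service works).
public_ip() {
    curl -fsS https://api.ipify.org
}

# Accept only a dotted quad so a bad or tampered response never lands in DNS.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# JSON body for PUT /zones/{zone}/dns_records/{record}. A short TTL limits how
# long a stale address is served; proxied=false publishes the real IP.
cf_payload() {  # cf_payload <hostname> <ip>
    printf '{"type":"A","name":"%s","content":"%s","ttl":120,"proxied":false}' "$1" "$2"
}

# True when the IP differs from the one recorded at the last successful push,
# so cron can run every few minutes without hammering the API.
ip_changed() {
    [ ! -f "$STATE_FILE" ] || [ "$(cat "$STATE_FILE")" != "$1" ]
}

push_record() {  # push_record <hostname> <ip>
    curl -fsS -X PUT "$CF_API/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$(cf_payload "$1" "$2")" >/dev/null
}

main() {  # crontab: */5 * * * * /usr/local/bin/cf-dyndns.sh home.example.com
    ip=$(public_ip)
    valid_ipv4 "$ip" || { echo "unexpected IP response: $ip" >&2; exit 1; }
    if ip_changed "$ip"; then
        push_record "$1" "$ip"
        printf '%s' "$ip" > "$STATE_FILE"
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The state file is only written after a successful push, so a failed API call is retried on the next cron run.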

crtasm wrote at 2021-11-29 21:31:48:

Another example:

https://freedns.afraid.org/

They generate you a line to drop in cron for automatic updates.

mobilio wrote at 2021-11-29 20:35:01:

Yes, it will work.