I would so love to meet this guy and be best friends with him and every time I watch his videos I feel so influenced to dive into technology more and more it’s crazy!
I would just love to have friends to nerd talk with. I work in IT and I am not even sure my colleagues know what Docker is. IT in my country is influenced too much by our education system that still teaches token ring, WIC-2A/S ports for data between routers. Even our vendors that deliver software/web solutions act confused if I ask them what programming languages they use, e.g. Python, Go, Rust, PHP, like they have not even heard of anything besides Visual Basic 2000. The closest I think I have is my engineer friends who are very up to date :) Sorry for the semi rant guys. Have a nice weekend :D
@christianlempa yes! I have Authelia set up and I cannot get it to work with anything other than the local domain setup. It does not work at all for the Cloudflare tunnel portion of the rule. :( If there is a suggestion on how to do that, I am all ears as I have been trying for about 2 days now.
Hey Christian, just wanted to point out that your zsh history prefiller may have leaked a production token. I'm sure you probably noticed and it's all good, but just wanted to let you know
Word of warning: Streaming video or serving a disproportionate amount of images is prohibited by Cloudflare. Watching your camera feeds will get your account terminated. It is actually somewhere in their Tunnels agreement.
@christianlempa No problem. I figured it out from a YouTube video about Blue Iris and how some people lost their accounts over that. I was about to put my Blue Iris there, but now I'd rather just go with a VPN I already have (Nord has an internal feature they call Meshnet).
CF Tunnel is what I'm using to expose my Matrix and Mastodon servers endpoint so they can federate. Otherwise I still prefer accessing stuff via Tailscale (which BTW recently added Tailscale Funnel). But Cloudflare is a different kind of beast if you want to combine Warp with Tunnel or Warp-to-Warp, but I digress 😃
Interesting video and the service is easy to set up but... even though the video is sponsored I think it would be fair to point out that according to the terms and conditions you MUST NOT use Cloudflare to upload videos and photos... it's not always clear until you get your account banned... I think it would have been fair to point out this fact :/
PERFECT Timing! I've been using CloudFlare tunnel on my server for a while, but decided to do a cleanup/consolidation on my Docker networks. Realized I had used the command line to set the tunnel up originally, but wanted to set up a stack in Portainer to handle future updates. Everything I need was in the tutorial (BTW - I think there might be a typo in the command to set up the token). THANKS!
Can't agree more, this is perfect timing! I just set up Docker and a Cloudflare tunnel for the first time on my home server. This guide has definitely shown me a few more things I'll want in my setup.
I have a question: do you know if with this tunnel (or another one) we can connect with the same IP but a different port? Ex: the Yacht app, like Portainer, because I always need to change the tunnel ip:port for access 😢. Ty
That's a great video. I am so excited for more videos about it, about RDP with Cloudflare or Access, please continue your good work. Could you do a video about authentication with Cloudflare Access and a self-hosted IAM like Authelia or Keycloak (if possible with a user-friendly UI 😅), or even an existing Active Directory server?
Great video! Can you do an in-depth video covering those settings in the cloudflare zero trust for exposing web application? How to allow mobile app api access while locking down web access.
Christian, can you make some recommendations regarding how to employ "authentication providers and other security measures" due to TLS terminating at CF? What specifically have you done to mitigate this risk? Thanks!
@cristian Thanks for the amazing guides. I would love to see you set up and configure Authentik with TrueNAS Scale; it seems there are no guides on this subject and it will be very popular as a replacement for Authelia, which is complex to set up and manage.
what if the self hosted setup includes both Træfik and Authelia? Is there something different to be done there? I can reach a simple Nginx container in the same network, but when I try to reach containers behind Træfik and Authelia, I cannot seem to reach them. Thanks for the great videos!
It would be nice to see a video about the authentication, because, for example, if I set up Nextcloud using the tunnel and I enable the one-time PIN authentication, then I am not sure if the Nextcloud mobile application would still connect to this Nextcloud instance, as the endpoint would be protected by the one-time PIN; probably the mobile app would fail to connect. Thanks for your comments.
Great video. Finding tunnels great for home use. I would like to enable more security, but can you think of a way to do this that still allows mobile apps (nextcloud) to access the tunnel? Would like to see a video about this.
Hey Christian, Thank you for the valuable insights you share on your RU-vid channel. I have a question: Is it possible to forgo Traefik's SSL termination mechanism and instead utilize Cloudflare's HTTPS termination service to manage our certificates? I'm curious about the advantages of integrating Traefik's DNS challenge with Cloudflare, especially when we have the option to enable Cloudflare's free SSL/TLS. Thanks.
Great videos! I have created a tunnel in the past for Plex, but recently when attempting to do so, I noticed that the localhost now ends with /web. Normally it's localhost:port, but now localhost:port/web to access Plex locally. Do you know how we can now tunnel with the /web, or even others that have /ui?
If I were to self-host a game server like "Project Zomboid" in a container on my Proxmox server, would Cloudflare Tunnel be a good option to secure my homelab? Or would something like this introduce too much latency? I have only ever seen people using this service with things that aren't that affected by latency.
Hi @Christian Lempa, thank you. I have a question: how do you install a Traefik plugin from GitHub? I also tried to install it, but it fails with "invalid download".
That's Excalidraw, specifically used inside Obsidian. Obsidian is a markdown editor and knowledge management app with lots of extensions, one of them is Excalidraw. Excalidraw also exists as a standalone web app.
Great video. Would love to see a video on setting up the various authentication methods and creating better policies for self hosted apps (including allowing API access to them). Thanks heaps
How can I view or monitor, for example, the IP of the machine that connects to and uses my tunnel-exposed website? I don't see a monitor for activity on the Cloudflare dashboard.
Awesome! Thank you, Christian, again for the great motivation :D Every time I watch your videos, I feel inspired to implement your techniques into my own homelab or at least start experimenting with them. By the way, I would be more than glad to hear your recommendations for securing access to exposed services through these tunnels. Cheers!
Interesting approach! Another plus point for Traefik. I would very much like to stay with NPM though, since I don't have everything in Docker containers and I somehow prefer the manual way with a GUI. I've now switched to using a separate domain for Cloudflare Tunnel and another one that still runs classically with DynDNS, in case Cloudflare is ever not an option. But how do I handle that with Nextcloud AIO or similar, where the domain is hard-coded? The OR operator || probably doesn't work there? I'm still a bit stumped here. Especially with Nextcloud you also want to load data locally, without having to push everything through the internet right away.
I have a question: no one wants to port forward their public IP address because of China/Russia/bots/whatever, so they do this type of stuff. The IP address is always IPv4 when people talk about this stuff. Would it be OK to have the same services that Cloudflare would expose hosted on one of the IPv6 addresses that a home user would have at their disposal?
Hey Christian, I tried setting up a public hostname to my local Proxmox management IP, and I get the Cloudflare bad gateway error (host). Does it matter that the "Origin Configurations" on the public hostnames page shows 0? Come a long way watching your videos!
Hi Christian, I'm currently facing the question of how things will continue in October with the Docker migration on TrueNAS Scale. I've just done a fresh install and am now hesitant to do everything with TrueCharts again, since iX wants to guarantee that their own apps get migrated to Docker along with their settings. Do you already have a plan for that?
First of all, awesome guide as always! Now, what I kind of miss is your Traefik setup. Your other video with Traefik helps, but I somehow can't get certificates from Let's Encrypt. Are your Traefik settings different when you use it with Cloudflare Tunnel?
Just did this before watching this video last week. I don't mind exposing my IP address; people can already guess it, and I had to move the SSH port higher because it was constantly abused. It still is, but at a much lower rate. But the advantage is that it somewhat helps with other stuff: you don't need an nginx reverse proxy, you don't need to renew Let's Encrypt certificates for each service every three months, you don't need to set up port forwarding on the DOCSIS modem/router and open port 443 whenever it needs a factory reset. I just haven't tried this for SSH, for dynamic DNS (a script that checks the local IP every 30 minutes and renews DNS when it changes, which can likely be done via the Cloudflare API) and for blocking access based on country.
Thanks for this. Fantastic material. Your linked video on docker networks was great also. However! 😂. It never explains your use and configuration of the backend and frontend networks. Where is that covered?
Hello Christian, I am using the container name as the URL in the public hostname section. But it doesn't work. Only the Docker network IP works for me. Can I know why? Please..
Hi Christian: Got this working fine so long as everything is running inside the same Docker container as Traefik. Is it a simple process to have Traefik function across multiple Docker containers on different machines? I have programs on other servers that I would like to proxy, but Traefik cannot see them.
Hey Christian, thanks for the great videos. Please, I am facing the same error "404 page not found". Could you please explain more about how to change the labels as you did in the video, noting that my Docker containers are hosted remotely on a VPS? Also I am using Nginx Proxy Manager; I will try to replace it with Traefik soon, but I think it's the same problem.
Hello! Great video! Can such a solution be done without a third-party service such as cloudflare? Purpose: hosting services on the open Internet without port forwarding on the router.
Hey Christian, thank you for your dedication to each video and for your great selection of new topics, as well as a very intuitive explanation process. Me personally, I'm under a CGNAT on a local ISP and I need to use Cloudflare tunnels, and it's great to see that you can still use Traefik for load balancing; that was a great thing you showed me with this video. I'm curious: since Traefik can run in the internal network, couldn't Authelia be deployed with Traefik inside the internal network to provide an extra 2FA layer of security? I'm also excited to learn Teleport if that's a more convenient way of exposing my services than Cloudflare tunnels.
So, I have created the tunnel and it says it is working. I added nginx container and public hostname as you suggested. I head to that URL and it says: bad gateway at host.
I still feel safer using OpenVPN on my own equipment than trust a tunnel to my network through a third party that cannot be guaranteed to not have a backdoor built in.
For someone just starting down this home lab rabbit hole would you recommend going this route for exposing services to the Internet for personal and public use or would you recommend a reverse proxy?
Hi Christian, thanks for your good work on this nice topic! I use cloudflared on a separate Ubuntu server in my DMZ as the connector. The published services are running on other servers (and Docker hosts) in separate VLANs. I only allow the configured ports, protocols and target servers in my firewall, so that other communication from the DMZ to other internal networks isn't allowed. One advantage over Teleport is that I do not need a cloud server. Another point is that Cloudflare offers a kind of application firewall on top of the 2FA login, so access to my applications is further narrowed down. The other side is that in this case we have to trust Cloudflare. I also like to self-host applications and solutions, so I would be happy if you made another video about Teleport: how to install, configure and use it. Thanks a lot 🙂
Hi Christian, I have a self-hosted RustDesk server that needs TCP and UDP ports open and exposed to the internet. Can this be done with a tunnel, or is there a better way?
Thank you for all your videos! I did have one question, perhaps you discussed this in another video but I missed it: can you explain your rationale and use case for your "frontend" and "backend" networks?
Have you figured out how to do that? I have the same question: how to create the network service backend or frontend. I have created one in Portainer but it does not work.
Do you have to use Cloudflare's DNS servers, or can you use manual DNS entries? I imagine the whole thing has to run through Cloudflare's DNS servers......
In theory you could also use your own DNS servers, but that wouldn't make much sense. What you could do is create your own DNS zone and then delegate it to Cloudflare.
Hello, first of all, let me thank you (from France) for the excellence of your videos. As a total noob, I followed your video on creating a tunnel with Cloudflare and it worked very well, but today my two tunnels are down and I can't find any explanation anywhere. Do you have any suggestions for me? Thanks for everything you do.
@abuseifamina That's Excalidraw, specifically used inside Obsidian. Obsidian is a markdown editor and knowledge management app with lots of extensions, one of them is Excalidraw. Excalidraw also exists as a standalone web app.
I want to know if you can run Traefik and Cloudflare with the same subdomains? I'm guessing I'd need to create a record on a local DNS server to point at Traefik (instead of Cloudflare)?
Good video, many hints on what to follow, but you missed the disclaimer that CF is able to access all the traffic due to the man in the middle; might be okay for pictures, wouldn't want to put my Nextcloud there...
Great video! I would've really liked to see the deal with those private networks you can setup in Zero Trust. Not sure if the WARP client thing is the same as a simple custom WireGuard container/VM.
Hey buddy, thanks a lot for this excellent tutorial. Your troubleshooting demonstrating the need for both FQDNs in the Traefik IngressRoute saved me a good deal of time figuring out why my setup wasn't working. You're the best, thanks a lot!!!👍😀
Amazing! The 404 cost me HOURS! I couldn't figure out why it was re-routing traffic externally but not internally in the cluster. Made the same change as you did, but not with labels per service; instead I added a route in the ingress. 10 seconds of gold.
Hi Chris, many thanks for the detailed instructions. As always, very well explained. I wanted to ask which tool you used to create the sketches... they always make one or the other system structure a little clearer 😉. Thanks in advance, greetings.
Even if Cloudflare Tunnel is configured, you can still access the app if you know the specific IP:PORT. Is there something which can be done to address that?
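The concern in the last comment (and the earlier ones about port forwarding and exposed IP:PORT) comes down to one check: a service that the tunnel publishes must not also listen on the host's external interfaces, or anyone who reaches the host on the LAN or via a forwarded port walks around Cloudflare Access entirely. The added example below is not from the video or its author; it parses constructed `ss -Hltnp` output from a Docker host and flags listeners bound to a wildcard address, which is what a `-p 8080:8080` style port mapping produces. The sample lines, process names and ports are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hltnp` on a Docker host running cloudflared
# plus two web apps behind it. Not real output; made up for this example.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=2101,fd=4))
LISTEN 0 4096 [::]:8080 [::]:* users:(("docker-proxy",pid=2107,fd=4))
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:* users:(("docker-proxy",pid=2210,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:20241 0.0.0.0:* users:(("cloudflared",pid=1500,fd=9))
"""

# "LISTEN recv-q send-q local-addr:port peer-addr:port users:(...)"
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<rest>.*)$")
PROC_RE = re.compile(r'users:\(\("(?P<proc>[^"]+)"')
# Addresses that mean "every interface", i.e. reachable by plain IP:PORT.
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -Hltnp` lines into Listener records; unknown lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = PROC_RE.search(m.group("rest"))
        listeners.append(Listener(m.group("addr"), int(m.group("port")), p.group("proc") if p else "?"))
    return listeners


def bypassable(listeners: list[Listener], allowed_ports=frozenset({22})) -> list[Listener]:
    """Listeners that answer on all interfaces, so the tunnel can be skipped.

    allowed_ports holds services you intentionally expose on the host itself
    (SSH here, as an assumption). Everything else that is wildcard-bound
    should be rebound to 127.0.0.1 (e.g. `-p 127.0.0.1:8080:8080`) or have
    its `ports:` mapping removed so only cloudflared on the same Docker
    network can reach it.
    """
    return [l for l in listeners if l.addr in WILDCARD and l.port not in allowed_ports]


if __name__ == "__main__":
    for l in bypassable(parse_ss(SAMPLE_SS)):
        print(f"reachable without the tunnel: {l.addr}:{l.port} ({l.proc})")
```

On a real host, pipe `ss -Hltnp` into `parse_ss` instead of the sample; the same check applies to any app that a public hostname points at, whether it is served directly or through Traefik.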