Exposing a web service with Cloudflare Tunnel (2022)

I think you might be confused by the two licenses applied to different type of services:

https://www.cloudflare.com/terms/

https://www.cloudflare.com/website-terms/ <- this one you quoted explicitly said it does not cover the one above, which applies to CDN/tunnel/etc

That's incorrect. See:

> THESE TERMS DO NOT APPLY TO YOUR ACCESS AND USE OF THE CLOUDFLARE PRODUCTS AND SERVICES THAT ARE PROVIDED UNDER THE SELF-SERVE SUBSCRIPTION AGREEMENT, THE ENTERPRISE SUBSCRIPTION AGREEMENT, OR OTHER WRITTEN AGREEMENT SIGNED BETWEEN YOU AND CLOUDFLARE (IF APPLICABLE).

ZTNA tunnels only work with a cloudflare account, so they're subject to the self-serve subscription agreement.

> You and your End Users (as such term is defined in the Privacy Policy) will retain all right, title and interest in and to any data, content, code, video, images or other materials of any type that you or your End Users transmit to or through the Services (collectively, “Customer Content”) in the form provided to Cloudflare. Subject to the terms of this Agreement, you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services.

> If I open a single port to my home server, then anybody can send any traffic to my server on that port. The attack surface is exactly the process running on my home server, listening on that port.

If you open a single port on your home server, you're exposing that port, sure. But you're also exposing your IP, and with that comes attacks on your IP stack, if you're worried about that. Presumably cloudflare proxies application traffic, but likely normalizes fragmentation and tcp flags and what nots.

Additionally, when you're exposing your IP, you're subject to volumetric attacks on your IP. High volume DDoS is often spoofs your IP to UDP servers that will respond, generating high volumes of traffic that overwhelm either your system in general, or the bandwidth on your connection. If you're behind a tunnel, the tunnel endpoint will get that traffic, and Cloudflare seems to manage that well. If you manage to attract a DDoS at your application level, that could very well make it through the tunnel and overwhelm your service. I think Cloudflare does offer some filters for that, but my knowledge is limited. IMHO, most of the value is from avoiding non-application traffic; but I just host most of my stuff in cheap hosting and if someone wants to DDoS me, my server will go down and that's fine.

> I'm sorry, I don't get the point.

The point is the problem of exposing a port, as opposed to the additional problem of whatever security concerns you imagine your backend "process" may have.

I suppose you may not imagine that exposing a port is somehow problematic. However, it is. First, an open port reveals many things[1] about your operation you would likely prefer not to reveal. Second, it requires Internet service that permits control over open ports, and the authority to utilize it, either or both of which may not be available to you.

I have no trouble appreciating the value of this, both for personal and commercial purposes. The inherent DDOS protection alone is a huge benefit.

[1] Off the top of my head: a.) The ASN and, ultimately, the ISP you're using. b.) The approximate physical location of your system. c.) Through fingerprinting, your firewall device, and whatever problems it has.

I was personally using tailscale funnel (similar?) because my isp didn’t give me a static ip moreso than for any security reason.

Yeah the point of CloudFlare tunel is absolutely not what is shown in this article. It's to privately expose services on the web without opening ports.

You can out auth, georestrictions, etc. so that people are authorized before they ever reach your computer.

I expose a lot of services on my NAS via CloudFlare tunels, but every single one of them is behind an authentication screen managed by CloudFlare and running on their servers.

This is awesome, makes me want to try out a Pi for this.

I greatly appreciate the fact that solutions to the real concern you point out are not somehow bundled into this. There are many ways to deal with isolating the backend, and I prefer my own, and evolving them as and when I wish. Cloudflare Tunnel is a primitive that solves the part I can't without much greater effort and expense.

Still relevant, and always new to someone.

Pangolin could be a great open source alternative if you prefer to self host the server component. You could even set up WAF with CrowdSec which is awesome