Guidance on Caddy using Cloudflare as DNS resolver

Hello all,

I’ve been a happy Caddy user for a long time and I really appreciate the work put in by the team and community! My ride has been absolutely painless thus far. However, I’d like to get some guidance on the next steps I should be taking with my setup.

As a background, I’m self-hosting several web services (which are reverse proxied by Caddy) for myself and close family members. The server is on my home network and reachable in LAN and WAN (the router forwards all traffic from port 443 to the server). My ISP gives me a dynamic IP address and I use DuckDNS to point a duckdns subdomain to my home IP. For the cert renewal I use the DNS challenge since port 80 is not open. So far, I haven’t had issues as in random people hitting my server badly, but I get random bots and crawlers knocking on the door regularly. I use the ipfilter plugin to only allow access from my country or local LAN. Also I use basic auth for most services.

Drawbacks: DuckDNS hasn’t been as reliable as it used to be for me. Also, it is not ideal that, due to my setup, it directly points to my home IP address. I have never been under a DDOS attack, but there’s always a possibility.

In order to improve my setup (at least the DNS reliability part), I have bought a .org domain from Namecheap and I am planning to transfer to Cloudflare Registrar and use the Cloudflare Managed DNS in the same way as I had with DuckDNS. Even though I have spent a significant amount of time reading the Cloudflare docs and community pages, I have hesitations which way I should go:

  • I would like to use the Cloudflare proxy (orange cloud icon in UI) in order to benefit from the DDoS protection and also hide my home IP from all clients. However, I am afraid I do not fully understand the full implications of being proxied. If I understood correctly, Cloudflare would be connecting to my server with HTTP and then serve everything under HTTPS to the actual clients. The HTTP part is a dealbreaker for me.
  • It seems that using the “Full (strict)” mode would connect to my server using HTTPS (Cloudflare would get the Let’s Encrypt certs that are automatically handled by Caddy). From a security and privacy point of view, can Cloudflare see things like request paths, GET/POST parameters, request headers… ? I understand everything is encrypted on transit but I do not understand if this gets decrypted on Cloudflare’s end before being encrypted again to be sent to the client. I am asking because it seems the Cloudflare proxy will also allow me to use their Web Application Firewall (which would be awesome) but I do not understand how this could work if they are not decrypting the requests coming from my server…
  • Not using the Cloudflare proxy (gray cloud icon) would then act as a regular DNS (in the same way as I use DuckDNS) but without the Cloudflare goodies.
  • If it was only me, I would be using Wireguard and access web services only from LAN (this would be too much for my family so I can’t go that route).

Sorry for the long topic and for making lots of questions. I believe others might be in the same situation or got this sorted out already. I guess the question in a nutshell would be "can I trust the ‘Full (strict)’ mode from Cloudflare from a privacy point of view?" I noticed some people do not use it with Caddy and I wonder if it’s due to privacy or security concerns regarding Cloudflare.

Thank you in advance!

@stardust. Welcome to the Caddy Forum :smiley:

I understand you are looking for Dynamic DNS with Caddy.

This is still an experimental module for Caddy v2:

I am also waiting for this. I want to achieve this with a Caddyfile, not JSON.
It will take a few more days.

It would also produce a redirect loop with default-configured Caddy, as Caddy will redirect Cloudflare to HTTPS, and Cloudflare will pass it on to the client, who already connected via HTTPS.

Cloudflare will still use their own certs. Cloudflare would require Caddy to have its own validated HTTPS certificates as well, although the client won’t see Caddy’s cert.

This is exactly what Cloudflare’s “orange cloud” is, a man-in-the-middle. The clients talk to Cloudflare, encrypted. Cloudflare talks to your server. Cloudflare takes your server’s response and gives it to the client. Cloudflare sees all aspects of this communication on both sides. This is how their WAF can function.

Yes, you just get a reliable DNS provider, and that’s about it. Most of my personal sites are this way - it’s uncomplicated.

Have you considered installing their VPN clients for them and configuring it as a split tunnel? You could leave them always-on.

What, exactly, are you asking about trusting here?

Can you trust that third parties won’t be able to snoop on your connection? Yes; the client connects securely to Cloudflare, and Cloudflare connects securely to you in this configuration. Nobody outside of that chain should be able to intervene, as long as HTTPS itself remains secure.

Can you trust that Cloudflare can’t see the entire connection? No, Cloudflare will see everything.

Can you trust that Cloudflare won’t do anything untoward with this level of access? …Complicated question. You can trust that they’re not likely to violate your privacy unless it makes business sense for them to do so. You can trust that as a huge enterprise whose business is based partially on reputation, violating that privacy for anything short of extreme circumstances is not likely to make business sense.


@balloon I think you completely misunderstood my message. I know how to keep an A record up to date with my IP address. I have no problems with that.

@Whitestrake Thanks for the input! Couple of comments/clarifications:

Sure (for most people). I am not forwarding port 80 from router to server. Cloudflare would not be able to reach Caddy through HTTP.

I did consider it, but I don’t want to extend the “family IT support” role to their devices.

Sorry that I was not clear enough on this. The trust/privacy question was towards Cloudflare as a company and not about the technical details (the Full strict mode). I have a good idea on the magnitude of Cloudflare and no, they obviously would not care about my humble server at all. I agree their reputation would be really damaged if they were caught snooping around. Nonetheless, I still wanted to make sure I understand correctly what they would be able to see if they really wanted it, and your comments cleared that out really well.

Thank you once again! I’ll use Cloudflare as a regular DNS only. Then all request/responses will be directly between client and home server (and always through HTTPS, of course).

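For readers landing on this thread, here is an added example (not code from the thread or from the Caddy project) of the "gray cloud" setup the original poster settled on: Cloudflare used purely as the DNS provider, no port 80 forwarded, certificates obtained through the DNS-01 challenge. It assumes a placeholder domain example.org, an upstream app on 127.0.0.1:8080, a Caddy binary built with the github.com/caddy-dns/cloudflare module, and an environment variable CLOUDFLARE_API_TOKEN holding a token scoped to DNS edit rights on that zone only; the basic-auth hash is a placeholder to be produced with `caddy hash-password`.

```caddyfile
# Added example, not from the thread. Assumptions: example.org is a placeholder
# domain, the app listens on 127.0.0.1:8080, Caddy includes the
# github.com/caddy-dns/cloudflare module, and CLOUDFLARE_API_TOKEN is set to a
# token limited to editing DNS records of this one zone.
{
	email admin@example.org   # placeholder ACME account contact
}

example.org {
	# Port 80 is not forwarded, so the HTTP-01 challenge cannot complete.
	# Solve the DNS-01 challenge through Cloudflare's API instead; the token
	# never leaves the server and is read from the environment, not the file.
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Require credentials before any request reaches the upstream app.
	# Replace the value with the output of: caddy hash-password
	basicauth {
		alice <bcrypt-hash-placeholder>
	}

	reverse_proxy 127.0.0.1:8080
}
```

Two practical notes. First, Caddy still answers on port 80 locally with a redirect to HTTPS, which is harmless here because nothing on the WAN can reach that port; the redirect loop described earlier only arises when Cloudflare's proxy talks to the origin over plain HTTP. Second, this same site block is what Cloudflare's "Full (strict)" mode expects if the orange-cloud proxy were ever turned on, since Caddy presents a publicly trusted certificate; in that case the origin sees Cloudflare's addresses as the connecting IP, so any allow-list keyed on the client's source address (such as the country/LAN filtering mentioned in the first post) would need to be rethought rather than left as-is.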
