I’ve been a happy Caddy user for a long time and I really appreciate the work put in by the team and community! My ride has been absolutely painless thus far. However, I’d like to get some guidance on the next steps I should be taking with my setup.
As background, I’m self-hosting several web services (which are reverse proxied by Caddy) for myself and close family members. The server is on my home network and reachable from LAN and WAN (the router forwards all traffic from port 443 to the server). My ISP gives me a dynamic IP address and I use DuckDNS to point a duckdns subdomain to my home IP. For the cert renewal I use the DNS challenge since port 80 is not open. So far, I haven’t had issues as in random people hitting my server badly, but I get random bots and crawlers knocking on the door regularly. I use the ipfilter plugin to only allow access from my country or local LAN. I also use basic auth for most services.
Drawbacks: DuckDNS hasn’t been as reliable as it used to be for me. Also, it is not ideal that, due to my setup, it directly points to my home IP address. I have never been under a DDOS attack, but there’s always a possibility.
In order to improve my setup (at least the DNS reliability part), I have bought a .org domain from Namecheap and I am planning to transfer to Cloudflare Registrar and use the Cloudflare Managed DNS in the same way as I had with DuckDNS. Even though I have spent a significant amount of time reading the Cloudflare docs and community pages, I have hesitations which way I should go:
- I would like to use the Cloudflare proxy (orange cloud icon in the UI) in order to benefit from the DDoS protection and also to hide my home IP from all clients. However, I am afraid I do not fully understand the full implications of being proxied. If I understood correctly, Cloudflare would be connecting to my server with HTTP and then serve everything under HTTPS to the actual clients. The HTTP part is a dealbreaker for me.
- It seems that using the “Full (strict)” mode would connect to my server using HTTPS (Cloudflare would get the Let’s Encrypt certs that are automatically handled by Caddy). From a security and privacy point of view, can Cloudflare see things like request paths, GET/POST parameters, request headers… ? I understand everything is encrypted on transit but I do not understand if this gets decrypted on Cloudflare’s end before being encrypted again to be sent to the client. I am asking because it seems the Cloudflare proxy will also allow me to use their Web Application Firewall (which would be awesome) but I do not understand how this could work if they are not decrypting the requests coming from my server…
- Not using the Cloudflare proxy (gray cloud icon) would then act as a regular DNS (in the same way as I use DuckDNS) but without the Cloudflare goodies.
- If it was only me, I would be using Wireguard and access web services only from LAN (this would be too much for my family so I can’t go that route).
Sorry for the long topic and for asking lots of questions. I believe others might be in the same situation or have got this sorted out already. I guess the question in a nutshell would be: "Can I trust the ‘Full (strict)’ mode from Cloudflare from a privacy point of view?" I noticed some people do not use it with Caddy and I wonder if it’s due to privacy or security concerns regarding Cloudflare.
Thank you in advance!
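For readers with the same setup, here is an added example Caddyfile (not from the original post or the Caddy project) showing the pieces the post describes: the DNS-01 challenge so port 80 can stay closed, basic auth, and an origin that only accepts connections arriving through Cloudflare's edge. The hostname, upstream port, IP range and password hash are placeholders; it assumes Caddy was built with the caddy-dns/cloudflare module and that `CF_API_TOKEN` is set in the environment. Note that with the orange cloud enabled, Cloudflare terminates the client's TLS session at its edge and opens a second TLS session to the origin; "Full (strict)" governs only that second hop and makes Cloudflare validate the origin certificate Caddy obtained, so the WAF can inspect requests because the edge holds the plaintext.

```caddyfile
# Added example, not the poster's config. Placeholders: service.example.org,
# 203.0.113.0/24 (stand-in for Cloudflare's published edge ranges), port 8080.
{
	servers {
		# Make Caddy's client_ip reflect the real visitor, not the Cloudflare edge,
		# for logging and any IP-based matchers. Replace the range with Cloudflare's list.
		trusted_proxies static 203.0.113.0/24
	}
}

service.example.org {
	# DNS-01 challenge via the Cloudflare DNS plugin: no inbound port 80 required.
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}

	# With the proxy enabled, nothing but Cloudflare's edge should reach the origin.
	# Anything else (a direct hit on the home IP) is refused before reaching the apps.
	@not_cloudflare not remote_ip 203.0.113.0/24
	respond @not_cloudflare 403

	# Basic auth in front of the proxied service; hash generated with `caddy hash-password`.
	basicauth {
		alice PLACEHOLDER_BCRYPT_HASH
	}

	reverse_proxy localhost:8080
}
```

The `remote_ip` check is the origin-side complement of the Cloudflare proxy: hiding the home IP in DNS does not stop someone who already knows it from connecting directly, so the origin itself should refuse traffic that did not come through the edge. Keep the range list current, since Cloudflare publishes and occasionally changes its edge prefixes.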