In response to the discussion on a recent thread about whether to trust Cloudflare, as some people are not very comfortable with it terminating HTTPS (MITM).

There is this thing called Fast Reverse Proxy (FRP): https://github.com/fatedier/frp

It’s open source, very lightweight, and I have used it in multiple instances. Frankly, there don’t seem to be a lot of people who know/use it here. The idea is you deploy this on a VPS with a public IP, and have your server at home connect to it. It is pretty much like your own Cloudflare tunnel, only you have much more control over it (ports, TCP/UDP/HTTP, auth, etc).

I use it on the cheapest VPS ($5) I can find close to where I live. It acts as a simple TCP reverse proxy to my server, where Nginx Proxy Manager handles the actual HTTPS. (You can let FRP handle HTTPS, but then you need to think about whether you trust the VPS and also keep the certs updated there, so nah.)

It’s developed by a Chinese dude, as it is pretty much a necessity for selfhosters (mostly Minecraft servers) in China, since public IPs are scarce there and most people live behind CGNATs.
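
A configuration sketch of the TCP passthrough setup described in the post, added here as an example (it is not the poster's own config and not taken from the frp project). It assumes a frp release that uses TOML configuration files; the hostname, token and proxy names are placeholders. The VPS only relays TCP, so TLS keys and certificates stay on the home server.

```toml
# ---- frps.toml (on the VPS) ----
bindPort = 7000                 # control port the home server dials out to
auth.method = "token"
auth.token = "REPLACE_WITH_LONG_RANDOM_SECRET"   # placeholder, same value on both sides
transport.tls.force = true      # refuse frpc connections that are not wrapped in TLS
# Restrict which public ports a client may claim, so a leaked token
# cannot be used to expose arbitrary ports on the VPS.
allowPorts = [
  { single = 80 },
  { single = 443 },
]

# ---- frpc.toml (on the home server) ----
serverAddr = "vps.example.net"  # placeholder for the VPS address
serverPort = 7000
auth.method = "token"
auth.token = "REPLACE_WITH_LONG_RANDOM_SECRET"   # placeholder

# type = "tcp" forwards raw bytes: frps never sees plaintext HTTP,
# and the reverse proxy on the home server terminates HTTPS.
[[proxies]]
name = "npm-https"              # placeholder name
type = "tcp"
localIP = "127.0.0.1"
localPort = 443
remotePort = 443

[[proxies]]
name = "npm-http"               # placeholder name, e.g. for HTTP-01 ACME challenges
type = "tcp"
localIP = "127.0.0.1"
localPort = 80
remotePort = 80
```

On the VPS firewall, only ports 7000, 80 and 443 need to be reachable; the home router needs no inbound port forwards because frpc makes the outbound connection.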

  • PsychotherapistSam@alien.topB
    10 months ago

    Frp is a pretty cool tool. I mostly use Tailscale with a reverse proxy on a VPS for my remote access, but I tunnel my Minecraft servers using frp, since it’s lower latency and more stable than Tailscale. For websites I couldn’t notice a difference, and Tailscale + Caddy worked easier for me than frp.

  • Zach78954@alien.topB
    10 months ago

    I use this and Cloudflare. For my normal self-hosted apps Cloudflare works great, but for stuff that needs a lot of data (Plex) or custom ports I route it through FRP.

  • garibaldi3489@alien.topB
    10 months ago

    This type of tool is interesting, and provides some of the functionality that Cloudflare Tunnel does, but with frp, a vulnerability in your app (or its login screen) could be more easily exploited since you don’t have the traffic protection features that Cloudflare provides, right? Maybe combining this with fail2ban (or is there another similar self-hosted tool) would not only act as a proxy but also help protect your app to a degree like Cloudflare does?

  • HTTP_404_NotFound@alien.topB
    10 months ago

    Personally, when I used to route my home services through a VPS, I used a simple VPN tunnel from my VPS to my home network, which my home router would establish (dynamic IP).

    From there, my firewall dictated what was actually allowed to enter through the tunnel… and the reverse proxy did its thing.

  • p_235615@alien.topB
    10 months ago

    Why do you really need this?

    Why not just set up a VPS and deploy the NginxProxyManager to it together with a WireGuard tunnel to your home system?

    You really don’t need 2 proxies…

    Or if you want to keep the NPM locally on your home server, then you just set up WireGuard on the VPS with NAT and port forward to your tunnel.

  • lilolalu@alien.topB
    10 months ago

    I think a lot of proxy servers have that functionality, HAProxy definitely has… With nginx you need the “plus” version to proxy TCP.

  • sarkyscouser@alien.topB
    10 months ago

    I’m assuming the benefit over say Caddy + Authelia is that you don’t need to open any local ports such as 80 and 443?

  • sevlonbhoi1@alien.topB
    10 months ago

    I run an Oracle free VPS with a Caddy reverse proxy to route traffic to my home server over WireGuard/Tailscale. Been running this setup for the last 4-5 years with zero issues.