Alternative to cloudflare?

I run a NC AIO on my Intel NUC at home, behind an Archer C7 with up-to-date OpenWRT.

My NC points to my personal domain name, which I transferred to Cloudflare for their free DDoS protection and the like. The domain points to my home IP address, etc. Cloudflare blocks any IP outside the US, etc.

Everything works well, except I can’t upload large files, which I know is a known issue.

Are there alternatives to Cloudflare I can use to get around the upload limit? I’m just a little afraid to not use a similar service and have a domain point straight to my router without a similar level of protection.

I have tons of large files that I’d like to upload.

What would y'all suggest?

Thanks.

You can upload files on your LAN by some method, if that would work.

Maybe what you need is a better firewall. I also block foreign connections, and that alone cuts out the vast majority of scanning and hacking attempts. You don’t have to have Cloudflare to do that.

@LR88
I sometimes wonder what you expect from a firewall. Do you think you will fall victim to DDoS, and if so, would it really be that bad? All other firewall rules are rather useless. You will have to allow the really important and “critical” protocol HTTPS, and no service is listening on the other ports. The firewall protects you at most from your own configuration errors, if the firewall itself is not also complex software and a risk :wink: Maybe it is a little bit different on client systems with a “personal firewall” (outgoing malware, …).

Where do you use Cloudflare then? I do not understand.

Nextcloud offers enough security features. You could use no CDN instead of Cloudflare. I use no CDN and it works great. But maybe you get problems if your provider only gives you an IPv6 and NATted IPv4 (in Germany named DS-Lite).

Why should this be useful? Do you think restricting the internet world increases the security of your Nextcloud? You would be better off pursuing more sensible approaches. Do you expect attacks from other countries? Do you think attackers are so stupid that they don’t use VPNs in the US? Maybe you can also block all US VPNs, too.

Hardening and security guidance (Nextcloud)
Using two-factor authentication

I don’t seem to be able to access my NC AIO locally. I think it locks itself to the domain name I pointed it to during installation, and changing it is an ordeal beyond my ability.

That said, for some reason, I was able to upload larger files yesterday without a problem…idk why, but it suddenly worked.

I learned from some YT videos re: OpenWRT that exposing it directly to the internet was a bad idea, so I only opened the necessary ports for the NC AIO through OpenWRT, but it’s all behind CloudFlare.
In CloudFlare I can see tons of attempts to log in from other countries. My thoughts are that it simply reduces the load on my NC by mitigating most of these attempts.

Here is an example of all the bots and stuff that mess with my NC already:

So yesterday I was able to upload larger files without a problem for some reason (largest one was 950 MB), so for whatever reason, it’s all good now.

Glad to hear it’s working, but I’ll add this just for reference. Nextcloud (not specifically AIO) does lock down to the domain name as a security measure. If you aren’t using a domain name it’s configured to trust, it won’t let you in.

You wouldn’t need to change it necessarily. The best solution is a technique called split-horizon DNS where a local DNS server overrides the resulting IP for LAN clients and sends them directly to the LAN IP instead of WAN IP.

On some routers, you can also do hairpin routing/NAT reflection, which is suboptimal from a networking perspective but generally works fine for home users.

In either case, as far as both server and client are concerned, the URL is still the approved one. Only the route it takes to get there is different.


Alternative Fail2Ban?

There is also the nextcloud app “geoblocking”.

To confirm:

Any computer or device needs to translate the URL (domain part) to an IP. When hitting that IP, it hits a port: typically port 80 for HTTP (non-encrypted) and port 443 for HTTPS (TLS encryption). That will essentially hit a listening webserver, which (skipping the three-way handshake and going straight to connection established) only at this point looks at the header to extract the URL requested by your browser. Essentially, DNS is only translating a domain to an IP.

So:
No matter where you are in the world, cloud.mydom.tld needs to translate into the IP that essentially points to your webserver. Outside your home network, this is your public IP. This is handled by your registered name servers in the .tld registrant. This COULD be Cloudflare, desec.io, OpenDNS, whatever.
When you are on your LAN, your devices will try to ask the DNS server they are told to ask. If you have not set up a local DNS on your LAN, this will typically be forwarded to the DNS provider your ISP defines. However, to hit LAN addresses, you will have to set up an internal DNS on your LAN, which:

  1. Has A records for your “local” services like: cloud.mydom.tld A 192.168.1.x
  2. Has a forwarding pointer to an external DNS server for anything else: server 8.8.8.8 (google DNS)

The only other alternative is to add this to your local devices' hosts file; however, this is NOT recommendable for anything portable. Stationary devices never leaving your home could use the hosts file. Any other device will suffer when you bring it outside your LAN.

To keep it short:
If you use OpenWRT, it has very good DNS server capabilities, including DNS intercept. If I am not mistaken, it is using dnsmasq? If so, all you have to do is activate DNS intercept or define the OpenWRT server/host/router's LAN IP as the appointed DNS in your DHCP settings. Up to you. But dnsmasq “custom config”:

# LAN clients get these answers instead of the public (WAN) IP
address=/cloud.mydom.tld/192.168.1.X
address=/www.mydom.tld/192.168.1.Y
address=/www.mydom2.tld/192.168.1.Z
# everything not listed above is forwarded to these upstream resolvers
server=8.8.8.8
server=8.8.4.4

For server=, add whatever public DNS server you trust: OpenDNS, deSEC, Google, or even one of the root DNS servers from iana.org.

Now all devices - even guests - will always go straight to your LAN hosts based on domain names, and all other addresses besides those specifically listed in your dnsmasq config will work as always.
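To make the split-horizon behaviour described in this post concrete, here is an added example (not from the post or from OpenWRT/dnsmasq) that models what a LAN client gets from the custom config above: names covered by an address= line resolve to the LAN IP (dnsmasq also matches subdomains, longest suffix wins), everything else is forwarded to the server= resolvers, and any override that does not point at a private LAN address is flagged. The config text and its IPs are constructed placeholders.

```python
"""Model dnsmasq address=/server= split-horizon overrides (added example)."""
import ipaddress

# Constructed sample of the dnsmasq "custom config" from the post, with X/Y/Z
# filled in. The www.mydom2.tld line is a deliberate mistake: a public IP was
# pasted in, so LAN clients would still leave the LAN to reach it.
SAMPLE_CONFIG = """
address=/cloud.mydom.tld/192.168.1.10
address=/www.mydom.tld/192.168.1.20
address=/www.mydom2.tld/1.1.1.1
server=8.8.8.8
server=8.8.4.4
"""


def parse_dnsmasq(text):
    """Return ({domain: ip}, [upstream servers]) from address=/server= lines."""
    overrides, upstreams = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line.startswith("address=/"):
            _, domain, ip = line.split("/", 2)  # "address=", domain, ip
            overrides[domain.lower().rstrip(".")] = ip.strip()
        elif line.startswith("server="):
            upstreams.append(line[len("server="):].strip())
    return overrides, upstreams


def resolve_lan(name, overrides, upstreams):
    """Decide where a LAN client's query for `name` is answered from."""
    labels = name.lower().rstrip(".").split(".")
    # dnsmasq's address= covers the domain and every subdomain of it; when
    # several entries match, the most specific (longest) suffix wins.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in overrides:
            return ("local", overrides[candidate])
    return ("forward", list(upstreams))


def non_private_overrides(overrides):
    """Overrides whose target is not an RFC 1918 / private address.

    A split-horizon entry only helps if it points at a LAN host; anything
    else still sends the client out through the WAN path.
    """
    return sorted(d for d, ip in overrides.items()
                  if not ipaddress.ip_address(ip).is_private)
```

Run the same names with `nslookup` from a LAN client after applying the config to confirm the router's dnsmasq answers with the 192.168.x address rather than the public one.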
