Is Cloudflare Tunnel safe (privacy focused)?

I’ve been following DBTech tutorials to set up a Nextcloud instance and I want to use Cloudflare Tunnel to access it over the internet.

Cloudflare Tunnel provides DDOS protection, firewall and many other features to keep the website safe from external factors, but is the Tunnel private (privacy focused)? Like is it truly encrypted? When I upload a file or use Nextcloud Talk to chat with my friends, is it possible that Cloudflare can view the decrypted contents?

The free plan doesn’t allow usage of any other SSL certificates, you have to use the one provided by Cloudflare, and the origin server can only use SSL certificates from Cloudflare.

I’ve read a few posts saying it’s not really private, but the Nextcloud AIO documentation says it can be hosted behind a Cloudflare Tunnel.

Is there a way to harden Cloudflare Tunnel? If it isn’t private, are there any other good alternatives?

I’m new to self hosting, so I’m sorry if these things sound trivial, but I really need to know if the service (Cloudflare Tunnel) is privacy focused before using it.

No. Using solely Cloudflare is not truly privacy safe.

However, here is a brief recap of what happens and then what a tunnel is and how it SHOULD be used.

When you write “new to self hosting” I will automatically assume you have set up a server in your own perimeter (home address), and are looking into using Cloudflare ONLY to provide a publicly reachable interface, so you can reach your Nextcloud from anywhere.

All your data resides on your Nextcloud in your home. So far so good. You should ALWAYS use HTTPS, where the TLS traffic terminates at your own premises (on your own network). For this to be possible, there are three options, of which two are considered truly trustworthy:

1. Reverse proxy with TLS termination (can be Let's Encrypt), proxying through a VPN tunnel to your on-premise Nextcloud webserver, also set up with TLS (self-signed). NOT truly privacy trustworthy.

2. Reverse proxy with SSL passthrough through a VPN tunnel to your on-premise Nextcloud webserver, set up with TLS (can be Let's Encrypt). Considered truly privacy trustworthy.

3. Cloudflare tunnel using pure TCP port forwarding over the VPN you set up; it is even better. And this setup is even simpler than a reverse proxy. Considered truly privacy trustworthy.

With option 2 - and especially 3 - it does not matter at all which frontend service - Cloudflare or even Alibaba - you are using. Even less if you use a service like Let's Encrypt, because it uses your on-premise Nextcloud webserver's own private key to identify and ensure that there is no middleman trying to disguise themselves as you.

So to recap and answer: your question as you ask it makes sense, but the essence does not. It actually depends on how you choose to configure Cloudflare. The only thing that matters is that you do not terminate the TLS on the Cloudflare end of your infrastructure.


So when you talk about option 3, are you talking about using a zero trust tunnel and setting your SSL/TLS encryption mode to Full?


No.

Here TLS is decrypted on Cloudflare, and then Cloudflare makes a new connection to your own server, accepting your own certificate. This is still the first option (reverse proxy with TLS termination). Reading Cloudflare documentation, it seems they do not support TLS passthrough without termination at all, so Cloudflare is only considered truly private and safe using my last suggested option.

What’s the point of tunneling everything through third-party servers? You add a dependency on this solution, and you make the whole setup more complex. For your privately used Nextcloud, you can probably neglect the risk of DDOS attacks.

There are a lot of nice terms like firewalls, anti-virus, end-to-end encryption etc. and if they effectively decrypt and re-encrypt the traffic at their place, everything passes unencrypted at their place. If they scan (firewall/anti-virus) the content, you can never be sure what happens about it (training-material for something, …)

Just for clarity, real end-to-end encryption means (for me) that you only decrypt the data on your own device. Not even the server sees the real data, just their encrypted form. And for HTTPS traffic to your server, you don’t want anybody else to see this traffic unencrypted.

I agree. Additionally, using Cloudflare introduces a lot of drawbacks. See e.g. this list: GitHub - nextcloud/all-in-one: The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.

Hello,

Cloudflare is going to be the only party within your setup that is not open source (correct me if I am wrong). So their technology (code) is not peer reviewed and there is always a chance that they may be snooping.

However, so far no researcher or security experts have raised any red flags on their service.

Technically speaking, open source products with peer reviewed code can only be truly private.

But without Cloudflare there is that need for your own dedicated public IP. It’s been over a decade, but the world is nowhere close to an IPv6 INTERNET.

There are only so many v4 addresses.

Imagine if all home users demanded v4 Public IP from their ISP.

Just like Let’s Encrypt made SSL free for all, services like CloudFlare are adding another much needed layer. Along with Free SSL Certificate, doing the Reverse Proxy and Secure Tunneling to allow servers to run over CG-NAT.

Unfortunately, until the Internet moves to a true IPv6 setup, Cloudflare Tunnel is a necessary evil.

Thanks.

If you do not have, nor have the possibility to obtain, your own public IP, then this is the option you have.

I find the question you ask rather provocative, bordering on arrogant, as it assumes that everyone has access to their own dedicated IP without any consideration that also private households - even students in dorms - have the need for Nextcloud. I do understand what you say about complexity, but do not take it for granted that you “just” have one or several public IP addresses at your disposal, of which you can control all the traffic with your own infrastructure, directly from the interface connected to the public IP range and all the way to your Nextcloud instance. For some, there is no way around a public gateway/tunnel/VPN solution. For this Cloudflare is the best option for low cost.

@Kerasit
Unfortunately, IPv4 addresses are distributed very unfairly around the world. The fact that one often loses one’s IPv4 address when the contract is changed is not really comprehensible and should not be at least for those users who would like to keep a real IPv4 address.

Where the real reason is that a pure IPv6 network does not work. Many companies still use only IPv4 on their proxy systems. And then you are simply unreachable without IPv4 or a tunnel to your home.

Many people here now have fiber optics, which means they have a poorer connection than before. They also often pay for bandwidth that they never use anyway.

But that’s not what this was about, or at least it was nowhere mentioned in the original post that there is no public IP available. So it’s more like you assuming that everyone needs to use Cloudflare tunnels, because you don’t have a public IP.

Well that’s your opinion. There are other, more general solutions, like Zerotier or Tailscale, and with the latter you can even self-host your own control server. These solutions are definitely more private by design. And privacy was one of the main concerns in the original post.

Actually that was a fair point. I agree with the following to the letter:

There are a lot of nice terms like firewalls, anti-virus, end-to-end encryption etc. and if they effectively decrypt and re-encrypt the traffic at their place, everything passes unencrypted at their place. If they scan (firewall/anti-virus) the content, you can never be sure what happens about it (training-material for something, …)

Just for clarity, real end-to-end encryption means (for me) that you only decrypt the data on your own device. Not even the server sees the real data, just their encrypted form. And for HTTPS traffic to your server, you don’t want anybody else to see this traffic unencrypted.

It is this part, which for non-corporate or small non-profit organisations is considered very good practice to implement, that I react to:

What’s the point of tunneling everything through third-party servers? You add a dependency on this solution, and you make the whole setup more complex. For your privately used Nextcloud, you can probably neglect the risk of DDOS attacks.

After all, finding endpoints that answer on standard ports based on geolocation in order to do spray attacks, like we see now with the conflict in Ukraine and the activities in cyberspace, is most often automated, hence the robot is indiscriminate, and as long as your IP fits in the scope, you are at equal risk of automated attacks. On top of that, the comment keeps it very general.

What’s the point of tunneling everything through third-party servers? You add a dependency on this solution, and you make the whole setup more complex.

Well, this fits everyone who:

  1. Has no public IP.
  2. Is serious about security. Consider why anyone (and those anyone are MANY) uses Akamai DDoS shield?

This is why I was offended about your comment.

@Kerasit Can you expand on how option #3 would actually be implemented? As far as I know only their enterprise plan offers custom ports. Thank you

I do not know if it is a custom port or not. However, if they do not offer port forwarding, then the free tier offering of Cloudflare is not fully privacy-by-design, and there are no privacy guarantees at all.

Maybe you can simply check the TLS/SSL certificates. If the TLS/SSL certificates are terminated at Cloudflare, then I think they can read all the content. Transport Layer Security - Wikipedia
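The suggestion above (check which certificate the client actually receives) and the earlier answer's distinction between TLS terminating at Cloudflare and TLS terminating on your own premises can both be checked from the outside. The following is an added example, not code from this thread or from Nextcloud or Cloudflare: it fetches the leaf certificate a server presents and classifies the session. An issuer containing "Cloudflare" means Cloudflare terminated TLS; but because Cloudflare's Universal SSL certificates can also be issued by other public CAs (Let's Encrypt, Google Trust Services), the issuer alone is not decisive, so the script can additionally compare the certificate seen on the public name with the certificate your origin presents when queried directly on the LAN (assumed reachable by IP, with SNI set to the public hostname, and with your own CA file when the origin uses a self-signed certificate). If the two leaves differ, something in between terminated TLS. The sample certificate dictionaries are constructed in `getpeercert()` format and are not real certificates; the hostname `cloud.example.org` is a placeholder.

```python
import socket
import ssl


def flatten_name(name):
    """Turn getpeercert()'s nested RDN tuples into a flat {attribute: value} dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def fetch_peer_cert(host, port=443, server_hostname=None, cafile=None, timeout=5.0):
    """Fetch the leaf certificate a TLS server presents, as a getpeercert() dict.

    For the public hostname the default trust store is enough. To query the
    origin directly (by LAN IP, with SNI set to the public name) pass cafile=
    pointing at your own CA or self-signed certificate so the chain verifies;
    Python returns an empty dict for an unverified connection.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
            return tls.getpeercert()


def same_leaf(a, b):
    """Two leaves are the same certificate if issuer and serial number match."""
    return (a.get("serialNumber"), flatten_name(a.get("issuer", ()))) == (
        b.get("serialNumber"), flatten_name(b.get("issuer", ())))


def classify_termination(seen_cert, origin_cert=None):
    """Classify where TLS terminates, given the client-visible leaf and
    optionally the leaf the origin itself presents."""
    issuer_text = " ".join(flatten_name(seen_cert.get("issuer", ())).values()).lower()
    if "cloudflare" in issuer_text:
        return "terminated-at-cloudflare"
    if origin_cert is None:
        # A non-Cloudflare issuer proves nothing on its own (Universal SSL
        # may use Let's Encrypt or Google Trust Services as issuer).
        return "unverified"
    if same_leaf(seen_cert, origin_cert):
        return "origin-certificate"
    return "terminated-by-intermediary"


# Constructed sample certificates in getpeercert() format (not real certificates).
CF_CERT = {
    "subject": ((("commonName", "cloud.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Cloudflare, Inc."),),
               (("commonName", "Cloudflare Sample CA"),)),
    "serialNumber": "0A1B2C",
}
ORIGIN_CERT = {
    "subject": ((("commonName", "cloud.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "serialNumber": "1234ABCD",
}
# Same CA as the origin, different serial: a proxy holding its own LE certificate.
PROXY_CERT = {
    "subject": ((("commonName", "cloud.example.org"),),),
    "issuer": ORIGIN_CERT["issuer"],
    "serialNumber": "FFEE0011",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        # Usage: script.py <public-hostname> [<origin-ip> [<origin-ca.pem>]]
        public = fetch_peer_cert(sys.argv[1])
        origin = None
        if len(sys.argv) >= 3:
            cafile = sys.argv[3] if len(sys.argv) >= 4 else None
            origin = fetch_peer_cert(sys.argv[2], server_hostname=sys.argv[1], cafile=cafile)
        print(classify_termination(public, origin))
    else:
        for label, seen in (("cloudflare", CF_CERT), ("origin", ORIGIN_CERT), ("proxy", PROXY_CERT)):
            print(label, "->", classify_termination(seen, ORIGIN_CERT))
```

Run without arguments to see the three constructed cases; with a public hostname, an origin IP and optionally your CA file, it classifies the real deployment. A result of `origin-certificate` is what option 2 or 3 in the first answer should produce; `terminated-at-cloudflare` or `terminated-by-intermediary` means the plaintext is visible to whatever sits in front of your server.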

We already established this fact. Cloudflare does not offer any SNI_Preread/TLS pass-through in their free tier. Unfortunately. :frowning:

Yes, then they can read the encrypted data in clear text. Unfortunately. :coffee:

interception (or HTTPS interception if applied particularly to that protocol) is the practice of intercepting an encrypted data stream in order to decrypt it, read and possibly manipulate it, and then re-encrypt it and send the data on its way again. This is done by way of a “transparent proxy”: the interception software terminates the incoming TLS connection, inspects the HTTP plaintext, and then creates a new TLS connection to the destination.

https://en.wikipedia.org/wiki/Transport_Layer_Security

Is Cloudflare Tunnel safe (privacy focused)?

I think not, focusing on TLS. The goal of TLS (end to end) is not implemented. But maybe they are the good guys and do not analyse your normally end-to-end encrypted data on their systems. However, it cannot be proven. Security through trust, not IT functions.


I set up Nextcloud mainly for the aspect of privacy. That is, files I send/receive are stored at a location I have control over and not privy to snooping entities (Google, Microsoft, Dropbox, or any other cloud based storage platform). Only I and intended recipients have access to whatever files are stored on Nextcloud.

By using the cloudflare tunnel (or anything similar), as indicated above, client connection terminates at cloudflare so they have full access to decrypted data. This is counter to the purpose of running one’s own cloud in the first place.
