Is Cloudflare Tunnel safe (privacy focused)?

I’ve been following DBTech tutorials to set up a Nextcloud instance and I want to use Cloudflare Tunnel to access it over the internet.

Cloudflare Tunnel provides DDoS protection, a firewall and many other features to keep the website safe from external factors, but is the Tunnel private (privacy focused)? Like, is it truly encrypted? When I upload a file or use Nextcloud Talk to chat with my friends, is it possible that Cloudflare can view the decrypted contents?

The free plan doesn’t allow usage of any other SSL certificates, you have to use the one provided by Cloudflare, and the origin server can only use SSL certificates from Cloudflare.

I’ve read a few posts saying it’s not really private, but the Nextcloud AIO documentation says it can be hosted behind a Cloudflare Tunnel.

Is there a way to harden Cloudflare Tunnel? If it isn’t private, are there any other good alternatives?

I’m new to self hosting, so I’m sorry if these things sound trivial, but I really need to know if the service (Cloudflare Tunnel) is privacy focused before using it.

No. Using solely Cloudflare is not truly privacy safe.

However, here is a brief recap of what happens, and then what a tunnel is and how it SHOULD be used.

When you write “new to self hosting” I will automatically assume you have set up a server in your own perimeter (home address), and are looking into using Cloudflare ONLY to provide a publicly reachable interface, so you can reach your Nextcloud from anywhere.

All your data resides on your Nextcloud in your home. So far so good. You should ALWAYS use HTTPS, where the TLS traffic terminates at your own premise (on your own network). For this to be possible, there are three options, of which two are considered truly trustworthy:

  1. Reverse proxy with TLS termination (can be Letsencrypt), proxying through a VPN tunnel to your on-premise Nextcloud webserver, set up also with TLS (self-signed). NOT truly privacy trustworthy.
  2. Reverse proxy with SSL passthrough through a VPN tunnel to your on-premise Nextcloud webserver, set up with TLS (can be Letsencrypt). Considered truly privacy trustworthy.
  3. Cloudflare tunnel using pure TCP port forwarding over the VPN you set up; it is even better. And this setup is even simpler than a reverse proxy. Considered truly privacy trustworthy.

With option 2 - and especially 3 - it does not matter at all which frontend service - Cloudflare or even Alibaba - you are using. Even less if you use a service like Letsencrypt, because it uses your on-premise Nextcloud webserver’s own private key to identify it and ensure that there is no middleman trying to disguise themselves as you.

So to recap and answer: your question as you ask it makes sense, but the essence does not. It actually depends on how you choose to configure Cloudflare. The only thing that matters is that you do not terminate the TLS on the Cloudflare end of your infrastructure.


So when you talk about option 3, are you talking about using a zero trust tunnel and setting your SSL/TLS encryption mode to Full?


No.

Here TLS is decrypted on Cloudflare, and then Cloudflare makes a new connection to your own server, accepting your own certificate. This is still the first option (reverse proxy with TLS termination). Reading the Cloudflare documentation, it seems they do not support TLS passthrough without termination at all, so Cloudflare is only considered truly private and safe using my last suggested option.
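To make the difference between option 1 and option 2 above concrete, here is an added example (not code from any post in this thread, nor from Cloudflare or Nextcloud) of what a passthrough intermediary actually works with: it reads the Server Name Indication from the plaintext TLS ClientHello to choose which origin to forward the byte stream to, and never holds a key that could decrypt the content. The hostnames, the 10.8.0.2 origin address and the helper names are constructed for illustration.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying an SNI extension.

    This is a test fixture standing in for the first bytes a browser sends.
    The random and the cipher-suite list are minimal placeholders, so this
    is not a handshake a real server would complete.
    """
    name = server_name.encode("ascii")          # SNI carries ASCII A-labels
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # random (zeros: fixture only)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # null compression only
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE, 0x03, 0x01])
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello record, or None.

    Only plaintext handshake fields are read; no key material is involved.
    Anything that is not a well-formed ClientHello yields None.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                   # truncated record
    try:
        pos = 2 + 32                                  # skip client_version + random
        pos += 1 + body[pos]                          # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                          # skip compression_methods
        if pos == len(body):
            return None                               # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if ext_end > len(body):
            return None
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            # server_name_list: length(2) + name_type(1) + name_length(2) + name
            if etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                name = data[5:5 + name_len]
                if len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route_by_sni(first_bytes: bytes, backends: dict,
                 fallback: Optional[str] = None) -> Optional[str]:
    """Pick the origin a passthrough proxy should relay to, using only the SNI.

    Returns None when nothing matches and no fallback is configured, in
    which case the proxy should simply close the connection.
    """
    sni = extract_sni(first_bytes)
    if sni is None:
        return fallback
    return backends.get(sni.lower(), fallback)


if __name__ == "__main__":
    # Constructed routing table: public name -> on-premise origin reached over the VPN.
    table = {"cloud.example.com": "10.8.0.2:443"}
    hello = build_client_hello("cloud.example.com")
    print(extract_sni(hello))                           # cloud.example.com
    print(route_by_sni(hello, table))                   # 10.8.0.2:443
    print(route_by_sni(b"GET / HTTP/1.1\r\n", table))   # None: not TLS, nothing to route
```

The privacy point this makes is two-sided. A passthrough proxy cannot read requests, files or chat messages, because the TLS session is negotiated between the browser and the origin's own private key. It does still learn the hostname in the SNI, the client IP and the traffic volume, so the gain over TLS termination is in the content, not in the metadata.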

What’s the point of tunneling everything through third-party servers? You add a dependency on this solution, and you make the whole setup more complex. For your privately used Nextcloud, you can probably neglect the risk of DDoS attacks.

There are a lot of nice terms like firewalls, anti-virus, end-to-end encryption etc., and if they effectively decrypt and re-encrypt the traffic at their place, everything passes unencrypted at their place. If they scan (firewall/anti-virus) the content, you can never be sure what happens with it (training material for something, …).

Just for clarity, real end-to-end encryption means (for me) that you only decrypt the data on your own device. Not even the server sees the real data, just its encrypted form. And for HTTPS traffic to your server, you don’t want anybody else to see this traffic unencrypted.

I agree. Additionally, using Cloudflare introduces a lot of drawbacks. See e.g. this list: GitHub - nextcloud/all-in-one: Nextcloud AIO stands for Nextcloud All In One and provides easy deployment and maintenance with most features included in this one Nextcloud instance.

Hello,

Cloudflare is going to be the only party within your setup that is not open source (correct me if I am wrong). So their technology (code) is not peer reviewed and there is always a chance that they may be snooping.

However, so far no researchers or security experts have raised any red flags on their service.

Technically speaking, only open source products with peer-reviewed code can be truly private.

But without Cloudflare there is the need for your own dedicated public IP. It’s been over a decade, but the world is nowhere close to an IPv6 INTERNET.

There are only so many v4 addresses.

Imagine if all home users demanded v4 Public IP from their ISP.

Just like Let’s Encrypt made SSL free for all, services like Cloudflare are adding another much needed layer: along with a free SSL certificate, they do the reverse proxying and secure tunneling that allow servers to run over CG-NAT.

Unfortunately, until the Internet moves to a true IPv6 setup, Cloudflare Tunnel is a necessary evil.

Thanks.

If you do not have, nor have the possibility to obtain, your own public IP, then this is the option you have.

I find the question you ask rather provocative, bordering on arrogant, as it assumes that everyone has access to their own dedicated IP without any consideration that private households too - even students in dorms - have the need for Nextcloud. I do understand what you say about complexity, but do not take it for granted that you “just” have one or several public IP addresses at your disposal, of which you can control all the traffic with your own infrastructure, directly from the interface connected to the public IP range all the way to your Nextcloud instance. For some, there is no way around a public gateway/tunnel/VPN solution. For this Cloudflare is the best option for low cost.

@Kerasit
Unfortunately, IPv4 addresses are distributed very unfairly around the world. The fact that one often loses one’s IPv4 address when the contract is changed is not really comprehensible and should not be at least for those users who would like to keep a real IPv4 address.

Where the real reason is that a pure IPv6 network does not work. Many companies still use only IPv4 on their proxy systems. And then you are simply unreachable without IPv4 or a tunnel to your home.

Many people here now have fiber optics, which means they have a poorer connection than before. They also often pay for bandwidth that they never use anyway.

But that’s not what this was about, or at least it was nowhere mentioned in the original post that there is no public IP available. So it’s more like you assuming that everyone needs to use Cloudflare tunnels, because you don’t have a public IP.

Well that’s your opinion. There are other, more general solutions, like Zerotier or Tailscale, and with the latter you can even self-host your own control server. These solutions are definitely more private by design. And privacy was one of the main concerns in the original post.

Actually that was a fair point. I agree with the following to the letter:

There are a lot of nice terms like firewalls, anti-virus, end-to-end encryption etc., and if they effectively decrypt and re-encrypt the traffic at their place, everything passes unencrypted at their place. If they scan (firewall/anti-virus) the content, you can never be sure what happens with it (training material for something, …).

Just for clarity, real end-to-end encryption means (for me) that you only decrypt the data on your own device. Not even the server sees the real data, just its encrypted form. And for HTTPS traffic to your server, you don’t want anybody else to see this traffic unencrypted.

It is this part, which for non-corporate or small non-profit organisations is considered very good practice to implement, that I react to:

What’s the point of tunneling everything through third-party servers? You add a dependency on this solution, and you make the whole setup more complex. For your privately used Nextcloud, you can probably neglect the risk of DDOS attacks.

After all, finding endpoints that answer on standard ports based on geolocation in order to do spray attacks, like we see now with the conflict in Ukraine and the activities in cyberspace, is most often automated, hence the robot is indiscriminate, and as long as your IP fits in the scope, you are at equal risk of automated attacks. On top of that, the comment keeps it very general.

What’s the point of tunneling everything through third-party servers? You add a dependency on this solution, and you make the whole setup more complex.

Well, this fits everyone who:

  1. Has no public IP.
  2. Is serious about security. Consider why anyone (and those anyone are MANY) uses Akamai DDoS shield?

This is why I was offended about your comment.