The timing of this post is almost comical.
Maybe a bunch of lemmytors read it and went to try, resulting in an unexpected volume.
this post was submitted on 16 Nov 2025
120 points (96.2% liked)
Selfhosted
53057 readers
607 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
It was posted Sunday afternoon.
Today is Tuesday.
Ironic.
I see SO much cloudflare stuff on here, I have to believe they are ads/astroturfing. I can’t understand why so many self-hosting people would tie their services to them. In my mind it completely defeats the point to self hosting in the first place.
I have to believe they are ads/astroturfing.
I recommend what I use. I have no interest in shilling for any company, opensource or closed. I can understand not liking a company. That's fine. The animosity is a bit overboard imho, but with 8.4 billion people on this planet, opinions range widely. It works for what I use it for, and when it no longer does, I'll move on to something else.
shilling or not for something you use is one thing, I made my comment because this post has a guerilla marketing smell to it.
it certainly educated me on their product and even tempted me to use it because of the real-life applications they provided. this is likely the "smell" that makes me distrust it.
top it off, I hate cloudflare because of all the engineers that use it. the unsurmountable percentage of the internet that is entirely dependent on cloudflare staying up is frustratingly apparent (especially recently).
because this post has a guerilla marketing smell to it.
If we were all board execs, maybe you might have a point....I guess. However, we are selfhosters, homelab'ers. As such, no one here will probably be pumping millions of dollars into the Cloudflare machine or attempting to persuade others to do so as well. As I mentioned in another comment, I can only think of around 10 major outages going back 5 years or so. Sure there have been hiccups, glitches, etc. Welcome to the internet. Shit breaks....all of it from time to time.
I stopped using CF tunnels specifically because of shit like today's outage.
I don't trust cloudflare, especially not with stuff like zero trust. They're a terrible company and I think they should fail.
Tbf, I dont this Argo Tunnel has anything to do with zero trust. The product has just been nested under that umbrella.
It seems you're right
Hahhahaha 😄
Would you be willing to share more about your position? I’ve been happy with their service, but want to be fully informed about who I’m doing business with
- You are allowing a large faceless coorporation that has ties to both government and big tech to setup a back door to your network.
- Your data is encrypted to the outside world, but all your packets are unencrypted to cloudflare so they can check them safely, and can be easily analyzed by cloudflare before encrypting them to the outside world.
- Its free so you are the product.
- They protect scammers.
They're protecting scammers and other bad actors, their infra is run by junior DevOps "engineers" and every now and then they find another way to fuck half the internet.
They're part of what's wrong with USA-centric hosting nowadays.
Others posted good articles and thoughts aswell :)
and every now and then they find another way to fuck half the internet.
Like literally today lol, it has been giving me shit all morning.
See, I'm right. 💩
Is there a European equivalent? At the moment I only do ddns with them and they are my registrar but don't use the tunnela
Countless DDNS vendors. You could set up a simple 1€/month ionos.com server and do DDNS yourself or rent DDNS from inwx.de or do.de or something.
This read is a good start:
Looks like a totally legit domain. Much trusting.
I can’t remember the exact technical details of it, but that’s how links are generated for non-Latin languages. If you go to the actual site it will display as the intended url
Normally when i post these links i add a notice, as it seems not too many people know yet, but as suggest by another comment: this is puny code.
It is - that's just how URLs in non-latin fonts look unfortunately. URLs, (and a ton of tech infrastructure) is hugely English/latin script biased.
The URL is Japanese.
It's punycode. Get with the times.
I just asked 2 IT guys "hey, do you know what punycode is?" And the answer I received was "I've heard of it but don't know what it is."
Thank you for informing me, but I'm far from alone in not recognizing it or having knowledge of what punycode is.
just access it through cloudfarse.. you'll be fine!
Could start with the fact that they go down about once a month now and take half the Internet with them.
They're having a major outage as I'm reading this, lol.
I know, after I posted that I was looking at their outages and worrying that my 1/month estimate too much of an exaggeration cause they hadn't had a big one in a bit.
Ah OK, so when you said “terrible company” you meant performance? I’ve had great performance with them so far fortunately
For me it's reliability and generally scummy business practices.
They protect scammers and sell big data centres solutions that protect from DoS attacks 🤡
I wasn't the original person that replied.
That's less a problem with cloud flare it self and more just a issue of anything the scope and scale of what they have become. Even a better company would face the same issues.
It's fair to argue that they we should spread things out more to make them more resilient.
But that's more a knock against centralization than the service at hand. It's also fair to show that they're good enough that they were able to reach this point. Or more accurately. Everyone else was worse so they reached this point.
It always feels like blaming cloudford at this point is much like blaming the horse for its Rider.
It's not really "zero trust", though, right?
Isn't CF still terminating TLS?
I only started using Cloudflare tunnels recently, but I'm now using the self hosted alternative Pangolin on a VPS for private services, and I keep the Cloudflare tunnel for public web hosting, i.e WordPress. This also allows easy restriction to the WordPress login page for other users via Google auth etc which is something very simple with CF.
Having split up my private/public services to seperate tunnels also means I don't stand the chance of taking the public services offline with my constant tinkering of Pangolin and the VPS it runs on.
I have pushed the CF tunnel for file transfers occasionally (which is against their terms), but it hits remarkable speeds for a 'free' service.
Do you have any solution for services that aren't over a browser? I've been using Tailscale but I'm looking for alternatives. Pangolin only seems to work for either browser-based services or opening ports to the Internet, unless I'm missing something.
Ex. How do I connect a client app on my phone to my subsonic server for music without opening my home server to the net?
Pangolin is a reverse proxy, so it can forward a URL to any backend service on any port. But you're right in that you have to be signed in on the browser you access it on. Therefore an app won't directly work without prior login. You can create a 'shareable link' in Pangolin, which I use for the Immich app. This gives me header tokens that the Immich app can take in its advanced settings, and that's how that one works.
I've recently moved away from dedicated apps for mobile services and toward web-based access for most things (I use Music Assistant in browser). This isn't perfect for everything and everyone, but I realise now with your question that it's worked well for me transitioning to Pangolin (and at least Immich app works).
Is there a reason not to use pangolin for the public stuff too?
I'm just about to make the switch from CloudFlare to pangolin on VPS, and I wanna make sure I'm not missing anything
If today's outage is anything to go by, you're better off not using Cloudflare!!
I have continued to use it for public websites so that, in my thinking, at least the Cloudflare network is scrutinising who is accessing my webpages in case of attacks etc.
Pangolin is a simpler cloud reverse proxy, whereas Cloudflare has more bells 'n whistles for quick-set security. You just need to harden your VPS that Pangolin runs on. You can activate Crowdsec etc on it as well.
I run mine on a Hetzner VPS which has a nice firewall feature in the control panel securing the VPS ports for SSH and Pangolin tunnel to my home IP. Then it's only ports 80 & 443 exposed. And I think from memory Pangolin doesn't play nicely with UFW (well, Traefik doesn't).
Outside of VPS firewalls settings and fail2ban, is there anything else you'd recommend to harden the VPS?
Not my expertise I'm afraid. Geoip blocking is straightforward with traefik (and Pangolin docs), Crowdsec is a little more complicated, and with the external firewall into the VPS, there isn't much more I can think to do.
It's likely more a factor of how secure Pangolin itself is at that stage.
I'm interested to know if anyone is using a Cloudflare tunnel to stream audio? It breaks their terms but I've read that they tend to ignore it.
Idk about audio but they rate limit video pretty quickly. Audio might be low enough bandwidth for them to not care, but be cautious
I access my Navidrome and Invideous instance without any issues. I am the only user on my network, so that would be a consideration if a lot of people were using your streaming services.
I run audio and video through tunnels just fine. Last I checked they dropped the requirements for HTML only content and as long as you don't abuse the service and cache too much data you're OK with video and audio content.
I run audiobookshelf through it and it works flawlessly.