[SOLVED] ELI5: How to put several servers on one external IP?
-
You can use frp to do the same thing a CloudFlare tunnel does without giving them your unencrypted data.
It's definitely not the same thing.
I do understand reservations about using free-tier services from Big Bad Corp., but I don't understand the malicious reduction of valid arguments for using those services.
-
NAT translation, I use my OpenWRT router for that
OpenWRT also has great IPv6 support
-
Your stuff is more likely to get scanned sitting in a VPS with no firewall than behind a firewall on a home network
Why wouldn't you setup a firewall on the VPS?
-
They are a plague with how prevalent they have become.
The internet shouldn’t put all its eggs into one basket.
It’s just another centralized entity which will lead to monopolized power. It goes against what we are trying to do with federated networks like Lemmy and mastodon.
I prefer to use products and services before inevitable enshittification, not after the curve. Refusing to use them won't change their fate.
-
What are you running?
If it is http based use a reverse proxy like Caddy
For now just some experiments alongside NAS
Planning to host Bitwarden, Wallabag and other niceties on the server, and then when I get something more powerful, spin up Minecraft server and stuff
-
This attack targets end users, not Cloudflare tunnel operators (i.e. self-hosters). It abuses Cloudflare Tunnels as a delivery mechanism for malware payloads, not as a method to compromise or attack people who are self-hosting their own services through Cloudflare Tunnels.
Thanks for clarification!
-
Dude above you is under the perception that it requires 100% uptime or other users to be classified, which is wrong. You are definitely self hosting, albeit only for yourself I assume. Which is fine
Yep, sharing stuff for others requires more expertise, as I'll get responsible for other people's experience. If I screw something up now, only I will be affected.
-
Yep, sharing stuff for others requires more expertise, as I'll get responsible for other people's experience. If I screw something up now, only I will be affected.
And you are self-sufficient, or whatever the word is. But that's the key thing for me, not having to rely on others for my services
-
What are you running?
If it is http based use a reverse proxy like Caddy
Update: tried Caddy, love it, dead simple, super fast, and absolutely works!
-
I'm pretty new to selfhosting and homelabs, and I would appreciate a simple-worded explanation here. Details are always welcome!
So, I have a home network with a dynamic external IP address. I already have my Synology NAS exposed to the Internet with DDNS - this was done using the interface, so didn't require much technical knowledge.
Now, I would like to add another server (currently testing with Raspberry Pi) in the same LAN that would also be externally reachable, either through a subdomain (preferable), or through specific ports. How do I go about it?
P.S. Apparently, what I've tried on the router does work, it's just that my NAS was sitting in the DMZ. Now it works!
I really feel like people who are beginners shouldn't play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban you can see that the crawlers etc. are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you won't even notice unless you're logging stuff.
Of course you can set up 2FA etc but that’s pretty involved compared to a simple wg tunnel that lives on your router.
-
Dude above you is under the perception that it requires 100% uptime or other users to be classified, which is wrong. You are definitely self hosting, albeit only for yourself I assume. Which is fine
Yes. I meant the uptime. To me hosted means I can reach it in a digital way any time, even if it is just wake on LAN. But if you guys say some device running 8hrs a day is hosting, I am fine with that.
-
I really feel like people who are beginners shouldn't play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban you can see that the crawlers etc. are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you won't even notice unless you're logging stuff.
Of course you can set up 2FA etc but that’s pretty involved compared to a simple wg tunnel that lives on your router.
My mantra is "plan to be hacked". Whether this is a good backup strategy, a read-only VM, good monitoring or serious firewall rules.
-
And you are self-sufficient, or whatever the word is. But that's the key thing for me, not having to rely on others for my services
Yep!
For me it's a sense of reliability and control - my stack will keep working even if new censorship rolls out (I live in a heavily censored and sanctioned jurisdiction), or if there's a global outage, or whatever else. I am also the sole authority over my piece of the Internet, and no one can do anything to alter it or take it away.
-
I really feel like people who are beginners shouldn't play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban you can see that the crawlers etc. are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you won't even notice unless you're logging stuff.
Of course you can set up 2FA etc but that’s pretty involved compared to a simple wg tunnel that lives on your router.
For now I'm only toying around, experimenting a little - and then closing ports and turning my Pi off. I do have my NAS constantly exposed, but it is solidly hardened (firewall, no SSH, IP bans for unauthorized actions, etc. etc.), fully updated, hosts no sensitive data, and all that is important is backed up on an offline drive.
-
For now just some experiments alongside NAS
Planning to host Bitwarden, Wallabag and other niceties on the server, and then when I get something more powerful, spin up Minecraft server and stuff
I'll be honest, if you aren't planning on sharing with others, I'd recommend switching to something like WireGuard to connect back into your house instead of exposing everything publicly. Some firewalls have WireGuard built in, so you can set up the VPN easily. But then all you have to do is keep your VPN endpoint safe to keep your internal network protected from the Internet, instead of having to worry about the security of everything you expose.
-
I'll be honest, if you aren't planning on sharing with others, I'd recommend switching to something like WireGuard to connect back into your house instead of exposing everything publicly. Some firewalls have WireGuard built in, so you can set up the VPN easily. But then all you have to do is keep your VPN endpoint safe to keep your internal network protected from the Internet, instead of having to worry about the security of everything you expose.
That's a good piece of advice, but due to several considerations (extreme censorship interrupting VPN connections, family using NAS for automatic backups, and some others) I cannot go that route.
-
That's a good piece of advice, but due to several considerations (extreme censorship interrupting VPN connections, family using NAS for automatic backups, and some others) I cannot go that route.
There's nothing saying you can't have ports forwarded for the NAS, and have a VPN for everything else. Censorship may be a problem, but those more often block VPN services like NordVPN, not protocols. So running your own is less likely to be stopped. That said, of course comply with local laws, I don't know where you live or what's legal there.
If you really want multiple things exposed at the same time, you have two options (which can be used in combination if needed/wanted):
- A reverse proxy. I use Caddy. I give it a config file that says what address and port binds to what hostname, and I forward port 443/80 to it. That works great for web content.
- Use custom ports for everything. I saw someone else walking you through that. It works, but is a little harder to remember, so good notes will be important.
I still recommend against forwarding a lot of ports as a beginner. It's very common for software and web apps to have security vulnerabilities, and unless you are really on top of it, you could get hit. Not only does that put all your internal devices at risk, not just the one that was originally breached, it also will likely become part of a botnet, so your local devices will be used to attack other people. I'd recommend getting confident with your ability to maintain your services and hardening your environment first.
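An added example of the reverse-proxy layout described in this post (this is illustrative config written for this page, not anyone's actual setup from the thread): one Caddyfile that routes two subdomains to two LAN hosts behind a single public address, with the router forwarding TCP 80, TCP 443 and UDP 443 to the machine running Caddy. The hostnames nas.example.com and pi.example.com, the LAN addresses 192.168.1.10 and 192.168.1.20, the backend ports and the email address are all placeholders; the DNS setup (subdomains as CNAMEs to a DDNS hostname) is likewise assumed.

```caddyfile
# Added example; hostnames, LAN addresses, ports and the email address are assumed.
# Router: forward TCP 80, TCP 443 and UDP 443 (QUIC / HTTP/3) to this host.
# DNS: nas.example.com and pi.example.com are assumed to resolve to your public
# address, e.g. as CNAME records pointing at your DDNS hostname.

{
	# Assumed address; registered with the ACME CA (Let's Encrypt by default).
	email admin@example.com
}

# Shared snippet: JSON access log, the input a fail2ban filter would read to
# ban sources that keep failing authentication or probing for paths.
(access_log) {
	log {
		output file /var/log/caddy/access.log
		format json
	}
}

# Synology NAS, assumed to serve plain HTTP on port 5000 inside the LAN.
nas.example.com {
	import access_log
	reverse_proxy 192.168.1.10:5000
}

# Raspberry Pi, assumed to serve an application on port 8080.
pi.example.com {
	import access_log
	reverse_proxy 192.168.1.20:8080
}
```

Caddy obtains and renews certificates only for the hostnames listed, so a connection that presents no matching name (a scanner hitting the bare IP, for instance) has no site to land on and is not forwarded to either backend; the backends themselves should still be firewalled so they accept traffic only from the proxy host. Check a config with `caddy validate --config /etc/caddy/Caddyfile` before reloading.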
-
There's nothing saying you can't have ports forwarded for the NAS, and have a VPN for everything else. Censorship may be a problem, but those more often block VPN services like NordVPN, not protocols. So running your own is less likely to be stopped. That said, of course comply with local laws, I don't know where you live or what's legal there.
If you really want multiple things exposed at the same time, you have two options (which can be used in combination if needed/wanted):
- A reverse proxy. I use Caddy. I give it a config file that says what address and port binds to what hostname, and I forward port 443/80 to it. That works great for web content.
- Use custom ports for everything. I saw someone else walking you through that. It works, but is a little harder to remember, so good notes will be important.
I still recommend against forwarding a lot of ports as a beginner. It's very common for software and web apps to have security vulnerabilities, and unless you are really on top of it, you could get hit. Not only does that put all your internal devices at risk, not just the one that was originally breached, it also will likely become part of a botnet, so your local devices will be used to attack other people. I'd recommend getting confident with your ability to maintain your services and hardening your environment first.
It's not illegal to use VPN in my area, but connections are blocked on a protocol level, both through OpenVPN and Wireguard.
I already managed to make Caddy work, so, hooray!
I also found a setting on my router that fully isolates certain devices from the local network. I want to put the server in there, so that the rest of my LAN is not under threat. I also want to figure out VLANs.
-
It's definitely not the same thing.
I do understand reservations about using free-tier services from Big Bad Corp., but I don't understand the malicious reduction of valid arguments for using those services.
It literally does the same thing, except it's self hosted?
-
Update: tried Caddy, love it, dead simple, super fast, and absolutely works!
Did you also forward UDP port 443?
If not I would as well since it is used for QUIC which is supported and automatically turned on for Caddy.