Using Cloudflare tunnel with PhotoStructure

My photostructure server is behind my home network, which has a dynamic IP address and various NAT routers.

I set up the ‘caddy’ reverse proxy and the basic authentication – see elsewhere in the photostructure documentation.

Once I had tested caddy, I added the cloudflare tunnel.

Note: you will need your own domain name, and will need to be able to point it to the cloudflare domain nameservers.

These instructions should get you started:

Next you will need to install the ‘cloudflared’ program, and configure it. Here are the instructions I followed:

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps

My system is Ubuntu, and ‘caddy’ is listening on port 1234.

Here are the commands I typed to get the ‘cloudflare tunnel’ up and running.

```shell
sudo dpkg -i cloudflared-stable-linux-amd64.deb  # installs the program
cd ~/.cloudflared/
cloudflared tunnel login  # one-time authorization
cloudflared tunnel create photos  # create your tunnel and give it a name
cloudflared tunnel route dns photos photos.mydomain.com  # adds the DNS entry
```

Create the two-line config.yml file:

```yaml
url: http://0.0.0.0:1234
logfile: ./cloudflared.log
```

and then run:

```shell
cloudflared tunnel run photos
```

That is all!
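A fuller config.yml for the same tunnel, added here as an example and not taken from the post above. It assumes the named-tunnel format (tunnel UUID and credentials file are placeholders), that caddy is bound to localhost on port 1234 rather than to every interface, and that only the hostname created with `tunnel route dns` should be served; anything else is answered with a 404 instead of being forwarded to the origin.

```yaml
# Named tunnel created with: cloudflared tunnel create photos
# Replace the UUID and credentials path with the values printed by that command.
tunnel: 00000000-0000-0000-0000-000000000000          # placeholder tunnel UUID
credentials-file: /home/me/.cloudflared/00000000-0000-0000-0000-000000000000.json  # placeholder

logfile: /home/me/.cloudflared/cloudflared.log
loglevel: info

ingress:
  # Only the hostname routed with "cloudflared tunnel route dns photos photos.mydomain.com"
  # is forwarded to caddy. Caddy is assumed to listen on 127.0.0.1:1234 only, so the
  # origin is not reachable from the LAN except through the tunnel.
  - hostname: photos.mydomain.com
    service: http://127.0.0.1:1234
    originRequest:
      connectTimeout: 30s
  # Catch-all rule is required by cloudflared; any other Host header gets a 404
  # rather than reaching the origin.
  - service: http_status:404
```

Validate the file with `cloudflared tunnel ingress validate` before running `cloudflared tunnel run photos`; the connection from cloudflared to Cloudflare's edge is encrypted regardless of the plain-HTTP hop to the local caddy.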

Thanks for taking the time to write this down, @bvwelch !

I took the liberty of adding a couple markdown tweaks to your post (and linking up the example caddyfile), hope you don’t mind.


I would welcome some help with my next step, which is SSL… I know nothing about this topic, other than I probably should be using SSL with photostructure…

Here is what I am reading now:

Suggestions welcome!

Cloudflare supports letsencrypt certs, but getting the letsencrypt certbot to renew isn’t trivial (especially compared to caddy without a cloudflare proxy in the way).

This is from the caddy forum:

and this seems like a reasonable writeup:

https://sammckenzie.be/en/blog/using-caddy-with-cloudflare/

(fwiw, I’ve used a Cloudflare issued origin CA certificate, but it means you must use cloudflare’s proxy).

The Cloudflare article mentions that “full” would allow a self-signed certificate at my end. Would that be a bad idea? Thanks.

And by the way, why wouldn’t I want to use cloudflare’s proxy?

And if there is a better/simpler solution without cloudflare, please advise.

I’m certainly not an SSL or Cloudflare expert: but I’d assume that as long as Cloudflare is exposing your site with a high quality certificate, the certificate you present to Cloudflare shouldn’t matter.

(There are a ton of free SSL checkers online, like SSL Server Test (Powered by Qualys SSL Labs) )

Cloudflare’s cache handling is aggressive: I can’t put this forum behind Cloudflare, for example, as it breaks Discourse.

I haven’t tested PhotoStructure libraries behind Cloudflare, but if you find issues, tell me and I’ll try to get the issues sorted.

My interest in cloudflare is the tunnel – no need to open ports here. It is possible to turn off their proxy – change the orange flag to grey – and still use the tunnel and also run a script to update the dns when your ip changes.

But I will likely just wait for your official recommendations for sharing a self-hosted photostructure. Until then we are excited to just use photostructure while at home.

I use cloudflare with my photostructure instance and I’ll explain what I do.
I use cloudflare tunnel, which by itself securely presents photostructure to my domain.
Using cloudflare flexible SSL works perfectly, as the data is already encrypted between the server and cloudflare.
I then use cloudflare access, which blocks all attempts at accessing the domain with a login page; this means that no contact with your server is allowed until you are signed in.

All this requires no editing of anything locally, apart from the cloudflare tunnel.

I do similar to @Saxo_Broko in that I have a Traefik container reverse proxying all of my docker containers, including PhotoStructure. I also have two helper containers that keep my CNAME entries up to date, and my IP up to date, within cloudflare (cf companion and cf ddns) so that my subdomain for PhotoStructure (among others) always lands me in the correct place.

Traefik handles the Caddy/Nginx piece of reverse proxy as well as automatically keeping LetsEncrypt certs up to date.

Everything runs over 443 with Cloudflare.

Thanks, guys, for your insights into using the cloudflare tunnel – may I ask what sort of cloudflare accounts you are using, and what about authorization?

I’d like, for example, to be able to send a link, via text, to some specific photo, without having to do any setup on their end. Maybe a one-time password?

At the moment I am just using the free account at cloudflare.

Thanks for any suggestions.