Using Cloudflare tunnel with PhotoStructure

My photostructure server is behind my home network which has a dynamic IP address and various NAT routers

I set up the ‘caddy’ reverse proxy and the basic authentication – see elsewhere on the photostructure documentation

Once I tested caddy, then I added cloudflare tunnel.

Note: you will need your own domain name, and will need to be able to point it to the cloudflare domain nameservers

These instructions should get you started:

Next you will need to install the ‘cloudflared’ program, and configure it. Here are the instructions I followed:

My system is Ubuntu, and ‘caddy’ is listening on port 1234

Here are the commands I typed to get the ‘cloudflare tunnel’ up and running.

sudo dpkg -i cloudflared-stable-linux-amd64.deb  # installs the program
cd ~/.cloudflared/
cloudflared tunnel login # one-time authorization
cloudflared tunnel create photos # create your tunnel and give it a name
cloudflared tunnel route dns photos # adds the dns entry.

create the two-line config.yml file

  logfile: ./cloudflared.log

and then run

cloudflared tunnel run photos

that is all!

Thanks for taking the time to write this down, @bvwelch !

I took the liberty of adding a couple markdown tweaks to your post (and linking up the example caddyfile), hope you don’t mind.

1 Like

I would welcome some help with my next step, which is SSL… I know nothing about this topic, other than I probably should be using SSL with photostructure…

Here is what I am reading now:

Suggestions welcome!

Cloudflare supports letsencrypt certs, but getting the letsencrypt certbot to renew isn’t trivial (especially compared to caddy without a cloudflare proxy in the way).

This is from the caddy forum:

and this seems like a reasonable writeup:

(fwiw, I’ve used a Cloudflare issued origin CA certificate, but it means you must use cloudflare’s proxy).

The Cloudflare article mentions “full” would allow a self-signed certificate at my end. Would that be a bad idea? thanks.

And by the way, why wouldn’t I want to use cloudflare’s proxy?

And if there is a better/simpler solution without cloudflare, please advise.

I’m certainly not an SSL or Cloudflare expert: but I’d assume that as long as Cloudflare is exposing your site with a high quality certificate, the certificate you present to Cloudflare shouldn’t matter.

(There are a ton of free SSL checkers online, like SSL Server Test (Powered by Qualys SSL Labs) )

Cloudflare’s cache handling is aggressive: I can’t put this forum behind Cloudflare, for example, as it breaks Discourse.

I haven’t tested PhotoStructure libraries behind Cloudflare, but if you find issues, tell me and I’ll try to get the issues sorted.

My interest in cloudflare is the tunnel – no need to open ports here. It is possible to turn off their proxy – change the orange flag to grey – and still use the tunnel and also run a script to update the dns when your ip changes.

But I will likely just wait for your official recommendations for sharing a self-hosted photostructure. Until then we are excited to just use photostructure while at home.

I use cloudflare with my photostructure instance and i’ll explain what i do.
I use cloudflare tunnel which by itself securely presents photostructure to my domain.
Using cloudflare flexible ssl works perfectly, as the data is already encrypted between the server and cloudflare
I then use cloudflare access which prevents all attempts at accessing the domain with a login page, this means that no contact with your server is allowed until, you are signed in.

All this requires no editing of anything locally, apart from the cloudflare tunnel.

I do similar to @Saxo_Broko in that I have a Traefik container reverse proxying all of my docker containers, including PhotoStructure. I also have two helper containers that keep my CNAME entries up to date, and my IP up to date, within cloudflare (cf companion and cf ddns) so that my subdomain for PhotoStructure (among others) always lands me in the correct place.

Traefik handles the Caddy/Nginx piece of reverse proxy as well as automatically keeping LetsEncrypt certs up to date.

Everything runs over 443 with Cloudflare.

Thanks guys for your insights in using the cloudflare tunnel – may I ask – what/which sort of cloudflare accounts are you using, and what about authorization?

I’d like, for example, to be able to send a link, via text, to some specific photo. Without having to do any setup on their end? maybe a one-time-password?

At the moment I am just using the free account at cloudflare.

thanks for any suggestions.

Thanks guys for your insights in using the cloudflare tunnel – may I ask – what/which sort of cloudflare accounts are you using – free account or paid?

I use a free cloudflare account for personal use, fwiw.

I just set this up yesterday. I was already hosting DNS for my domain with them (free). I setup a cloudflared
container on my unraid to point to my traefik reverse proxy. This video was a great step by step to do this. (also free)

Then I took it a step further, and setup cloudflare access with a Google as the authenticator, so all my apps are secured by my google account. (this too is free!) I didn’t follow a guide, but it’s pretty intuitive and cloudflare itself walks you through all the steps to setup the authenticator.

So, let me see if I understand – just by itself, the tunnel will provide encryption between cloudflare and any/all services provided at the self-hosted end of the tunnel.

And the ‘Flexible SSL’ from cloudflare, will provide encryption between a visitor’s web browser and cloudflare.

In addition, assuming that everyone is willing to share the same google login/credentials, you can use the cloudflare ‘access’ to authenticate visitors to your photostructure server.

It doesnt seem necessary to use Let’s Encrypt for anything…

thank you for any further suggestions/corrections,

You don’t need to share google credentials. You can have up to 50 users on cloudflare’s Access free tier. So that’s up to 50 distinct email addresses that you can grant access to. More than enough for most families…

You’re also not limited to google as an identity/email provider. Heck, you don’t even need an identity provider at all, you can use the “one-time pin” option that will email a pin each time someone logs in.

So I need to read up on cloudflare ‘access’ – I didn’t realize that visitors could have their own credentials, and yet share a common resource like a photostructure web site. thanks.

*Edit: I see avdp has already beaten me to the punch. I didn’t click on his link until I had already posted. Good on ya.

Here is a video tutorial on using Unraid and a Cloudflare Argo tunnel with a domain.

Here is another on creating an authentication portal using LDAP:

1 Like

I like the idea a lot, but is there maybe a more informative walkthrough for the uninitiated to reverse proxies?

I installed Caddy, followed the photostructure steps to configure but I’m left with a few questions for @bvwelch

How did you test it? Did you do some port forwarding? Did you visit :2019? 2019 seems to be some default port, I’m still using 1787 for PS though. Should I be able to “see” the RP somehow working on my internet network?

My goal is to setup a domain (say and point that to Cloudflares DNS servers and then that will talk with my local PS server without any port forwarding on my part via a tunnel. Am I getting the gist here?

Why do we need caddy at all? RPs are usually used to protect the internal webserver from being directly exposed to the internet IIRC, so are we using this for rudimentary authentication and TLS?

The only reason to use a reverse proxy like caddy or Traefik is to either provide SSL (https) and/or add authentication which would be absolutely required if you were exposing photostructure through your firewall (i.e. port forwarding).

But since cloudflared essentially works like a VPN tunnel, and you can encrypt and secure through cloudflare access, then it’s strictly not necessary to implement a reverse proxy. I kept mine (Traefik) in place because I had already set it up and I like the idea of the traffic inside my network to also be encrypted.

1 Like

I am trying to setup remote access with caddy and cloudflared “gizmo”. Photostructure host is behind NAT and I am getting dynamic IPs from my ISP. I opened account with Cloudflare, changed some records on my domain registrar (1&1) to point to Cloudflare DNS. I don’t have website on that domain hosted anywhere, I just have domain name. Now, how do I “tell” Cloudflare to point traffic directed to my domain to the IP behind my router? I assume this is done via Cloudflare tunnel, but I can’t figure it out. It also should go around router’s firewall, as I am not supposed to open any ports on the router to allow tunnel to work…

Any help is appreciated.