Using Cloudflare tunnel with PhotoStructure

Not sure what “gizmo” means, but cloudflared is an application you install on your network and it opens a tunnel to Cloudflare, very similar to a VPN. All the traffic goes through that and you don’t need to configure an IP or firewall rule, or anything like that.

You didn’t say where you’re planning to run cloudflared (what OS). If it’s a Docker container on Unraid, the video link above shows step-by-step instructions. If it’s something else, the URL below is the official documentation.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide


Yeah, I meant an application. I am trying to run cloudflared on Ubuntu 20 box - the same host where PhotoStructure is installed.

I looked at the video above and at about 18:40 the guy is changing the CNAME from the IP address to .cfargotunnel.com for his domain. I tried this and got: “An A, AAAA, or CNAME record with that host already exists. (Code: 81053)”.

Just now I realized I should delete A and AAAA records and add my own CNAME record.

I will play with this more today and post here if anything “interesting” happens.

Thanks,
K
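For anyone doing the same on an Ubuntu host, here is the setup described in the two posts above written out as a script. This is an added example, not PhotoStructure’s or Cloudflare’s own code. The tunnel name “photostructure”, the hostname photos.example.com and the local port 1787 are placeholders I chose, not facts from the thread; substitute your own. The apt repository line is taken from Cloudflare’s Linux package instructions and should be checked against the docs linked above before use.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders, not facts from the
# thread: tunnel name "photostructure", hostname photos.example.com, local port 1787.

# Write the named-tunnel config that cloudflared reads from /etc/cloudflared/config.yml.
# $1 = output path, $2 = tunnel UUID, $3 = public hostname, $4 = local port
write_tunnel_config() {
  cat > "$1" <<EOF
tunnel: $2
credentials-file: /etc/cloudflared/$2.json
ingress:
  # Only this hostname is forwarded, and only to the loopback address, so the
  # origin is reachable through the tunnel and nowhere else.
  - hostname: $3
    service: http://127.0.0.1:$4
  # The catch-all must be last; cloudflared refuses to start without one.
  - service: http_status:404
EOF
}

# Two checks worth running before installing the service: the last rule is the
# catch-all, and no ingress service points at a non-loopback origin (which would
# mean the tunnel fronts something that is also reachable some other way).
check_tunnel_config() {
  tail -n 1 "$1" | grep -q 'service: http_status:404' || return 1
  ! grep -E 'service: https?://' "$1" | grep -vqE '://(127\.0\.0\.1|localhost|\[::1\])'
}

# One-time setup on the Ubuntu host. Not run automatically; call it as
#   setup_tunnel photostructure photos.example.com 1787
setup_tunnel() {
  name=$1; host=$2; port=$3

  # Install cloudflared from Cloudflare's apt repository (per their Linux docs).
  sudo mkdir -p --mode=0755 /usr/share/keyrings
  curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg \
    | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
  echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main' \
    | sudo tee /etc/apt/sources.list.d/cloudflared.list >/dev/null
  sudo apt-get update && sudo apt-get install -y cloudflared

  # Opens a browser URL to authorise this machine against your Cloudflare
  # account; the resulting cert.pem lands in ~/.cloudflared/.
  cloudflared tunnel login

  # Prints "Created tunnel NAME with id UUID"; credentials go to ~/.cloudflared/UUID.json.
  uuid=$(cloudflared tunnel create "$name" | sed -n 's/.*with id \([0-9a-f-]*\).*/\1/p')
  [ -n "$uuid" ] || { echo "could not read tunnel id" >&2; return 1; }
  sudo mkdir -p /etc/cloudflared
  sudo cp "$HOME/.cloudflared/$uuid.json" /etc/cloudflared/

  # Creates the CNAME  host -> UUID.cfargotunnel.com  for you. If an A or AAAA
  # record for the host still exists this fails with the "already exists"
  # error (code 81053) quoted above: delete the old records first. They would
  # keep publishing the home IP next to the tunnel anyway.
  cloudflared tunnel route dns "$name" "$host"

  write_tunnel_config /tmp/config.yml "$uuid" "$host" "$port"
  check_tunnel_config /tmp/config.yml || { echo "config failed checks" >&2; return 1; }
  sudo mv /tmp/config.yml /etc/cloudflared/config.yml
  cloudflared tunnel ingress validate              # cloudflared's own syntax check
  cloudflared tunnel ingress rule "https://$host"  # shows which rule will match

  # Installs and starts a systemd unit that reads /etc/cloudflared/config.yml.
  sudo cloudflared service install
  systemctl status cloudflared --no-pager
}
```

With this ingress, requests go from cloudflared straight to PhotoStructure, so a Caddy basic_auth block listening on some other port is never in the path and will never prompt. Whatever is supposed to do authentication has to sit in front of the origin explicitly: either make Caddy the ingress service instead of PhotoStructure, or put the check at Cloudflare’s edge as suggested further down the thread.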

OK. I think I got cloudflared working correctly - any request to my own domain got redirected to photostructure that runs on local machine behind NAT. Very nice!

Now, to the Caddy basic auth. I have it configured via /etc/caddy/Caddyfile as described here PhotoStructure | How do I access my PhotoStructure Library on other computers?, however it never prompts for any authentication. Restarted Caddy a few times to make sure it’s running - still no auth prompts.

K

I think you’d want either cloudflared or caddy. Not both.

Caddy and Cloudflare are both essentially https reverse proxies.

If you want to add auth, you’d be better off doing it through Cloudflare. Cloudflare has this feature called “Access” which allows much better security than basic auth (although you can do basic auth) with a number of OAuth providers including Google. Then you set a policy on who has access - you can whitelist a whole domain or specific email addresses. YouTube is your friend, this video gives a bit of an overview on how it works: How To Use CloudFlare Access to Create 2FA for WordPress Login & Admin - YouTube

For extra credit, setup firewall rules too! I did that to block any attempts to access the app outside of the US.

All free. Thanks cloudflare!

Here is a screenshot of my setup, I use google for OAuth.

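Since the Access setup above is only shown as a screenshot, here is the same thing driven through the Cloudflare API so it can be repeated and reviewed. This is an added example, not Cloudflare’s or PhotoStructure’s code. It assumes an API token with Access and zone WAF permissions in CF_API_TOKEN, plus CF_ACCOUNT_ID and CF_ZONE_ID (variable names are mine), jq installed, Google already configured as a login method under Zero Trust > Settings > Authentication, and the placeholder hostname photos.example.com. The rulesets endpoint used for the country block is my reading of the Rulesets API; verify it against the API docs before relying on it.

```shell
#!/bin/sh
# Added example, not Cloudflare's or PhotoStructure's own scripts.
# Assumed environment (variable names are mine): CF_API_TOKEN, CF_ACCOUNT_ID, CF_ZONE_ID.

CF_API_BASE=https://api.cloudflare.com/client/v4

# Minimal API wrapper: $1 method, $2 path, $3 optional JSON body.
cf_api() {
  if [ $# -ge 3 ]; then
    curl -fsS -X "$1" "$CF_API_BASE$2" -H "Authorization: Bearer $CF_API_TOKEN" \
      -H 'Content-Type: application/json' --data "$3"
  else
    curl -fsS -X "$1" "$CF_API_BASE$2" -H "Authorization: Bearer $CF_API_TOKEN"
  fi
}

# Access application: one self-hosted app per public hostname.
access_app_json() { # $1 display name, $2 hostname
  printf '{"name":"%s","domain":"%s","type":"self_hosted","session_duration":"24h"}' "$1" "$2"
}

# Policy "include" list built from specific addresses (the email-whitelist case).
access_include_json() {
  first=1; printf '['
  for e in "$@"; do
    [ "$first" = 1 ] || printf ','
    first=0
    printf '{"email":{"email":"%s"}}' "$e"
  done
  printf ']'
}

# The whole-domain case: every account under this mail domain is allowed.
access_domain_include_json() { # $1 mail domain
  printf '[{"email_domain":{"domain":"%s"}}]' "$1"
}

access_policy_json() { # $1 policy name, $2 include JSON
  printf '{"name":"%s","decision":"allow","include":%s}' "$1" "$2"
}

# Rules-language expression for "block everything outside one country".
country_block_expression() { # $1 allowed country code, $2 hostname
  printf '(http.host eq "%s") and (ip.src.country ne "%s")' "$2" "$1"
}

# Ties it together. Not run automatically; call as
#   protect_app photos.example.com alice@example.com bob@example.com
protect_app() {
  host=$1; shift
  app_id=$(cf_api POST "/accounts/$CF_ACCOUNT_ID/access/apps" \
             "$(access_app_json PhotoStructure "$host")" | jq -r '.result.id')
  cf_api POST "/accounts/$CF_ACCOUNT_ID/access/apps/$app_id/policies" \
    "$(access_policy_json family "$(access_include_json "$@")")" >/dev/null
  # WAF custom rule in the zone's http_request_firewall_custom phase; jq does
  # the JSON escaping of the quotes inside the expression.
  body=$(jq -cn --arg e "$(country_block_expression US "$host")" \
           '{action:"block",description:"non-US access to photos",expression:$e}')
  cf_api POST "/zones/$CF_ZONE_ID/rulesets/phases/http_request_firewall_custom/entrypoint/rules" \
    "$body" >/dev/null
  echo "Access app $app_id created for $host"
}
```

Two caveats worth knowing. Access makes its decision at Cloudflare’s edge, so it only protects requests that arrive through Cloudflare: with the tunnel that is fine as long as PhotoStructure itself listens only on loopback and no port forward remains, but if the origin ever becomes reachable directly, the policy is bypassable unless the origin also validates the Cf-Access-Jwt-Assertion header. And the country rule is a nuisance filter, not an authentication control: it keeps scanners away from the login flow, but it will also lock out an allowed family member who happens to be travelling.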

Thanks @avdp! Works great now. I must say Cloudflare is making this very easy to setup. And free…

Greetings,

While it is great to read of all of the good progress, may I caution you – be sure you don’t have any open ports… In the event that something goes terribly wrong at the cloudflare end, you don’t want to leave your home unprotected.

I have not had time to work on this yet, other than a few basic experiments which I have disabled for now.


That’s the beauty of cloudflare tunnel really. There is no open port / port forwarding done at all on your router/firewall. It’s all done through a VPN-like encrypted tunnel that is initiated from your own server (not from cloudflare’s servers).

Thanks to this I was able to remove ALL my prior port forwarding rules, so I am confident that my network is even more secure than before. I also like that I don’t have to “advertise” my home IP address through DNS either.

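The “no open ports” property is easy to verify rather than take on trust, which is the caution raised a couple of posts up. Here is a small audit for the Ubuntu host, added as an example and not taken from the thread: which sockets listen beyond loopback (a PhotoStructure bound to 0.0.0.0 is still reachable from the LAN no matter what the tunnel does), a probe from outside to confirm the old port forward is really gone, and a DNS check that the hostname no longer resolves to the home address. The ss lines are constructed sample output, not captured from anyone’s machine.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE_SS is constructed output in
# the shape of `ss -H -tln` (no header line), not captured from a real host.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:1787 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 *:8080 *:*'

# Reads ss output on stdin and prints every listening socket that is not bound
# to loopback. Anything printed is reachable from the LAN, and from the internet
# if a port forward still points at it, tunnel or no tunnel.
non_loopback_listeners() {
  awk '$1 == "LISTEN" {
         a = $4
         if (a ~ /^127\./ || a ~ /^\[::1\]:/) next
         print a
       }'
}

# Live version for the real host.
audit_listeners() {
  ss -H -tln | non_loopback_listeners
}

# Run this from OUTSIDE your network (phone on mobile data, a VPS) against your
# public address. After the port forward is removed you want a timeout or a
# refusal here, never an answer. $1 = public IP or name, $2 = port.
probe_public_port() {
  if nc -z -w 3 "$1" "$2" 2>/dev/null; then
    echo "OPEN     $1:$2  -- a port forward or host firewall hole still exists"
    return 1
  fi
  echo "closed   $1:$2"
}

# Behind the tunnel the hostname should resolve to Cloudflare's edge, never to
# the home address the old A record advertised. $1 = hostname, $2 = public IP.
# Returns 0 (bad) when the home IP is still published.
dns_advertises_home_ip() {
  dig +short "$1" A | grep -qxF "$2"
}
```

If audit_listeners shows PhotoStructure on 0.0.0.0 or *, it is answering on every interface; check its docs for binding it to 127.0.0.1, or at least block the port from the LAN with the host firewall so the tunnel is the only way in.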

Agreed - my main interest in the tunnel was to avoid any open ports. But I just wanted to remind anyone that might have previously opened some ports.

I am still hopeful for a less geeky/technical solution going forward – I’d like to recommend PhotoStructure to folks that won’t have the skill-set to set up a cloudflare tunnel.

Well, I would argue that self-hosting a photo site is pretty geeky to begin with, but certainly I agree that on a scale from 1-10, setting up a cloudflared tunnel is a 9.5 :slight_smile:

I may be confusing something, but I believe that when this:

Hits, it will make self-hosting more practical without the extra Cloudflare (or other) components.

Personally I’m using Tailscale - open my install only to devices I control - but it’s not really a family wide solution.

Yes, when PS has built-in robust authentication you could conceivably drop cloudflared and go back to poking holes (port forwarding) in your firewall and some sort of dynamic DNS setup pointing to your home IP address. I’d probably still want SSL support to even consider doing this, but that could be achieved with a local caddy/traefik reverse proxy setup.

But authentication is only one of the use cases for the cloudflared tunnel so for me at least, it’s here to stay as long as it stays free.

If PS wanted to make self-hosting truly non-geek friendly, it would have to implement some sort of cloud offering that would essentially do what cloudflared does. Plex, Home Assistant (and quite a few others) all offer something like that as part of their product - usually for a small additional fee.

Their implementation details vary, Plex for example opens a port with UPnP (I am not a fan) and then forces everyone to login through their cloud offering, which then redirects the user to your public IP address (so they don’t actually proxy the content).

Home Assistant will proxy everything through a randomly generated URL on their domain (not a fan of that either). Read more here: Remote UI

I would suggest either approach is well beyond the scope of the previously mentioned multi-user feature request. It could be submitted as its own feature request, but I am not going to do that because I personally don’t care for it :slight_smile:

I have PhotoStructure installed on Windows 10 desktop.
I have a domain name pointed to my router (fixed IP). I have forwarded a port and can access PhotoStructure via the domain name. I understand that port forwarding might not be the best from a security perspective. I am trying to set up Cloudflare Teams to access the program BUT I am struggling. I have followed several guides. I have set up a Cloudflare domain and account.

I am struggling with how to identify the program (I do know its internal local IP and port).

Any guides on how to set up Cloudflare Teams on Windows and then access PhotoStructure?

Thanks

Sorry, not yet.

Yes, absolutely. I’m actually bumping that task to the top off my queue: I explained why, and my current thinking around the design, here: Sharing design - Google Docs

I’m assuming you mean the ‘top’ of your queue :slight_smile:
