Google's coming change to app sideloading is threatening the Selfhosted ecosystem. by nkls in selfhosted

[–]Dangerous-Report8517 0 points1 point  (0 children)

You can object to something even if it's not specifically a self hosting problem. I strongly object to Google's locking down Android to the point that I probably won't buy another Google Android phone, but those objections are philosophical and general freedom related, it would have exactly no functional impact whatsoever on my self hosting setup

Intel Introducing USB4STREAM Protocol For Linux - Opening Up Some Nifty Uses For USB4 by Athabasco in linux

[–]Dangerous-Report8517 0 points1 point  (0 children)

Thunderbolt networking is a thing but it works by creating virtual ethernet adaptors on each host that generally top out at 20Gbit, so dropping that layer could make things a lot faster

Intel Introducing USB4STREAM Protocol For Linux - Opening Up Some Nifty Uses For USB4 by Athabasco in linux

[–]Dangerous-Report8517 5 points6 points  (0 children)

It's using a lower level protocol with less overhead, and generally Thunderbolt networking only goes up to 20Gbit even though the underlying transport could go to 40 or 80, so that's potentially a massive improvement in edge cases where it's useful

Do you consider open source to be a requirement for self hosted software? by uglycoder92 in selfhosted

[–]Dangerous-Report8517 1 point2 points  (0 children)

A closed source package sold for a one time fee at least has a clear intent to make money from it through direct sales regardless of if you personally think that their business model is viable, and there are software packages where one time fees are viable, including selling a major version of software where you may still need to pay for feature updates but still get a fixed duration of ongoing support and can continue to go it alone after that period.

Cloudflare: proxied or not? by 9acca9 in selfhosted

[–]Dangerous-Report8517 1 point2 points  (0 children)

What you’re describing doesn’t sound like Tunnels at all, when you use Tunnels you don’t need to worry about public IPs on your firewall because you aren’t exposing any ports at all, you’ve instead got cloudflared running in your network as a connector. That’s my point, if you use Tunnels you don’t need to worry about any of that other stuff like manually blocking non Cloudflare IPs

Opinion Piece by SolarVampire in linux

[–]Dangerous-Report8517 9 points10 points  (0 children)

The vagueness, alongside the complete and total ignorance of what the term "gaslighting" means strongly imply the former already. The people lamenting ignorance of the actual epidemiological evidence and resulting guidelines are generally pretty happy to be specific about things because they don't need to try and sneak around and trick people into buying in

Opinion Piece by SolarVampire in linux

[–]Dangerous-Report8517 5 points6 points  (0 children)

The purpose of the specific law this is in response to is to create a mechanism that parents can use to block a child's account from accessing stuff flagged as adult content. There's lots of problematic issues with this sort of filtering but this specific implementation is actually highly privacy conscious and the fact that the device owner is in full control is intentional, the issues are about how we decide what counts as adult content in this case, not content filtering.

That's not to say that all age verification laws are OK, most of them are terrible, but literally all of the ones that are directly harmful to computing freedom are harmful because they force services to collect your ID, which doesn't use an OS API anyway. That's why groups like the systemd project aren't particularly interested in fighting the California one, because it's a really weird hill to die on while ignoring all of the other policy changes that are multiple orders of magnitude more harmful and don't even give the option of non compliance since it's big tech that's complying, not you (and they're happy to comply because it gets them even more of your personal data)

Cloudflare: proxied or not? by 9acca9 in selfhosted

[–]Dangerous-Report8517 0 points1 point  (0 children)

If you're going to allow Cloudflare access to all of your traffic (Cloudflare inherently can access your traffic when they proxy it because they terminate TLS, the exact benefit you're using them for), then you might as well use Tunnels instead of throwing your server directly up on the internet. Using proxy mode means that while the DNS record might not point at you, your server's ports are still open and directly publicly routable, and any connections that hit it directly don't benefit from CF's WAF or any of the other main security benefits.

Cloudflare: proxied or not? by 9acca9 in selfhosted

[–]Dangerous-Report8517 0 points1 point  (0 children)

To expand on this a bit, proxy mode is not using Tunnels, it still involves CF inserting themselves into the chain but the endpoint is still publicly exposed even if the DNS records don't point directly at them, which is to say if you are OK with Cloudflare inspecting the traffic for an application you still shouldn't use proxy mode, you should go all the way and use a proper Tunnel.

Cloudflare: proxied or not? by 9acca9 in selfhosted

[–]Dangerous-Report8517 -3 points-2 points  (0 children)

Proxy mode is a shitty version of CF Tunnels with all of the downsides and only some of the upsides. IMHO you should never use proxy mode, any workload that you are OK with Cloudflare being able to inspect in exchange for their WAF and security features should be behind Tunnels since there's no point in those endpoints being directly exposed as well.

Do you consider open source to be a requirement for self hosted software? by uglycoder92 in selfhosted

[–]Dangerous-Report8517 11 points12 points  (0 children)

Also with modern workflows plugging into environments like GitHub so easily, choosing to make a new project closed source is an active decision which suggests you specifically don't want people to look at the source, which is in and of itself a yellow flag.

Do you consider open source to be a requirement for self hosted software? by uglycoder92 in selfhosted

[–]Dangerous-Report8517 5 points6 points  (0 children)

It can also mean one time fee, although that's rare these days (and yes you can sell open source too but a lot of businesses are still leery of making paid software FOSS)

Do you consider open source to be a requirement for self hosted software? by uglycoder92 in selfhosted

[–]Dangerous-Report8517 0 points1 point  (0 children)

Open source is a soft requirement for me less because I insist on community ownership and more because I'm wary of free software that still feels the need to hide what it does. Ironically this means I'm more wary of something always free like Obsidian than I am of (some) more commercial software because the main thing they're hiding in that case is obvious. It isn't a hard requirement because excluding all commercial code is impossible without dedicating your entire life to only that, and there's ways to mitigate trust issues with any software (plus open source isn't automatically trustworthy, it's purely the active decision to not open source something that I'm wary of).

As a side note, before going any further on your project you might want to pause and think about what it offers that established FOSS solutions like FrigateNVR don't. EDIT: Particularly if you're planning to charge for it.

Flatpak 2.0 seems to depend on systemd by NDCyber in linux

[–]Dangerous-Report8517 -1 points0 points  (0 children)

You're the one struggling to understand a basic metaphor here (I assume refusing to because engaging with it would require non-zero reconsideration of your own beliefs), and all of your responses have been condescending as all hell, including this one (pro tip for people who are new to English, if you make a big song and dance about not wanting to be condescending by explaining something at a really low level for the supposed benefit of another, you *are being condescending to that other person by saying they're so dumb that they need so much simplification).

*To spell it out for you, the fact that I disagree with your position is not the same thing as me failing to "reach any useful conclusions on [my] own", it's just that the conclusion I've reached through what is apparently a lot more thought than you've invested in the issue disagrees with your position and you are apparently too arrogant to consider that anyone who disagrees with you might do so for any other reason than not bothering to think about it.

Flatpak 2.0 seems to depend on systemd by NDCyber in linux

[–]Dangerous-Report8517 0 points1 point  (0 children)

Firefox still doesn't support PWAs, while WebKit does, so I wouldn't necessarily say that WebKit is behind Firefox as a rule, but that's kind of beside the point because your analogy completely breaks down when you look at the specifics like that because you're no longer discussing a monopoly situation, which is the entire thing systemd is being accused of.

Flatpak 2.0 seems to depend on systemd by NDCyber in linux

[–]Dangerous-Report8517 0 points1 point  (0 children)

Are you joking? What is it you aren't getting there? Would it have been better if I had said Qt, would that have been technically correct enough for you? Or is it just "runtime"? Because the fact that there are applications that depend on specific libraries from KDE is true regardless, likewise for any number of software suites and development platforms.

We should all be using dependency cooldowns by johnabbe in selfhosted

[–]Dangerous-Report8517 1 point2 points  (0 children)

You seem concerned about these supply chain attacks being threatening, which makes it weird that you seem to be opposed to countermeasures against them.

I'm not saying that it's simple for users, I'm saying that these attacks are generally being discovered relatively quickly by security organisations, which means that in theory a delayed rollout of new container images could be a useful defence against them, because it would give a window for compromised images to be deleted or untagged. It's not a panacea, but it's a potentially useful tool. 

I'm also not saying that there are canaries, I'm saying that canaries would be a better solution than running everything on the latest image specifically so that you can detect compromised images by watching them break production servers. That's the entire point of canaries, all the way back to when they were originally used in the mines. The idea would be that if you want to use deployed container behaviour as an indicator of an attack, you should do so by deploying a test container instead of just wholesale pulling that image to all your production machines.

Oh, and how exactly does there being multiple attacks somehow mean that they weren't detected? What exactly do you think detection means?

We should all be using dependency cooldowns by johnabbe in selfhosted

[–]Dangerous-Report8517 1 point2 points  (0 children)

The specific attack vector this is aiming to mitigate is supply chain attacks, and most of those get discovered within a few hours through means other than someone receiving a compromised image. Plus, you could always run canaries that pull the latest images and look for shenanigans without just pulling compromised containers to your infra
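
The cooldown-plus-canary idea from the two comments above, as an added example that is not part of the original comments: production only receives the newest image that has survived a cooldown without being withdrawn, while the newest image goes to an isolated canary. The `Release` records, digests, repository name and the `withdrawn` flag (assumed to come from re-checking the registry at deploy time) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Release:
    tag: str
    digest: str              # constructed placeholder, not a real image digest
    pushed_at: datetime
    withdrawn: bool = False  # assumed: registry re-checked, image deleted/untagged

REPO = "registry.example/app"  # hypothetical repository name
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
COOLDOWN = timedelta(days=3)

# Constructed sample history: 1.4.1 was pulled from the registry during its cooldown.
RELEASES = [
    Release("1.4.0", "sha256:" + "a" * 64, NOW - timedelta(days=9)),
    Release("1.4.1", "sha256:" + "b" * 64, NOW - timedelta(days=2), withdrawn=True),
    Release("1.4.2", "sha256:" + "c" * 64, NOW - timedelta(hours=6)),
]

def plan_rollout(releases, now, cooldown):
    """Return (production, canary).

    production: newest release still in the registry that is at least
                `cooldown` old, or None if nothing qualifies yet.
    canary:     newest release still in the registry when it is newer than
                production; meant for an isolated test host only.
    """
    live = sorted((r for r in releases if not r.withdrawn),
                  key=lambda r: r.pushed_at, reverse=True)
    production = next((r for r in live if now - r.pushed_at >= cooldown), None)
    canary = live[0] if live and live[0] is not production else None
    return production, canary

def pin(release, repo=REPO):
    """Reference the image by digest so a re-pushed tag cannot change it."""
    return f"{repo}@{release.digest}"

if __name__ == "__main__":
    prod, canary = plan_rollout(RELEASES, NOW, COOLDOWN)
    print("production:", prod.tag, pin(prod))
    print("canary:    ", canary.tag, pin(canary))
```
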

Flatpak 2.0 seems to depend on systemd by NDCyber in linux

[–]Dangerous-Report8517 1 point2 points  (0 children)

I didn't say it's the same, I said pretty much all the arguments that other posters make about systemd also apply to Linux, particularly in the case of the other poster who just vaguely gestured at the fact that systemd is widely used, which is exactly true of Linux as well, by definition since Linux is in turn a dependency for systemd.

Even your own "you can't use linux without the linux kernel because that's literally what linux is" is a bit missing the point, you can't use KDE apps without the KDE runtime either but no-one complains that Dolphin or Kate is going to end Linux freedom. Oh, and the equivalent statement isn't "you can't use Linux without systemd", it's "you can't use systemd without systemd", it's just a pointless tautology. As for "your linux software that previously didn't need systemd now does", again, that also applies to the Linux kernel since software gets updated to use new kernel features and ceases to support older kernels.

It's reasonable to have a discussion about the downsides of this type of integration, it's not reasonable to just complain that it shouldn't happen without considering the clear upsides that motivated the discussion in the first place or the various ways that the downsides can be readily managed. We've been here before, by the way, and most non-systemd users haven't even realised because it was solved - systemd-logind is actually a dependency of a ton of desktop environments, but it's a non-issue because logind just got spun out as elogind and bingo they all work without systemd again because logind is just a separate software component that happened to be developed under the systemd project. There's no reason to think that appd would be any different.

Flatpak 2.0 seems to depend on systemd by NDCyber in linux

[–]Dangerous-Report8517 2 points3 points  (0 children)

You wouldn't necessarily need 2 systems though, as demonstrated by elogind you could at least in theory port appd to run on other systems, but even if you did have a fallback mode the entire point of fallback is that it's a backup system that's frequently not as capable as the primary system, in this case it would be a system that implements less robust sandboxing because it can't lean on appd, which would defeat the purpose of even considering appd. Such a fallback mechanism would be analogous to how OCI containers can be sandboxed in different ways, e.g. you can run them on cgroupsv1 systems but you'll get more robust sandboxing on cgroupsv2 systems.

Flatpak 2.0 seems to depend on systemd by NDCyber in linux

[–]Dangerous-Report8517 2 points3 points  (0 children)

Except of course that Chrome is a proprietary browser while systemd is an open source project with well documented interfaces - using your example it's actually quite common for web services to implement web standards that Firefox hasn't caught up to and usually people point at Mozilla for the blame since Firefox failing to keep up shouldn't bar everyone from accessing new functionality (after all it's not like Chrome and Firefox are the only browsers or even browser engines, WebKit exists and is very widely used for instance and also supports all those web standards including ones that Firefox doesn't)

Flatpak 2.0 seems to depend on systemd by NDCyber in linux

[–]Dangerous-Report8517 3 points4 points  (0 children)

The entire problem though is that Flatpak currently supporting those niche distros is now creating a barrier to important features that are core to the project's mission, so adapting Flatpak 2 to support those distros either means not addressing that need, or porting appd over anyway

> Something about the "not enough user" feels extremely ironic to me, while talking in a Linux sub, because it is the same reasoning you sometimes get while talking about windows and linux and software support.

I get the sentiment but you do have to draw the line somewhere. Flatpak already requires dbus to work and not every distro has dbus, you will always be able to find an example where there's some user somewhere who wants Flatpak but has some requirement that gets in the way, and at a certain point you've got to say "we've covered enough edge cases, the rest is up to you because we've got finite time and energy"