Michael van Tricht

Software Engineer

Fast Reverse Proxy as an alternative to Cloudflare Tunnel

Cloudflare Tunnel is a wonderful (free) product that provides you with a secure way to connect your private (home) server(s) to the internet. This allows you to expose your homelab server to the internet without the need to open any ports on your home network or reveal your home IP address.

Cloudflare Tunnel works great and gives you automatic SSL and all the other goodies Cloudflare comes with, but it sadly also operates as a man-in-the-middle: all traffic is routed through Cloudflare’s servers, where TLS is terminated. This setup raises potential concerns about privacy and data security, as the unencrypted traffic could theoretically be accessed by Cloudflare.

For those seeking an alternative solution, Fast reverse proxy (FRP) is an open-source project that can be self-hosted to replace Cloudflare Tunnel. If I had known about FRP earlier, I would have chosen it from the beginning. FRP offers a different approach by eliminating the need for an intermediary like Cloudflare, allowing you to have direct control over the traffic flow. This grants you the ability to ensure end-to-end encryption, thus mitigating potential security concerns.

If you decide to self-host FRP and replace a Cloudflare Tunnel-like product, you’ll need a publicly available server running FRP as a starting point. The server’s configuration might resemble the following:

bindPort = 7000
auth.method = "token"
auth.token = "<generatedToken>"

This configuration sets the FRP server to listen on port 7000 for connections from the private server and requires every client to authenticate with the shared token.

On the client side, the configuration would look like this:

serverAddr = "<ipOfPublicServer>"
serverPort = 7000
auth.method = "token"
auth.token = "<generatedToken>"

[[proxies]]
name = "serviceName"
type = "tcp"
localIP = "172.17.0.1"
localPort = 8080
remotePort = 80
transport.useEncryption = true

With this setup, the client connects to the publicly available server and exposes the service listening on local port 8080 of the private server through port 80 of the public server. The transport.useEncryption setting encrypts the traffic between the FRP client and the FRP server. In simpler terms, it can be described as a glorified version of an automatic SSH tunnel.
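The `<generatedToken>` placeholder is the only secret protecting port 7000, so it should be long, random and identical on both sides. The script below is an added example, not part of the original post: it generates one token and writes a matching pair of configs with owner-only permissions. The function names, the file names `frps.toml`/`frpc.toml` and the output directory are assumptions.

```shell
#!/bin/sh
# Added example: one random token, written into matching frps/frpc configs.
# Function names, file names and the output directory are assumptions.

gen_token() {
    # 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

write_frp_configs() {
    # $1 = output directory, $2 = address of the public server
    dir=$1; server=$2
    token=$(gen_token)
    old_umask=$(umask)
    umask 077                  # the files hold a secret: owner-only access
    mkdir -p "$dir"
    cat > "$dir/frps.toml" <<EOF
bindPort = 7000
auth.method = "token"
auth.token = "$token"
EOF
    cat > "$dir/frpc.toml" <<EOF
serverAddr = "$server"
serverPort = 7000
auth.method = "token"
auth.token = "$token"

[[proxies]]
name = "serviceName"
type = "tcp"
localIP = "172.17.0.1"
localPort = 8080
remotePort = 80
transport.useEncryption = true
EOF
    umask "$old_umask"
}

# Usage: sh gen-frp.sh <outputDir> <ipOfPublicServer>
if [ "$#" -eq 2 ]; then
    write_frp_configs "$1" "$2"
fi
```

Copy `frps.toml` to the public server and `frpc.toml` to the private one over a secure channel such as scp, and regenerate both files if the token is ever exposed.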

Another option to consider instead of FRP is rathole, which positions itself as a faster alternative. Although rathole is relatively new, it presents an intriguing solution worth exploring.

After configuring FRP, the next step is to add a reverse proxy such as Caddy to handle SSL certificates automatically. While FRP takes care of the traffic routing and encryption between the public and private server, a reverse proxy like Caddy can provide an additional layer of security by automatically obtaining and managing SSL certificates for your services.