Last updated 4 weeks ago by cneuhaus

A few hours back, I had a straightforward problem: I needed to access my local server securely from the internet without opening it up to unwanted access.

What triggered this need was my own app Free Your Photos – it gets you out of the Google Photos cloud and hosts your photos on a local server – YOU OWN THEM. With this solution I can now show my photos on any PC – even without a VPN.

My first instinct was to use a VPN – but that would require a VPN client installed on the “browser side”, so I would not be able to access my page from any other computer or phone.

But – what about accessing my local-server from EVERYWHERE without any VPN setup – but still having security?

That’s when I stumbled on the idea of using a reverse proxy with multi-factor authentication (MFA). Instead of opening the whole network like a VPN, a reverse proxy could act as a gatekeeper, allowing access only to the server itself and only to authorized users. I set it up to require Google Authenticator, so even if someone got to the login screen, they’d need a time-based code to get through.

ChatGPT gives pretty good instructions for all the steps, and they worked right away for HTTP. But to get HTTPS working I needed some fine-tuning:

My configuration: Python with Gunicorn and nginx on Ubuntu.

What I needed to do differently:

Domain Registration

  • Register a domain on Cloudflare
  • Make sure a CNAME record exists whose name is your domain name and whose target is your tunnel, e.g. “345234-1420-4c4e-b8e4-86f8a885ba7a.cfargotunnel.com”
  • Download an Origin Certificate (SSL/TLS -> Origin Server). It is used to authenticate the local server to Cloudflare; save the certificate and key in a folder readable by the nginx web server.

Tunnel Configuration

ZeroTrust – Config => Network => Tunnels => Cloudflared

Type: https, URL: localhost:443
TLS: No TLS Verify

Nginx Config

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name <your domain name>;

        ssl_certificate /etc/ssl/certs/cloudflare_cert.pem;      # Cloudflare Origin Certificate
        ssl_certificate_key /etc/ssl/certs/cloudflare_key.pem;   # its private key (readable by nginx only)

        location / {
            include proxy_params;
            proxy_pass http://unix:/home/cneuhaus/FreeYourPhotos/fyp.sock;   # Gunicorn unix socket
        }
    }
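One thing worth checking in this setup: Cloudflare Access performs the Google login and the authenticator code check at Cloudflare's edge, not on the Ubuntu box. cloudflared runs on the same host and connects to localhost:443, so nothing except loopback needs to reach nginx. With the listen lines as written (a bare port and [::]), nginx also accepts connections from the LAN, and anyone who can reach port 443 directly gets to the app without ever seeing the login page. The script below is an added example, not code from the post or from Free Your Photos: it parses the listen directives of an nginx server block, reports any that bind beyond loopback or a unix socket, and rewrites wildcard and bare-port listeners to 127.0.0.1 / [::1]. The sample config, domain and socket path are constructed.

```python
"""Audit an nginx server block for listen directives that expose the origin
beyond loopback. Example code added to this post, not the author's project."""
import re

# Constructed sample: the post's server block with a placeholder domain and
# socket path. Assumption: cloudflared runs on the same host and connects to
# localhost:443, so only loopback needs to reach nginx.
SAMPLE_CONFIG = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name photos.example.invalid;
    ssl_certificate /etc/ssl/certs/cloudflare_cert.pem;
    ssl_certificate_key /etc/ssl/certs/cloudflare_key.pem;
    location / {
        include proxy_params;
        proxy_pass http://unix:/run/fyp.sock;
    }
}
"""

# Matches a whole listen directive up to its terminating semicolon.
LISTEN_RE = re.compile(r"^\s*listen\s+([^;#]+);", re.MULTILINE)
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def parse_listen(directive):
    """Return (address, port) for the first token of a listen directive.
    address is None when nginx would bind every interface (bare port)."""
    target = directive.split()[0]
    if target.startswith("["):                 # IPv6 literal, e.g. [::]:443
        end = target.index("]")
        addr, rest = target[:end + 1], target[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") else 80
        return addr, port
    if target.startswith("unix:"):             # unix socket, never exposed
        return target, None
    if ":" in target:                          # addr:port
        addr, port = target.rsplit(":", 1)
        return addr, int(port)
    if target.isdigit():                       # bare port binds 0.0.0.0
        return None, int(target)
    return target, 80                          # bare address, default port


def exposed_listeners(config_text):
    """Return (directive, reason) for every listen that is not loopback-only."""
    findings = []
    for m in LISTEN_RE.finditer(config_text):
        directive = m.group(1).strip()
        addr, port = parse_listen(directive)
        if addr is None or addr in ("0.0.0.0", "[::]"):
            findings.append((directive, f"all interfaces, port {port}"))
        elif addr in LOOPBACK or addr.startswith("unix:"):
            continue
        else:
            findings.append((directive, f"non-loopback address {addr}, port {port}"))
    return findings


def loopback_only(config_text):
    """True when every listen directive stays on loopback or a unix socket."""
    return not exposed_listeners(config_text)


def harden(config_text):
    """Rewrite wildcard and bare-port listen directives to loopback."""
    def fix(m):
        directive = m.group(1)
        tokens = directive.split()
        addr, port = parse_listen(directive)
        if addr is None or addr == "0.0.0.0":
            tokens[0] = f"127.0.0.1:{port}"
        elif addr == "[::]":
            tokens[0] = f"[::1]:{port}"
        prefix = m.group(0)[:m.start(1) - m.start()]   # indentation + "listen "
        return prefix + " ".join(tokens) + ";"
    return LISTEN_RE.sub(fix, config_text)


if __name__ == "__main__":
    for directive, reason in exposed_listeners(SAMPLE_CONFIG):
        print(f"EXPOSED: listen {directive};  ({reason})")
    print(harden(SAMPLE_CONFIG))
```

Run it against the post's block and it reports both listeners as exposed, then prints the rewritten block with `listen 127.0.0.1:443 ssl http2;` and `listen [::1]:443 ssl http2;`. Keeping that hop on loopback is also what makes the tunnel's “No TLS Verify” setting acceptable: with it enabled cloudflared does not validate the origin certificate, so the nginx side should only ever be reachable from the same machine.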

Google Authentication

Access should be for myself only, so I wanted to use Google as the authentication provider. For the basic steps ChatGPT again is your friend.

But I only wanted access for myself – otherwise everybody with a Google account could log in. To restrict it:

Zero Trust => Settings => Authentication => Login Methods: enter the App ID and Client Secret of your Google OAuth app.

Zero Trust => Applications (create a new one) => Policies => Configure Rules: add your full Gmail address here, so that only this one account is allowed through.