CDN vs Zerotrust tunnel hostname for website
Hi, I want to compare the 2 setup options for a website that is hosted on a VPS with a public IP, with the domain name at Cloudflare:
1) turn on proxy at DNS settings, so the website is proxied by Cloudflare CDN
2) set up a tunnel on the VPS (install cloudflared), create a public hostname for https://localhost:443, and allow everyone to access it
Is there any functional/performance difference between the above 2 setups?
5 Replies
1) Unless you enable Authenticated Origin Pulls, anyone who finds out the IP of your server will be able to bypass the protections of Cloudflare
2) this effectively disables public access to your domain (unless through Cloudflare)
Cloudflare Docs: Authenticated Origin Pulls (mTLS) | Cloudflare SSL/TLS docs. "Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network."
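Added example, not from the thread or from Cloudflare's docs: what the two setups look like on the origin side, assuming nginx on the VPS. The hostname, certificate paths and upstream port are placeholders; the origin-pull CA bundle is the one Cloudflare publishes in the docs linked above.

```nginx
# Setup 1 (DNS proxy), WEAK: listens on the public IP and accepts any client.
# A request sent straight to the VPS IP (Host: example.com) never touches
# Cloudflare, so WAF, rate limiting and bot rules are all bypassed.
server {
    listen 443 ssl;
    server_name example.com;                       # placeholder hostname
    ssl_certificate     /etc/ssl/origin.pem;       # placeholder paths
    ssl_certificate_key /etc/ssl/origin.key;
    location / { proxy_pass http://127.0.0.1:8080; }   # placeholder upstream
}

# Setup 1 (DNS proxy), HARDENED with Authenticated Origin Pulls: nginx now
# demands a client certificate issued by Cloudflare's origin-pull CA. A
# direct hit on the IP sends no such certificate, so nginx answers HTTP 400
# ("No required SSL certificate was sent") instead of serving the site.
# Authenticated Origin Pulls must also be switched on in the Cloudflare zone,
# otherwise Cloudflare itself will not present the certificate.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/origin.pem;
    ssl_certificate_key /etc/ssl/origin.key;
    # CA bundle downloaded from the Cloudflare docs (placeholder path)
    ssl_client_certificate /etc/ssl/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;
    location / { proxy_pass http://127.0.0.1:8080; }
}

# Setup 2 (cloudflared tunnel, public hostname -> https://localhost:443):
# the origin only listens on loopback, so nothing on the Internet can reach
# it directly; cloudflared on the same host is the only client. The public
# IP can additionally be firewalled off for ports 80/443. The certificate
# here only needs to satisfy cloudflared (e.g. a Cloudflare Origin CA cert
# with originServerName, or noTLSVerify in the tunnel's ingress config).
server {
    listen 127.0.0.1:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/origin.pem;
    ssl_certificate_key /etc/ssl/origin.key;
    location / { proxy_pass http://127.0.0.1:8080; }
}
```

A quick self-check for setup 1 is to request the site against the VPS IP with the Host header set to the domain: the weak block serves the page, the hardened block returns 400.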
cloudflared is much more secure in every regard, but it comes with its own pitfalls
For setup 2), I understand it is usually a setup for internal use, like inside an organization. However, for an HTTP service, if I set up the public hostname and don't set up any access restrictions, the hostname is indeed open to public access. Also, cloudflared looks like a persistent connection to the Cloudflare network, while with setup 1) Cloudflare needs to actively pull from the origin. Therefore, for a public website, it looks like setting up a cloudflared tunnel and enabling a public hostname is better than using the DNS proxy in every way?
Yes, until you start hitting the rate limits of the tunnel
Yeah, that is true. Thank you. The free plan is so generous that I always forget about the limits.