Episode Transcript
0:01
Welcome to Syntax on this Monday,
0:03
hasty treat. We're going to be
0:05
talking about tunnels, Cloudflare
0:07
tunnels, what they're used for,
0:09
why they're neat and we'll just all about
0:11
getting them set up and what you might
0:13
actually consider using a Cloudflare tunnel for.
0:15
My name is Scott Tolinski. I'm a developer
0:17
from Denver with me as always is Wes
0:19
Bos. What's up, Wes? Uh,
0:22
I'm excited to talk about this. We've
0:24
done a show on exposing
0:27
your application to the greater
0:29
internet previously, and we've
0:31
went through several of the options
0:34
out there. You know, there's ngrok
0:36
and localtunnel and whatnot, but Cloudflare
0:39
tunnels is kind
0:41
of in a league of its own because it does,
0:43
is there's quite a bit more. And quite honestly,
0:45
I think it's, it's the best approach
0:48
to these types of things in terms of like running
0:50
them longterm. Um, especially if you
0:52
have like a local server at your house where you're not
0:54
just like, Oh, I have a local
0:56
dev server that I want to be able to, to
0:58
expose to somebody, but like, no, I run over. I
1:01
want to run this thing full time. Uh,
1:03
so I thought like, let's do a quick little show explaining what
1:05
they are, how to use them, the
1:07
whys and what's, uh, cause they're super
1:09
handy. Yeah. But
1:18
before we do that, let's actually take a
1:20
second to talk about Sentry at sentry.io, perfect
1:22
place to solve, find any of your bugs.
1:24
I know we're, we're doing a lot of
1:26
side projects. Wes, and like, I know you're
1:28
working on a bunch of stuff here and
1:30
there. It's always important to know what's going
1:32
on in your apps, whether that is performance,
1:34
whether that is, um, issues
1:36
that it cropped up and
1:38
Hey, I was using some of these new GitHub
1:41
tools to, uh, solve
1:44
GitHub issues with natural, natural text, it
1:46
would be really kind of cool to
1:48
take a Sentry issue, create a GitHub
1:50
issue for it, have GitHub solve that
1:52
thing for you right away. And it's
1:55
like, click, click. All right. Nice and
1:57
done. Here's a bug solve. So, uh,
1:59
check. And
8:00
that's the way I initially get into it. And that's the way
8:02
they give you like a quick start, right? You can type this.
8:04
You can type a couple of commands and immediately have a thing
8:06
running. But I'm going to tell you don't do that because that's
8:09
not great long term. And switching
8:11
to the other approach, which is
8:14
remotely managed, is the best approach.
8:16
So what you do is you
8:18
get the cloudflared
8:21
daemon, or daemon? How do you say
8:23
that? I think we've got to determine it
8:26
was daemon. daemon. You
8:28
get the cloudflared daemon running
8:30
on the box that if it's
8:32
your it might be your local
8:34
server. In my case, I ran
8:36
it in a Docker
8:38
container on my Synology. But then
8:40
you expose it to the network
8:42
on the Synology. Or you
8:44
can just run it like directly on your
8:47
MacBook Pro. And then that daemon is
8:49
always running on your machine. And then
8:52
you simply just go into the Cloudflare
8:54
tunnels UI. And you
8:56
can start setting up routes. And
8:58
all I have to do is say star
9:00
dot. I'm pretty sure it's like star dot
9:03
coolify dot wesbos dot com. And
9:05
then any applications that hit that
9:08
route are passed to Coolify.
9:10
And then at that point, Coolify picks
9:12
it up. And they have their own
9:14
proxying set up so that it'll say,
9:16
oh, well, someone's requesting it on this
9:18
URL. Pass it to this one. Interesting.
9:21
I've always just done for Coolify. And
9:23
this is kind of a pain is
9:26
just create a second DNS record for
9:28
any subdomain or any subdomain pointing
9:31
to the IP of Coolify
9:33
to get that custom domain going. Interesting.
9:36
That I like the wildcard approach. That seems
9:38
like way more flexible. It
9:40
also depends on if you're hosting
9:42
Coolify on like a like
9:44
a Hetzner box that is like the IP address
9:46
is already out there. Or if
9:49
you are like I'm running Coolify on my local
9:51
server just in my house. I
9:54
don't have an IP address. Well, I
9:56
do have an IP address. But you should not
9:58
be giving that IP address out. because generally
10:01
it's not a good idea for anyone to
10:03
know the IP address of your server
10:06
because they can go directly to that in
10:09
and give you DDoS. Now you can obviously
10:11
firewall it and only allow in certain IP
10:13
addresses, but it's generally better
10:15
to sort of mask that with something like
10:17
a Cloudflare where it will proxy all
10:20
of the traffic for you. Yeah. I
10:23
like raising my hand now. The audio listeners, I raised
10:25
my hand sometimes so we don't talk over Wes, but
10:27
you don't have to have like a CNAME for
10:29
these or what? Cause I have to have a CNAME
10:32
for each subdomain that I
10:34
have, even if it's Cloudflare tunnel. Yeah. The
10:36
kind of cool thing is that if your domain
10:38
name is set up with
10:40
Cloudflare, uh,
10:42
then Cloudflare takes care of all the,
10:44
all the DNS because Cloudflare
10:47
is the DNS provider. So when a
10:49
request comes to your server, Cloudflare,
10:52
as long as you're proxying it, which is
10:54
orange clouding, Cloudflare will know what to do
10:56
with that request and send it to the right,
11:00
um, if they, whether it's, it's a
11:02
cached asset or if it's actually like a
11:04
tunnel that it needs then forward on to
11:06
you. Okay. Yeah. It's, it's, it's really nice.
11:08
And you can just quickly go and you
11:11
can either add like a
11:14
one off. You say basically
11:16
like jellyfin.bossfamily.net. And
11:18
then that will you say, okay, when
11:20
somebody visits this URL, then point them
11:22
to localhost colon four
11:24
two six five, you know, or four
11:26
four nine eight. And what that does
11:28
is it will proxy it through to
11:30
the port. And then you also have
11:33
the benefit of not having to fuss
11:35
with having ports in your URLs. It's
11:37
just like a nice clean, uh,
11:39
URL. You can also do like
11:41
subdomains as well. Like you could
11:43
do like scotttolinski.com/jellyfin
11:46
or forward slash, um,
11:48
new blog. However, I find that
11:51
when you do, like subdomains, then you have
11:53
to get into like application specific properties
11:56
that is like, you know, like
11:58
when you try to host a,
12:00
like a React app on a forward
12:02
slash, then you have to tell the router itself what
12:04
the base name is. And then it's a bit of
12:06
a pain. Yeah. For people
12:08
looking for this, it's under on Cloudflare in
12:10
their dashboard. It's under zero trust, by the
12:12
way. It's not like under Cloudflare tunnels on
12:14
the sidebars. It's under zero trust, which then
12:16
has a lot of other features. What's shocking
12:18
about zero trust is that there's no dark
12:20
theme for zero trust. So even if you're
12:23
in dark mode, you go to zero trust
12:25
and it's light mode. Yeah. Trust people that
12:27
use dark mode. It's... Yeah. They're
12:30
hackers. They're hackers. One thing that's really
12:32
cool about these things also
12:34
that we haven't mentioned is that you can
12:36
give a lock to some
12:38
of these routes. So let's say you
12:40
want this to be available, but
12:44
this makes less sense for something like Home
12:46
Assistant where you're giving it a URL in
12:48
the creds and it's locking into that service.
12:51
But if I have a
12:53
service that's a web UI that
12:55
I'm only ever visiting from the
12:57
web, you can put a lock
12:59
on that, which means that only
13:02
certain Cloudflare accounts specifically can access
13:04
that information. And so what happens
13:06
when I visit those URLs, Cloudflare
13:08
actually steps in with its own
13:10
login page and says, you
13:13
must log into Cloudflare to access this. And
13:15
then once I do that, I might still
13:17
get another login screen from the service itself.
13:20
So even though you are exposing
13:23
this functionality to the web, it
13:25
does give a nice bit
13:28
of protection there in terms of who's even
13:30
able to even hit the
13:32
site in general, not just try to log
13:34
in. So Cloudflare's whole
13:36
zero trust thing is this
13:39
massive product that's... It's meant for enterprise,
13:41
which is we have
13:43
stuff that is hosted and
13:46
it needs to be accessible via the
13:49
entire internet. However, it's
13:51
annoying that you have to set up the VPN and you
13:53
have to do that. Oh, are you on the VPN before
13:56
you can reach that? You don't have to do that. simply
14:00
just make access rules to say, all right, anybody
14:02
with this domain is able to access it or
14:04
you can hook up to any
14:06
of the single sign on providers and
14:08
have, or you can simply just give
14:10
somebody a code. Right? Like
14:12
that's one thing is like if you do want
14:15
to expose your local dev server to the internet,
14:17
you probably don't want anyone just like finding that
14:19
while you're working on it because there could be
14:22
sensitive stuff on there. So you could just put
14:24
like a pin code in front of it. And
14:26
if you do need someone to be able to
14:28
access it. It's kind of annoying because if that's
14:30
the case, then you have to write some rules
14:32
for the webhooks to be able to go
14:35
through. But you can lock this
14:37
stuff down as much as you
14:39
want. Even if like Scott
14:41
says, even if your, your applications themselves
14:43
already have the, like
14:45
a login, right? Yeah. Because
14:48
like there's at some point there's going to be some
14:50
sort of security flaw for these
14:52
applications. You know, at some point there's going to
14:54
be some security flaw in
14:58
my photo backup software or Home Assistant
15:00
or, you know, I don't want anybody
15:02
to access to my Home Assistant. You
15:04
got cameras in there, right? Like
15:07
I don't have cameras in mine, but yes, I
15:09
don't want to be, I don't want somebody to mess with my lights. Yeah.
15:12
Or even simply know when you are home,
15:14
right? They could see your, all that info.
15:17
So yeah, you could, you could lock that down
15:19
a little further to get
15:22
access to it. So it's, it's a really cool
15:24
product. I'm, it's really
15:27
amazing that at a very low level,
15:29
just like a guy like me can use it
15:32
to give cool domain names to
15:34
my servers. And then it
15:36
spans all the way to like
15:38
enterprise network, it locking
15:41
things down and doing custom routing. Yeah,
15:44
I know it's, it's, it's a
15:46
cool one. It's a cool product that works
15:48
well, but it's also, it feels
15:50
secure when you use it. I
15:53
think for me personally, when I first
15:55
started looking into making
15:57
things like my MB server.
15:59
available off network and
16:01
it freaked me out. I'm going to be honest with
16:04
you because like once you get into opening ports and
16:06
I'm not a mud as
16:08
much as a network admin that like,
16:10
I know that I'm making the right
16:13
choices on everything. So being able to
16:15
use Cloudflare tunnels to me has
16:17
been a really just a
16:19
big, big, nice little boost for me,
16:21
feeling more secure about what I'm doing
16:23
here. So yeah, it's a, it's a
16:25
cool product. You should see
16:27
like when I log into my Synology, it
16:30
shows you when people are trying to log
16:32
in and it's,
16:35
it's probably, I don't know, like,
16:37
like a hundred a day. Uh,
16:40
login attempts. Yeah. Yeah. It's, it's nuts.
16:43
Um, I don't think my, simply there's just
16:45
bots out there. If you do a search,
16:47
just everybody's yeah, there's just bots out there
16:49
looking for Synology login
16:52
pages and looking for unsecured, you
16:54
know, there's bots everywhere. And
16:57
they will try admin admin and
16:59
admin puppy and all these things,
17:02
uh, which is, is pretty, pretty
17:04
wild. Um, and obviously they never get in
17:06
because I have like two factor authentication and
17:08
whatnot, but I kind of would
17:10
like them to not even
17:12
try because like, you know, that our
17:15
request is coming into my home and
17:17
trying to access it. You know, I
17:20
know that freaks me out. And then if you
17:22
have like the, uh, like the tunnel
17:24
lock to make sure that like somebody has to
17:26
hit a log in before they hit that, then
17:28
they're not even getting to your home. Um,
17:31
and, and that to me feels, it feels great. Yeah. I,
17:34
yeah, that, that whole Synology thing is
17:36
freaky to me as well. Um,
17:39
but yeah, if I could have, that's like one of
17:41
the services, if I could have three FA on it
17:43
for FA, just give me like all the FAs I
17:45
would do it. Yeah. Doesn't it? Yeah. I don't need
17:47
the inconvenience. It does not matter to me. Um,
17:50
I just don't want somebody getting into my, my NAS
17:52
and deleting all my stuff. Yeah. Yeah.
17:55
All right. Uh, I think that's all we have.
17:57
Certainly check them out. Grab a Cloudflare tunnel,
17:59
try it again. get a setup
18:01
like a local dot whatever even buy
18:04
like a whole new domain name. There's
18:06
an excuse for you can buy a new
18:08
domain name, but yes, buy a domain name
18:10
for your projects. And then just try set
18:12
up like a local one. You
18:15
can also just proxy other applications
18:17
as well, right? It doesn't have to be something
18:20
locally hosted. It could be an actual
18:22
application that's on a server
18:24
somewhere as well. Yeah. Except that you
18:27
would just have to have cloudflared
18:29
daemon running. That's that's the only thing.
18:31
Yeah, you have to have that running
18:33
on your box. Yep. Word.
18:36
Cool. Well, I hope you found this
18:38
interesting and let us know what you're hosting on Cloudflare tunnels. If
18:41
you use something different like something else or just not
18:43
convinced, let us know in the comments down below, smash
18:45
that subscribe button, all that good stuff. And we'll see
18:47
you in the next one. Bye.