I'm trying to securely set up port 443 on a server located in a DMZ, and I'm looking for a way to better control how it's exposed to the public. I've already explored using Cloudflare Tunnel, and while it has some great features like user whitelisting and hiding my public IP, it also routes encrypted traffic through their edge servers. This raises concerns for me because I can't allow any unencrypted data to be transmitted outside of my control. I just want to connect a few select external users to my file sharing service securely. Any advice on whether I should be looking into reverse proxies or something else?
4 Answers
If you want to avoid having your traffic decrypted by the provider, you would need to set up your own Web Application Firewall (WAF). There are tools available for this purpose that can give you more control over your traffic security.
Have you tried looking into Netbird? It's another option to consider for your setup.
You're not really looking for a traditional reverse proxy. Since you don’t want anyone besides you and the authorized clients to handle TLS termination, you might be better off going for a private method like VPN, ZTNA, or mTLS-gated access before serving your file app. Reverse proxies and Cloudflare-style services generally help when you're okay with offloading some of the security.
When you mention not wanting data traffic to be unencrypted, are you worried about the keys being accessible to Cloudflare, or do you mean the data itself can't be unencrypted during transit? If it's the latter, consider generating an origin certificate from Cloudflare for your server. You could also set up IP tables to only allow their traffic and block the rest. It creates a pretty neat and clean setup for secure data flow without concerns about decryption by third parties.
Sounds like a solid plan! I’d definitely look into keeping everything encrypted on your end.
Definitely worth checking out, that might just fit your requirements!