Options for external access to server

[zackdotgomez]

Hey all, hoping you can help me work through configuring Sharkord. My goal is to self-host it inside my network, no VPS, and allow external access while maintaining reasonable security and obscurity.

• I'm running Sharkord in Docker in a DMZ
• I want to expose it for semi-public access from my home network, ideally without exposing my public IP
• Sharkord requires HTTPS for WebRTC to function, per documentation

I currently have a Caddy reverse proxy for my DMZ handling inbound requests and certificates. It works. However, Cloudflare's free tier only proxies HTTP/S traffic and doesn't forward custom ports. My understanding is that I would need to pay for Cloudflare Spectrum to customize the proxying of non-HTTP traffic:

"Spectrum provides security and acceleration for any TCP ↗ or UDP ↗ based application. Spectrum allows you to route MQTT, email, file transfer, version control, games, and more over TCP or UDP through Cloudflare to mask the origin and protect it from DDoS attacks".

Which could be a viable option depending on cost.
Another option would be to use cloudflared to tunnel Sharkord traffic straight into the proxy.
My understanding is that cloudflared would be A) no-cost to start, B) relatively simple to configure, and C) secure in that it enables strong auth before traffic even hits my application. This would be useful to familiarize myself with.

My question, I suppose, is about ensuring certs still work. In my mind's eye, nothing is actually changing for my proxy in terms of what it does with traffic bound for Sharkord, and nothing is changing in terms of how it requests a HTTP-01 challenge as long as I keep those ports open and the proxied domain name pointed at it.

I don't have a ton of experience exposing and securing services. If anyone with more experience is willing to sanity check me here, I'd really appreciate your time.

TIA,

• ZG

[zackdotgomez]

I ended up forwarding my WebRTC port directly, bypassing my proxy, but keeping the signaling channel over HTTPS behind the Cloudflare proxy. Nobody hitting the Sharkord auth screen is going to know my IP, and my trusted users are allowed to know my IP, so once they're in the proverbial front door it doesn't matter how the WebRTC connection happens.

Closing this discussion.