Isn't one of Cloudflare's biggest strengths that they have a shitton of servers around the world and can thus provide DDOS resilient caching?
Having a shitton of servers is kind of the antithesis of self hosting.
this post was submitted on 18 Jul 2025
43 points (100.0% liked)
Selfhosted
49551 readers
519 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
If you want DDoS protection you're gonna need to work with someone who can swallow and filter a whole botnet's worth of traffic and keep running. That takes some serious infrastructure.
I recommend Cloudflare for small businesses because their terms of service are actually decent, and blending their traffic into that stream makes their website indistinguishable from larger competition.
The next closest things are Pangolin (https://digpangolin.com/) and WireGuard. You'll need to rent a server somewhere with a public-facing IP to run the server-side software (and DDoS protection is based on the services provided by your datacenter host). Pangolin has a UI similar to Cloudflare, but under the hood, it's just Wireguard, so if you prefer more direct control, you can just set up a Wireguard tunnel by hand.
For myself, and my own needs, I don't need all that. I just use DDNS* to point my DNS records to my home's public ip address & use port forwarding to connect ports 80 & 443 to Nginx Proxy Manager. (When I add Anubis, I'll port forward to Anubis and then have Anubis redirect valid traffic to Nginx Proxy Manager) This setup offers no protection against DDoS, but for what I use it for, I think it's an acceptable risk (I'd either have to get someone's attention and ire or just be cosmically unlucky)
*the server has a cron job to curl the DDNS refresh URL every hour.
If you just want a secure connection, you can use a reverse proxy with certbot and nginx. Plenty of people have already done this and you can find their work on hub.docker.com
One this that's really hard to replace is DDoS protection.
Pangolin as replacement for cloudflare tunnels and more.
Ok now this is interesting.
I'm not knocking anubis but anubis seems very one-note, a single step. Pangolin looks more encompassing.
That is kind of the UNIX philosophy at work and you'll find that in a lot of open-source and self-hosted projects. The goal is to do one very specific thing really well in a small and streamlined package that integrates into other processes in a clear, defined and transparent way, not to be one of these super-convenient but bloated "it does everything and the kitchen sink" behemoths. It's a different style of software development but it's popular in the open source community for a lot of reasons, for example it's a lot more maintainable by a single person or small team with limited time. You'll find most of these large complex open source projects are organized and developed by companies (like Pangolin is), while the smaller UNIX-style projects are often written by individuals or very small teams volunteering their spare time. There are tradeoffs in either direction, but for self-hosting I think following the UNIX philosophy has a lot in common with a typical goal of self-hosting, reducing your dependence on for-profit companies that have a financial incentive to enshittify or otherwise try to squeeze money out of you.
I think you're either looking for a tunnelling solution or a Web Application Firewall. And there are several options. ModSecurity, or SafeLine, BunkerWeb, Coraza, open-appsec. For (AI) crawlers and bad bots we have Anubis, Iocaine... or something like more traditional blocklists or something like OpenResty which is some modified Nginx plus modules...
The tunneling itself can be done with a simple reverse proxy like Nginx, Traefik, Caddy...
I've messed around a bit with ModSecurity. But I'm still looking for something aganist the crawlers.
Cloudflare does a lot of things from DNS to tunnels. Can you describe the part you're interested in?
......asterisk? The proxy everyone uses, the middleware that detects bots and such before letting you through. Their bread and butter. I'm not sure of any formal name.
A bit like this? https://github.com/chaitin/safeline
Only safeline's webui is open source, and the dev is a little odd. Just like tailscale, I don't like closed source reliance. I've been referred to open-appsec as an open alternative, but I'm not sure on them either.
Agreed!