2 min read

How I Host My Website Without Port-Forwarding

Here's the situation: When I'm away at university, I live in a student residence, which is just an apartment that you share with other people. In my room I have an access point and Ethernet wall receptacle that grant me access to the building's free internet. But therein lies the issue, how can I host my website on the internet without the ability to configure port-forwarding?

A more traditional solution to this problem may involve renting a VPS to host or proxy the site. But this comes with the potential drawbacks of poor performance, maintenance burden, or unreliability if proxies/VPNs are blocked. So my solution uses Cloudflare instead. While Cloudflare is most commonly known for their CDN and DDoS protection, they also offer a line of application security products under the "Cloudflare Zero Trust" banner. Most of these products offer some form of user access control or traffic inspection, none of which is useful to me. But one product in particular provides exactly what I need. Cloudflare Tunnel is primarily intended to prevent circumvention of Cloudflare's security using a lightweight client to make outbound connections to their network, opposed to requiring the server to be accessible to inbound connections. In my case however, where my server has no way to accept inbound connections, this lets me use Cloudflare's network to do the heavy lifting, and the added security is just a bonus.

How an HTTP request reaches a private application connected with Cloudflare Tunnel (from Cloudflare Docs)

If all I had running on my server was my website, it would be trivial to install Cloudflared and use it to create a public hostname tunnel to the port of my web server application. But in reality, I have dozens of applications running in containers on my server that all require their own public hostnames. Binding a port for each container, and adding a public hostname for each service is an option, but would quickly be unmanageable, and would create unnecessary vendor lock in if I were ever to migrate away from Cloudflare. I won't go into too much detail on how each application is configured, because I plan to do a more in-depth review of what I run on my server and how in a future post. A simplified explanation of how I overcame this challenge is by using a reverse-proxy. Instead of adding the hostnames for each of my applications to Cloudflare, I used a wildcard subdomain that forwards all requests from Cloudflared to a reverse-proxy application running in a container. The reverse-proxy is then able to direct requests to the correct application using only it's name.

So far this solution has been working great for me. I rarely have any issues with Cloudflared itself, and I have the added benefit that when I move back home during the summer, all I need is an internet connection to get my site back online, no additional configuration required. Unfortunately, Cloudflare only supports a limited number of protocols on specific ports. That means DNS, SMB file sharing, and other application-specific protocols are not supported. I plan to explore the solution I use for these services in a future post.