by stavros on 11/29/2021, 6:39:02 PM
by anderspitman on 11/29/2021, 8:40:59 PM
Cloudflare Tunnel (the service used here) is my current recommendation for most people when it comes to tunneling. Nobody wants to pay for tunnels, and it's the best loss-leader product offered by a reputable company that I'm aware of. The DNS integration is particularly nice.
My only concern is if it gets popular enough that a lot of self-hosters start using it for things like Plex and Jellyfin, which I believe is against Cloudflare's TOS, they might crack down on that.
If you prefer a self-hosted tunneling system, I maintain a list here:
by jgrahamc on 11/29/2021, 6:45:12 PM
A related cool thing you can do with Cloudflare and a Raspberry Pi: https://blog.cloudflare.com/ssh-raspberry-pi-400-cloudflare-... (browser-based SSH to a machine connected using Argo Tunnel).
by ericcholis on 11/29/2021, 6:48:14 PM
Another nice alternative is Tailscale.
by cyounkins on 11/29/2021, 8:37:35 PM
Cool! I currently do a self-hosted version using nginx, certbot, and vouch-proxy [1]. Nginx checks with vouch for every HTTP request and redirects to Google for SSO if unauthenticated. It works well for humans in browsers, but not so much for robots. I'm sure I could configure nginx to do token-based auth, just haven't had the need.
by systemvoltage on 11/29/2021, 8:22:45 PM
I wonder if this would work to self-host on a crusty old T480 with a broken screen? Can Argo tunnel be used sort of like a dyndns? My Google Fiber connection at home has had the same IP, but in order to get a static IP, I need to get a Google Fiber Business connection, which is 2.5x more expensive.
by erulabs on 11/29/2021, 8:18:54 PM
So good to see so many home-hosting posts on HN lately! If you're using Kubernetes at home, we bundle all of this up (remote access, web-forwarding) as part of our service at https://kubesail.com
by V41frQo1SccpfHI on 11/29/2021, 8:59:15 PM
What's the function of "gluetun" in this setup? Would the VPN-Tunnel then also run via Cloudflare Tunnel?
(This post should read "Argo tunnel" instead of just "Argo")
I did the same to enable secure access to services via SSO at work. I used Harbormaster[1] to deploy Compose files, but it's otherwise the same setup.
One of the big advantages this has is that the services can't be accessed any other way (not even from the same host, as they only listen inside the Docker network). That makes it hard to forget some port exposed because you listened to 0.0.0.0 instead of localhost.
Cloudflare Access is very easy to set up SSO with, as well. I'd recommend this setup if you need it, though for home usage I usually just set up Caddy as a reverse proxy with basic auth, as I'll be the only person using this and I don't want Cloudflare MITMing my personal stuff.
[1]: https://gitlab.com/stavros/harbormaster
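An added example, not part of the thread and not any commenter's code: a small audit of Compose short-syntax `ports:` entries that reports which published ports are reachable from outside the host, the 0.0.0.0-versus-localhost mistake mentioned above. It assumes Docker's default of publishing on all interfaces when no host IP is given; the service names and port strings are constructed sample data.

```python
import ipaddress

def bind_scope(spec: str) -> str:
    """Classify a short-syntax port entry ([IP:][HOST_PORT:]CONTAINER_PORT[/PROTO])
    by the host address it binds to."""
    spec = spec.split("/", 1)[0]                   # drop /tcp or /udp
    # Everything before the last two fields is the host IP (may be IPv6,
    # optionally bracketed); empty when only ports are given.
    host_ip = ":".join(spec.split(":")[:-2]).strip("[]")
    if not host_ip:
        return "all-interfaces"                    # assumed Docker default bind
    addr = ipaddress.ip_address(host_ip)
    if addr.is_unspecified:                        # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "specific-address"

def audit(services: dict) -> list:
    """Return (service, port_spec, scope) for every published port that is
    not bound to loopback. Services with no ports stay network-internal."""
    findings = []
    for name, ports in services.items():
        for spec in ports:
            scope = bind_scope(spec)
            if scope != "loopback":
                findings.append((name, spec, scope))
    return findings

# Constructed sample: service name -> its `ports:` list from a compose file.
SAMPLE = {
    "cloudflared": [],                             # outbound tunnel only
    "wiki": ["8080:80"],                           # no IP given
    "grafana": ["127.0.0.1:3000:3000"],
    "dns": ["0.0.0.0:5353:53/udp"],
    "admin": ["[::1]:9000:9000"],
    "metrics": ["192.168.1.10:9100:9100"],
}

if __name__ == "__main__":
    for service, spec, scope in audit(SAMPLE):
        print(f"{service}: {spec} -> {scope}")
```

An empty result means every service is either unpublished or loopback-only, which is the state the tunnel-only setup aims for.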