There are lots of ways to host a website securely. Originally, I hosted my website on AWS. I used a static S3 site with Route53 for DNS and CloudFront as a Content Delivery Network (CDN). This worked really well but at the end of the day was static. I couldn't host services like Authentik.
The solution is simple: get my current cluster on the internet. Doing that securely is hard. My goals: no ongoing cost, end-to-end encryption, and no open ports on my home router.
cloudflared, the Cloudflare Tunnel client, is a great option. It is free, it can run as a pod on my cluster, and I already use Cloudflare to manage my domain. So why not use it? Simple - Cloudflare can see the plain text traffic that goes through the tunnel. This is a giant no-no and breaks one of my requirements. It would be fine for static things, but for things like a Wiki or Authentik [anything that has a password] it wouldn't be secure.
For clarification, Cloudflare isn't doing anything malicious. Their tunnels work by terminating TLS at their edge. Your traffic is encrypted between the client and Cloudflare, and encrypted again between Cloudflare and your server - but in between, Cloudflare can and does see everything in plain text. For a static blog that's fine. For anything with authentication, session tokens, or sensitive data, you're trusting a third party with every request. I didn't want that.
The solution was to build my own tunnel. I spun up a free-tier Oracle Cloud VM, set up WireGuard between it and my cluster, and configured iptables to forward traffic through. The Oracle VM is a dumb proxy - just forwarding the encrypted traffic. I cover the full setup, config, and iptables rules in How This Blog Is Hosted.
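Here is what the VM-side forwarding can look like, as an added example rather than the config from the post (the real rules are in the linked write-up). The interface names, the tunnel addresses and the forwarded ports are assumptions; the point is that the VM only rewrites IP headers and never terminates TLS, so the cluster's ingress still holds the certificate and the private key.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Assumed values:
#   PUB_IF  - the VM's public NIC
#   WG_IF   - the WireGuard interface on the VM
#   PEER    - the cluster's address inside the tunnel (constructed)
PUB_IF="ens3"
WG_IF="wg0"
PEER="10.200.0.2"

# Print (rather than run) the iptables rules that make the VM a plain
# layer-4 forwarder for one TCP port. Printing lets the rules be reviewed
# first; pipe the output through "sudo sh" to apply them.
forward_rules() {
    port="$1"
    # Rewrite the destination of inbound connections to the cluster side of
    # the tunnel. The TLS payload is untouched; only the IP header changes.
    echo "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $port -j DNAT --to-destination $PEER:$port"
    # Allow exactly that forwarded flow into the tunnel, and its replies back out.
    echo "iptables -A FORWARD -i $PUB_IF -o $WG_IF -p tcp -d $PEER --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WG_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Source-NAT onto the tunnel so the cluster's replies route back through
    # the VM instead of its own default gateway. Caveat: the backend then sees
    # the VM's tunnel address, not the client IP, and the VM cannot add an
    # X-Forwarded-For header because it never sees the plaintext request.
    echo "iptables -t nat -A POSTROUTING -o $WG_IF -d $PEER -p tcp --dport $port -j MASQUERADE"
}

# Full command set: kernel forwarding on, a default-drop FORWARD chain so
# nothing else crosses the VM, then rules for HTTP and HTTPS.
setup_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    forward_rules 80
    forward_rules 443
}

setup_commands
```

Everything other than the forwarded ports and WireGuard's UDP listener stays closed on the public interface, and the home router still has no inbound ports because the cluster dials out to the VM.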
This setup means I own every piece of the path. No vendor sees my traffic in plain text. No Cloudflare outage takes me down. No policy change locks me out. If I want to move domains tomorrow, I update a DNS record and everything still works. The tradeoff is I’m responsible for uptime and patching - but that’s the point.