I’ve been using Cloudflare Tunnels to host my synology photos application for both photo sharing and mobile backup applications for about 6 months now. I’ve gathered some learnings (good and bad) and this is a compiled list of them. I’m hoping to share knowledge as well as get feedback / ideas on the set-up.
The Set-up
- CloudFlare tunnel docker running in synology - https://hub.docker.com/r/cloudflare/cloudflared
- CloudFlare zero-trust domain Pro plan
- Caching rules for photo sharing
- Tried video sharing but had to remove this because the requests for video are for specific bit ranges and that is in the header, not the query string. To cache based on headers (or cookies) I need to enterprise cloudflare plan, which is about $1.8k more… so nah
- Security warning with photo sharing - remember that once cached the url will be open for anyone on the internet to view whether they are logged in or not. This is why I only set up caching for shared photos.
- The way Synology implements pw protection is it is just a hash of the password in a query parameter in the url, so the cache will still contain pictures that are password protected that are public to the internet until the TTL expires
- Security with CloudFlare WAF - standard OWASP protection
- Bots blocking - CloudFlare detects and mitigates bots
- Cloudflare Geo Lock - I allow-listed only my home country
Pros
-
Customized domain name. I use CloudFlare DNS, which then hooks up the tunnel running in synology to proxy requests over to the correct ports in my nas. I can customize exactly which ports to open for traffic coming from cloudflare without ever exposing the IP address of my nas.
-
Security - I want to be able to share photos with a link, but I don’t want to have viewers log in or view the annoying quick-connect transition. This means some part of the nas needs to be exposed to the internet, so I tried adding as much security ahead of that as possible and to reduce the area of the nas that is exposed to the internet with cloudflare tunnel.
- Geo locking blocks requests outside my home country—though this isn’t 100% fool-proof
- CloudFlare WAF uses managed rules to block bots and known attack vectors
-
Caching - sharing photos is pretty instantaneous after first load. Users can see the photos quickly thanks to CloudFlare’s CDN (content delivery network). This means to view a photo the request doesn’t have to come all the way to my nas, but can be served instead by the closest edge server to the user that cloudflare owns.
-
Analytics / logs - CloudFlare tunnels have live logs for any traffic going to your source (synology nas). This makes it easy to debug if you set up caching or security correctly, or if anything isn’t working
Cons
Biggest con is that CloudFlare only supports post requests up to 100 mb in size… this sucks because videos won’t upload if they’re larger than like 30 seconds. source: https://community.cloudflare.com/t/uploading-large-files/627287
I experienced this issue uploading videos and it was a pain to come to the root-cause of it. Mobile Backup would pretend the video uploaded because it was getting an error from cloudfront, but it wasn’t checking the error correctly so it just pretended everything was fine. It got to a weird state where it was no longer in the upload queue but in the album it said it was uploading. I tried opening a ticket with Synology to see if they could chunk uploads through their apps, but they said they couldn’t help with that, so I opened a feature request with their product team.
Another place where the upload limit is an issue is with photo request. Users will be allowed to upload photos, but if the upload is larger than 100mb then they will also get an error (which is frustrating after they spent the time selecting all the photos they want to upload). I haven’t tried if it is 100mb for all uploaded photos combined or only per photo, but with cloudflare photo request rarely works in practical situations…
Finally, and connected to the first issue, is that adding this tunnel is another point of complexity and another area you have to explore when something isn’t working. Especially when you’re adding caching and security rules you need to ask: is it a DSM issue, is it a tunnel issue, is it a home network issue, is it a bad cache rule, is it a bad traffic rule? There’s a lot there and I got to a comfortable point after a while for using CloudFlares tools for debugging this (you can build and trace request, see live logs, see specific events). However, there’s no denying that quick connect is just plain easier even if it is slower.
Feedback
Hopefully this was useful to some of you! I would love feedback in this approach as I don’t think I will continue using this for my photos app in general because I can’t upload videos or files larger than 100mb and because photo request isn’t working for 70% of the use-cases I need. If you have any recommendations please comment!
Also, I’ve been thinking to try to connect AWS CloudFront to a VPC which has access to my NAS. I don’t know for sure that I can actually add my NAS to an AWS VPC, but if I can then that might be another way to get WAF (web application firewall), geo-locking, and caching without exposing my nas ip. If you’ve tried this, please send some pointers!