this post was submitted on 23 Sep 2025
52 points (98.1% liked)


The Wikipedia article says Cloudflare has been used to host hate speech, websites with illegal content and forums connected to all sorts of illegal activities. And I see them being used by a lot of decent webservices but shady ones as well.

So my question, can Cloudflare be used for something like "bulletproof hosting"? Does anyone know if they collaborate with law enforcement or care once someone sends a mail to the abuse contact? Or if there's a way to find information about a Cloudflare protected server for the public?

Hypothetical question, I'm just curious and I thought maybe someone here has first-hand experience with getting their account terminated or reporting content or doing piracy via them or whatever...

[–] darvocet@infosec.pub 45 points 1 month ago (3 children)

I have experience working in large data centers that provide hosting. What I can tell you is that various government agencies do and will randomly come by the data center with warrants and court orders for things. I've literally had NASA show up (wtf?) and have to pull a server offline while they mirror the hard disk. All very hush-hush, make excuses to the customer when they open a ticket. Another thing that happens is that the FBI has placed their servers within internal spaces of the network. When they get a court order they can open a ticket with our abuse department and whatever switch port the feds are interested in can be mirrored and sent to their packet capture servers.

[–] darvocet@infosec.pub 17 points 1 month ago (2 children)

I'll add to this that I'm old - these days in a cloud environment they don't even have to come to the data center to image the hard drive.

[–] madasi@lemmy.dbzer0.com 9 points 1 month ago

Exactly. Most cloud virtualization providers you just take a snapshot of the virtual disk and provide that when requested and the customer never has a clue that it happened. I'd get contacted by our legal department, told that my boss was only to be told that I was working for them for now and no other details, and then directed on what they needed a copy of and how to send it to them.

[–] hendrik@palaver.p3x.de 5 points 1 month ago* (last edited 1 month ago) (1 children)

Thanks for your insight. Reading these stories always makes me feel data should stay on own premises with extra security measures. And yes, on my VPS, imaging the storage is one click and I believe it's done online without any interruption of service. Not that I do a lot of illegal stuff on the internet. But with the current situation in the US and the general overboarding surveillance, I think I'd like to keep their government and agencies out of my emails and personal stuff... (And maybe even what I do publicly and within legal limits.)

Though I didn't ask about privacy here, but anonymity. And I guess selfhosting stuff at home isn't an option either. Everyone can tell my ISP and location to like 30km with that. And link the IP to other activities.

[–] FreedomAdvocate@lemmy.net.au 2 points 1 month ago (1 children)

Email? Lol good luck keeping that secure.

[–] hendrik@palaver.p3x.de 1 points 1 month ago

Sure, email is bad and we don't have any worthy successor. I can only deal with the most problematic aspects. Keep my inbox stored somewhere where people can't just easily go through all my stored mails and I guess it's transport encrypted more often than it's not... But yeah, it's only a little bit and "secure" shouldn't be in one sentence with email, I guess 😟

[–] cAUzapNEAGLb@lemmy.world 16 points 1 month ago (2 children)
[–] kambusha@sh.itjust.works 28 points 1 month ago

They wanted their space back

[–] darvocet@infosec.pub 13 points 1 month ago
[–] Auli@lemmy.ca 1 points 1 month ago (1 children)

NASA doesn't make sense. NSA?

[–] darvocet@infosec.pub 5 points 1 month ago

Yea, that's the point, it didn't make sense. The literal "National Aeronautics and Space Administration" sent tech and security people to a physical data center to copy a hard drive.

[–] _cryptagion@anarchist.nexus 23 points 1 month ago (1 children)

Does anyone know if they collaborate with law enforcement

yes, they do. they aren't there to provide bulletproof hosting, they are there to make your site resistant to DDoS attacks. as an added bonus, if you are selfhosting they also provide you with a bit of anonymity, in the sense that someone can't just figure out your general location from your ISP.

that doesn't mean people can't figure out who you are from the content you host. and if you are hosting content that is illegal, even if it's illegal in another country, then you are likely to be exposed when their courts subpoena cloudflare. cloudflare isn't going to fight too hard to protect your identity against a government, and honestly I don't blame them for that because they never said that was their mission or purpose. they are DDoS protection, with a few other features that might be useful to you.

[–] FreedomAdvocate@lemmy.net.au 1 points 1 month ago

Calling cloudflare “DDoS protection, with a few other features that might be useful to you” is so insanely downplaying what cloudflare provides.

[–] vhstape@lemmy.sdf.org 17 points 1 month ago

According to W3Techs, Cloudflare is used for 80.9% of all known reverse proxy endpoints which account for 19.8% of the entire Internet. It’s safe to say it’s used to host both legal and illegal content with that broad of a scope.

They are an American company and must cooperate with law enforcement when abuse is reported. If you’re planning on hosting pirated content, that most definitely violates their terms of service and will get you in trouble.

[–] Auli@lemmy.ca 9 points 1 month ago (1 children)

No they do not, and yes they are an American company they have to follow the rules. They also MITM, I wonder how many of the self hosters who use their tunnels realize this. Hosting a password manager behind them would be funny since they can scrape all your passwords.

[–] hendrik@palaver.p3x.de 7 points 1 month ago

Yes, I rarely see this being discussed. Cloudflare terminates the encryption, hopefully re-encrypts it on the way upstream, but they have access to all the content in the forwarded traffic. Not sure about the password managers, though. I believe most of them encrypt stuff on the device itself before sending it over the network, and there are no cleartext passwords transferred or stored on the servers.
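The distinction drawn in the comment above, as an added example that is not part of the thread: a proxy that terminates TLS reads request bodies in the clear, so only data sealed on the device before upload stays opaque to it. The scrypt and AES-256-GCM choices, the function names and the sample values are assumptions made for this sketch, not any particular password manager's scheme.

```javascript
const crypto = require('node:crypto');

// Constructed sample values, not real credentials.
const MASTER_PASSWORD = 'correct horse battery staple';
const VAULT_ENTRY = 'hunter2-constructed-sample';

// Client side: stretch the master password into a 256-bit key. The master
// password and the derived key stay on the device.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Client side: seal one vault entry with AES-256-GCM before upload.
function sealEntry(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return { iv: iv.toString('hex'), ct: ct.toString('hex'), tag: tag.toString('hex') };
}

// Client side: open a sealed entry; throws if ciphertext or tag was altered.
function openEntry(key, sealed) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(sealed.iv, 'hex'));
  d.setAuthTag(Buffer.from(sealed.tag, 'hex'));
  return Buffer.concat([d.update(Buffer.from(sealed.ct, 'hex')), d.final()]).toString('utf8');
}

// Proxy side: after TLS termination the HTTP body is plain bytes.
function proxyCanRead(httpBody, secret) {
  return httpBody.includes(secret);
}

// Returns true when the client rejects a ciphertext modified in transit.
function tamperIsDetected(key, sealed) {
  const flipped = (parseInt(sealed.ct.slice(0, 2), 16) ^ 1).toString(16).padStart(2, '0');
  const forged = { ...sealed, ct: flipped + sealed.ct.slice(2) };
  try { openEntry(key, forged); return false; } catch (e) { return true; }
}

const salt = crypto.randomBytes(16);
const key = deriveKey(MASTER_PASSWORD, salt);
const sealed = sealEntry(key, VAULT_ENTRY);
// Body of a vault sync request versus an ordinary server-side login form.
const syncBody = JSON.stringify({ salt: salt.toString('hex'), item: sealed });
const formBody = JSON.stringify({ user: 'alice', password: VAULT_ENTRY });
```

This covers only data sealed by client code that did not itself arrive through the proxy; an ordinary login form, or a web client served over the same proxied connection, remains readable and modifiable by whoever terminates TLS.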

[–] DrunkAnRoot@sh.itjust.works 3 points 1 month ago

on its own cloudflare provides anonymity the same way vpns do

[–] Typewar@infosec.pub 3 points 1 month ago* (last edited 1 month ago)

Cloudflare takes a neutral response in general but is not resistant to law enforcement demands.

What you can do is to create a cloudflare account on Tor, buy a privacy-focused VPN that supports port forwarding, connect your server to the VPN and point the DNS record to the VPN ip address. And then create a port rewrite rule in cloudflare settings (because port forwarding supported VPNs rarely support lower than 1024 ports). At least in this case, law enforcement notices won't be forwarded to your ISP... still not bulletproof, but good enough for most stuff if you have concerns.

[–] nuggie_ss@lemmings.world 3 points 1 month ago (1 children)

If you're doing anything risky, then you can't rely on a service like cloudflare.

They are 100% in bed with all of the 3 letter agencies.

If, for whatever reason, someone with power deems your website unpleasant, it will be taken down unceremoniously and any information that links it to you will be used to find and punish you.

[–] FreedomAdvocate@lemmy.net.au 1 points 1 month ago

Just a clarification - they're not “in bed” with anyone, they just comply with legal orders.

[–] hendrik@palaver.p3x.de 1 points 1 month ago* (last edited 1 month ago)

Edit: I found their Transparency Report: https://www.cloudflare.com/transparency/

Though, I don't know whether those numbers are high or low, considering the large amount of customers they have and the crazy amount of internet traffic they do.