Security and Cloudflare Tunnel Integration Recommendations

MarianAct

Hello,

I am reaching out to inquire whether anyone has addressed the topic of securely connecting multiple servers across different countries, and if there are any recommendations or best practices regarding this integration.

I have a setup with 4 servers spread across different locations:

A dedicated server in the origin country, where I plan to sell hosting resources.
A VPS in Bulgaria, which serves as a backup server.
A VPS in Germany dedicated to the Enhance.
A VPS in Germany dedicated to WHMCS.

I would appreciate any advice on security best practices, particularly related to securing traffic between these servers, that have been followed in similar setups without encountering issues. Specifically, I am more interested in recommendations regarding securing communication channels, ensuring data integrity, and preventing unauthorized access, rather than basic server hardening steps (such as disabling root login or enforcing key-based SSH authentication).

Additionally, I have been considering using Cloudflare Tunnel and am in the process of configuring communication between the Enhance Panel server and the other servers to be routed exclusively through the Cloudflare Tunnel. Has anyone implemented this approach, or do you have experience that could help me in configuring it properly? Are there any potential limitations or concerns that I should be aware of?

Many thanks,
Cheers.

JohnB

I'd wait until they release their big update that doesn't use docker anymore. Otherwise a lot of your frustration getting this work is likely to be docker related.

According to documentation all ports between servers must be open to those servers. But the firewalls can obviously restrict such traffic to only server IP addresses and block everyone else.

From what others have tried you will run into issues as Enhance has some limitations, however after Docker isn't used it might be easier. If you search the forum for wireguard you will find someone trying to route interserver communication over a wireguard network. It wasn't going so well but it might help you.

Seems like a lot of work for little gain. Enhance already encrypts all channels between servers and uses certificate pinning IIRC + firewall rules. Sure, Cloudflare Tunnel adds another layer of security (and failure/complication) but so does hosting in a nuclear bunker.

ensuring data integrity

What do you mean specifically?

felikz

I’m doing something similar (but with a different goal for me). I had to create my own workarounds for a few things. The short version is that I used private addressing for servers (using ZeroTier) with internal DNS to make Enhance use that internal connectivity. But this way I needed workarounds for anything public. It worked well for me though on a small scale.