Every weekend there is football, if you have a household server with Home automation, Plex, a news reader, a private cloud with NextCloud, a VPN, or any other service, and you have it inside the cloudflare CND to protect you from computer attacks, you can use it. The reason: you know it, LaLiga’s fight against illegal emissions in Spain. Tired of this, users have begun to mount their own infrastructure to the proof of these blockages. And one of them has struck us especially: Own Trust.
Under the motto “Your Infrastructure, Your Rules”, Own Trust seeks to be a kind of alternative to the cloudflare Zero Trust. But, instead of depending on this CDN, everything is processed and executed within your own server. In this way, you only depend on Cloudflare as DNS, being impossible for your servers to block on weekends (unless they go directly against your IP, something that, if they have no reason, cannot do).
What offers Own Trust
Own Trust is still an advanced configuration of a reverse proxy, but taken to the end of simplicity so that anyone, for few knowledge that you have, can do it. The first thing this project does is help you configure Wildcard certificates. These, in addition to providing HTTPs services, hide the subdomains so that no one can find out.
Then, secondly, configure an inverse proxy with Traefik. It could also be done with NGINX, but Tradefik is more complete, especially when configuring the middleware, which is what interests us most. Thanks to them, we can implement in our NAS or home server advanced security functions such as Cloudflare, such as:
- Rate Limiting
- Modify Request/Response Header
- Geo-blocking
- Redirect Rules
- URL Rewrites
- IP Access Rules
Thanks to these security layers, we can directly block all the traffic that comes from outside the countries that do not interest us (Russia, China, etc), or allow only the traffic of Spain, blocking by default all other connections. We also have a basic protection against ddos, brute force attacks, and even in front of XSS attacks.
And, to the elderly, it allows us to set up another Middleware called «Authelia». This what it does is act as a login to our entire intranet. Before arriving (and exposing) any service, we have to log in to authelia, and keep the cookie on our computer, or, otherwise, we will not be able to enter anything. This layer protects, in case they guess any of our services, of possible attacks against vulnerabilities. In addition, it supports double authentication for even more robust security.
Limitations
Of course, we must take into account some limitations. In addition to the most advanced protections offered by the CDN (especially in order to mitigate massive ddos attacks, improve performance with the http cache or the Application Firewall website), Own Trust Requires a real public IPso if your Internet operator has you under a CGNat, forget about using it.
The developer has assured that he is working on new security measures, such as a captcha system to better block brute force attacks in Authelia, or a Fail2ban system to block all the IPS that they try, for example, to carry out an attack.
Be that as it may, it is not a Trust Zero like the one that offers Cloudflare. But if you have a server or nas at home, or a small business, and LaLiga blocks are affecting you, it can be a solution. After all, these blockages go for long.
