Building a peer-to-peer alternative to Cloudflare Tunnels with edge TLS certs
- #reverse proxy
- #privacy
- #peer-to-peer
- Standard reverse proxies terminate TLS (SSL) on the server itself and expose services directly to the public internet.
- Cloud-brokered reverse proxies like Cloudflare Tunnels or Ngrok decrypt TLS in the provider's cloud, which breaks compliance for sensitive data covered by regulations such as HIPAA.
- Standard reverse proxies leave internal sites discoverable, so they remain exposed to attack even when authentication is in place.
- A peer-to-peer VPN combined with an edge reverse proxy cloaks services from the public internet by using private DNS and tunneling.
- Pangolin provides both cloud-based and peer-to-peer VPN solutions with a lightweight site connector.
- Private HTTPS in Pangolin involves hijacking DNS at the OS level to prevent leaks and map domains to logical overlay addresses.
- Traffic is routed through peer-to-peer tunnels with health probes for optimal site selection and failover.
- Automated TLS certificates are issued centrally and pushed to edge connectors over a WebSocket connection, giving valid TLS without exposing the service publicly.
- An embedded reverse proxy at the edge terminates SSL and forwards decrypted HTTP requests to internal resources.
- Browser DNS caching can cause issues: the browser keeps using cached answers and ignores the local DNS server until the cache expires or is cleared manually.
- This architecture ensures zero-trust convenience without sacrificing data privacy or regulatory compliance.