• Cloudflare and BBSes?

    From poindexter FORTRAN@1337:3/178 to All on Mon Mar 2 18:35:16 2026

    Is anyone using Cloudflare with their BBS/homelab?

    I'd like to use it as a WAF in front of the BBS's web server, as I see a lot of crufty traffic hitting my server. The only problem is that I use all of my services off of one hostname - and Cloudflare is only handling 80/443.

    It looks like there might be a way to use SRV records to define alternate hosts for different ports - does anyone do that to, say, route binkp/binkps traffic around the WAF to your home server?
    --- SBBSecho 3.33-Win32
    * Origin: realitycheckBBS.org -- information is power. (1337:3/178)
  • From poindexter FORTRAN@1337:3/178 to poindexter FORTRAN on Tue Mar 3 07:05:29 2026
    poindexter FORTRAN wrote to All <=-

    It looks like there might be a way to use SRV records to define
    alternate hosts for different ports - does anyone do that to, say,
    route binkp/binkps traffic around the WAF to your home server?

    replying to myself, always a bad sign... :)

    I realize I could create separate host names, but bbs.realitycheckbbs.org
    is a mouthful. Would like everything to be under one hostname if
    possible.



    --- MultiMail/Win v0.52
    * Origin: realitycheckBBS.org -- information is power. (1337:3/178)
  • From MeaTLoTioN@1337:1/101 to poindexter FORTRAN on Tue Mar 3 16:16:46 2026
    On 03 Mar 2026, poindexter FORTRAN said the following...

    poindexter FORTRAN wrote to All <=-

    It looks like there might be a way to use SRV records to define alternate hosts for different ports - does anyone do that to, say, route binkp/binkps traffic around the WAF to your home server?

    replying to myself, always a bad sign... :)

    I realize I could create separate host names, but bbs.realitycheckbbs.org is a mouthful. Would like everything to be under one hostname if
    possible.

    If you're pointing the domain to your BBS host, then you'll have to handle the webserver on that host also. If you want to use the WAF, then you could hand off the domain to CF, but then you'd have to either assign a subdomain to the BBS, or you could use a CF connector which is like a reverse ssh tunnel.

    ---
    Best regards,
    Christian aka MeaTLoTioN // @meatlotion:erb.pw

    [eml] ml@erb.pw  [web] www.erb.pw  [fsx] 21:1/158  [tqw] 1337:1/101  [rtn] 80:774/81  [fdn] 2:250/5  [ark] 10:104/2

    ... A truly wise man never argues with a Unicorn

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From zharvek@1337:3/159 to poindexter FORTRAN on Tue Mar 3 13:11:23 2026
    If you have a homelab, you possibly have docker? Just get NPM (Nginx Proxy Manager) and you can route all the HTTP traffic you want. You can still use ClownFlare if you really want to, but using NPM will give you more control in the future.

    You can use a combination of your firewall NAT+NPM and have incoming ports going to hosts, services in docker, physical etc. Firewall them upstream, and have NPM handle all HTTP/S services as the router for that traffic.

    NPM also does Streams (TCP) and some other fun little features to keep it all in one nice managed interface such as handling all of your TLS certificates/renewals and such using Let's Encrypt.

    Throw in some block lists at the firewall level, and nginx block lists into NPM and you have a nice little setup.

    --- Mystic BBS v1.12 A49 2024/05/29 (Windows/32)
    * Origin: Archaic Binary * bbs.archaicbinary.net (1337:3/159)
  • From poindexter FORTRAN@1337:3/178 to MeaTLoTioN on Thu Mar 5 07:26:22 2026
    MeaTLoTioN wrote to poindexter FORTRAN <=-

    If you're pointing the domain to your BBS host, then you'll have to
    handle the webserver on that host also. If you want to use the WAF,
    then you could hand off the domain to CF, but then you'd have to either assign a subdomain to the BBS, or you could use a CF connector which is like a reverse ssh tunnel.

    Yeah, I thought so. I do like the idea of running tunnels for non-web
    traffic back to the BBS and will look into it.





    --- MultiMail/Win v0.52
    * Origin: realitycheckBBS.org -- information is power. (1337:3/178)
  • From poindexter FORTRAN@1337:3/178 to zharvek on Thu Mar 5 07:26:22 2026
    zharvek wrote to poindexter FORTRAN <=-

    If you have a homelab, you possibly have docker? Just get NPM (Nginx
    Proxy Manager) and you can route all the HTTP traffic you want. You can still use ClownFlare if you really want to, but using NPM will give you more control in the future.

    I am running NPM now, but didn't see any way to include SPI or a way to
    include block lists.

    I did see NPMplus, which supports openappsec block lists - that seems
    like an interesting solution. What I really want is something to block
    traffic based on behavior. Apparently NPM can support them, too - I
    need to read up on it. I'm using Proxmox, which supports LXC
    containers. I do have a docker host, set up on a Debian VM.


    Throw in some block lists at the firewall level, and nginx block lists into NPM and you have a nice little setup.

    I'd like either to be able to handle externally managed block lists
    instead of managing them myself. Openappsec.io looks interesting for
    that.





    --- MultiMail/Win v0.52
    * Origin: realitycheckBBS.org -- information is power. (1337:3/178)
  • From Mindsurfer@1337:1/104 to poindexter FORTRAN on Fri Mar 6 13:07:10 2026
    Re: Re: Cloudflare and BBSes?
    By: poindexter FORTRAN to zharvek on Thu Mar 05 2026 07:26:22

    I am running NPM now, but didn't see any way to include SPI or a way to include block lists.
    I did see NPMplus, which supports openappsec block lists - that seems like an interesting solution. What I really want is something to block traffic based on behavior. Apparently NPM can support them, too - I need to read up on it. I'm using Proxmox, which supports LXC containers. I do have a docker host, set up on a Debian VM.
    I'd like either to be able to handle externally managed block lists instead of managing them myself. Openappsec.io looks interesting for that.

    I just switched from NPM to NPM+ on my homeserver setup and have just activated the GeoIP2 feature with a free MaxMind account. That seems to work really well so far. For a special use case I will also use NPM+ with a script to whitelist a specific dyndns host IP.

    But I don't use it for Synchronet. Synchronet BBS connects directly to my home internet router.
    Anyone using NPM+ with Synchronet? I think that can't work if you are using all the features of Synchronet like webserver, mailserver, letsencrypt etc. pp. I am on a dyndns and would like to see if someone managed running all services through NPM+

    Mindsurfer
    --- SBBSecho 3.37-Linux
    * Origin: FuNToPiA BBS - telnet://funtopia.synchro.net:3023 (1337:1/104)
  • From poindexter FORTRAN@1337:3/178 to Mindsurfer on Fri Mar 6 07:20:01 2026
    Mindsurfer wrote to poindexter FORTRAN <=-

    But I don't use it for Synchronet. Synchronet BBS connects directly to
    my home internet router. Anyone using NPM+ with Synchronet? I think
    that can't work if you are using all the features of Synchronet like webserver, mailserver, letsencrypt etc. pp. I am on a dyndns and would
    like to see if someone managed running all services through NPM+

    Yeah, my plan is to use port forwarding for non-web services and let
    Synchronet handle any IP blocking, but to proxy web access to Synchronet
    and to my home lab with NPM+ doing the blocking and WAF.

    I do that now with NPM, mostly so my devices can renew LetsEncrypt
    certs without me needing to change port forwarding manually.



    ... AVOID GIMBLE LOCK.
    --- MultiMail/Win v0.52
    * Origin: realitycheckBBS.org -- information is power. (1337:3/178)
  • From Mindsurfer@1337:1/104 to poindexter FORTRAN on Sat Mar 7 21:51:55 2026
    Re: Re: Cloudflare and BBSes?
    By: poindexter FORTRAN to Mindsurfer on Fri Mar 06 2026 07:20:01

    Yeah, my plan is to use port forwarding for non-web services and let Synchronet handle any IP blocking, but to proxy web access to Synchronet and to my home lab with NPM+ doing the blocking and WAF.

    I was searching for a solution to give just one specific IP (which would be a dynamic IP) access to a specific ProxyHost of npm+. And since there is no direct solution built into npm+, I sat down with Claude AI to create a script that pulls the IP from a dyndns domain and inserts it into the nginx extended field of a proxy host as a deny-all-but-one-IP rule.
    You also can have multiple dyndns hosts linked to multiple npm+ proxy hosts.

    Still testing it, but if you are interested in such a bash script, let me know =)

    I do that now with NPM, mostly so my devices can renew LetsEncrypt certs without me needing to change port forwarding manually.
    It's nice that you can give that all to npm+ and it takes care of renewing the certs, isn't it? BTW, it seems most people were a bit surprised: by default the letsencrypt certs of npm+ are renewed every 6 or 7 days. So, very short-lived.

    Now that I know I can have a *.mydomain.de certificate from letsencrypt and use it for all my internal service webinterfaces, that are usually available via LAN-IP:Port only, I have defined a zone in my own dns server for all those local host webinterfaces that routes them to my local npm+ and can use them with the *.mydomain.de cert. It is amazing once you understand npm+, letsencrypt and split horizon dns.
    This way I can have myrouter.mydomain.de instead of 192.168.178.1:56232 using a TLS connection via letsencrypt certificate. No more self-signed certs crap!

    Sorry for babbling. I am just so excited about it =)

    Mindsurfer
    --- SBBSecho 3.37-Linux
    * Origin: FuNToPiA BBS - telnet://funtopia.synchro.net:3023 (1337:1/104)
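An added example in POSIX sh of the deny-all-but-one-IP idea from the message above (this is not Mindsurfer's script and not part of NPM+): it resolves a DynDNS name, validates the answer, and writes an nginx allow/deny fragment, failing closed when the lookup returns nothing usable. It assumes glibc's getent for name resolution and that the fragment is pulled into the proxy host's custom nginx configuration with an include directive.

```sh
#!/bin/sh
# Added example, not the script from the thread. Resolves a DynDNS name and
# writes an nginx fragment that admits only that address. Fails closed: a
# lookup that returns nothing or garbage never produces a rule.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
}

# First IPv4 address of a hostname, or no output if it does not resolve.
# getent is glibc-specific (assumption); dig +short A "$1" | head -n1 also works.
resolve_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Print the fragment for exactly one allowed client. Refuses empty or
# malformed input, so a failed lookup cannot become a broken "allow ;" line.
# Note: behind Cloudflare nginx sees Cloudflare's address unless real-IP
# handling is configured, so this rule only makes sense on a direct path.
allow_only() {
  if ! valid_ipv4 "$1"; then
    echo "allow_only: refusing to write rule for '$1'" >&2
    return 1
  fi
  printf 'allow %s;\ndeny all;\n' "$1"
}

# Resolve $1 and rewrite fragment file $2 only when the address changed.
# Exit status: 0 updated (reload nginx), 2 unchanged, 1 lookup failed.
update_fragment() {
  dyndns_name=$1 fragment=$2
  ip=$(resolve_a "$dyndns_name")
  new=$(allow_only "$ip") || return 1
  if [ -f "$fragment" ] && [ "$(cat "$fragment")" = "$new" ]; then
    return 2
  fi
  printf '%s\n' "$new" > "$fragment"
}
```

Run `update_fragment myclient.dyndns.example /path/to/only_me.conf` (placeholder names) from cron and reload nginx when it returns 0; the proxy host's custom configuration then only needs `include /path/to/only_me.conf;`.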
  • From poindexter FORTRAN@1337:3/178 to Mindsurfer on Sun Mar 8 08:56:11 2026
    Mindsurfer wrote to poindexter FORTRAN <=-

    Now that I know I can have a *.mydomain.de certificate from letsencrypt and use it for all my internal service webinterfaces, that are usually available via LAN-IP:Port only, I have defined a zone in my own dns
    server for all those local host webinterfaces that routes them to my
    local npm+ and can use them with the *.mydomain.de cert. It is amazing once you understand npm+, letsencrypt and split horizon dns. This way I can have myrouter.mydomain.de instead of 192.168.178.1:56232 using a
    TLS connection via letsencrypt certificate. No more self-signed certs
    crap!

    I played with self-signed certs for a while. For a network the size of
    mine, it makes sense -- but it feels like the easy way out, and part of
    the reason I'm doing this is to learn and keep up with skills I can use
    in the workplace.

    What DNS service are you using that lets you do wildcard domains? I'm
    on Namecheap, and they only allow API access for wildcards if you have
    10+ domains. I'd love to be able to set up a wildcard domain or
    subdomain.


    --- MultiMail/Win v0.52
    * Origin: realitycheckBBS.org -- information is power. (1337:3/178)
  • From Mindsurfer@1337:1/104 to poindexter FORTRAN on Mon Mar 9 00:29:38 2026
    Re: Re: Cloudflare and BBSes?
    By: poindexter FORTRAN to Mindsurfer on Sun Mar 08 2026 08:56:11

    What DNS service are you using that lets you do wildcard domains? I'm on Namecheap, and they only allow API access for wildcards if you have 10+ domains. I'd love to be able to set up a wildcard domain or subdomain.

    All my local subdomains to mydomain.de exist only on my local dns server (technitiumDNS). I have the mydomain.de domain hosted at all-inkl.com. They allow letsencrypt certbot access to their dns settings via API:
    npm+ > certificates > add certificate > *.mydomain.de > provider from the list "all-inkl" and in the textfield below
    dns_kas_user = your_kas_user
    dns_kas_password = your_kas_password

    that creates the *.mydomain.de certificate that is valid also for all my local only subdomains of mydomain.de
    npm+ has just added something like that to the all-inkl dns server for mydomain.de:
    _acme-challenge TXT SJXtqwELgEOVcQ74O2g3GnW-wfr-ZHeW6CFwZfwsQW_X

    The technitiumDNS has a mydomain.de zone where the @ type A entry points to the real all-inkl dns server IP and proxmox.mydomain.de etc. point with a type A record to the LAN IP of npm+
    In npm+ the proxmox.mydomain.de points to the actual proxmox webinterface LAN-IP:port

    So it appears that I have access to all my local services via internet urls like servicename.mydomain.de. No need for using IP:port anymore. No need for self-signed certs. Of course the domains are not reachable from the internet. It stays all local due to technitiumDNS and npm+

    I still can access a real this.mydomain.de added via the all-inkl.com server interface, because the local technitiumDNS forwards DNS requests for subdomains it does not know to the actual all-inkl.com DNS server.

    Mindsurfer
    --- SBBSecho 3.37-Linux
    * Origin: FuNToPiA BBS - telnet://funtopia.synchro.net:3023 (1337:1/104)
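An added example in POSIX sh for the wildcard-certificate part of the message above (not Mindsurfer's setup, and no NPM+ or Technitium code): it checks which hostnames a name like *.mydomain.de covers, since a wildcard stands for exactly one label, and lists the names a live endpoint actually presents. mydomain.de is the placeholder domain from the message; openssl is assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the thread. A wildcard certificate name covers
# exactly one label: *.mydomain.de covers proxmox.mydomain.de, but neither
# mydomain.de nor nas.lab.mydomain.de, which need their own names.

# Return 0 if certificate name $1 covers hostname $2. Matching is
# case-insensitive; a wildcard may only stand for the leftmost label.
name_covers() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pattern in
    '*.'*)
      suffix=${pattern#\*.}
      case $host in
        *.*."$suffix") return 1 ;;   # two or more labels left of the suffix
        ?*."$suffix")  return 0 ;;   # exactly one non-empty label
      esac
      return 1 ;;
    *)
      [ "$pattern" = "$host" ] ;;
  esac
}

# Return 0 if any of the newline-separated names in $1 covers hostname $2.
any_covers() {
  for n in $1; do            # certificate names contain no whitespace
    name_covers "$n" "$2" && return 0
  done
  return 1
}

# DNS names from the certificate a live endpoint presents, one per line.
# SNI is sent so a reverse proxy such as NPM+ serves the matching certificate.
cert_names() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Report whether the certificate presented by $1 (port $2, default 443) covers $1.
check_endpoint() {
  names=$(cert_names "$1" "${2:-443}")
  if [ -z "$names" ]; then
    echo "check_endpoint: no certificate names received from $1" >&2
    return 1
  fi
  any_covers "$names" "$1"
}
```

Running `check_endpoint proxmox.mydomain.de` from a LAN client confirms both that split-horizon DNS sent you to npm+ and that the presented certificate covers the name; a deeper host such as nas.lab.mydomain.de fails until its own name is on the certificate.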
  • From Shurato@1337:3/185 to poindexter FORTRAN on Sun Mar 8 20:49:00 2026

    Mindsurfer wrote to poindexter FORTRAN <=-

    What DNS service are you using that lets you do wildcard domains? I'm
    on Namecheap, and they only allow API access for wildcards if you have
    10+ domains. I'd love to be able to set up a wildcard domain or
    subdomain.

    I use No-IP and they allow subdomains. I've got bbs.shsbbs.net as well as radio.shsbbs.net and tv.shsbbs.net that point to actual URLs.

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp, nntp,
    wss) (Ports 22, 23, 110, 21, 119, 999)


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (1337:3/185)