[return to "I got hacked: My Hetzner server started mining Monero"]
1. j45+z6 2025-12-17 21:47:02
>>jakels+(OP)
Never expose your server IP directly to the internet, VPS or bare metal.
◧◩
2. palata+fb 2025-12-17 22:11:44
>>j45+z6
Unless you need it to be reachable from the Internet, at which point it has to be... reachable from the Internet.
◧◩◪
3. j45+ND 2025-12-18 01:50:06
>>palata+fb
Public-facing services routed through a firewall or WAF (Cloudflare), always.

Backend access trivial with Tailscale, etc.

◧◩◪◨
4. palata+Pi1 2025-12-18 09:31:03
>>j45+ND
Stupid question probably, but: how can it not be routed through a firewall? If you have it at home, it's behind a router that should have a firewall already, right? And just forwards the one port you expose to the server?

Cloudflare can certainly do more (e.g. protect against DoS and hide your personal IP if your server is at home).

◧◩◪◨⬒
5. j45+9Gb 2025-12-22 01:44:32
>>palata+Pi1
No such thing as a stupid question.

If you plug in a machine at home, it is behind the router, and behind the router's firewall.

If you want more of a firewall locally, something as simple as an EdgeRouter X can get you started easily with this excellent guide: https://github.com/mjp66/Ubiquiti

The nice thing about using Cloudflare Tunnel is there's zero ports to expose, ever. The Cloudflare Tunnel app running on your local machine is what connects out to the internet and takes care of creating a secure connection between Cloudflare and your machine.

If you want to forward more than one port to the machine, you could use something like Cloudflare to forward to a machine on your home server, and then have the Nginx Proxy Manager or something send the traffic around internally.

It's totally fine to start with Cloudflare, and if you aren't already, something like Proxmox (YouTube tutorials are pretty quick) gets you up and running and playing pretty quick. Feel free to ask any other questions you like.
