(This post should read "Argo tunnel" instead of just "Argo")
I did the same to enable secure access to services via SSO at work. I used Harbormaster[1] to deploy Compose files, but it's otherwise the same setup.
One of the big advantages this has is that the services can't be accessed any other way (not even from the same host, as they only listen inside the Docker network). That makes it hard to forget some port exposed because you listened to 0.0.0.0 instead of localhost.
Cloudflare Access is very easy to set up SSO with, as well. I'd recommend this setup if you need it, though for home usage I usually just set up Caddy as a reverse proxy with basic auth, as I'll be the only person using this and I don't want Cloudflare MITMing my personal stuff.
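The layout this comment describes (services listening only inside the Docker network, with the tunnel connector as the sole way in), as an added example that is not from the commenter or from Harbormaster; the app image, network name and the `TUNNEL_TOKEN` variable are assumptions:

```yaml
# Added illustration, not code from the original post or from Harbormaster.
# One internal app plus the Cloudflare Tunnel connector on a private bridge
# network. Image name, network name and token variable are assumptions.
services:
  app:
    image: example/internal-app:latest   # placeholder image, listens on 8080
    # No "ports:" block: nothing is published to the host, so the app is only
    # reachable by other containers attached to the "tunnel" network below.
    networks:
      - tunnel
    restart: unless-stopped

  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment:
      # Token for a dashboard-managed tunnel whose public hostname maps to
      # http://app:8080. Keep it in .env; it is a credential, not config.
      TUNNEL_TOKEN: ${TUNNEL_TOKEN:?set TUNNEL_TOKEN in .env}
    networks:
      - tunnel
    depends_on:
      - app
    restart: unless-stopped

networks:
  tunnel:
    # Plain bridge network: private subnet between the two containers only.
    driver: bridge
```

Check on the host with `docker compose ps` (the PORTS column stays empty) and `ss -ltn` (no new listener); the Cloudflare Access policy attached to the public hostname, not the tunnel itself, is what decides who can reach the app.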
Cloudflare Tunnel (the service used here) is my current recommendation for most people when it comes to tunneling. Nobody wants to pay for tunnels, and it's the best loss-leader product offered by a reputable company that I'm aware of. The DNS integration is particularly nice.
My only concern is if it gets popular enough that a lot of self-hosters start using it for things like Plex and Jellyfin, which I believe is against Cloudflare's TOS, they might crack down on that.
If you prefer a self-hosted tunneling system, I maintain a list here:
I use ZeroTier for this too, although Tailscale would work just as well. To avoid port forwarding out of my local network (irrational fears), I have a $5 droplet running Pomerium (an SSO proxy, similar to self-hosted Cloudflare Access) and it sits on my ZeroTier network along with the boxes at my house, proxying requests (once they are authenticated) through ZeroTier to the boxes on the private network.
It works very well. Pomerium is easy-ish to configure (especially because it takes care of certs for you), and I can log into stuff on my LAN without having to boot up the ZeroTier client which takes a minute to connect on iOS (or from devices that don't have ZeroTier installed). I would've used Cloudflare Access + Argo Tunnel, but at the time they were still charging for tunneled bandwidth (like $10/GB or something outrageous), so this ended up cheaper.
Cool! I currently do a self-hosted version using nginx, certbot, and vouch-proxy [1]. Nginx checks with vouch for every HTTP request and redirects to Google for SSO if unauthenticated. It works well for humans in browsers, but not so much for robots. I'm sure I could configure nginx to do token-based auth, just haven't had the need.
I wonder if this would work to self-host on a crusty old T480 with a broken screen? Can Argo tunnel be used sort of like a dyndns? Although my Google Fiber connection at home has had the same IP, in order to get a static IP I need to get a Google Fiber Business connection, which is 2.5x more expensive.
Yep it should work great. If you have the expertise and inclination to set up port forwarding and dyndns, you'll get better performance with that, but IMO tunneling is the best solution for self-hosting for most people until IPv6 takes over.
I do have a firewall at home and I can open up a port and forward that to the laptop. Just that I don't want to spend money on DynDNS services and was trying to find a free solution. Thanks for confirming!
Self-hosting is so so cool. Nothing more satisfying than hosting your own website from scrappy ol' equipment :-)
I used namecheap to register my domain, and they have an option for dynamic DNS without ongoing fees (besides domain fees, I guess). I would be surprised if other registrars didn't have something similar.
So good to see so many home-hosting posts on HN lately! If you're using Kubernetes at home, we bundle all of this up (remote access, web-forwarding) as part of our service at https://kubesail.com
[1]: https://gitlab.com/stavros/harbormaster