Luckylinux's Self-Hosted Universe

This is a local self-hosted server used for learning, experimentation, and running real production services. The infrastructure provides hands-on experience with system administration, networking, and DevOps practices while serving actual applications to users.

Services are exposed securely to the internet using Cloudflare Tunnel without opening any inbound ports on the router or firewall. This eliminates the need for port forwarding and provides an additional layer of security through Cloudflare's edge network.

The request flow follows this path: Users → Cloudflare Edge → Cloudflare Tunnel → Nginx Reverse Proxy → Internal Services

Cloudflare acts as the public-facing endpoint, routing requests through an encrypted tunnel to the local server. Nginx then handles internal routing to appropriate services based on hostname and path.

Cloudflare Tunnel (cloudflared) is configured to map multiple subdomains to internal services. The tunnel daemon runs locally and maintains persistent connections to Cloudflare's edge network, eliminating the need for publicly exposed IP addresses or open inbound ports.

Most hostnames terminate at localhost:443, where Nginx handles reverse proxying based on the Host header. Some services connect directly to their specific ports for performance or compatibility reasons.

Note: This configuration is a real-world but sanitized example showing how subdomains are mapped to internal services.

ingress:
  - hostname: server.luckylinux.dev
    service: https://localhost:443
  - hostname: railsplit-server.luckylinux.dev
    service: http://127.0.0.1:3108
  - hostname: n8n.luckylinux.dev
    service: https://localhost:443
  - hostname: chronocare-server.luckylinux.dev
    service: http://127.0.0.1:3102
  - hostname: code.luckylinux.dev
    service: https://localhost:443
  - hostname: analytics.luckylinux.dev
    service: https://localhost:443
  - hostname: ssh.luckylinux.dev
    service: ssh://localhost:22 #(secured)
  - hostname: openwisp2.luckylinux.dev
    service: http://127.0.0.1:80
  - hostname: cloud.luckylinux.dev
    service: https://localhost:443
  - service: http_status:404

Internal routing to specific applications is handled by Nginx, not by cloudflared. The tunnel daemon simply forwards requests to the appropriate local port.

Nginx acts as the single entry point for HTTPS traffic from the Cloudflare Tunnel. It routes requests to internal services and applications based on the Host header, enabling multiple services to share the same external port (443).

Example server block structure:

# Reverse proxy hardening (excerpt)
server_tokens off;

# Preserve real client IP from Cloudflare Tunnel
real_ip_header CF-Connecting-IP;

# Basic rate limiting
limit_req_zone $binary_remote_addr zone=global:20m rate=10r/s;

# TLS termination at Nginx (origin)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

Cloudflare CA Origin Certificates are used to secure the connection between Cloudflare and the local server. Public TLS termination occurs at Cloudflare's edge, with origin certificates securing the tunnel-to-Nginx connection.

This setup provides end-to-end encryption: Browser → Cloudflare (public cert) → Tunnel (encrypted) → Nginx (origin cert) → Services