Taking Nextcloud Public: Exposing your Home Lab to the Internet with Cloudflare

by | Jun 15, 2023


Introduction

This is a new addition to our series of posts on building a Kubernetes Home Lab. In this article we focus on how to expose your Kubernetes home lab to the internet. If you’re just getting started, you can start with the first post, or find all of the series using the Home Lab 101 tag.

In the last post, DIY Cloud Storage: Running Nextcloud on a Kubernetes Home Lab, we discussed what Nextcloud is, why one would consider hosting it, and how to install it on your own Kubernetes Home Lab. In this post we take it a step further. If the machines in your infrastructure aren’t public facing, the setup we have so far is only reachable from inside your network. If you want to access it from anywhere else, or share it with someone who isn’t on your network, that won’t work. Even if the machines are public facing, the setup would be vulnerable to attacks, since Nextcloud is currently served over plain HTTP. Let’s see how you can address that using Cloudflare services. The same approach works for any service you want to expose to the internet from your Kubernetes home lab.

Overview

There are multiple ways to expose your home lab services to the internet over HTTPS. In this post we’ll see how to do it using Cloudflare. Cloudflare is a cost-effective domain name provider that also offers website security, performance and network security services, many of which have a free tier. We will use Cloudflare services to create SSL certificates and to expose the home lab to the internet through a Cloudflare Tunnel. Here are the steps we need to take.

  1. Get a domain name
  2. Create SSL certificates
  3. Install a Cloudflare Tunnel
  4. Update Nextcloud Apache configuration
  5. Configure Acorn

Let’s discuss these steps in detail below.

Domain Name

To access our Nextcloud service on the Internet easily, we need a domain name. Since we used Acorn to install Nextcloud, it already provides a free-of-cost URL on Acorn’s domain, i.e. on-acorn.io. However, we need a domain managed by Cloudflare in order to use the Cloudflare Tunnel. The Cloudflare Tunnel lets us expose private instances to the internet. More on that later.

You don’t necessarily need to purchase a domain on Cloudflare though. If you have an existing domain registered with another provider, you can transfer it to Cloudflare and start using its services. See the Cloudflare documentation for the transfer process.

SSL Certificates

SSL certificates are required to serve the site over HTTPS, so that the HTTP traffic is encrypted in transit. There are multiple ways of getting SSL certificates for your site. Some popular options are as follows.

  1. Generate self-signed certificates yourself using utilities like openssl.
  2. Use Let’s Encrypt to obtain CA-signed SSL certificates.
  3. Use your domain provider’s services to obtain CA-signed SSL certificates.

The first two options are free. The third option may require an additional fee, depending on your domain provider. Cloudflare provides CA-signed SSL certificates for free, which are valid for three months at a time. You need to renew the certificates every three months, which again can be done for free.

I am using the Cloudflare-provided SSL certificates for two reasons: they are free, and they work seamlessly with the Cloudflare Tunnel.

To create SSL certificates in Cloudflare, go to SSL/TLS -> Origin Server under your site in the Cloudflare dashboard and click on “Create Certificate”.

Add SSL certificates to your domain using Cloudflare dashboard

Create a Cloudflare Tunnel

The Cloudflare Tunnel lets you expose your services to the Internet without needing a public (internet-reachable) IP address. It does so by creating a bi-directional channel between Cloudflare’s servers and your machine; the connection is initiated outbound from your machine, so no inbound port needs to be opened. For a deeper understanding of how it works, refer to the Cloudflare Tunnel documentation.

Create a Cloudflare Tunnel using the steps below.

  1. Enable Cloudflare Zero Trust from the Cloudflare dashboard, if it is not enabled already. Follow the steps in the Cloudflare documentation to enable it.
  2. Go to Access -> Tunnels in the Cloudflare Zero Trust dashboard and click on “Create a tunnel”.
  3. Enter a tunnel name and click Next.
  4. Use the commands displayed on the following screen to install the tunneling utility cloudflared and create a tunnel.
  5. After the tunnel installs successfully and connects to Cloudflare’s servers, it shows up on the dashboard and the Next button is enabled. Click Next once it is enabled.
  6. On the third and final screen, click on the “Public Hostname” tab. Choose the domain under which you want to expose your Nextcloud service and optionally enter a subdomain.
  7. On the same screen, enter the URL of the service you want to expose to the Internet.

In my case the Nextcloud installation is exposed via the Traefik Ingress controller on my K3s cluster. Since Traefik exposes its services through the load balancer available on port 80 of every K3s cluster machine, and cloudflared was installed on one of those machines, I can simply use http://localhost as the service URL in the last step.

Configure Cloudflare tunnel to expose your service

This creates a tunnel between your machine and the Cloudflare Tunnel servers. Cloudflare then routes any traffic for the selected public hostname to the selected service URL on your machine. It also configures the SSL certificates you created in the previous step to secure your service.

Update Nextcloud Config.php

The Nextcloud image we used in the previous post has an inbuilt Apache web server, which serves pages over HTTP by default. Since we have now configured our Cloudflare Tunnel to serve the Nextcloud service over HTTPS, we need to reflect that in the Apache configuration as well; otherwise Nextcloud keeps generating http:// links and redirects behind the HTTPS front end. As you can see in our Acornfile for the Nextcloud deployment, the Apache config directory is mounted as a volume. The volume name is nextcloud-pvc-nfs-data and the configuration is mounted under a subpath named config.

Nextcloud Apache configuration volume mount

So navigate to the config directory inside the NFS volume share and edit the file config.php. Add the line below to the configuration.

'overwriteprotocol' => 'https',
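A check worth running after this edit, added here as an example that is not from the original post or from Nextcloud: a small Python script that parses config.php and confirms that overwriteprotocol is set to https and that the tunnel hostname (PUBLIC_HOST, a placeholder) is listed in trusted_domains, which Nextcloud requires for any new hostname it is reached on. The sample config.php is constructed for the example.

```python
"""Check that a Nextcloud config.php is ready to sit behind a TLS-terminating
Cloudflare Tunnel. Added example; not part of the original post or of Nextcloud."""
import re

# Constructed sample: a config.php after the post's one-line edit, but with
# the tunnel hostname not yet added to trusted_domains.
SAMPLE_CONFIG_PHP = r"""<?php
$CONFIG = array (
  'instanceid' => 'ocxxxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'nextcloud.on-acorn.io',
  ),
  'datadirectory' => '/var/www/html/data',
  'overwrite.cli.url' => 'http://localhost',
  'overwriteprotocol' => 'https',
);
"""

PUBLIC_HOST = "nextcloud.example.com"  # placeholder for your tunnel hostname


def scalar(config: str, key: str):
    """Return the string value of a top-level scalar key, or None if absent."""
    m = re.search(r"'%s'\s*=>\s*'([^']*)'" % re.escape(key), config)
    return m.group(1) if m else None


def string_list(config: str, key: str):
    """Return the string entries of a top-level array(...) key."""
    m = re.search(r"'%s'\s*=>\s*array\s*\((.*?)\)" % re.escape(key), config, re.S)
    return re.findall(r"\d+\s*=>\s*'([^']*)'", m.group(1)) if m else []


def check_config(config: str, public_host: str):
    """Return a list of problems; an empty list means the config is tunnel-ready."""
    problems = []
    if scalar(config, "overwriteprotocol") != "https":
        problems.append("overwriteprotocol is not 'https': Nextcloud will build http:// links and redirects")
    if public_host not in string_list(config, "trusted_domains"):
        problems.append(f"{public_host} missing from trusted_domains: Nextcloud refuses requests for untrusted domains")
    cli = scalar(config, "overwrite.cli.url")
    if cli and not cli.startswith("https://"):
        problems.append("overwrite.cli.url still uses http://")
    return problems


if __name__ == "__main__":
    for p in check_config(SAMPLE_CONFIG_PHP, PUBLIC_HOST):
        print("WARN:", p)
```

Point the script at your real config.php (read it from the NFS share instead of SAMPLE_CONFIG_PHP) and fix every warning before opening the tunnel.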

Configure Acorn

When we run an application using Acorn, it packages the application according to the Acornfile, runs it, and returns a URL for each of the application’s HTTP ports. By default the returned URLs use Acorn’s domain, i.e. “on-acorn.io”. Acorn does this by creating a DNS record for the specific URL and a Kubernetes Ingress object. The Ingress object contains a rule the Ingress controller uses to route all traffic for that hostname to the particular application.

Since we now have our own domain name to use with our application, we need to configure Acorn to use specific hostnames instead of the default generated ones. We do this by setting the cluster domain and the Acorn endpoint pattern on the Acorn installation.

We’d also like Acorn to leave the DNS management to us by disabling the Acorn DNS feature.

Run the following command to update the Acorn configuration.

$ acorn install --acorn-dns disabled \
--cluster-domain sameerkulkarni.in \
--http-endpoint-pattern "{{.Container}}.{{.ClusterDomain}}"

You do not need to uninstall the existing Acorn installation or stop/remove any running applications to run this command. It reconfigures the existing Acorn installation and also updates the Ingress objects to use the new cluster domain and endpoint pattern.

Run the command below to confirm that Acorn has updated the URL of our Nextcloud application.

Confirm if the Acorn configuration has taken effect

Once this is done, you can now access your Nextcloud instance from anywhere over a secure connection.

Nextcloud available over secure connection

The image below shows that I can access my Nextcloud instance on my smartphone even when I’m not connected to my home Wi-Fi.

Nextcloud service accessible outside the home network

Closing Thoughts

In this post I have covered how you can expose your Home Lab to the Internet over HTTPS using Cloudflare services, with Nextcloud as the example. Of course, there are other options for each step: you can use Let’s Encrypt and cert-manager to create and configure SSL certificates, use ngrok instead of cloudflared to create the tunnel, or use machines with public IP addresses. The approach followed in this post is one of the easiest ways to achieve this seamlessly with free-tier services, but it’s not the only way.

Acorn also has a Let’s Encrypt integration to seamlessly generate and configure certificates. See the post Securing Acorn App Endpoints with TLS Certificates to learn how to use it with your application.

Conclusion

In this post we went over all the steps you need to take in order to expose your Nextcloud instance securely over the Internet. You can install a fresh instance of Nextcloud by going through the previous post, DIY Cloud Storage: The Fast and Easy Way to Install Nextcloud.

This was the eighth post in our series on home labs. If you haven’t checked out the other posts in this series, you can go through them using the list below.

  1. Building a Kubernetes Home Lab from the Ground Up
  2. Hardware and Networking Setup for My Home Lab
  3. Software Setup for My Home Lab
  4. Hosting Plex Media Server On My Home Lab
  5. Hosting Pi-hole on My Home Lab
  6. Creating an Application Dashboard for your Home Lab
  7. DIY Cloud Storage: Running Nextcloud on a Kubernetes Home Lab

If you want to learn more about Acorn you can go through the Acorn documentation or join an upcoming Acorn training class.

Sameer Kulkarni is a software engineer with 14+ years of experience and is working as a Principal Engineer at InfraCloud. You can chat with him on Twitter and read more of his work on Medium.
