mindboggle
n3wb
Quick follow-up to my previous post. Since I don't like the idea of port forwarding, I decided to work around it by using a secure tunnel via Cloudflare. This is a free service that opens a tunnel to your local machine via a specified port. The only downside is that you need a domain name in Cloudflare, so that's around $10 a year. I already have a domain, so it's no big deal to me.
Once I created the tunnel, I added a WAF rule for the subdomain serving the tunnel to block any traffic without the token in the URL. Then I gave cloud.openalpr.com the webhook URL with the verification token, effectively making that service the only one that can access the tunnel. All other attempts to access the subdomain without the token are blocked.
To access the webhook processor locally, I continue to use my internal IP address. And since I already run a VPN on my devices, I can access that IP address wherever I need to.
At some point I may see if I can get cloud.openalpr.com running locally (it doesn't seem to work in Docker), but until then, I think this is a good security option.
Here are the steps I took. Thought it might be helpful to someone else out there.
Once I created the tunnel, I added a WAF rule for the subdomain serving the tunnel to block any traffic without the token in the URL. Then I gave cloud.openalpr.com the webhook URL with the verification token, effectively making that service the only one that can access the tunnel. All other attempts to access the subdomain without the token are blocked.
To access the webhook processor locally, I continue to use my internal IP address. And since I already run a VPN on my devices, I can access that IP address wherever I need to.
At some point I may see if I can get cloud.openalpr.com running locally (it doesn't seem to work in Docker), but until then, I think this is a good security option.
Here are the steps I took. Thought it might be helpful to someone else out there.
- Setup a Cloudflare account and associate a domain with it.
- Install cloudflared: Downloads · Cloudflare Zero Trust docs
- Setup a tunnel using this command:
- cloudflared tunnel create your-tunnel-name
- cloudflared tunnel route dns your-tunnel-name yoursubdomain.yourdomain.com
- cloudflared tunnel run --url http://localhost:YOURPORT your-tunnel-name
- Make sure you put in the port for your webhook processor server.
- Run in background:
- Append to the shell script in my previous post: nohup cloudflared tunnel run --url http://localhost:YOURPORT your-tunnel-name &
- For Mac, you can also run as a service: Run as a service on macOS · Cloudflare Zero Trust docs
- Check to make sure everything is running with this command “cloudflared tunnel info your-tunnel-name” or in the Cloudflare dashboard.
- Next, go to your domain in Cloudflare and setup a WAF rule with this expression:
- (http.host eq "yoursubdomain.yourdomain.com" and http.request.uri.query ne "verify=put_a_long_token_here”)
- Have the action set to “Block”
- Go to Login - OpenALPR by Rekor and change your webhook link to:
- Now get something like Tailscale (Tailscale · Best VPN Service for Secure Networks) running. This will allow you to continue going to your localhost (via your internal IP) on any device running Tailscale without getting blocked.
- Final step is to remove the port forwarding on your router.
