What is Cloudflare?
Cloudflare is a company whose services sit in front of Saxon's websites. Think of them as a security guard and traffic director on the internet.
Saxon used Cloudflare for saxobroko.com — including DNS, protection, tunnels, and hosting for some sites.
What Cloudflare does for Saxon (simple list)
| Job | Plain English |
|---|---|
| DNS | Knows where each *.saxobroko.com name should go |
| HTTPS / SSL | Padlock in the browser — encrypted connections |
| WAF | Blocks hackers and junk traffic; block no aus limits homelab to Australia |
| Tunnel | Safe path from internet to home server without opening router holes |
| Pages | Hosts static sites like docs.saxobroko.com |
| Access | Extra login step for docs — with Authentik |
Two patterns Saxon used
1. Cloudflare Pages (docs and homepage)
Files are built and stored on Cloudflare. No home server required for:
2. Cloudflare Tunnel (homelab apps)
Apps run on TrueNAS at home. A small program cloudflared on the server keeps a connection outbound to Cloudflare. Visitors hit Cloudflare first, then the tunnel.
Examples: vault.saxobroko.com, stream.saxobroko.com, dsm.saxobroko.com.
Why Saxon needed this
Saxon's internet uses CGNAT — he could not simply "forward a port" on the router. Tunnels solve that. See Network doc.
Cloudflare account access
Do not delete the Cloudflare account casually
Losing Cloudflare can break every saxobroko.com address, email routing, and tunnels. Login uses YubiKey — see YubiKey doc and passwords intro.
Ryan should keep paying the domain and any Cloudflare plan if the estate continues the homelab.
Cloudflare Access (docs login)
docs.saxobroko.com asks who you are before showing pages. That is Cloudflare Access, linked to Authentik at auth.saxobroko.com.
Steps: Open the docs site.
If this goes wrong
All public mirrors work but homelab URLs fail
- Tunnel or home internet issue — not necessarily Cloudflare DNS.
Locked out of Cloudflare dashboard
- Need Saxon's account + YubiKey. Do not create a conflicting second account without understanding DNS transfer.
"Blocked" from outside Australia
- block no aus WAF rule — intentional for homelab. Use from Australia or home network.