Can’t wait for Matter and Thread become more mainstream. Local first (and device level egress blocked by VLAN) for the win.

Cool. So don’t use their app. I’d imagine HomeAssistant usage cannot be tracked as it wouldn’t go through their app.

FWIW, I’m all in on HomeKit, so I only control over Home app for my light switches from another vendor, and I’ve got no skin in the game with Leviton, but same idea applies. No vendor apps means their app based tracking are much less relevant.

Are Lutron and Leviton the same company? I’ve always wondered but never found any definitive confirmation one way or another.

Edit: see, two replies, two answers… shrouded in mystery haha

Seems to be more on the web side of things for affiliate marketing, not necessarily light switch usage patterns? At least the pasted/quoted bit doesn’t suggest that it’d cover interactions with the devices.

Does Wireguard have a centralized server that the server at home connect to in order to expose itself? If not, I don’t see how it’d work for OP, because at this point, based on info shared, I’m inclined to think OP is having trouble exposing ports (be it ISP imposed or knowledge gap) as opposed to having issue with the service / vendor.

521 = Origin server down; I.e. the port is not open and/or the IP address is incorrect all together.

522 = Origin server time out; I.e. the port might be open but no content is being sent back.

If you’re seeing 521, then Cloudflare cannot establish a connection to port 80/443 on your IP address in the A record. Bearing in mind that in order for someone from outside of your LAN (i.e CloudFlare) to have access to your services, they must be able to reach the service, so this value should be your external IP address, not an internal address. Once you have your external address keyed into the record, have someone else not in your home try to access that IP/port combination and see what happens. If they cannot access, then port forwarding is not setup or your ISP is blocking, or you’re behind some CGNAT. If they can access, then something else is at play (origin IP filtering comes to mind).

521 usually means they cannot reach your server properly. Was the router change due to a new ISP, and does the new ISP block port 80/443? Did you re-make all the relevant port forwarding rules? Changing CDN won’t change anything if your ports are closed/not responding as expected.

The biggest fear would be when you’re rebuilding, you’re putting extra stress on the other drives, thereby increasing the risk of them, too, dying.

On the product offering page for Free DDoS Web Protection, the features table shows that “Unmetered DDoS Protection” is available for everyone regardless of tier from Free all the way up to Enterprise. This change was rolled out on 2017-09-25, prior to this, there was a certain amount of throughput depending on price point (though, still very generous for the free tier from what I remembered).

Sometimes, people make up their mind about something and never update their knowledge, and it would appear this is one of those case here.

No problem! I appreciate the civil discussion! Thank you!

The free tier rolled out was specifically to address upstream vendors patching Log4J too slowly. They’re able to monitor the requests and intercept malicious patterns before it hits the server running unpatched (due to upstream unavailable yet) applications. They are updating with more rules for the free tier set as far as they’ve stated. The extras from paid tiers are more extra rulesets and more analytics around what was blocked etc.

At the end of the day though, you do you; the benefit for me may not be benefit for you. I’m not selling their service, and have no benefit what so ever should anyone opt into their services.

The difference in my opinion is that doesn’t matter how fast upstream vendors patch issues, there’s a window between issue being detected, patch being implemented, release getting pushed, notification of release gets received, and then finally update getting deployed. Whereas at least on cloud WAF front, they are able to look at requests across all sites, run analysis, and deploy instantly.

There is a free tier with their basic “Free managed ruleset”, which they’ve deployed for everyone with orange cloud enabled when we saw the Log4J issue couple years back. This protection applies for all applications, not just the ones that were able to turn around quickly with a patch.

If you want more bells and whistles, there’s a fee associated with it, and I understand having fees is not for everyone, though the price point is much lower – you get some more WAF feature on the $25/mn ($20/mn amortized when paid annually) tier as well before having to fork out the full $250/mn ($200/mn when paid annually) tier. There’s a documentation page on all the price points and rulesets available.

It’d be a challenge to keep up — 0 days aren’t going to be added to self hosted solution faster than they could be detected and deployed on a massively leveraged system. Economy of scales at full display.

Security.

Cloudflare handles a very large amount of traffic and sees many different types of attacks (thinks CSRF, injections, etc.). It is unlikely that you or me will be individually targeted, but drive-bys are a thing, and thanks to the amount of traffic they monitor, the WAF will more likely block out anything and patch before I’m able to update my apps on 0 days.

Also, while WAF is a paid feature, other free features, such as free DDOS attack protection, help prevent other attacks.

It’s a trade off, sure; they’re technically MITM’ing your traffic, but frankly, I don’t care. Much like no one cares to target/attack me individually, they aren’t going to look at my content individually.

Additionally, it also makes accessing things much easier. Also, it is much more likely I’d find a SME using Cloudflare than some janky custom self hosted tunnel setup. So from a using homelab as a learning for professional experience point of view, it is much more applicable as well.

Self hosting email on non-mission critical domain for learning purposes might be okay if your intention is to get into the industry. Self hosting email for others on more production like setting you’re going to find yourself in a world of pain.

All it takes is one missed email (be it not making into their intended recipient’s inbox, or them not receiving an important notice in their inbox) and you’re never going to hear the end of it.

You’d also be liable for content your users send out from your servers — and I don’t mean the spam type, though if you get your IP blacklisted, your provider may want to have a word with you.

I’d strongly advise against going down this path, but if you do, be sure to have ways to legally shield yourself from any sort of potential liabilities.

There’s a vocal handful group of people disliking CloudFlare because of their irrelevant “privacy” concern here — you can absolutely use the registrar without using their CDN features. Also, reality check: with CloudFlare’s market reach, there’s zero chance nothing they do online isn’t already MITM’ed already. Having said that, Cloudflare uses their registrar as loss leader, so they give their wholesale price to end users registering, and as such you’ll have the cheapest price available for the domain extensions they support. You can then just set your DNS without their orange cloud and traffic on your domain aren’t going to flow through their CDN.

Although most providers do over provision, due to mostly bursty nature of most services, you’re probably less likely going to notice the shared aspect as opposed to the general age of the system. So it may be a good idea to take a quick peek at your VPS’s processor and compare that against what you’d be auctioning for. 1 older core (I.e. E5-2687W) is not going to be able to put up same amount of work against 1 newer core (I.e. AMD EPYC 7763) — brands and actual models are less relevant, just the idea of age gap that’s more important.

If you want to be absolutely sure, it may be just a good idea to budget for some duration where you’d pay for both services (you’d need some time to migrate everything anyway), and run benchmarks on both systems to see what you’d get out of each, then decide which one to keep.

You could use just a simple Apache (or even some simpler static file server) with no authentication what so ever, but only accessible to your own network. Then, add a Reverse Proxy Gateway such as Traefik, Caddy or whatever else, and add Authentik as a Middleware. User heads to the site (I.e.: https://files.yourdomain.ext/), Reverse Proxy Gateway bounces the request to the Middleware (I.e. Authentik), requires the SSO via whatever authority you’ve got setup, gets bounced back, and then your Reverse Proxy Gateway serves up the static content via the internal network without authentication (i.e.: http://172.16.10.3/).

Check out Forward Auth section of Authentik docs here: https://goauthentik.io/docs/providers/proxy/forward_auth

Also aim for non-networked TVs or they might be doing ACR and phoning home, even if you’re watching your own physical content. A former coworker on ad selling side mentioned before ACR on smart TVs, companies like Nielsen and alike would track content using digital fingerprints hidden in the overscan part of your TV. So there’s all sorts of creepy tracking tech all over.

If privacy is the concern, you should really read the breakdown from Mozilla someone shared. Can’t miss it, large wall of text in this thread. Apple ecosystem is much better than others in the privacy department. The other players are much worse when it comes to personal data collection and selling.