Cloudflare
What is Cloudflare? According to their website:
Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable.
We use a bunch of Cloudflare's services to protect the network and services at a very low to no cost.
Websites
Currently, as of 5/2023, SABTS owns sabts.org, .net, .live, .cloud, .dev, and sabts-cloud.com. All but .org and .net are connected through Cloudflare and purchased through Google Domains. SABTS.Live is accelerated through Cloudflare's Edge to make it quick. The .dev domain hosts an attempt at making a new website for the church as well as Home Assistant on ha.sabts.dev. The .cloud domain redirects to sabts-cloud.com because the .cloud ending broke the Nextcloud app. Frigate is also on .cloud at frigate.sabts.cloud.
Connecting domain names to Cloudflare, or just buying them through Cloudflare, lets you proxy their traffic through Cloudflare's Edge. This protects sites from DDoS attacks and allows for more granular access control, including bot protection, blocking countries from accessing the sites, and Access login walls.
Stream
An experiment that sort of morphed into a permanent solution to a mostly non-existent problem, but useful nonetheless, SABTS.Live is made possible by Stream. When we livestream on Sundays, we send the stream to Cloudflare first, which then forwards it on to YouTube and shows the stream on SABTS.Live.
Stream is pretty low cost and works well enough.
Stream and SABTS.Live are relatively high maintenance: after or during each service, a new post has to be made on SABTS.Live and the stream code embedded in the post. And since we pay for storage, videos need to be transitioned from Stream to YouTube embeds after a few months to keep costs low. As is, we pay $40 a month for the website and Stream storage and viewing.
Zero Trust
Cloudflare's Zero Trust suite of tools is super useful. If you're reading this, you've interacted with it!
Access
Access protects most of the services hosted on campus as well as this site. As mentioned above, to get onto the site, you had to authenticate through an Access login page. Access protects SABTS Docs and Frigate.
Access also includes Tunnels. A Tunnel is installed on a host machine, and then, through the Cloudflare dashboard, you set it up to connect a domain name to a local IP address. All of the traffic is tunneled through to Cloudflare's Edge, which then allows public access, all while keeping the local network secure. We use Tunnels for Home Assistant and Frigate.
Normally, if you wanted to host a website, you would have to open a port on your network, basically punching a hole into which traffic from the internet can flow. Normal networks only allow internal clients to open connections to the outside internet, not the other way around. Tunnels allow you to avoid punching holes in the network and let Cloudflare's servers handle securely connecting to your website as well as protecting it.
Gateway
Gateway adds an additional layer of protection and control over the network. The Dream Machine Pro's DNS settings point to Cloudflare's Gateway DNS servers, so all DNS queries from on campus route through Cloudflare. Gateway policies block known malware and ads and, as of recently, the .zip, .pdf and .mov domain name endings due to their similarity to file endings.
As of 5/2023, the .zip, .pdf, and .mov TLDs (domain endings, like .com) are available. The issue is that those TLDs conflict with file formats, which makes it very easy for files to be disguised as links and vice versa, and for links that look like legitimate file downloads to actually take you somewhere else. This is why Gateway is now blocking those TLDs. This protects all networks on campus and anyone actively using the Warp client connected to our Zero Trust organization.
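To make the policy's matching rule concrete, here is an added example (not Cloudflare's code and not part of our Gateway configuration) that models the decision over a constructed DNS query log. The log format, client addresses and query names are assumptions made up for the illustration; only the blocked TLD list comes from this page.

```python
from collections import defaultdict

# TLDs this page says the Gateway policy blocks.
BLOCKED_TLDS = frozenset({"zip", "pdf", "mov"})

# Constructed sample DNS query log (time, client, query name, type); not real data.
SAMPLE_LOG = """\
2023-05-20T10:01:02Z 192.0.2.10 sabts.live. A
2023-05-20T10:01:05Z 192.0.2.11 Invoice-2023.ZIP. A
2023-05-20T10:01:09Z 192.0.2.11 zip.example.com. A
2023-05-20T10:02:30Z 192.0.2.12 sermon-notes.pdf AAAA
2023-05-20T10:03:00Z 192.0.2.10 clip.mov.example.org. A
2023-05-20T10:03:41Z 192.0.2.12 trailer.mov. A
"""

def tld_of(qname):
    """Return the top-level label of a DNS name, lower-cased, ignoring the root dot."""
    labels = qname.strip().rstrip(".").lower().split(".")
    return labels[-1]

def decide(qname):
    """'block' only when the last label is a blocked TLD; inner labels do not count."""
    return "block" if tld_of(qname) in BLOCKED_TLDS else "allow"

def blocked_by_client(log_text):
    """Map each client IP to the blocked names it asked for, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, qname, _qtype = fields
        if decide(qname) == "block":
            hits[client].append(qname.rstrip(".").lower())
    return dict(hits)

if __name__ == "__main__":
    for client, names in blocked_by_client(SAMPLE_LOG).items():
        print(client, names)
```

Names such as zip.example.com stay reachable because only the final label is compared, while a name like Invoice-2023.ZIP is blocked regardless of case or a trailing root dot.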
Warp Client
The Warp client should not be necessary for anyone and will cause problems with SABTS.Cloud when accessing it on campus. I (Alton) ditched it in favor of not breaking things and then needing to fix them remotely. That being said, Warp is a free VPN from Cloudflare, and if connected to our Cloudflare organization (sabts), it adds the same campus-wide protections to your device anywhere you go, as well as allowing you to access the main internal network from anywhere. Do note that once connected to Zero Trust, it can't be closed. It can be turned off, but the actual program will not close; it just sits in the taskbar on your desktop.
Pages
Cloudflare Pages is a static website hosting service that integrates with GitHub. It's free, and it's what's hosting this site. It integrates with Cloudflare Access so that only authorized emails can access this site.