Is it compatible with LNDhub? #7
Hello and thank you very much for your solution! It looks very interesting, especially now that Blue Wallet dropped support for Tor on Android and iOS (see BlueWallet/BlueWallet#5950). Do you think it would be safe to use Cloudflare to expose LNDhub? Here is what worries me:
Do you think it would work? I understand the credentials would be encrypted from Blue Wallet to Cloudflare (because it's HTTPS), and then from Cloudflare to Umbrel (via the tunnel). But if the SSL certificate is managed by Cloudflare, wouldn't they be able to decrypt the traffic and retrieve the credentials?
Replies: 3 comments 2 replies
Hello. I haven't tried exposing LNDhub, but if it is based on HTTP (unlike the Electrum server, for example), then it could work over Cloudflare Tunnel. Indeed, Cloudflare servers decrypt and process (cache, page rules, etc.) your traffic, as it is essentially a trusted intermediary between your server and the end user. Even if you use the classic Cloudflare DNS setup with strict full SSL – there are still 2 connections with Cloudflare server in the middle doing the same. Whether you trust that no living person is inspecting your unencrypted traffic on Cloudflare's servers is up to you.
Alternatively, for $5/month you can get your very own VPS server with a dedicated IP, set up a WireGuard tunnel to it and expose whatever you want – even non-HTTP services, like Electrum server.
Thanks for your answer. I don't think the VPS solution is perfect either as the provider has access to the SSL certificate on the virtual machine (via the host). Even if the disk is encrypted, I understand the key resides in RAM while the machine is ON (decrypted) so it's still possible. So I imagine the only perfect solution is to install a self-signed SSL certificate on Umbrel. Would it work with Cloudflare? Sorry if the question is stupid, I am just not familiar with Cloudflare...