Hacker News: aborsy's comments

The post is strange (even if not serious). Like, what do you expect?

If the provider deletes data in this situation, people complain. If the provider hosts data for free, there are people who still complain (even accuse the provider of dark patterns). Perhaps that’s why the focus is becoming enterprise customers.


> Like, what do you expect?

Fewer empty threats. A lot fewer.


Who is complaining that their storage provider kept a promise to not delete customer data?

I’m curious how secure TLS client authentication is if the database is exposed to the internet?

What are you talking about?

Public-key cryptography is well understood and used everywhere: HTTPS, SSH, Signal, etc.

See: https://en.wikipedia.org/wiki/Public-key_cryptography

In postgres specifically: https://www.postgresql.org/docs/16/ssl-tcp.html and https://www.postgresql.org/docs/16/runtime-config-connection...

You can enforce TLSv1.3 on all network connections using `ssl_min_protocol_version` (in postgres.conf) and `hostssl` (in pg_hba.conf).

This puts you ahead of most web servers which often still allow TLSv1.1.

You can make Postgres secure or not, your call. Just like with everything else.
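As an added illustration of the two settings named in the comment above (this is example configuration written for this page, not something the commenter posted), here is a permissive `postgresql.conf`/`pg_hba.conf` pair beside a hardened one. File paths, the `0.0.0.0/0` address range and the certificate file names are assumptions for the example; the parameter names and auth methods are the real PostgreSQL ones.

```conf
# --- postgresql.conf (assumed location: /etc/postgresql/16/main/) ---
ssl = on
ssl_cert_file = '/etc/postgresql/certs/server.crt'    # placeholder paths
ssl_key_file  = '/etc/postgresql/certs/server.key'
ssl_ca_file   = '/etc/postgresql/certs/client-ca.crt' # CA that issues client certs

# Weak: the default minimum is TLSv1.2, so older cipher suites and
# the TLS 1.2 handshake are still negotiable
#ssl_min_protocol_version = 'TLSv1.2'

# Hardened: refuse anything below TLSv1.3, as the comment describes
ssl_min_protocol_version = 'TLSv1.3'

# --- pg_hba.conf ---
# TYPE      DATABASE  USER  ADDRESS     METHOD         [OPTIONS]

# Weak: a plain 'host' line matches BOTH TLS and cleartext connections,
# and a password is the only credential
#host       all       all   0.0.0.0/0   scram-sha-256

# Hardened: reject any connection that did not negotiate TLS...
hostnossl   all       all   0.0.0.0/0   reject
hostnossl   all       all   ::/0        reject

# ...then require a client certificate signed by ssl_ca_file.
# 'cert' makes the certificate itself the credential (its CN must match
# the database role), so no password is exchanged at all:
hostssl     all       all   0.0.0.0/0   cert
hostssl     all       all   ::/0        cert

# Alternative: keep password auth but ALSO demand a valid client
# certificate whose CN matches the role ("client certs in front of
# normal auth"). Use one style or the other for a given address range.
#hostssl    all       all   0.0.0.0/0   scram-sha-256  clientcert=verify-full
```

After editing, `SELECT pg_reload_conf();` picks up `pg_hba.conf` changes, while changing `ssl` or the certificate files needs a restart. A client then connects with libpq parameters such as `sslmode=verify-full sslcert=client.crt sslkey=client.key sslrootcert=server-ca.crt`; a client that presents no certificate, or one whose CN does not match the role, is refused before any SQL runs.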


I would note that, although obviously the confidentiality in TLS is based on public key cryptography, authentication by mTLS doesn’t reach the cryptography part.

The process starts with a client and server hello. Then the server sends its certificate to the client, and the client sends its certificate to the server. The server verifies that the client’s certificate is signed by a certificate authority in its trust store. That’s the authentication part. The client’s private key is not used.

The confidentiality comes next if authentication is successful.

I asked because X509 certificates are complex and difficult to securely parse. Also mTLS is rarely used.


Your suggested solution, Cloudflare Tunnels, man-in-the-middles the traffic and it’s not an end-to-end tunnel. It’s a tunnel to Cloudflare! The users should be warned about this!

You could put Authentik in front. It does Cloudflare stuff on VPS.

No ACLs in front. I don’t know how much that could be done, but at least IP filtering.

Tailscale, Caddy.

Does not have ACL in front of funnel, can be rate limited since it goes through relays, and probably can’t use a custom domain.

The problem is, since the reverse proxy and authentication system face the internet, you are responsible for maintaining its security.

Software has vulnerabilities. Like Nginx Proxy Manager had vulnerabilities and the developer didn’t patch some.

With a cloud based proxy, a third party handles authentication. But then, they shouldn’t access data.


For purely personal stuff which I only access from my devices, I use SSL client certificates in front of normal auth. The rest of services are mostly public anyway.

It’s a great product, but unfortunately they terminate the TLS and scan the traffic. It’s the same as hosting the data on Google or Microsoft (except you pay for the hardware also). It should not be considered self-hosted.

Is there a reverse proxy where the client makes a TLS connection to the proxy, proves their identity, and, if successful, is allowed by the proxy to initiate a new TLS connection to the server at home using that server’s certificate?


I would add QubesOS-like sandboxing with microkernels.
