Use SilverBullet with Cloudflare Zero Trust

If you would like to self-host SilverBullet but gain (secure) access to it from outside your local network without having to install VPN clients, Cloudflare Zero Trust is a good way to achieve this. For this use case it’s free.

You will need a few things:

  1. A SilverBullet instance running somewhere. This can be anywhere that is Internet connected: a server on your LAN, a cheap VPS, or even your local laptop (although SB will only be reachable while it is on).
  2. A domain name you control. Domains are cheap these days, you can purchase one from e.g. namecheap or even from Cloudflare itself.
  3. A Cloudflare account with a credit card connected to it (you will not be charged, but they do require you to enter a credit card).

Architecturally, this is roughly how it works:

You install a tool named cloudflared on a machine with access to your SilverBullet instance (typically the same machine where SB runs) and register it with Cloudflare. This tool sets up a secure outbound tunnel to the Cloudflare infrastructure, so no inbound port needs to be opened on your side.

You then map a subdomain under your domain to route traffic through this tunnel via cloudflared, which in turn proxies it to SilverBullet.

On top of this, the Cloudflare CDN and Cloudflare’s own authentication add an additional layer of protection in front of SilverBullet.

Setup

In this guide we’ll assume you own the domain test.com and would like to use silverbullet.test.com to access it.

Step 1: Migrate your domain’s DNS to Cloudflare and Disable Caching

After logging into Cloudflare, select Domains on the left and then click the “Onboard a domain” button. Follow the instructions to move your domain (primarily its DNS records) to Cloudflare. Alternatively, you can also select “Buy a domain” to buy a domain directly from Cloudflare — they are competitively priced.

Cloudflare is primarily a network protection and caching company and therefore really likes to cache things. This is not always great for SilverBullet, so we’ll disable a lot of this behavior.

Under “Domains” select your domain. Then on the left under “Caching” select “Cache Rules” and “Create a new rule”.

Give it a descriptive name like “Bypass cache for SB”. Then select “Custom filter expression”. Under “When incoming requests match…”, set Field to “URI Full”, Operator to “wildcard” and Value to https://silverbullet.test.com/*. Under “Cache eligibility” select “Bypass cache”.

Hit “Save”.

Cloudflare will now disable caching for SilverBullet, which is a bit sub-optimal (many assets can in fact be cached) but will avoid some caching issues you may face otherwise.

Step 2: Set up a tunnel

In the left menu, select “Zero Trust” to enter the Zero Trust area. This is where you configure all your self-hosting magic.

Under “Networks” select “Connectors” and then under “Cloudflare Tunnels” click “Create a tunnel” and then “Select Cloudflared”.

Pick a name for your tunnel. Note that you can expose multiple services on a single machine via one tunnel, so it makes sense to name the tunnel after the machine it will be installed on. For example “docker-host”.

In the next step you will be given instructions, which differ depending on the operating system of the machine where SilverBullet runs. Follow them to set up the tunnel connector.

Once the tunnel is properly connected we can continue.

In the “Route Traffic” stage we can select a subdomain on our configured domain to tunnel to SilverBullet. As mentioned, for this guide we’ll use the hostname silverbullet on the domain test.com.

Therefore, under Subdomain enter “silverbullet” and under Domain “test.com”, and leave Path empty.

Under “Service” select Type “HTTP” and URL “localhost:3000” if you are running SilverBullet on port 3000.

At this stage you should be able to access SilverBullet via https://silverbullet.test.com but there is no additional authentication yet.

If you enabled SilverBullet’s own authentication (e.g. via SB_USER), this setup may already be fine for you. The only risk is that the Internet is a wild place: bots and scrapers may randomly hit your subdomain, which can result in a lot of traffic to your SB instance that you may not be happy about. To avoid this it’s good to add an additional layer of authentication (provided by Cloudflare itself) to block all this out before it ever reaches SilverBullet.

So let’s set this up next.

Step 3: Set up authentication

In the left menu (still in the context of Zero Trust) under “Access controls” select “Applications” and then “Add an application” and then select “Self-hosted”.

Pick an application name, for instance “SilverBullet” and then click “Add public hostname”.

Here select the same Subdomain and Domain combination we set up earlier.

Under “Access policies” click “Create new policy”. This will open a new tab. Give it a descriptive name like “SB access” with Action “Allow” and leave Session duration as it is.

The simplest option is to use your own email address as the authentication mechanism (a one-time token will be emailed to you to log in). To do this, under “Include” use the Selector “Emails” and then enter your e-mail address under Value. Scroll down and hit Save. You will likely now be redirected to your Policies list. Close this tab, go back to your “Add application” tab and choose “Select existing policies”, where you can now select your newly created policy. Click Confirm. Then hit Next, Next, Save.

Now when you reload your silverbullet.test.com site you will be prompted to log in.

To allow SilverBullet to function properly as a PWA (offline capability, sync), a few routes need to be accessible without authentication. Let’s set this up next.

Step 4: Set up PWA support

For this we’re going to add a second application. So under “Access controls”, then “Applications”, select “Add an application” again.

Select “Self-hosted” again.

Name this one something along the lines of “SilverBullet bypass”.

Select “Add public hostname”. Select the same Subdomain and Domain as before, but as Path enter service_worker.js.

Then click “Add public hostname” again to add a second rule. Enter the same Subdomain and Domain, but as Path enter .client/*.

This configuration allows unauthenticated access to only the service worker and the client files, which is perfectly secure (they are static assets, not your notes) and a requirement for PWA functionality to work.

Then, create another Access policy with the “Create new policy” button and name it e.g. “SB bypass”. As Action select “Bypass” and as Include Selector select “Everyone”. Leave everything else as it is, and hit Save.

Go back to your “Add application” tab and select the new “SB bypass” policy you just created.

Scroll down and hit Next, Next, Save.
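As an added check that is not part of the original guide, the small Python script below verifies the three settings above from the outside: the root of the site must redirect to the Cloudflare Access login, the two bypass paths must load without logging in, and nothing should come back as a cache HIT. It assumes the guide’s placeholder hostname silverbullet.test.com, that Access answers an unauthenticated request with a 302 to a *.cloudflareaccess.com login page, and that /.client/example.js is merely a constructed sample path under .client/*.

```python
# Added check script (not from the guide): verifies the Zero Trust setup above.
# Assumptions: HOST is the guide's placeholder; Cloudflare Access answers an
# unauthenticated request with a 302 to *.cloudflareaccess.com; a bypassed
# path returns 200; a working Cache Rule never yields cf-cache-status HIT.
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

HOST = "silverbullet.test.com"            # replace with your own hostname
PROTECTED = ["/"]                         # must redirect to the Access login
BYPASSED = ["/service_worker.js", "/.client/example.js"]  # constructed .client/* path

Response = Tuple[int, Dict[str, str]]     # (status, lowercase headers)
Fetcher = Callable[[str], Response]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):  # keep the 302 observable
        return None

def http_fetch(url: str) -> Response:
    """GET without following redirects; 3xx/4xx surface as HTTPError."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}

def check_path(fetch: Fetcher, path: str, expect_bypass: bool) -> Tuple[bool, str]:
    """Return (passed, reason) for one path, given the policy it should fall under."""
    status, headers = fetch(f"https://{HOST}{path}")
    to_access = status in (301, 302, 303, 307) and \
        ".cloudflareaccess.com" in headers.get("location", "")
    if expect_bypass:
        ok, why = status == 200, f"status {status} (bypass policy wants 200)"
    else:
        ok, why = to_access, ("redirected to Access login" if to_access
                              else f"status {status}, not behind Access")
    if headers.get("cf-cache-status", "").upper() == "HIT":  # step 1 rule missed
        ok, why = False, why + "; cf-cache-status HIT, cache rule not applied"
    return ok, why

def run_checks(fetch: Fetcher = http_fetch) -> Dict[str, Tuple[bool, str]]:
    """Check every protected and bypassed path; {path: (passed, reason)}."""
    results = {p: check_path(fetch, p, expect_bypass=False) for p in PROTECTED}
    results.update({p: check_path(fetch, p, expect_bypass=True) for p in BYPASSED})
    return results
```

Call run_checks() after setting HOST to your hostname; any entry with passed=False points at the step (Access policy, bypass policy or cache rule) that still needs attention.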

Step 5: Profit

You now have:

  1. A (presumably) cool subdomain on your own domain connected to SilverBullet allowing you to connect to it from anywhere
  2. Authentication to protect access, making it secure

Enjoy!

Note: This guide is heavily based on previous versions here: https://community.silverbullet.md/t/cloudflare-and-portainer/31 and hints here: Syncing works, but Image are not loaded - #2 by bmblb3


Note: there was an issue with token expiry/revocation, which I’ve now fixed. This will be part of the next SB release: Cloudflare Zero Trust session revocation handling · Issue #1091 · silverbulletmd/silverbullet · GitHub


Early signs show this fixed the auth loop for Authentik too. Thanks, Zef.
