I wanted to share a setup that eliminates public-facing ports entirely while keeping full Hestia functionality.
The problem with standard setups:
· Ports 80/443 are open
· Control panel is publicly reachable
· Origin IP is exposed
· DDoS hits your server directly
My solution:
1. Cloudflare Tunnel
· cloudflared runs on my server and creates an outbound-only connection to Cloudflare
· Zero open inbound ports
· Origin IP is hidden — DDoS hits Cloudflare, not me
2. Cloudflare Access
· Applied to pma.artzone.biz and my Hestia panel URL
· MFA (email OTP) required BEFORE anyone sees the login page
· Brute force? They never reach the panel
3. CSF firewall
· Replaced Hestia’s built-in firewall
· Drops all direct-to-origin traffic on ports 80/443
· Even if origin IP leaks, packets get dropped
4. PHP-FPM isolation (already in Hestia)
· Each site/user has its own socket
· Compromised client site can’t reach panel or other sites
The one Hestia tweak needed:
Change the default nginx template to listen on 127.0.0.1:80 instead of 0.0.0.0:80. That’s it.
Results:
· No open ports
· No direct IP access
· Admin panels require MFA through Cloudflare
· DDoS protection at Cloudflare edge
· Client sites stay isolated
Is anyone else running Hestia behind a tunnel? Happy to share configs.
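A quick way to verify that the nginx listen change (and the CSF drop rule) actually left nothing listening direct-to-origin, as an added check and not the original poster's configs: feed `ss -ltnH` output to the function below and it prints any listener on 80/443 that is bound to something other than loopback. The sample `ss` lines are constructed for the demonstration.

```shell
# Added example: audit TCP listeners for direct-to-origin exposure on 80/443.
# Input format is that of `ss -ltnH` (no header):
#   State Recv-Q Send-Q Local_Address:Port Peer_Address:Port [Process]
# Prints one "addr:port" per listener on 80/443 not bound to 127.0.0.1 / ::1.
exposed_listeners() {
  awk '
    {
      la = $4
      n = split(la, parts, ":")
      port = parts[n]
      # strip ":port" from the end to recover the bare address (IPv6 stays bracketed)
      addr = substr(la, 1, length(la) - length(port) - 1)
      if (port != "80" && port != "443") next
      if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
      print addr ":" port
    }'
}

# Constructed sample: two listeners still exposed (0.0.0.0:80 and [::]:443),
# one correctly on loopback (127.0.0.1:80), and unrelated ports (8083, 22)
# that this check deliberately ignores.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8083 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Run the check over the constructed sample and return the findings.
check_sample() {
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}

# Live use on the server itself (assumes iproute2's ss is installed):
#   ss -ltnH | exposed_listeners
# Empty output means nothing on 80/443 is reachable except via the tunnel.
check_sample
```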