Compliance Discussion of Reverse Proxy in Home Networks
Exploring potential compliance issues and solutions when using reverse-proxy services on home broadband
Categories:
Background
About 90 days ago, I encountered an IPv6 connectivity issue with China Telecom Hubei. After long-term observation and analysis, here are the findings.
Problem Analysis
Two initial suspected causes:
-
PCDN usage detection
- No active use of PCDN
- Only a small amount of BitTorrent downloads
- Upload throttling has been applied, yet the problem persists
-
Home server acting as blog origin
- Uses Cloudflare origin rules specifying a port
- May be deemed “commercial behavior” by the ISP
After three months of validation, the issue is more likely triggered by exposing HTTP/HTTPS service ports to the public Internet.
Specific Symptoms
-
IPv6 anomalies:
- /56 prefix is assigned
- Devices receive global IPv6 addresses
- Yet external network access fails
- Only the router in bridge mode behind the optical modem retains normal IPv6
-
Tailscale connection anomalies:
- The source server reports direct connectivity but with excessive latency (~400 ms)
- Other devices go through relays and obtain lower latency (~80 ms)
ISP Policy Analysis
Telecom carriers in certain regions apply service degradation to inbound-heavy HTTP/HTTPS connections:
-
IPv6 service downgrade
- Addresses are still assigned
- Routing tables are missing
- Effective Internet access is blocked
-
P2P connection throttling
- Tailscale shows direct connections
- Actual latency is abnormally high
- Bandwidth is restricted
Solutions
-
Disable reverse-proxy services:
- Deactivate Cloudflare/Alibaba Cloud ESA reverse proxies
- After multiple router reboots, connectivity returns to normal
-
Prevent domain scanning: Avoid these common sub-domains:
- home.example.com - ddns.example.com - dev.example.com - test.example.com -
Best practices:
- Use a GUID to generate random sub-domains
- Refrain from predictable or common sub-domain naming
- Rotate domains periodically to reduce scanning risk