<![CDATA[EtherNode]]>https://blog.saikat.inRSS for NodeMon, 27 Apr 2026 14:44:58 GMT60<![CDATA[How I Got gRPC Working Through Cloudflare Tunnel (The Hard Way)]]>https://blog.saikat.in/how-i-got-grpc-working-through-cloudflare-tunnel-the-hard-wayhttps://blog.saikat.in/how-i-got-grpc-working-through-cloudflare-tunnel-the-hard-waySat, 28 Mar 2026 01:25:47 GMT

A complete guide to exposing a Go gRPC backend behind college NAT using Cloudflare Tunnel, Docker Compose, and TLS, including every mistake I made along the way.

Background

I'm a student building Bluppi, a Flutter app with a Go gRPC backend. My server runs on my laptop on college WiFi, behind a NAT I don't control, no port forwarding, no static IP.

My stack:

  • Backend: Go gRPC server (bluppi-api:50051) + Go gRPC gateway (bluppi-gateway:50050) + Python FastAPI (bluppi-audio-api:8000)

  • Infrastructure: Docker Compose

  • Tunnel: Cloudflare Tunnel (cloudflared)

  • Client: Flutter (Android/iOS)

  • Domain: bluppi.saikat.in

What should have been a simple "expose my API to the internet" turned into a 6-hour debugging session. Here's everything I learned.

Part 1: Setting Up Cloudflare Tunnel

Create the tunnel

# Login to Cloudflare
cloudflared tunnel login

# Create tunnel
cloudflared tunnel create bluppi

# Route your domain to the tunnel
cloudflared tunnel route dns bluppi bluppi.saikat.in

# Copy credentials to project
mkdir -p cloudflared
cp ~/.cloudflared/<tunnel-id>.json cloudflared/
cp ~/.cloudflared/cert.pem cloudflared/

Initial config.yml (what I started with)

tunnel: <tunnel-id>
credentials-file: /etc/cloudflared/<tunnel-id>.json

ingress:
  - hostname: bluppi.saikat.in
    path: /api/v2/.*
    service: grpc://bluppi-gateway:50050

  - hostname: bluppi.saikat.in
    path: /api/rest/.*
    service: http://bluppi-audio-api:8000

  - hostname: bluppi.saikat.in
    service: grpc://bluppi-api:50051

  - service: http_status:404

Initial docker-compose.yml tunnel service

tunnel:
  container_name: bluppi-tunnel
  image: cloudflare/cloudflared:latest
  command: tunnel --config /etc/cloudflared/config.yml run
  restart: unless-stopped
  networks:
    - cloudflared
  depends_on:
    - bluppi-api
    - bluppi-gateway
    - audio-api
  volumes:
    - ./cloudflared:/etc/cloudflared:ro

Part 2: The Mistakes (And How to Fix Them)

Mistake 1: Port 7844 blocked (college network)

Symptom:

dial tcp 198.41.192.107:7844: i/o timeout

cloudflared defaults to connecting Cloudflare's edge on TCP port 7844. College networks often block non-standard ports.

Fix: Force HTTP/2 protocol which falls back to port 443:

# docker-compose.yml
command: tunnel --protocol http2 --config /etc/cloudflared/config.yml run

Or in config.yml:

protocol: http2

Mistake 2: Too many HA connections

Symptom:

already connected to this server, trying another address

cloudflared opens 4 parallel connections by default, but the Delhi edge (del03) only had 1-2 distinct IPs reachable from my network.

Fix: Reduce HA connections:

ha-connections: 1

Mistake 3: grpc:// is not a valid cloudflared service protocol

Symptom:

malformed HTTP response "\x00\x00\x06\x04..."

grpc:// is not a recognised protocol in cloudflared. Those bytes are raw HTTP/2 frames being received by cloudflared which expected HTTP/1.x.

Fix: Initially, I changed grpc:// to h2c:// (HTTP/2 cleartext) for internal gRPC services. However, this is a trap. While h2c:// stops this immediate error, it leads you right into Mistake 4 because of Cloudflare's proxy limitations.

Mistake 4: Cloudflare Free plan blocks gRPC on public hostnames

Symptom:

malformed header: missing HTTP content-type

Even with the gRPC toggle enabled in the Cloudflare Dashboard, the Free plan does not fully proxy gRPC through orange-cloud (proxied) hostnames. Cloudflare strips the content-type: application/grpc header.

References:

Fix: This is a fundamental limitation, no simple config change fixes it. You cannot use h2c://. The real solution is adding TLS to your origin server and using https:// (Detailed in Part 3).

Part 3: The Real Fix (TLS on the Origin)

Step 1: Generate self-signed certificates

mkdir -p certs
openssl req -x509 -newkey rsa:4096 \
  -keyout certs/server.key \
  -out certs/server.crt \
  -days 365 -nodes \
  -subj "/CN=localhost"

Note on CN: Since we use noTLSVerify: true in cloudflared config, the CN value doesn't matter. localhost works fine.

Step 2: Configure your gRPC Server

Regardless of whether you are using Go, Python, Node, or Rust, you must configure your gRPC server to use the generated server.crt and server.key. Your specific language's gRPC library will handle the TLS implementation.

Step 3: Verify TLS + ALPN on your server

# Check TLS works
openssl s_client -connect localhost:50051

# Check ALPN h2 is advertised (critical for gRPC)
openssl s_client -connect localhost:50051 -alpn h2

You must see:

ALPN protocol: h2

If you see No ALPN negotiated, gRPC will not work through the tunnel. Check your server's TLS configuration.

Key point: grpc-go automatically advertises ALPN: h2 when you use credentials.NewServerTLSFromFile. This is what enables cloudflared to negotiate HTTP/2.

Part 4: Final Working Configuration

docker-compose.yml

Since cloudflared is running on the host, we just need to make sure our backend services expose their ports to localhost.

  tunnel:
    container_name: bluppi-tunnel
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate --protocol http2 --ha-connections 1 --config /etc/cloudflared/config.yml run
    restart: unless-stopped
    networks:
      - cloudflared
    depends_on:
      - bluppi-api
      - bluppi-gateway
      - audio-api
    volumes:
      - ./cloudflared:/etc/cloudflared:ro

networks:
  cloudflared:
    name: cloudflared

cloudflared/config.yml

tunnel: <tunnel-token>
credentials-file: /etc/cloudflared/<tunnel-id>.json
ha-connections: 1
protocol: http2

ingress:
  # 1. Dedicated REST API
  - hostname: bluppi.saikat.in
    path: /api/rest/.*
    service: http://bluppi-audio-api:8000

  # 2. gRPC Gateway
  - hostname: bluppi.saikat.in
    path: /api/v2/.*
    service: https://bluppi-gateway:50050
    originRequest:
      noTLSVerify: true
      http2Origin: true

  # 3. Pure gRPC API (Catch-All)
  - hostname: bluppi.saikat.in
    service: https://bluppi-api:50051
    originRequest:
      noTLSVerify: true
      http2Origin: true

  - service: http_status:404

Why https:// not h2c://?
cloudflared does NOT support h2c:// (HTTP/2 cleartext) as an origin protocol — see issue #1304. You must use https:// with a TLS-enabled origin, then add noTLSVerify: true to accept the self-signed cert, and http2Origin: true to force HTTP/2 negotiation.

Part 6: Verification

Test gRPC end-to-end with grpcurl

# Install grpcurl (or you can use Postman)

# Test locally (bypassing tunnel) — baseline
grpcurl -plaintext localhost:50051 list
# Expected: Unauthenticated (server is running, auth is rejecting unauthenticated requests) (as I have setup JWT auth)

# Test through Cloudflare tunnel
grpcurl bluppi.saikat.in:443 list
# Expected: same Unauthenticated error = tunnel is fully transparent ✅

Part 7: Complete Mistake Summary

# Symptom Root Cause Fix
1 dial tcp ...:7844: i/o timeout College network blocks port 7844 --protocol http2
2 already connected to this server Del03 has limited edge IPs, 4 connections clash ha-connections: 1
3 malformed HTTP response \x00\x00\x06\x04 grpc:// is not valid in cloudflared Use h2c://
4 use of closed network connection / EOF cloudflared uses HTTP/1.1 to origin by default http2Origin: true
5 No ALPN negotiated gRPC server not advertising h2 during TLS handshake Use credentials.NewServerTLSFromFile in Go
6 QUIC timeout on --token mode cloudflared token mode defaults to QUIC (UDP), also blocked --protocol http2 flag

Key Takeaways

  1. grpc:// is not a valid cloudflared service protocol — use h2c:// or https://

  2. Cloudflare Free plan cannot proxy gRPC on public hostnames — cloudflare's gRPC toggle requires Pro plan to work properly

  3. cloudflared connects to origins using h2 (TLS), not h2c (cleartext) — your gRPC origin MUST serve TLS, even behind a private Docker network

  4. http2Origin: true is mandatory — without it, cloudflared uses HTTP/1.1 to the origin, which gRPC servers reject immediately

  5. noTLSVerify: true is safe inside Docker — the tunnel itself provides encryption; internal self-signed certs are fine

  6. Always test with grpcurl before testing Flutter — if grpcurl bluppi.saikat.in:443 list returns Unauthenticated (same as localhost), your Flutter app will work

  7. College/restricted networks block UDP and non-standard ports — always force --protocol http2 to use TCP 443

References

Written after 6 hours of debugging. Hopefully this saves you the same pain.

]]><![CDATA[Firebase Draining Your Wallet? Here's How to Stop Paying for Every Single Read.]]>https://blog.saikat.in/firebase-draining-your-wallet-here-s-how-to-stop-paying-for-every-single-readhttps://blog.saikat.in/firebase-draining-your-wallet-here-s-how-to-stop-paying-for-every-single-readSat, 14 Mar 2026 22:46:36 GMT
In this blog, we’ll focus on using Dart/Flutter for our code examples, but keep in mind that you can apply these methods in any programming language. The key here is to focus on the techniques, not just the language!

If you're here, you probably already know that Firebase is great for building apps with real-time data. However, many developers run into a big issue—Firebase costs can quickly get out of hand due to too many read operations.

In 2018, a startup in Colombia faced this exact problem when they scaled up to 2 million daily active users (DAUs). A small, but costly mistake in their code ended up leaving them with a $30,356.56 bill from Google Clouds in just 72 hours. Why? Because that tiny error caused 2 million users to each trigger 16,000 document reads, leading to over 40 billion requests to Firestore in less than 48 hours. Read the full article

You can avoid such excessive costs by optimizing your reads. In this blog, we'll dive into specific strategies to stop paying for every single read without sacrificing app performance.

Understanding Firebase Read Costs

Firebase's pricing model is simple. In Firestore, you are charged based on the number of documents you read. Each time a document is read from the database—whether through a query, real-time listener, or a simple fetch—it counts as a read.

Check out the Firestore Pricing here.

Before jumping into solutions, it’s important to understand where things can go wrong.

  • Fetching unnecessary data: For instance, if you’re retrieving large collections when you only need a few documents, you’re paying for extra reads.

  • Inefficient queries: Poor query structuring can result in pulling unnecessary data or performing repeated reads.

  • Overuse of real-time syncing: Real-time listeners are great, but they can result in multiple reads as they sync data even when it’s not needed immediately.

Strategies to Reduce Firebase Read Costs

Optimize Your Data Structure

A well-organized database can greatly cut down the number of reads. If your Firestore database isn't structured efficiently, it can cause you to fetch more data than needed, leading to extra read costs.

Choosing when to use nested data vs flattened data is crucial for reducing unnecessary reads in Firestore.

Nested Data Flattened Data
If you often need to access both parent and child data at the same time, using a nested structure lets you fetch them with just one read. Use this structure when you expect many related items, such as comments, tasks, or messages, that can quickly exceed document size limits.
💡
Split data into multiple collections to avoid reading large, unnecessary datasets.

Example: Instead of storing all user posts in one collection, divide them into smaller subcollections by category or user ID.

Query Optimization

Firestore is a NoSQL database, and it's important to use its indexing features. Writing efficient queries can help lower the number of documents read.

Firestore automatically indexes each document by its document ID. But for complex queries, like filtering on several fields, you might need to create composite indexes.

Example: If you want to query users by both age and city, you'll need a composite index for age and city.

Filtering documents with where() clauses retrieves only the necessary data.

final QuerySnapshot querySnapshot = await FirebaseFirestore.instance
      .collection('users')
      .where('age', isGreaterThanOrEqualTo: 18)
      .where('city', isEqualTo: 'New York')
      .get();

Make sure to combine filters that make sense together to reduce the number of reads.

Implement Pagination Using limit() for Efficient Data Retrieval

final int pageSize = 10;
DocumentSnapshot? lastVisible;

Future<void> getPosts() async {
  final query = FirebaseFirestore.instance
      .collection('posts')
      .orderBy('createdAt')
      .limit(pageSize)
      .startAfterDocument(lastVisible!);
  
  final querySnapshot = await query.get();

  querySnapshot.docs.forEach((doc) => print(doc.data()));
  lastVisible = querySnapshot.docs.isNotEmpty ? querySnapshot.docs.last : null;
}

Limiting documents can significantly reduce costs and improve performance, especially when dealing with large datasets.

💡
Full collection scans occur when you don't use indexes, making Firestore read every document in a collection. To avoid this, always use indexed fields in your queries.

Avoid Unnecessary Real-time Listeners

Real-time listeners are powerful but expensive if used without careful consideration. In many cases, you don't need real-time updates for every piece of data.

Manual Refreshing: Instead of relying on real-time updates, users can manually trigger a refresh to load the latest data.

💡
Firestore offers offline persistence, enabling data to be cached on the client and synchronized later when the app reconnects. This feature can significantly reduce the number of reads, minimizing network calls during offline usage.

In this blog, we will look at advanced caching methods that can greatly reduce your Firestore costs. These strategies are more than just basic offline caching and can save you a lot of money while improving your app's performance.

Advanced Strategies to Reduce Firebase Costs

You can use SharedPreferences to store small pieces of data that are frequently accessed, like user info or settings. This works well for data that doesn’t change much. However, SharedPreferences is only suitable for small amounts of data. If you store too much, it can slow down your app, use more memory, and hit storage limits.

import 'package:shared_preferences/shared_preferences.dart';

Future<void> saveUserInfo(String name, int age, String email) async {
  final SharedPreferences prefs = await SharedPreferences.getInstance();
  await prefs.setString('userName', name);
  await prefs.setInt('userAge', age);
  await prefs.setString('userEmail', email);
}

For example, you can store user information in SharedPreferences as small chunks of data that are repeatedly used throughout your application.

Use Provider for efficient state management to reduce Firestore reads.

Without proper state management, your app might request the same data from Firestore multiple times, increasing the number of reads unnecessarily. By using Provider, once data is fetched from Firestore, it can be stored and accessed efficiently throughout the app without additional Firestore calls.

import 'package:flutter/material.dart';
import 'package:cloud_firestore/cloud_firestore.dart';

class UserProvider extends ChangeNotifier {
  Map<String, dynamic>? _userData;
  Map<String, dynamic>? get userData => _userData;

  Future<void> fetchUserData(String userId) async {
    if (_userData != null) return; // Skip fetching if data is already loaded

    try {
      final doc = await FirebaseFirestore.instance.collection('users').doc(userId).get();
      _userData = doc.data();
    } catch (e) {
      print('Error fetching user data: $e');
    } 
      
    notifyListeners();
  }
}

Don’t forget to add the Provider class to the main.dart file and then use it in the UI. This ensures the data is fetched only once when the app starts and is shared efficiently across all UI components, screens, and pages.

If you know that the data is not going to change frequently, you can save it on the client side, essentially caching the data. This can be achieved through various methods, such as using Hive, SQLite, or path_provider, each serving a different purpose.

Hive SQLite path_provider
NoSQL, key-value pairs Relational (SQL queries) File system access (no database)
Simple setup, fast for small data Complex setup, powerful for large datasets Minimal setup, no querying or relations
💡
Although path_provider is easy to set up, it is not efficient for storing JSON data, as it requires serializing and de-serializing the data into your model, which can be a heavy task. Therefore, Hive is often used instead.

Server-Side Optimization for Cost Reduction

If all the users are requesting the same data from your Firebase database, it can unnecessarily increase your reads. To avoid this, you can use the Firebase Admin SDK to create bundles, request the data only once, store it in those bundles, and send the bundles to the clients. This will reduce Firebase reads and improve your app's performance, as it only needs to request the data once.

from google.cloud import firestore
from google.cloud.firestore_bundle import FirestoreBundle

db = firestore.Client()
bundle = FirestoreBundle("bundle-name")

for user in db.collection("users").stream():
    bundle.add_document(user.get())
    
    for post in db.collection("posts").where("user_id", "==", user.id).stream():
        bundle.add_document(post.get())

bundle_buffer = bundle.build()

with open("cacheBundle.bin", "wb") as file:
    file.wrtie(bundle_buffer)

The above code snippet might not be entirely correct as I forgot the exact syntax, but it was something similar to this. Check Docs

Once you've created the Firestore bundle and serialized it, you can save the bundle as a file (e.g., cacheBundle.bin) and send it to all of your clients via HTTP or upload it to Firebase Cloud Storage. This way, clients can access the cached data from the bundle without repeatedly making requests to Firebase Database.

Conclusion

Optimizing Firebase reads can help you save costs and improve app performance. By structuring your data efficiently, optimizing queries, minimizing real-time listeners, and using caching strategies, you can reduce unnecessary reads without sacrificing performance.

Feel free to share your own methods or any corrections in the comments below. Happy coding, and may your Firebase costs stay low while your app thrives!

]]>