Help Any good self hosting help resources?

Discussion in 'Technical Discussion' started by segamaniac, Apr 8, 2022.

  1. segamaniac

    segamaniac

    Oh chili dogs! Member
    I've scouring the entire web it feels like and it feels as if there's no help on how to self host with your own computer, all I see is how to do self hosting using server hosts, which is not what I'm wanting to do.

    So, does anyone here know some good resources to read from or perhaps maybe give some good advice yourselves please? Btw, here's the stuff I'm using:
    • OS: Linux (Distro is Kubuntu)
    • Server Software: Apache 2
    • ddclient (since I have a dynamic IP address, could especially use help with that)
    • Namecheap (for the domain)
    Thank you in advance!
     
  2. President Zippy

    President Zippy

    Zombies rule Belgium! Member
    71
    38
    18
    Chinaland
    Lightweight LZ4 decoder
    Ahh! I see you and I both use Namecheap as our registrar and ddclient to dynamically update DNS entries.

    Your journey will not vary much past the point where you install Apache, but before that you now have the task of managing your hardware devices, data backups, and security. Keep in mind, by self-hosting you are exposing your entire home network to significantly more risk. Here are a few considerations, please read to the end before doing anything:

    1a. Check the configuration on the home network's firewall and ensure it is LOCKED DOWN. Be sure to block every reserved TCP port (1-1023) except 443 (HTTPS); this includes disallowing plaintext HTTP sessions (port 80). However, if future maintenance on the server must be done from outside the home network, enable port 22, and configure sshd.

    After disabling ports we don't need, enable port forwarding on the router, and set port 443 on your router to forward to whichever port the server listens on (443 unless specified otherwise in the Apache config file). Likewise, if sshd is enabled then forward port 22 on the router to port 22 on the server.

    1b. For extra safety, configure an additional firewall on the server itself using iptables.

    2. Be sure to add cron jobs to start Apache and MySQL on boot, or do it through systemctl (systemd's command-line interface)- either way works. Likewise if SSH is necessary, do so for sshd.

    3. It is important to keep the website's data on a separate filesystem from the root FS, especially since you may find yourself experimenting with new packages and upgrading or taking patches frequently. I would recommend keeping the OS, website, DB, etc on the root FS (hopefully an SSD), and keeping the website's data on an encrypted RAID-1 array (2 hard disks mirrored). While this covers most hardware failures, an off-site backup of the website data (and optionally the OS image) is crucial. An S3-compatible bucket with a cloud is a perfectly good place to commit a weekly backup of everything; it is expensive to download from a bucket, but it is insanely cheap to upload to a bucket, i.e. only under major disaster will you ever need to spend money downloading.

    4. TLS and SSH keys need to be stored someplace safe, should the server ever be compromised or the root filesystem become damaged. I strongly recommend not storing them on any of the local disks, but instead on an encrypted (password-protected) USB flash drive. On startup, Apache and all the other services that need a cert or private key will load them into memory, at which point it is safe to eject the USB drive and put it back in the sock/underwear drawer. Always remember: TLS certs and cryptographic private keys should never leave the house.

    5. Lastly, consider putting Apache Server and MySQL into Docker containers. This will require putting the website data into a Docker volume to access it, and there is some extra work, but it will make testing changes to the website and DB configuration much quicker and easier by virtue of running applications in separate filesystems. Better yet, there may even be good pre-configured Apache and MySQL container images floating around the internet ripe for downloading.​

    I'll follow up with edits if more things occur to me, but the overall theme of this guidance is security, security, security. Whether running a website on-premises or in a cloud server, don't store passwords in unencrypted form and don't allow sensitive data to be exchanged over plaintext HTTP.

    EDIT: A few more things occur to me...

    1. For security purposes, I would strongly recommend using a reverse proxy on a cloud server. For only $5/month, DigitalOcean offers a droplet with 1 virtual CPU core and 1GB of RAM, which is enough to run either nginx or h2o as a reverse proxy. It's also a cheap way to get a static IP address. I don't have much experience with nginx, but h2o uses YAML as its config file format, i.e. it's a standardized format.

    https://h2o.examp1e.net/configure.html

    If you do that, you can then change your Apache config file to only accept connections from your reverse proxy's IP address. If you do this, you don't need to share your home network's IP address with the entire World Wide Web. This will prevent bad actors from DDoS'ing your home network, and better yet conceal all the other information people can obtain about you using your personal IP address.

    As an added bonus, this would also reduce load on your Apache server. Unlike nginx and h2o, Apache spawns a new thread for every new connection (instead of using a small number of thread pools and multiplexing I/O using epoll or kevent), which does not scale well for large numbers of HTTP requests. If there is only 1 connection to Apache (the reverse proxy), you avoid a lot of load on Apache at the expense of just a little load on nginx/h2o.

    2. I know the advice you're looking for is more specific, e.g. giving you example commands and config files, but I can't do that because I don't know anything about the content of your website. I don't know what content it serves and what information users will be posting on it. If you were just doing static hosting, I would strongly urge you to just make a static HTML/CSS/JS site on Neocities for free. You need to spend a lot of time reading documentation for Apache, MySQL, iptables, and anything else you'll end up using. Those tools and everything else I suggested have ample documentation on how to do everything discussed up to this point, as well as example scripts/configs/etc that you can play with and modify to suit your needs.​

    Happy hunting!
     
    Last edited: Apr 24, 2022
    • Informative Informative x 1
    • List