221 points | finnlab | 2 comments
0xEF No.43545644
I love the idea of self-hosting, especially since I keep a number of very tiny websites/projects going at any given time, so resources would not really be too much of an issue for me.

What stops me is security. I simply do not know enough about securing a self-hosted site on real hardware in my home and despite actively continuing to learn, it seems like the more I learn about it, the more questions I have. My identity is fairly public at this point, so if I say the wrong thing to the wrong person on HN or whatever, do I need to worry about someone much smarter than me setting up camp on my home network and ruining my life? That may sound really stupid to many of you, but this is the type of anxiety that stops the under-informed from trying stuff like this and turning to services like Akamai/Linode or DO that make things fairly painless in terms of setup, monitoring and protection.

That said, I'm 110% open to reading/watching any resources people have that help teach newbies how to protect their assets when self-hosting.

doublerabbit No.43545681
A VPS with a software firewall is more than enough.

Block port 22, secure SSH with certificates only. Allow port 443 and configure your web server as a reverse proxy with a private backend.

You don't need an IDS, you don't need a WAF and you don't need Cloudflare.

It's only once you become the next Facebook that you need to start becoming concerned about security.

palata No.43545717
> A VPS with a software firewall is more than enough.

So you don't self-host at home, right?

I have been considering setting up a physical DMZ at home, with two routers (each with its own firewall), such that my LAN stays unmodified and my server can run between both routers. Then it feels like it would be similar to having a VPS in terms of security, maybe?

doublerabbit No.43545723
I colocate four servers in two DCs, all running FreeBSD with PF. My main host is running a jail that hosts a bhyve VM.

With four jails, each running its own bhyve VM, they run another FreeBSD OS, allowing me to host jails for different services: email, web and game servers.

I'm not a fan of DMZs, as they get messy: you then have to ensure your host is protected correctly. So I use bridges; I have two bridges, an outer and an inner.

Services requiring outbound internet access are tapped to the outer bridge, which is throttled and, if required, can then load balance between it and the inner bridge, which is under the control of "deny all, allow some" to my own set of home IPs.

The outer bridge cannot contact services in the inner, but the inner can contact the outer; it can only host internally, though.

This is all done with PF within each jail, as each jail provides you with its own vnet adapter, which can be applied to a bridge.

If you wish to learn further, that is what you work up to. But for the personal user who wishes to self-host and have an internet presence, a firewall is just fine.

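An added example, not from this thread or its author, of what the "deny all, allow some" policy for a jail on the inner bridge could look like as a pf.conf loaded inside that jail; the vnet interface name, the bridge subnets and the home addresses are assumed placeholders, and the "outer cannot reach inner, inner can reach outer" rule is expressed with stateful passes on top of a default block:

```pf
# Hypothetical pf.conf for one jail attached to the INNER bridge.
# All names and addresses below are placeholders, not from the thread.
int_if    = "epair0b"                      # assumed: the jail's vnet adapter
outer_net = "10.0.0.0/24"                  # assumed: outer bridge subnet
inner_net = "10.0.1.0/24"                  # assumed: inner bridge subnet
home_ips  = "{ 203.0.113.10, 203.0.113.11 }"   # stand-ins for "my own set of home IPs"
svc_ports = "{ 443 }"                      # ports this jail hosts internally

set skip on lo0
set block-policy drop

# Default: deny all. Everything below is an explicit "allow some".
block log all

# Inner jail may initiate connections to the outer bridge; the state entry
# lets replies back in, but nothing on the outer bridge can initiate to us.
pass out quick on $int_if proto { tcp, udp } from $inner_net to $outer_net

# Services hosted here are reachable only from the inner bridge and the home IPs.
pass in quick on $int_if proto tcp from { $inner_net, $home_ips } to $int_if port $svc_ports

# SSH only from the home IPs; port 22 stays closed to everything else.
pass in quick on $int_if proto tcp from $home_ips to $int_if port 22

# Anything else arriving from the outer bridge (or anywhere) hits the default block.
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf` inside the jail, and watch `pflog0` with tcpdump to confirm that outer-bridge attempts are being dropped.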
palata No.43546716
This is very interesting! Have you considered writing a blog post explaining that kind of setup? I would love that! In the meantime, thanks a lot for the insights, that's a good starting point!

> I'm not a fan of DMZ as they get messy as you then have to ensure your host is protected correctly.

Could you elaborate on that? Specifically, in my case I would have a perimeter router to which I would connect both my server and the inner router. My LAN would stay behind the inner router, so my understanding is that it still has strictly the same security as when my inner router was connected to the ISP; I just add a layer with the perimeter router.

Then the perimeter router opens the server (probably just chosen ports) to the public Internet, so that the server is reachable.

Wouldn't that mean that my host is protected correctly?

doublerabbit No.43551315
That sounds pretty reasonable.

While home routers tend to set their rules as outbound allowed and inbound denied, my DC just provides me with a network cable to the big pond of data.

How I secure that for my home network is by using my personal rig with multiple network ports.

One port acts as a public bridge, and the 3rd and 4th network ports are then assigned to the private bridges.

The 2nd port then sits in a middle bridge where it communicates to both the public and private bridge.