Self-Hosting like it's 2025

(kiranet.org)

221 points finnlab | 1 comments | 01 Apr 25 10:11 UTC | HN request time: 0.29s | source

Show context

0xEF ◴[01 Apr 25 11:51 UTC] No.43545644[source]▶

I love the idea of self-hosting, especially since I keep a number of very tiny websites/projects going at any given time, so resources would not really be too much of an issue for me.

What stops me is security. I simply do not know enough about securing a self-hosted site on real hardware in my home and despite actively continuing to learn, it seems like the more I learn about it, the more questions I have. My identity is fairly public at this point, so if I say the wrong thing to the wrong person on HN or whatever, do I need to worry about someone much smarter than me setting up camp on my home network and ruining my life? That may sound really stupid to many of you, but this is the type of anxiety that stops the under-informed from trying stuff like this and turning to services like Akamai/Linode or DO that make things fairly painless in terms of setup, monitoring and protection.

That said, I'm 110% open to reading/watching any resources people have that help teach newbies how to protect their assets when self-hosting.

replies(13): >>43545681 #>>43545687 #>>43545733 #>>43545739 #>>43546101 #>>43546191 #>>43546239 #>>43546265 #>>43546590 #>>43552531 #>>43555038 #>>43555405 #>>43556435 #

fm2606 ◴[01 Apr 25 12:04 UTC] No.43545739[source]▶

>>43545644 #

I'm right there with you, except at times I have thrown caution to the wind and made my sites available.

My current setup is to rent a cheap $5/month VPS running nginx. I then reverse ssh from my home to the vps, with each app on a different port. It works great until my electric goes out and comes back on the apps become unavailable. I haven't gotten the restart script to work 100% of the time.

But, I'd love to hear thoughts on security of reverse SSH from those that know.

replies(3): >>43545787 #>>43546006 #>>43546477 #

the_snooze ◴[01 Apr 25 12:34 UTC] No.43546006[source]▶

>>43545739 #

I do something similar with my home server, but with a WireGuard split tunnel. Much easier to set up and keep active all the time (i.e., on my phone).

Nginx handles proxying and TLSing all HTTP traffic. It also enforces access rules: my services can only be reached from my home subnet or VPN subnet. Everywhere else gets a 403.

replies(1): >>43552562 #

1. Karrot_Kream ◴[02 Apr 25 00:11 UTC] No.43552562[source]▶

>>43546006 #

Why not just have nginx listen on the Wireguard interface itself? That way you drop all traffic coming inbound from sources not on your Wireguard network and you don't even have to send packets in response nor let external actors know you have a listener on that port.

↑