Personal computing discussed

Moderators: renee, Steel, notfred

 
Arvald
Gerbil Elite
Posts: 761
Joined: Tue Sep 27, 2011 12:14 pm
Location: Gerbil-land, Canada

Re: Safely hosting web services from home

Tue Jul 11, 2017 10:11 am

Glorious wrote:
Even a 5mbit connection is fine for anything non-commercial and non-multimedia. Heck, you could run a Pandora quality "internet Radio" service for 20 users no problem on that, or stream 3 netflix-SD quality videos on that.

I would not say that... I find remote access to my server painful and I have 60/10. I am only using it to grab the occasional document.
 
LoneWolf15
Gerbil Elite
Posts: 963
Joined: Tue Feb 17, 2004 8:36 am
Location: SW Meecheegan

Re: Safely hosting web services from home

Tue Jul 11, 2017 10:12 am

Duct Tape Dude wrote:
Glorious wrote:
So that's the first question: Is this for laughs/personal use, or are you trying to do something serious?
Mostly for personal use.

bthylafh wrote:
IIRC Digital Ocean's bottom-end service is also $5/month and should be similar to Linode's.
Glorious wrote:
I use digitalocean's $5 a month tier and have never had a problem.
I'm on RAMNode's $35/year plan and it's incredible.


I'm disappointed, TR. I did not ask for VPS reviews. Now let's dream for a moment: How would you actually answer my original post?


EDIT: My comments below are based on the idea that you are running non-personal web hosting, for the purpose of business, based on what you sorta-kinda specified in your original post. If that's incorrect, all bets are off. A single personal website, I'd still want a real firewall, but a lot of the redundancies aren't necessary, just power backup and data backup. And I'd want a static IP if other people than you are accessing the site.

I'd answer your post by telling you how much I'll laugh when your ISP does actually disconnect you for violating their ToS. And they might be slow to catch on, but they will eventually.

You're going to need a business grade firewall, not high-end, but you still need one, preferably with intrusion prevention and unified threat protection (read: subscription cost). You should have a second circuit in case your primary goes down. You're going to need static IPs which your ISP may not provide unless you're on the business tier, and you'll probably need more than one (and it's almost guaranteed that at most, you get one if any for a business tier). And no, Dynamic DNS isn't going to cut it, that's Mickey Mouse if you're doing a real business, and I'd never pay you to host me if that's what you were doing and I was smart. You're going to need UPS power gear, and storage for backup in addition to redundant storage for business continuity. And unless I was a small business that didn't know better, I'd ask you basic details (as a client) about what my uptime guarantee is, if you have redundancies (in case a server or a circuit goes down, or your main building gets flooded and takes out a server.

Translation: Using a host you contract to takes all of that out of your hands, doesn't violate an ISP agreement, and makes it easy to sleep at night, while you concentrate on doing the part that utilizes your real skills. Run a business like a business, not a tinkerer's hobby.
i9-9900K @4.7GHz, GIGABYTE Z390 Aorus Pro WiFi, 2 x 16GB G.Skill RipJaws V PC3000
Corsair 650D, Seasonic 1Kw Platinum PSU
2x HP EX920 1TB NVMe, Samsung 850 Pro 512GB 2.5", NEC 7200 DVDRW
Gigabyte RTX 2080 Super Gaming OC, Dell S2719DGF 27" LCD
 
LoneWolf15
Gerbil Elite
Posts: 963
Joined: Tue Feb 17, 2004 8:36 am
Location: SW Meecheegan

Re: Safely hosting web services from home

Tue Jul 11, 2017 10:17 am

Arvald wrote:
Glorious wrote:
Even a 5mbit connection is fine for anything non-commercial and non-multimedia. Heck, you could run a Pandora quality "internet Radio" service for 20 users no problem on that, or stream 3 netflix-SD quality videos on that.

I would not say that... I find remote access to my server painful and I have 60/10. I am only using it to grab the occasional document.


Really? I have 85/12 and over my firewall's VPN, remote access to my server at home and all my network gear is great. I mean, I wouldn't stream HD video over it, but almost everything else I want to do is fine.
i9-9900K @4.7GHz, GIGABYTE Z390 Aorus Pro WiFi, 2 x 16GB G.Skill RipJaws V PC3000
Corsair 650D, Seasonic 1Kw Platinum PSU
2x HP EX920 1TB NVMe, Samsung 850 Pro 512GB 2.5", NEC 7200 DVDRW
Gigabyte RTX 2080 Super Gaming OC, Dell S2719DGF 27" LCD
 
Glorious
Gerbilus Supremus
Posts: 12343
Joined: Tue Aug 27, 2002 6:35 pm

Re: Safely hosting web services from home

Tue Jul 11, 2017 10:24 am

Arvald wrote:
I would not say that... I find remote access to my server painful and I have 60/10. I am only using it to grab the occasional document.


Ok, but you do realize that's literally all a website is: HTTP GET (Document).

Yes, if you want to quickly download a file of substantial size or stream something that requires a lot of bitrate, yeah, you are out of luck. That's not really "hosting a website" though.

LoneWolf15 wrote:
I'd answer your post by telling you how much I'll laugh when your ISP does actually disconnect you for violating their ToS. And they might be slow to catch on, but they will eventually.


This is why I keep pressing for details on what exactly he is trying to do as opposed to exclusively discussing (with pre-qualifications!) how to do it.

Like I warned him at the outset, yup, beyond just the "Mickey Mouse" approach to business he's embarking upon, as you say, he's potentially risking account termination if what he is doing even *looks* commercial.

Yes, they usually warn you a lot first, and/or try to coerce you into a much more expensive business class connection, but they typically aren't absolutely required to do that. You don't want to lose internet abruptly and then have to complain to regulatory authorities. That takes forever, whatever the resolution.
 
cheesyking
Minister of Gerbil Affairs
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
Contact:

Re: Safely hosting web services from home

Tue Jul 11, 2017 10:42 am

Duct Tape Dude wrote:
Ok so here's a revised setup draft I've come up with, yet to be implemented. Anyone care to give thoughts?

--Cloud VPS--
1. Multiple websites or services or APIs or whoknowswhats
2. Firewall
3. nginx reverse proxy, translates each service to a respective port on #5
--Home--
4. Cable modem
5. Firewall + router serving subnets A, B, and C. Inbound requests are routed to a respective server on #6 only if they are from #3.
6. Subnet A: Web server VMs, respond to requests from #5
7. Subnet B: Critical data VMs like databases or backups, respond to requests from #6
8. Subnet C: Home devices/wifi/etc, largely isolated from #6 and #7


The only real reason I can see for doing any of the cloud VPS stuff is if you're going to do caching on it. At least that way you're reducing the strain on your home upload. I suppose a variation on this might be hosting static content on the VPS but sending active content/db requests back to a more powerful server at home. Those would have to be very heavy requests for it to be worth the trouble though.

If you have all sorts of ports blocked by your ISP then having a VPS front everything makes sense as long as you actually need anything more than the VPS gives you anyway. It will probably also hide what you're doing from your ISP.

If I really felt I needed to do something like this then I'd probably use openvpn to connect the home server to the VPS. Setup the VPS to be the server then have the home servers connect as clients. I have run into problems installing openvpn on some VPSs though so you'd have to suck it and see.

You could add a IPS system to the VPS if you wanted extra security from it but then you could add that inside your home network instead, there's no benefit from doing it in a VPS.

The extra storage space at home is a red herring as you'd never be able to upload all of those TBs of stuff.
Fernando!
Your mother ate my dog!
 
LoneWolf15
Gerbil Elite
Posts: 963
Joined: Tue Feb 17, 2004 8:36 am
Location: SW Meecheegan

Re: Safely hosting web services from home

Tue Jul 11, 2017 10:44 am

Glorious wrote:
This is why I keep pressing for details on what exactly he is trying to do as opposed to exclusively discussing (with pre-qualifications!) how to do it.

Like I warned him at the outset, yup, beyond just the "Mickey Mouse" approach to business he's embarking upon, as you say, he's potentially risking account termination if what he is doing even *looks* commercial.

Yes, they usually warn you a lot first, and/or try to coerce you into a much more expensive business class connection, but they typically aren't absolutely required to do that. You don't want to lose internet abruptly and then have to complain to regulatory authorities. That takes forever, whatever the resolution.


Agreed. And my first post showed how to do it as a corporate business doing it right, which the OP would probably laugh at; but then again, I didn't find his original post very clear on what he wanted to do; apparently you didn't either.

And if you don't have a static IP and you're running a website for anyone but just you (in which case it isn't corporate, and if it's low traffic, they won't care), you need one, which probably takes the business tier anyway. But based on the OP stating they had all sorts of datacenter grade equipment lying around, I figured they were doing more than just a simple site (heck, you can run IIS on a Windows 7 workstation easy enough). So if someone's using big equipment...it's either business...or they're sharing "files" out to other people, which could be an equally big issue, resulting in ISP service termination.
i9-9900K @4.7GHz, GIGABYTE Z390 Aorus Pro WiFi, 2 x 16GB G.Skill RipJaws V PC3000
Corsair 650D, Seasonic 1Kw Platinum PSU
2x HP EX920 1TB NVMe, Samsung 850 Pro 512GB 2.5", NEC 7200 DVDRW
Gigabyte RTX 2080 Super Gaming OC, Dell S2719DGF 27" LCD
 
Duct Tape Dude
Gerbil Elite
Topic Author
Posts: 721
Joined: Thu May 02, 2013 12:37 pm

Re: Safely hosting web services from home

Tue Jul 11, 2017 1:17 pm

Thanks everyone for the responses!! I'm trying to get to them and this will probably be a big post.

EDIT: YOU KNOW WHAT? I AM MAKING A TL;DR:
-I am not hosting any business with this setup
-I am interested in hosting data-based projects and want a frontend for them
-I want to learn good network architecture
-I want to implement good network architecture at a small scale
-I have cheap home internet because I work for my ISP
-I am not hosting any business with this setup
-But I am interested in applying this architecture in a better deployment (ie: not at home, all in the cloud) for a future dream consulting business someday
-I am not hosting any business with this setup

notfred wrote:
You are massively overthinking this. Unless you go around trolling you are not going to be the recipient of a targetted attack. What you are vulnerable to is exploits in your stack on the back end and those are likely to fly straight through your fancy nginx reverse proxy and firewall e.g. Little Bobby Tables

You might as well just host straight raw to step 5.
Perhaps but I'd like the experience of doing it _right_ instead of good enough for once. Also if I skipped to step 5 then I'd have to host on port 80, which is blocked by all ISPs. I could get business-class internet if it came to it.

Arvald wrote:
Well I am going to take a different argument then the rest of these guys.
What is your upstream on your internet?

Most home services are much slower upstream than downstream. i.e. 30/5. a typical business even doing minor hosting is 100/100 or greater.
also hosting on that 30/5 link users accessing data dig into your personal bandwidth.
Then take into account that some ISPs try to limit connections (not as big a deal was it was years ago, they had to loosen this one for modern gaming)

Over all your home internet link is not enough to host a website with more than a few users.
I'm behind 240/20 or something like that. Even if connections were limited, if they're all from the proxy server, wouldn't that be seen as one big connection? Surely there's a way to enable HTTP pipelining or similar. I have no data caps because I am around my ISP's HQ. Also I get discounted internet.

Glorious wrote:
That's way too complicated, and now you have two points of failure: If either your home connection *OR* your VPS is unreachable/kaput, your system doesn't work.

It also does nothing from security, the first 3 steps do *literally* nothing: by running a reverse proxy on a VPS all you are doing is adding a hop and you are adding it on a range of addresses that's guaranteed to get more drive-by brute attempts.

This is the kind of thing where you are going to add a tremendous amount of work for yourself with no benefit, and because it's so complex, you're likely to misconfigure or overlook something that causes you problems or even unnecessary security holes.
Well, that's why this setup is for personal projects. I want to learn how to do it right and maybe start hosting some ideas I've had over the years. I don't understand why a preliminary firewall would do nothing from a security standpoint--sure it adds complexity, but the premise of multiple firewalls is the swiss cheese model of security: maybe there is a hole in one firewall, and a different hole in the second firewall (when using different vendors), but together there's a better chance of the holes not lining up and therefore fewer things will get through. From what I've read the two firewall model is typical for deployments at financial institutions, so why not try and apply it here? Plus, the first one will be backed by massive bandwidth and more DoS protection than the second.

just brew it! wrote:
Unless he's trying to run a commercial site or host a lot of multimedia content, I don't see the bandwidth being a big deal. Not sure what his service is like, but my cable internet (Comcast) service has 25 mbit upload, which should be fine for a low-traffic site.

It's more a matter of what he expects to gain from this. If the required storage is less than what comes with a cheap VPS, then just host everything on a VPS and be done with it. If dynamic IP is acceptable and bandwidth needs will be modest, hosting it directly (without the extra VPS hop) makes sense.

The sort of thing he's proposing could make sense if he wants the fixed IP, and has a lot of content which he wants to make available, but which will be infrequently accessed (and therefore won't chew up his upstream bandwidth). Yes, it's a pretty narrow use case.
I'm definitely not trying to run YouTube, just some sites as APIs or a front-end for big little data work :)
At the end of it all I expect to gain:
1) Some semblance of what setting up a properly secured and configured infrastructure is like (for low load, to start).
2) Networking experience because I suck at networking.
3) Lots of judgemental gerbils because no matter, what I did it wrong.

So far #3 is going great!

VPS or otherwise, it's just a server. I want to use the VPS to obfuscate my home IP, and as a frontline defense around DoS attacks, because VPSs are set up better for that than my little cable modem. I could just as easily move everything from home into more VPSs or everything from VPS to home with various tradeoffs, but unless someone can convince me otherwise, I'm becoming increasingly stubborn about drawing the line between cloud and home there.

You guys do drive a good point home about large static content. Much better to add a caching layer or refer to a proper CDN in case of large pictures etc. But the point of hosting from home for now is to use more powerful servers cheaply that I can crunch/fetch data on and spit out the results to a web-based front-end (API or website). I'm sure a JPEG here or there will be fine. But here's the other thing: I'm not running anything cool like TechReport, instead I'd be running low-load sites.

roncat wrote:
I agree... if your goal is to be more secure, the first 3 steps
1) create more attack surface
2) get you a crazy amount of "drive-by brute force attempts", likely multiple per minute, 24/7. You won't believe how many friends you have in China.
3) will make you maintain IPtable filters regardless
I agree there's more attack surface here but I'd argue the surface is more layered. Suppose one of my domains was found by some botnet. I'd rather have the botnet try and take out the VPS than my poor cable modem! I'd rather maintain IPTables primarily on my VPS than my home internet.

Besides, if it all went south and I gave up, I could just kill the VPS and go back to being a happy home internet user instead of swatting away bots from home.

Glorious wrote:
roncat wrote:
You won't believe how many friends you have in China.

It turns out that "root" is a REALLY common name over there!
And depite lucky 8s, they really like port 22...

LoneWolf15 wrote:
EDIT: My comments below are based on the idea that you are running non-personal web hosting, for the purpose of business, based on what you sorta-kinda specified in your original post. If that's incorrect, all bets are off. A single personal website, I'd still want a real firewall, but a lot of the redundancies aren't necessary, just power backup and data backup. And I'd want a static IP if other people than you are accessing the site.

I'd answer your post by telling you how much I'll laugh when your ISP does actually disconnect you for violating their ToS. And they might be slow to catch on, but they will eventually.

You're going to need a business grade firewall, not high-end, but you still need one, preferably with intrusion prevention and unified threat protection (read: subscription cost). You should have a second circuit in case your primary goes down. You're going to need static IPs which your ISP may not provide unless you're on the business tier, and you'll probably need more than one (and it's almost guaranteed that at most, you get one if any for a business tier). And no, Dynamic DNS isn't going to cut it, that's Mickey Mouse if you're doing a real business, and I'd never pay you to host me if that's what you were doing and I was smart. You're going to need UPS power gear, and storage for backup in addition to redundant storage for business continuity. And unless I was a small business that didn't know better, I'd ask you basic details (as a client) about what my uptime guarantee is, if you have redundancies (in case a server or a circuit goes down, or your main building gets flooded and takes out a server.

Translation: Using a host you contract to takes all of that out of your hands, doesn't violate an ISP agreement, and makes it easy to sleep at night, while you concentrate on doing the part that utilizes your real skills. Run a business like a business, not a tinkerer's hobby.
If traffic is low I'm sure they won't mind. If I have to downgrade to business internet that's ok too.
I thank you for your recommendations and I totally agree! But I'm not hosting anyone else, and if I were, I would totally get on board with a business-class firewall and static addresses for all front-facing infrastructure. The goal of this setup is to learn and implement a solid network architecture, each part of which could be upgraded as needed if transitioning to a critical business setup, but each part's function is the same. A paid firewall with intrusion prevention and threat protection is a definite step up from a simple free firewall. But the purpose of that part in the architecture remains the same: filter traffic.

Your caveats and recommendations are sound. Thank you!

Glorious wrote:
Ok, but you do realize that's literally all a website is: HTTP GET (Document).

Yes, if you want to quickly download a file of substantial size or stream something that requires a lot of bitrate, yeah, you are out of luck. That's not really "hosting a website" though.

This is why I keep pressing for details on what exactly he is trying to do as opposed to exclusively discussing (with pre-qualifications!) how to do it.

Like I warned him at the outset, yup, beyond just the "Mickey Mouse" approach to business he's embarking upon, as you say, he's potentially risking account termination if what he is doing even *looks* commercial.

Yes, they usually warn you a lot first, and/or try to coerce you into a much more expensive business class connection, but they typically aren't absolutely required to do that. You don't want to lose internet abruptly and then have to complain to regulatory authorities. That takes forever, whatever the resolution.
No business, no money earned, just personal little data projects and a sandbox. I'd like this to be an architecture I could emulate if I did do a consulting business though (with upgrades as necessary, like LoneWolf15 pointed out). This is the rehearsal, not production.

cheesyking wrote:
The only real reason I can see for doing any of the cloud VPS stuff is if you're going to do caching on it. At least that way you're reducing the strain on your home upload. I suppose a variation on this might be hosting static content on the VPS but sending active content/db requests back to a more powerful server at home. Those would have to be very heavy requests for it to be worth the trouble though.

If you have all sorts of ports blocked by your ISP then having a VPS front everything makes sense as long as you actually need anything more than the VPS gives you anyway. It will probably also hide what you're doing from your ISP.

If I really felt I needed to do something like this then I'd probably use openvpn to connect the home server to the VPS. Setup the VPS to be the server then have the home servers connect as clients. I have run into problems installing openvpn on some VPSs though so you'd have to suck it and see.

You could add a IPS system to the VPS if you wanted extra security from it but then you could add that inside your home network instead, there's no benefit from doing it in a VPS.

The extra storage space at home is a red herring as you'd never be able to upload all of those TBs of stuff.
You have a point about OpenVPN. Maybe that would be a better alternative to this setup, I'd have to draft that out.
Also on some VPSs you need to enable access to creating virtual NICs. I ran into similar issues hosting a Neorouter server on my VPS for those times when mom calls asking how to make her desktop icons smaller and I need to remote in. Love you, mom.

Totally get that a CDN should be used if I'm hosting Linux ISOs or RAW photos. I don't plan on uploading many TBs of stuff, just the results of aggregating arbitrary amounts of data. As pointed out, for small-scale sites I don't mind taking the risk of doing light obfuscation for my ISP to get around port 80 limitations.
LoneWolf15 wrote:
Agreed. And my first post showed how to do it as a corporate business doing it right, which the OP would probably laugh at; but then again, I didn't find his original post very clear on what he wanted to do; apparently you didn't either.

And if you don't have a static IP and you're running a website for anyone but just you (in which case it isn't corporate, and if it's low traffic, they won't care), you need one, which probably takes the business tier anyway. But based on the OP stating they had all sorts of datacenter grade equipment lying around, I figured they were doing more than just a simple site (heck, you can run IIS on a Windows 7 workstation easy enough). So if someone's using big equipment...it's either business...or they're sharing "files" out to other people, which could be an equally big issue, resulting in ISP service termination.
I think all along I probably should have asked "how do corporations secure themselves and what's a way to scale down that architecture enough to host a personal site?" I probably don't need 10tbps of DoS protection or heuristic threat analysis firewalls or fancy load balancers, but lesser versions of each might suit me just fine.

----

THANK YOU GERBILS. SORRY FOR THE WALL OF TEXT BUT YOU'RE ALL THE GREATEST. I really appreciate the critiques.
Also I swear _next_ year I am attending the BBQ. Wife works this BBQ weekend :(
 
captaintrav
Gerbil First Class
Posts: 178
Joined: Thu Dec 12, 2013 12:51 pm
Location: Saskatchewan, Canada

Re: Safely hosting web services from home

Tue Jul 11, 2017 1:51 pm

I will admit to not even reading all of the TLDR. I will put my two cents in regarding my experience, it's anecdotal evidence, which is obviously the best kind.

I run the most basic LAMP/Wordpress sites hosted at home, and have yet to be pwned. It's on Ubuntu, been upgraded a few times, automatic updates are turned on. I have no firewall outside of my basic home router, just port 80 forwarded to the Linux box. I have SSH enabled, but it's on a non-standard port, not because I necessarily think it's 'more secure', but just to relieve the noise in the logs from failed attempted logins from all around the world. So far going on probably 10 years without incident. I don't even have a static IP or dynamic DNS of any sort, when my outside IP has happened to change I just have to update my DNS records manually and suffer with the sites being down. :lol:
 
Glorious
Gerbilus Supremus
Posts: 12343
Joined: Tue Aug 27, 2002 6:35 pm

Re: Safely hosting web services from home

Tue Jul 11, 2017 1:56 pm

Duct Tape Dude wrote:
Also if I skipped to step 5 then I'd have to host on port 80, which is blocked by all ISPs.


No it isn't.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Safely hosting web services from home

Tue Jul 11, 2017 3:34 pm

Duct Tape Dude wrote:
-But I am interested in applying this architecture in a better deployment (ie: not at home, all in the cloud) for a future dream consulting business someday

But if you were doing this all in the cloud you wouldn't be using this architecture. A lot of your architecture (and the bulk of the resulting headaches setting this up) is a result of the weird "cloud front end plus home server back end talking over residential broadband" setup you're insisting on. So a lot of the experience you'd gain doing this won't even be relevant to your potential future consulting business.

Given that I now have a better picture of what you're trying to do, my advice would be to do the initial learning/experimentation on your LAN, with local access only. Then move the whole thing to a cloud server when you're ready to make it publicly available.
Nostalgia isn't what it used to be.
 
Duct Tape Dude
Gerbil Elite
Topic Author
Posts: 721
Joined: Thu May 02, 2013 12:37 pm

Re: Safely hosting web services from home

Tue Jul 11, 2017 4:18 pm

captaintrav wrote:
I will admit to not even reading all of the TLDR. I will put my two cents in regarding my experience, it's anecdotal evidence, which is obviously the best kind.

I run the most basic LAMP/Wordpress sites hosted at home, and have yet to be pwned. It's on Ubuntu, been upgraded a few times, automatic updates are turned on. I have no firewall outside of my basic home router, just port 80 forwarded to the Linux box. I have SSH enabled, but it's on a non-standard port, not because I necessarily think it's 'more secure', but just to relieve the noise in the logs from failed attempted logins from all around the world. So far going on probably 10 years without incident. I don't even have a static IP or dynamic DNS of any sort, when my outside IP has happened to change I just have to update my DNS records manually and suffer with the sites being down. :lol:
Haha, I still appreciate the reply though! Nothing wrong with doing what works. You bring up a good point about "dynamic IPs:" they don't really change very often these days (compared with the dialup days).
just brew it! wrote:
But if you were doing this all in the cloud you wouldn't be using this architecture. A lot of your architecture (and the bulk of the resulting headaches setting this up) is a result of the weird "cloud front end plus home server back end talking over residential broadband" setup you're insisting on. So a lot of the experience you'd gain doing this won't even be relevant to your potential future consulting business.

Given that I now have a better picture of what you're trying to do, my advice would be to do the initial learning/experimentation on your LAN, with local access only. Then move the whole thing to a cloud server when you're ready to make it publicly available.
I'm a bit confused by your reply because your first paragraph infers this is not a good architecture even 100% in the cloud, but your second paragraph infers it is good enough if I move to 100% cloud. I agree 100% cloud would be good for future endeavors, but the point is to prototype something worthwhile. What would be a superior cloud network layout? Shouldn't the fact that some servers sit in-house (in my case, literally) be nothing more than a configuration change? The arch should be the same.

Maybe you are right and I should hold off on my dreams for a publicly facing prototype arch in the first place. It seems less fun but it's probably more sensible.

After poking around a few more sample diagrams of dual firewall deployments I think the architecture I've ended up with is quite similar. I spoke briefly with someone in the financial sector and at his company they did the following:

1. Firewall
2. Load balancers/proxies
3. Second firewall from a different vendor
4. Application servers
5. Database servers

I really don't see much difference between this and what I outlined earlier if we assume the connections between 3, 4, and 5 have appropriate routing rules. Though maybe I don't need load balancing! :)
Last edited by Duct Tape Dude on Tue Jul 11, 2017 4:24 pm, edited 1 time in total.
 
Duct Tape Dude
Gerbil Elite
Topic Author
Posts: 721
Joined: Thu May 02, 2013 12:37 pm

Re: Safely hosting web services from home

Tue Jul 11, 2017 4:23 pm

Apologies for 2 things:
1. This double post
2. Pulling a whm and stream of consciousness-ing my latest revelations but I did just find this: http://www.opensecurityarchitecture.org ... web-server

Maybe I should print this out and take some scissors to whatever I don't want to implement. Oh and draw my house on one of the boxes.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Safely hosting web services from home

Tue Jul 11, 2017 4:37 pm

Duct Tape Dude wrote:
just brew it! wrote:
But if you were doing this all in the cloud you wouldn't be using this architecture. A lot of your architecture (and the bulk of the resulting headaches setting this up) is a result of the weird "cloud front end plus home server back end talking over residential broadband" setup you're insisting on. So a lot of the experience you'd gain doing this won't even be relevant to your potential future consulting business.

Given that I now have a better picture of what you're trying to do, my advice would be to do the initial learning/experimentation on your LAN, with local access only. Then move the whole thing to a cloud server when you're ready to make it publicly available.
I'm a bit confused by your reply because your first paragraph infers this is not a good architecture even 100% in the cloud, but your second paragraph infers it is good enough if I move to 100% cloud. I agree 100% cloud would be good for future endeavors, but the point is to prototype something worthwhile. What would be a superior cloud network layout? Shouldn't the fact that some servers sit in-house (in my case, literally) be nothing more than a configuration change? The arch should be the same.

I was referring to the need to set up some sort of VPN/tunnel/proxy/whatever to get the connection from the front end to the server, and the extra security measures to make sure your home network doesn't get p0wned if someone compromises the back end server.

As far as setting up load balancers, application servers, database servers, etc. goes, yeah that'll be essentially the same. But you can just do all of that on your LAN (or even in VMs with virtual network connections) until you're confident enough to stand it up in the Cloud and allow outside traffic.

Unless you're dealing with a really high-traffic site, you're probably going to run all of it on the same box or VPS anyway. No load balancers, no separate application/back-end servers. Just one system that does everything (i.e., the application front end will talk to the back-end services over a localhost connection).
Nostalgia isn't what it used to be.
 
Duct Tape Dude
Gerbil Elite
Topic Author
Posts: 721
Joined: Thu May 02, 2013 12:37 pm

Re: Safely hosting web services from home

Tue Jul 11, 2017 5:01 pm

just brew it! wrote:
I was referring to the need to set up some sort of VPN/tunnel/proxy/whatever to get the connection from the front end to the server, and the extra security measures to make sure your home network doesn't get p0wned if someone compromises the back end server.

As far as setting up load balancers, application servers, database servers, etc. goes, yeah that'll be essentially the same. But you can just do all of that on your LAN (or even in VMs with virtual network connections) until you're confident enough to stand it up in the Cloud and allow outside traffic.

Unless you're dealing with a really high-traffic site, you're probably going to run all of it on the same box or VPS anyway. No load balancers, no separate application/back-end servers. Just one system that does everything (i.e., the application front end will talk to the back-end services over a localhost connection).
Ah, I see. I think I would use a secured link between every server regardless if it's cloud or home, so that if anything is compromised little is left to chance. Maybe I will end up running it on the same box anyway via VM or docker. Not like I'm compiling Linux kernels all day on each box... who would want to do that? :P
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Safely hosting web services from home

Tue Jul 11, 2017 6:08 pm

Duct Tape Dude wrote:
Ah, I see. I think I would use a secured link between every server regardless if it's cloud or home, so that if anything is compromised little is left to chance. Maybe I will end up running it on the same box anyway via VM or docker. Not like I'm compiling Linux kernels all day on each box... who would want to do that? :P

I'm not sure what you think you'd be "leaving to chance" here.

Modern switched Ethernet is effectively point-to-point, so compromising a local network link would require either compromising one of the servers (in which case "game over" whether the link between them is secured or not), or a network router/switch (in which case an encrypted link would protect that connection from snooping, but this scenario is much less likely).

If the site is busy enough that you're considering a multi-server setup to spread the load, you're probably not going to be thrilled with incurring the encryption overhead just to shuffle internal traffic around...
Nostalgia isn't what it used to be.
 
Duct Tape Dude
Gerbil Elite
Topic Author
Posts: 721
Joined: Thu May 02, 2013 12:37 pm

Re: Safely hosting web services from home

Tue Jul 11, 2017 6:19 pm

just brew it! wrote:
I'm not sure what you think you'd be "leaving to chance" here.

Modern switched Ethernet is effectively point-to-point, so compromising a local network link would require either compromising one of the servers (in which case "game over" whether the link between them is secured or not), or a network router/switch (in which case an encrypted link would protect that connection from snooping, but this scenario is much less likely).

If the site is busy enough that you're considering a multi-server setup to spread the load, you're probably not going to be thrilled with incurring the encryption overhead just to shuffle internal traffic around...
I'm talking about protocols and open ports rather than the PHY layer. I didn't mean to infer that I wanted load balancing--I don't have use for that. I understand encryption is CPU-heavy.
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: Safely hosting web services from home

Tue Jul 11, 2017 6:38 pm

Encryption USED to be CPU heavy. Modern CPUs with modern instruction sets (e.g. AES-NI, SHA extensions) can do staggering amounts of crypto throughput. Even without those instruction sets, the modern vector instructions still give a huge performance improvement.

https://www.keycdn.com/blog/https-performance-overhead/
a peak increase in CPU usage of only 2%. In January 2010, Gmail switched to using HTTPS for everything by default. They didn’t deploy any additional machines or special hardware and on their frontend machines, SSL/TLS accounted for less than 1% of the CPU load.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Safely hosting web services from home

Tue Jul 11, 2017 6:53 pm

Duct Tape Dude wrote:
I'm talking about protocols and open ports rather than the PHY layer. I didn't mean to infer that I wanted load balancing--I don't have use for that. I understand encryption is CPU-heavy.

The rule is pretty simple: Disable or block all unnecessary protocols and services, and (for back-end systems) limit the connections to whitelisted IPs.

80 and 443 should be the only incoming ports open on the front-end server. Back-end servers (if any) should only open ports needed by the protocol used to communicate with the front-end, and should only accept connections which originate from the front-end server's IP.

Plus whatever port(s) you use for maintenance, of course. You can require that those maintenance connections go through a single "jump" server (which could be the same system as your front-end) to minimize the number of systems directly exposed to the internet.
Nostalgia isn't what it used to be.
 
trackerben
Minister of Gerbil Affairs
Posts: 2188
Joined: Mon Jun 15, 2009 12:28 am
Location: 'Tween oceans...

Re: Safely hosting web services from home

Mon Jul 17, 2017 8:38 am

Does anyone have experience with Windscribe, PureVPN, VPN Unlimited, etc. and their current lifetime subscription deals? I'm thinking of stashing me some spare connections for traveling.

Who is online

Users browsing this forum: No registered users and 1 guest
GZIP: On