Thanks everyone for the responses!! I'm trying to get to them and this will probably be a big post.
EDIT: YOU KNOW WHAT? I AM MAKING A TL;DR:
-I am not hosting any business with this setup
-I am interested in hosting data-based projects and want a frontend for them
-I want to learn good network architecture
-I want to implement good network architecture at a small scale
-I have cheap home internet because I work for my ISP
-I am not hosting any business with this setup
-But I am interested in applying this architecture in a better deployment (ie: not at home, all in the cloud) for a future dream consulting business someday
-I am not hosting any business with this setup
You are massively overthinking this. Unless you go around trolling you are not going to be the recipient of a targetted attack. What you are vulnerable to is exploits in your stack on the back end and those are likely to fly straight through your fancy nginx reverse proxy and firewall e.g. Little Bobby Tables
You might as well just host straight raw to step 5.
Perhaps but I'd like the experience of doing it _right_ instead of good enough for once. Also if I skipped to step 5 then I'd have to host on port 80, which is blocked by all ISPs. I could get business-class internet if it came to it.
Well I am going to take a different argument then the rest of these guys.
What is your upstream on your internet?
Most home services are much slower upstream than downstream. i.e. 30/5. a typical business even doing minor hosting is 100/100 or greater.
also hosting on that 30/5 link users accessing data dig into your personal bandwidth.
Then take into account that some ISPs try to limit connections (not as big a deal was it was years ago, they had to loosen this one for modern gaming)
Over all your home internet link is not enough to host a website with more than a few users.
I'm behind 240/20 or something like that. Even if connections were limited, if they're all from the proxy server, wouldn't that be seen as one big connection? Surely there's a way to enable HTTP pipelining or similar. I have no data caps because I am around my ISP's HQ. Also I get discounted internet.
That's way too complicated, and now you have two points of failure: If either your home connection *OR* your VPS is unreachable/kaput, your system doesn't work.
It also does nothing from security, the first 3 steps do *literally* nothing: by running a reverse proxy on a VPS all you are doing is adding a hop and you are adding it on a range of addresses that's guaranteed to get more drive-by brute attempts.
This is the kind of thing where you are going to add a tremendous amount of work for yourself with no benefit, and because it's so complex, you're likely to misconfigure or overlook something that causes you problems or even unnecessary security holes.
Well, that's why this setup is for personal projects. I want to learn how to do it right and maybe start hosting some ideas I've had over the years. I don't understand why a preliminary firewall would do nothing from a security standpoint--sure it adds complexity, but the premise of multiple firewalls is the swiss cheese model of security: maybe there is a hole in one firewall, and a different hole in the second firewall (when using different vendors), but together there's a better chance of the holes not lining up and therefore fewer things will get through. From what I've read the two firewall model is typical for deployments at financial institutions, so why not try and apply it here? Plus, the first one will be backed by massive bandwidth and more DoS protection than the second.
just brew it! wrote:
Unless he's trying to run a commercial site or host a lot of multimedia content, I don't see the bandwidth being a big deal. Not sure what his service is like, but my cable internet (Comcast) service has 25 mbit upload, which should be fine for a low-traffic site.
It's more a matter of what he expects to gain from this. If the required storage is less than what comes with a cheap VPS, then just host everything on a VPS and be done with it. If dynamic IP is acceptable and bandwidth needs will be modest, hosting it directly (without the extra VPS hop) makes sense.
The sort of thing he's proposing could make sense if he wants the fixed IP, and has a lot of content which he wants to make available, but which will be infrequently accessed (and therefore won't chew up his upstream bandwidth). Yes, it's a pretty narrow use case.
I'm definitely not trying to run YouTube, just some sites as APIs or a front-end for big
little data work
At the end of it all I expect to gain:
1) Some semblance of what setting up a properly secured and configured infrastructure is like (for low load, to start).
2) Networking experience because I suck at networking.
3) Lots of judgemental gerbils because no matter, what I did it wrong.
So far #3 is going great!
VPS or otherwise, it's just a server. I want to use the VPS to obfuscate my home IP, and as a frontline defense around DoS attacks, because VPSs are set up better for that than my little cable modem. I could just as easily move everything from home into more VPSs or everything from VPS to home with various tradeoffs, but unless someone can convince me otherwise, I'm becoming increasingly stubborn about drawing the line between cloud and home there.
You guys do drive a good point home about large static content. Much better to add a caching layer or refer to a proper CDN in case of large pictures etc. But the point of hosting from home for now is to use more powerful servers cheaply that I can crunch/fetch data on and spit out the results to a web-based front-end (API or website). I'm sure a JPEG here or there will be fine. But here's the other thing: I'm not running anything cool like TechReport, instead I'd be running low-load sites.
I agree... if your goal is to be more secure, the first 3 steps
1) create more attack surface
2) get you a crazy amount of "drive-by brute force attempts", likely multiple per minute, 24/7. You won't believe how many friends you have in China.
3) will make you maintain IPtable filters regardless
I agree there's more attack surface here but I'd argue the surface is more layered. Suppose one of my domains was found by some botnet. I'd rather have the botnet try and take out the VPS than my poor cable modem! I'd rather maintain IPTables primarily on my VPS than my home internet.
Besides, if it all went south and I gave up, I could just kill the VPS and go back to being a happy home internet user instead of swatting away bots from home.
You won't believe how many friends you have in China.
It turns out that "root" is a REALLY common name over there!
And depite lucky 8s, they really like port 22...
EDIT: My comments below are based on the idea that you are running non-personal web hosting, for the purpose of business, based on what you sorta-kinda specified in your original post. If that's incorrect, all bets are off. A single personal website, I'd still want a real firewall, but a lot of the redundancies aren't necessary, just power backup and data backup. And I'd want a static IP if other people than you are accessing the site.
I'd answer your post by telling you how much I'll laugh when your ISP does actually disconnect you for violating their ToS. And they might be slow to catch on, but they will eventually.
You're going to need a business grade firewall, not high-end, but you still need one, preferably with intrusion prevention and unified threat protection (read: subscription cost). You should have a second circuit in case your primary goes down. You're going to need static IPs which your ISP may not provide unless you're on the business tier, and you'll probably need more than one (and it's almost guaranteed that at most, you get one if any for a business tier). And no, Dynamic DNS isn't going to cut it, that's Mickey Mouse if you're doing a real business, and I'd never pay you to host me if that's what you were doing and I was smart. You're going to need UPS power gear, and storage for backup in addition to redundant storage for business continuity. And unless I was a small business that didn't know better, I'd ask you basic details (as a client) about what my uptime guarantee is, if you have redundancies (in case a server or a circuit goes down, or your main building gets flooded and takes out a server.
Translation: Using a host you contract to takes all of that out of your hands, doesn't violate an ISP agreement, and makes it easy to sleep at night, while you concentrate on doing the part that utilizes your real skills. Run a business like a business, not a tinkerer's hobby.
If traffic is low I'm sure they won't mind. If I have to downgrade to business internet that's ok too.
I thank you for your recommendations and I totally agree! But I'm not hosting anyone else, and if I were, I would totally
get on board with a business-class firewall and static addresses for all front-facing infrastructure. The goal of this setup is to learn and implement a solid network architecture, each part of which could be upgraded as needed if transitioning to a critical business setup, but each part's function
is the same. A paid firewall with intrusion prevention and threat protection is a definite step up from a simple free firewall. But the purpose of that part in the architecture remains the same: filter traffic.
Your caveats and recommendations are sound. Thank you!
Ok, but you do realize that's literally all a website is: HTTP GET (Document).
Yes, if you want to quickly download a file of substantial size or stream something that requires a lot of bitrate, yeah, you are out of luck. That's not really "hosting a website" though.
This is why I keep pressing for details on what exactly he is trying to do as opposed to exclusively discussing (with pre-qualifications!) how to do it.
Like I warned him at the outset, yup, beyond just the "Mickey Mouse" approach to business he's embarking upon, as you say, he's potentially risking account termination if what he is doing even *looks* commercial.
Yes, they usually warn you a lot first, and/or try to coerce you into a much more expensive business class connection, but they typically aren't absolutely required to do that. You don't want to lose internet abruptly and then have to complain to regulatory authorities. That takes forever, whatever the resolution.
No business, no money earned, just personal little data projects and a sandbox. I'd like this to be an architecture I could emulate if I did
do a consulting business though (with upgrades as necessary, like LoneWolf15 pointed out). This is the rehearsal, not production.
The only real reason I can see for doing any of the cloud VPS stuff is if you're going to do caching on it. At least that way you're reducing the strain on your home upload. I suppose a variation on this might be hosting static content on the VPS but sending active content/db requests back to a more powerful server at home. Those would have to be very heavy requests for it to be worth the trouble though.
If you have all sorts of ports blocked by your ISP then having a VPS front everything makes sense as long as you actually need anything more than the VPS gives you anyway. It will probably also hide what you're doing from your ISP.
If I really felt I needed to do something like this then I'd probably use openvpn to connect the home server to the VPS. Setup the VPS to be the server then have the home servers connect as clients. I have run into problems installing openvpn on some VPSs though so you'd have to suck it and see.
You could add a IPS system to the VPS if you wanted extra security from it but then you could add that inside your home network instead, there's no benefit from doing it in a VPS.
The extra storage space at home is a red herring as you'd never be able to upload all of those TBs of stuff.
You have a point about OpenVPN. Maybe that would be a better alternative to this setup, I'd have to draft that out.
Also on some VPSs you need to enable access to creating virtual NICs. I ran into similar issues hosting a Neorouter server on my VPS for those times when mom calls asking how to make her desktop icons smaller and I need to remote in. Love you, mom.
Totally get that a CDN should be used if I'm hosting Linux ISOs or RAW photos. I don't plan on uploading many TBs of stuff, just the results of aggregating arbitrary amounts of data. As pointed out, for small-scale sites I don't mind taking the risk of doing light obfuscation for my ISP to get around port 80 limitations.
Agreed. And my first post showed how to do it as a corporate business doing it right, which the OP would probably laugh at; but then again, I didn't find his original post very clear on what he wanted to do; apparently you didn't either.
And if you don't have a static IP and you're running a website for anyone but just you (in which case it isn't corporate, and if it's low traffic, they won't care), you need one, which probably takes the business tier anyway. But based on the OP stating they had all sorts of datacenter grade equipment lying around, I figured they were doing more than just a simple site (heck, you can run IIS on a Windows 7 workstation easy enough). So if someone's using big equipment...it's either business...or they're sharing "files" out to other people, which could be an equally big issue, resulting in ISP service termination.
I think all along I probably should have asked "how do corporations secure themselves and what's a way to scale down that architecture enough to host a personal site?" I probably don't need 10tbps of DoS protection or heuristic threat analysis firewalls or fancy load balancers, but lesser versions of each might suit me just fine.
THANK YOU GERBILS. SORRY FOR THE WALL OF TEXT BUT YOU'RE ALL THE GREATEST. I really appreciate the critiques.
Also I swear _next_ year I am attending the BBQ. Wife works this BBQ weekend