TravelMug wrote:
Don't, it's not worth it for a website or API (not sure what that "something" is so I'll leave it). That "expensive cloud server" is in fact a $5-$10 per month VPS with someone like Linode or Digital Ocean for a website or an API.
Glorious wrote:
So that's the first question: Is this for laughs/personal use, or are you trying to do something serious?

Mostly for personal use.
bthylafh wrote:
IIRC Digital Ocean's bottom-end service is also $5/month and should be similar to Linode's.
Glorious wrote:
I use digitalocean's $5 a month tier and have never had a problem.

I'm on RAMNode's $35/year plan and it's incredible.
Duct Tape Dude wrote:
I'm disappointed, TR. I did not ask for VPS reviews. Now let's dream for a moment: How would you actually answer my original post?
just brew it! wrote:
I imagine you could set up some sort of VPN and proxy requests from the cloud box's web server through to your box.

Yeah, this is closer to what I was hoping to have detailed: is a reverse proxy (maybe over an SSH tunnel) "safe enough"?
Glorious wrote:
That's where you need to clarify. You'll get away with personal use, but if you are doing something that either is commercial or at least looks commercial, you could very easily find yourself forced into a more expensive business-class connection or get yourself terminated.

Hence the wanton disregard in my original post. Can we just disregard all the things I asked to disregard and, even if for complete funsies, focus on the problem I outlined?
Glorious wrote:
What are you trying to do?
The reason I'm asking is because while I have a VPS with some things, I also have several servers on my home network that are (sorta) open to the internet: I host minecraft, various web front-ends, ssh server, etc...

A direct connection to the internet is exactly what I'd like to avoid. Basically, I already have #2 working as a static VPN host for #4. But suppose I felt like hosting personal projects or websites (or even a Minecraft server) locally and wanted it safely accessible to the outside--is using #2 in conjunction with #3 safer than just going straight to #4?
Duct Tape Dude wrote:
Edit: Alternatively, what do self-hosted businesses do? They must have a static IP with some sort of firewall/router to serve requests to different internal servers. How can what I'm asking be so different?
Glorious wrote:
Well, you have a direct connection to the internet already. Do you mean that you don't want your home's IP address to have any open ports?

Ah, of course. Yes, that's what I meant.
Glorious wrote:
Fundamentally, however you route it, if your home servers have ports open to the internet at large, it's essentially the same risk. Adding another hop via your own VPN or a poor man's version of the same with some sort of tunneling scheme doesn't particularly make any meaningful difference, security-wise.
If anything, if you are going through a VPS provider, you're going to see MORE access attempts, because those ranges are hit harder by brute-force service triers than the residential ranges.

That sort of answers the question, and that's also a good point.
Glorious wrote:
It really does come down to what you are trying to do. If it's just for you, you could always VPN into your home network as the only way anyone can get in. You could firewall+whitelist all the places you or your friends use to access the internet, and if you need to add a place easily you could leave ssh up on a VPS with a white-listed way into your firewall so you can add new IPs as needed.

I see what you mean, but the point of a website on the world wide web is to access it worldwide.
Glorious wrote:
It's not, but the security comes from the firewall.

Ah, perfect. What's the best option to set one up on the VPS then? Pfsense?
Glorious wrote:
Are you asking how to make your home connection canonical? That is, some way by which you can reliably address it from anywhere on the internet?

Yeah, I guess so, though not my home connection but rather services hosted in my home. I am familiar with no-ip's services and used them for several years before getting a static-IP'd VPS.
Glorious wrote:
If we get to the point of layering against DoS, you're already in trouble with your ISP.

Right, that's half the point of the VPS: it has some built-in DoS protection, whereas my home services do not.
just brew it! wrote:
What you should be looking at is how to wall off the server so that if it gets compromised, it doesn't have access to the rest of your LAN.
When I was self-hosting I was fortunate enough to have two static IPs. I put my LAN router on one IP, and the server on the other -- outside my LAN. IOW, I treated my own server as potentially hostile/compromised.

Yes! Now we're talking! So because I only have one IP address (2 if you count ipv6, and up to 6 if you count the X1 box, but that's another story...) would something like a router that supports VLANs be safe enough? i.e.: confine all traffic from #1 to #4 to its own VLAN, and remote in to any machine in that chain to admin it?
just brew it! wrote:
If you've got Comcast for your broadband maybe you could connect the server via the public WiFi hotspot functionality to get some isolation from your LAN?

HAHA!! That is quite creative! The hotspots are pretty locked down and might be perfect for that sort of thing (assuming I don't host on port 80). I think I still have a few in range despite getting my own router.
just brew it! wrote:
Failing that, I'd probably run the server in a NATted VM, and set up the host's routing tables to restrict the host's access to the LAN. At least this way, an attacker would need to be able to compromise the web server, break out of the VM sandbox, and find a privilege escalation exploit on the host to cause trouble.

Very sensible. I prefer running everything in a VM anyway, but could probably use some suggestions or guides on how to set up the routing specifically. I guess the idea would be to confine all web traffic to its own VLAN, firewall everything, then whitelist each connection as needed. How might one do that? pfsense? iptables?
Duct Tape Dude wrote:
A web request is to travel through the following chain. As safely as possible, solve for #3 in terms of software, protocols, and/or hardware:
2. Cheap cloud server with static IP and nginx or other routing software
4. profit! TR Gerbil hardware
i.e.: What is the safest way to serve requests from #1 to #4 and back? And is this a viable/safe enough setup in the first place?
deruberhanyok wrote:
I worked at a company that did something very similar - they had a website portal that was used by customer equipment to check for updates, etc. This lived off in the cloud for reasons. But it connected back to some internal systems that hosted the data. The internal systems pushed updates out to the cloud system, then customer equipment would check in with the cloud system and pull the update down from there.
deruberhanyok wrote:
I'd also take the step further that any internet-bound traffic from your basement servers (update checks, etc) go up through the tunnel and then out to the internet from there.

That seems like a sufficiently paranoid suggestion to be worth using.
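The isolation just brew it! and deruberhanyok describe above (web server in a NATted VM, treated as compromised, cut off from the LAN, with its own outbound traffic forced back up the tunnel to the VPS) as an added example that is not code from the thread: iptables rules for the home host (#4). The LAN/VM subnets, the VM address, the interface names and the service port are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Firewall for the home host that runs
# the web server in a NATted VM. The VM may only (a) answer the reverse
# proxy arriving over the tunnel from the VPS and (b) send its own traffic
# back out through that tunnel. It never reaches the home LAN or the host.
# Every address and interface name here is an assumption for illustration.
LAN_NET=192.168.1.0/24      # home LAN the VM must never reach
VM_NET=192.168.100.0/24     # NAT network the hypervisor gives the VM
VM_IP=192.168.100.10
VM_IF=virbr0                # host side of the VM's NAT bridge
TUN_IF=wg0                  # VPN/SSH tunnel terminating the VPS hop
SVC_PORT=8080               # port the proxied web app listens on in the VM

# Emit the ruleset instead of applying it, so it can be reviewed and tested
# without root. Order matters: the LAN DROP must precede the tunnel ACCEPT,
# and the final DROP catches anything not explicitly allowed.
vm_isolation_rules() {
  cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
iptables -N VM_FWD 2>/dev/null || iptables -F VM_FWD
iptables -A FORWARD -i $VM_IF -j VM_FWD
iptables -A FORWARD -o $VM_IF -j VM_FWD
iptables -A VM_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VM_FWD -i $TUN_IF -o $VM_IF -d $VM_IP -p tcp --dport $SVC_PORT -j ACCEPT
iptables -A VM_FWD -i $VM_IF -d $LAN_NET -j DROP
iptables -A VM_FWD -i $VM_IF -o $TUN_IF -j ACCEPT
iptables -A VM_FWD -j DROP
iptables -t nat -A POSTROUTING -s $VM_NET -o $TUN_IF -j MASQUERADE
iptables -A INPUT -i $VM_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $VM_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $VM_IF -j DROP
EOF
}

# The VPS proxy only ever talks to the host's tunnel address; the host hands
# that connection to the VM, so the VM's address is never exposed anywhere.
vm_dnat_rule() {
  echo "iptables -t nat -A PREROUTING -i $TUN_IF -p tcp --dport $SVC_PORT -j DNAT --to-destination $VM_IP:$SVC_PORT"
}

# Apply everything; run as root on the home host after the tunnel is up.
apply_rules() {
  { vm_dnat_rule; vm_isolation_rules; } | sh -e
}
```

The VM's DNS must then resolve via the host's bridge resolver (the single UDP/53 allowance) or via a resolver reachable through the tunnel; anything on the LAN is unreachable by design.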
deruberhanyok wrote:
As to "safe" I'm just working on the assumption that you mean "won't break my stuff at home".

Spot on.
steelcity_ballin wrote:
Is your API token-based? Is it rate-limited? I'd worry about some internet schmuck quickly abusing your data and exposing your scheme to your ISP when lots of data starts flowing to outbound requests.

The VPS comes with some DoS mitigation and as for API token/size/rate limits, it depends on whatever personal project I'm working on. But both those things are worth implementing.
Duct Tape Dude wrote:
Thanks so much, deruberhanyok. This is the kind of TR discussion I was looking for. To me, "cheap cloud server" means plenty of traffic but limited disk/RAM/CPU. It gets expensive to store things quickly in the cloud or do heavy computation, but traffic is measured in hundreds of gigs.
JBI wrote:
Depends what you mean by "limited", which in turn depends on what you're trying to store/compute. Linode's $5 plan includes a gig of RAM, 20GB of SSD, and one CPU core. Unless you're expecting a lot of traffic and/or planning to store a lot of multi-media, that's more than big/fast enough for a personal site. Unless you're planning to do on-the-fly media transcoding there's probably not much in the way of heavy computation either.
Arvald wrote:
Well, I am going to take a different argument than the rest of these guys.
What is your upstream on your internet?
Most home services are much slower upstream than downstream, i.e. 30/5. A typical business even doing minor hosting is 100/100 or greater.
Also, when hosting on that 30/5 link, users accessing data dig into your personal bandwidth.
Then take into account that some ISPs try to limit connections (not as big a deal as it was years ago; they had to loosen this one for modern gaming).
Overall, your home internet link is not enough to host a website with more than a few users.
Glorious wrote:
That's way too complicated, and now you have two points of failure: If either your home connection *OR* your VPS is unreachable/kaput, your system doesn't work.
It also does nothing for security; the first 3 steps do *literally* nothing: by running a reverse proxy on a VPS all you are doing is adding a hop, and you are adding it on a range of addresses that's guaranteed to get more drive-by brute attempts.
This is the kind of thing where you are going to add a tremendous amount of work for yourself with no benefit, and because it's so complex, you're likely to misconfigure or overlook something that causes you problems or even unnecessary security holes.
JBI wrote:
Unless he's trying to run a commercial site or host a lot of multimedia content, I don't see the bandwidth being a big deal. Not sure what his service is like, but my cable internet (Comcast) service has 25 mbit upload, which should be fine for a low-traffic site.
roncat wrote:
You won't believe how many friends you have in China.