this post was submitted on 29 Dec 2023
111 points (96.6% liked)

Selfhosted

40369 readers
363 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I work in tech and am constantly finding solutions to problems, often on other people's tech blogs, that I think "I should write that down somewhere" and, well, I want to actually start doing that, but I don't want to pay someone else to host it.

I have a Synology NAS, a sweet domain name, and familiarity with both Docker and Cloudflare tunnels. Would I be opening myself up to a world of hurt if I hosted a publicly available website on my NAS using [insert simple blogging platform], in a Docker container and behind some sort of Cloudflare protection?

In theory that's enough levels of protection and isolation but I don't know enough about it to not be paranoid about everything getting popped and providing access to the wider NAS as a whole.

Update: Thanks for the replies, everyone, they've been really helpful and somewhat reassuring. I think I'm going to have a look at Github and Cloudflare's pages as my first port of call for my needs.

you are viewing a single comment's thread
view the rest of the comments
[–] linearchaos 17 points 11 months ago (2 children)

The first worry are vectors around the Synology, It's firmware, and network stack. Those devices are very closely scrutinized. Historically there have been many different vulnerabilities found and patched. Something like the log4j vulnerabilities back in the day where something just has to hit the logging system too hit you might open a hole in any of the other standard software packages there. And because the platform is so well known, once one vulnerability is found they already know what else exists by default and have plans for ways to attack it.

Vulnerabilities that COULD affect you in this case for few and far between but few and far between are how things happen.

The next concern you're going to have are going to be someone slipping you a mickey in a container image. By and large it's a bunch of good people maintaining the container images. They're including packages from other good people. But this also means that there is a hell of a lot of cooks in the kitchen, and distribution, and upstream.

To be perfectly honest, with everything on auto update, cloud flares built-in protections for DDOS and attacks, and the nature of what you're trying to host, you're probably safe enough. There's no three letter government agency or elite hacker group specifically after you. You're far more likely to accidentally trip upon a zero day email image filter /pdf vulnerability and get bot netted as you are someone successfully attacking your Argo tunnel.

That said, it's always better to host in someone else's backyard than your own. If I were really, really stuck on hosting in my house on my network, I probably stand up a dedicated box, maybe something as small as a pi 0. I'd make sure that I had a really decent router / firewall and slip that hosting device into an isolated network that's not allowed to reach out to anything else on my network.

Assume at all times that the box is toxic waste and that is an entry point into your network. Leave it isolated. No port forwards, you already have tunnels for that, don't use it for DNS don't use it for DHCP, Don't allow You're network users or devices to see ARP traffic from it.

Firewall drops everything between your home network and that box except SSH in, or maybe VNC in depending on your level of comfort.

[–] [email protected] 3 points 11 months ago (1 children)

Are you my brain? This exactly the sort of thing I think about when I say I'm paranoid about self-hosting! Alas, as much as I'd like to be able to add an extra box just for that level of isolation it'd probably take more of a time commitment than I have available to get it properly setup.

The attraction of docker containers, of course, is that they're largely ready to go with sensible default settings out of the box, and maintenance is taken care of by somebody else.

[–] linearchaos 1 points 11 months ago

Oh yeah, I totally get the allure of containers. I use them myself just not in production.

To be fair, python and node both suffer from the same kind of worries. And stuff gets slipped into those repos not too infrequently.

[–] [email protected] 1 points 11 months ago (2 children)

Can i ask you to elaborate on this part

Assume at all times that the box is toxic waste and that is an entry point into your network. Leave it isolated. No port forwards, you already have tunnels for that, don't use it for DNS don't use it for DHCP, Don't allow You're network users or devices to see ARP traffic from it.

I used to have a separate box, but the only thing it did was port forwarding

Specifically i don't really understand the topology of this setup, and how do i set it up

[–] [email protected] 2 points 11 months ago (1 children)

Cloudflare tunnel is a thin client that runs on your machine to Cloudflare; when there’s a request from outside to Cloudflare, it relays it via the established tunnel to the machine. As such, your machine only need outbound internet access (to Cloudflare servers) and no need for inbound access (I.e. port forwarding).

[–] [email protected] 1 points 11 months ago (1 children)

Thank you for your reply, but i actually was asking about the network stuff 😅

I used to use cloudflare tunnels for many years, now i'm a bit too tin foiled to use any cloudflare 😅

[–] [email protected] 2 points 11 months ago

Ah sorry I went down the wrong rabbit hole.

I’d imagine an isolated VLAN should be sufficient good starting point to prevent anyone from stumbling on to it locally, as well as any potential external intruder stumbling out of it?

[–] linearchaos 2 points 11 months ago (1 children)

You need to have a rather capable router / firewall combo.

You could pick up a ubiquity USG. Or set up something with an isp router and a PF sense firewall.

You need to have separate networks in your house. And the ability to set firewall rules between the networks.

The network that contains the hosting box needs to have absolutely no access to anything else in your house except it's route out to the internet. Don't have it go to your router for DHCP set it up statically. Don't have it go to your router for DNS, choose an external source.

The firewall rules for that network are allow outbound internet with return traffic, allow SSH and maybe VNC from your home network, then deny all.

The idea is that you assume the box is capable of getting infected. So you just make sure that the box can live safely in your network even if it is compromised.

[–] [email protected] 2 points 11 months ago (1 children)

(I just noticed i replied to your another comment, but still to you 😬)

Now i'm a little bit confused, what does it do then?

If the box doesn't have access to anything on the network, how would it do anything?

[–] linearchaos 2 points 11 months ago (1 children)

The box you're hosting on only needs internet access to connect the tunnel. Cloudflare terminates that SSL connection right in a piece of software on your web server.

[–] [email protected] 1 points 11 months ago

I mean, what does it host if the only thing it has access to is the internet?