I work in tech and am constantly finding solutions to problems, often on other people’s tech blogs, that I think “I should write that down somewhere” and, well, I want to actually start doing that, but I don’t want to pay someone else to host it.

I have a Synology NAS, a sweet domain name, and familiarity with both Docker and Cloudflare tunnels. Would I be opening myself up to a world of hurt if I hosted a publicly available website on my NAS using [insert simple blogging platform], in a Docker container and behind some sort of Cloudflare protection?

In theory that’s enough levels of protection and isolation but I don’t know enough about it to not be paranoid about everything getting popped and providing access to the wider NAS as a whole.

Update: Thanks for the replies, everyone, they’ve been really helpful and somewhat reassuring. I think I’m going to have a look at Github and Cloudflare’s pages as my first port of call for my needs.

  • jgkawell@lemmy.world
    1 year ago

    I’ll let folks with more security experience dive into your specific question, but another option is to host your website on something like Github pages (using a static website generator like Jekyll) and point Cloudflare at it. That way you don’t need anything pointed at your local network, get the uptime of Github, and still benefit from your own domain name.

    That’s what I’m doing with my own blog and it’s been great. Github provides the service for free but if they ever charge for it I’ll just start hosting it locally.

  • that guy@lemmy.world
    1 year ago

    I know it’s not technically “self” hosted but I’d get a cheap yearly VPS somewhere and run a webserver off of that. For me it’s worth the peace of mind to keep my network a temple instead of a bus terminal. I paid $13 USD for the year for mine.

    • TedZanzibar@feddit.ukOP
      1 year ago

      A VPS makes sense insofar as keeping things thoroughly isolated from my own systems, but the overhead of maintaining a box that’s directly connected to the Internet like that isn’t something I’m keen on and I’m not convinced I’d have the expertise to do it right from the outset.

      • 7Sea_Sailor@lemmy.dbzer0.com
        1 year ago

        Change the SSH port to something with 4-5 digits, disable SSH password auth and use certificates only, don’t expose any port other than SSH and 443.

        If you’re paranoid, use Cloudflare as a proxy and set the VPS firewall to only accept incoming traffic from Cloudflare’s IP list.

        That’s about it really.

        • CoopaLoopa@lemmy.dbzer0.com
          1 year ago

          The Oracle Cloud VPS only has SSH key authentication enabled by default. You can also set it to only allow SSH from your home IP in the virtual firewall before the machine is ever spun up.

          Their current free ARM offering is 1 machine with 4 cores and 24 GB RAM for life. You can also add another 2 AMD machines with 1 core and 1 GB RAM and still be in their free tier.

          If you’re going to set it up and take advantage of the ARM machine, make sure you pick a home location for your account that has multiple availability zones. San Fran right now only has 1 zone, so if the shared ARM instances are all used up, you’ll have to wait a few days and try again. Phoenix I think has 3, so you can try with another zone right away.

        • chiisana@lemmy.chiisana.net
          1 year ago

          Changing port is security by obscurity and it doesn’t take much time for botnets to scan all of IPv4 space on all ports. See for example the ever-updated list that’s available on Shodan.

          Disable password login and use certificates as you’ve suggested already, add fail2ban to block random drive-bys, and you’re off to the races.
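The VPS hardening the two replies above describe (key-only SSH, fail2ban, and an origin firewall that only admits Cloudflare's proxy ranges), as an added example that is not code from anyone in the thread. It is a small audit/generator script: file paths, the admin CIDR 203.0.113.7/32 and the two sample Cloudflare ranges are assumptions for illustration; the real list is published at https://www.cloudflare.com/ips-v4. The SSH port is deliberately left at the default, following the second reply.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread: audit/generator for the
# VPS hardening described above. Paths, the admin CIDR and the sample Cloudflare
# ranges are assumptions; fetch the live list from cloudflare.com/ips-v4.

# Drop-in for /etc/ssh/sshd_config.d/ (read by OpenSSH 8.2+). Port stays at the
# default on purpose: key-only auth plus fail2ban are the controls that matter.
sshd_hardening_conf() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
EOF
}

# Audit an sshd_config file. Prints one line per directive and returns 1 if any
# directive is missing or weak. OpenSSH keywords are case-insensitive and the
# first occurrence of a keyword wins, so only the first match is read.
audit_sshd() {
    file="$1"; rc=0
    for spec in "PasswordAuthentication no" "KbdInteractiveAuthentication no" \
                "PubkeyAuthentication yes" "PermitRootLogin no|prohibit-password"; do
        key=${spec%% *}; want=${spec#* }
        got=$(grep -Ei "^[[:space:]]*${key}[[:space:]]" "$file" | head -n 1 | awk '{print tolower($2)}')
        if [ -z "$got" ]; then
            echo "MISSING $key (set it explicitly to: $want)"; rc=1
        elif ! printf '%s\n' "$got" | grep -Eqx "$want"; then
            echo "WEAK    $key $got (want: $want)"; rc=1
        else
            echo "ok      $key $got"
        fi
    done
    return $rc
}

# fail2ban jail for sshd: five failures within ten minutes earns a one-hour ban.
fail2ban_jail() {
    cat <<'EOF'
[sshd]
enabled  = true
port     = ssh
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# nftables ruleset for the origin: 443 only from Cloudflare's published IPv4
# ranges (file from https://www.cloudflare.com/ips-v4), SSH only from one admin
# CIDR, everything else dropped. Direct hits on the origin IP then fail even if
# someone finds it. Repeat with ips-v6 for IPv6.
nft_ruleset() {
    cf_list="$1"; admin_cidr="$2"
    elems=$(grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' "$cf_list" | paste -sd, -)
    cat <<EOF
table inet filter {
    set cloudflare_v4 {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr $admin_cidr tcp dport 22 accept
        ip saddr @cloudflare_v4 tcp dport 443 accept
    }
}
EOF
}

# Demo run: `sh harden.sh demo` writes the pieces to a temp dir and audits them.
if [ "${1-}" = "demo" ]; then
    d=$(mktemp -d)
    sshd_hardening_conf > "$d/10-hardening.conf"
    printf '173.245.48.0/20\n103.21.244.0/22\n' > "$d/ips-v4"   # constructed sample list
    audit_sshd "$d/10-hardening.conf"
    nft_ruleset "$d/ips-v4" 203.0.113.7/32
    fail2ban_jail
fi
```

Run `audit_sshd` against `sshd -T` output rather than the raw file if you want the effective configuration after all drop-ins; the generated ruleset is meant for `nft -f` after you have checked that the admin CIDR really is the address you will SSH from.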

    • Hominine@lemmy.world
      1 year ago

      I believe Oracle is still offering to slice off a bit of compute for free that should accomplish OP’s goal. I’ve used it to test a Jellyfin host among other things and for the price it can’t be beat!

      • misophist@lemmy.world
        1 year ago

        I’ve been running a script every 60 seconds for 2 months now as a cron job and it still hasn’t been able to create a VM in their US datacenter. I just have a log full of “insufficient host capacity” errors.

  • linearchaos@lemmy.world
    1 year ago

    The first worry is vectors around the Synology, its firmware, and network stack. Those devices are very closely scrutinized. Historically there have been many different vulnerabilities found and patched. Something like the log4j vulnerabilities back in the day, where something just has to hit the logging system to hit you, might open a hole in any of the other standard software packages there. And because the platform is so well known, once one vulnerability is found they already know what else exists by default and have plans for ways to attack it.

    Vulnerabilities that COULD affect you in this case are few and far between, but few and far between is how things happen.

    The next concern you’re going to have are going to be someone slipping you a mickey in a container image. By and large it’s a bunch of good people maintaining the container images. They’re including packages from other good people. But this also means that there is a hell of a lot of cooks in the kitchen, and distribution, and upstream.

    To be perfectly honest, with everything on auto update, Cloudflare’s built-in protections for DDoS and attacks, and the nature of what you’re trying to host, you’re probably safe enough. There’s no three-letter government agency or elite hacker group specifically after you. You’re far more likely to accidentally trip upon a zero-day email image filter/PDF vulnerability and get botnetted than you are to have someone successfully attack your Argo tunnel.

    That said, it’s always better to host in someone else’s backyard than your own. If I were really, really stuck on hosting in my house on my network, I’d probably stand up a dedicated box, maybe something as small as a Pi Zero. I’d make sure that I had a really decent router/firewall and slip that hosting device into an isolated network that’s not allowed to reach out to anything else on my network.

    Assume at all times that the box is toxic waste and that it is an entry point into your network. Leave it isolated. No port forwards (you already have tunnels for that), don’t use it for DNS, don’t use it for DHCP, don’t allow your network users or devices to see ARP traffic from it.

    Firewall drops everything between your home network and that box except SSH in, or maybe VNC in depending on your level of comfort.
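The segmentation described in the comment above, as an added example that is not code from the commenter: an nftables forward-chain ruleset for a Linux router that puts the hosting box on its own segment. The interface names (lan0, dmz0, wan0), the subnets and the host address are assumptions for illustration. The box needs outbound access for the tunnel only, which is why the egress rules are pinned to the WAN interface and exclude the LAN subnet; the ARP/broadcast isolation the comment asks for comes from the segment being its own VLAN or physical interface, not from these rules. The ports 7844 and 443 are the outbound ports cloudflared uses to reach Cloudflare's edge and API.

```shell
#!/bin/sh
# Added example, not code from the thread: router-side nftables ruleset that
# isolates a self-hosted box on its own segment. Interface names, subnets and
# the host address are assumptions; the box reaches the tunnel outbound only.

# dmz_ruleset LAN_IF DMZ_IF WAN_IF LAN_CIDR DMZ_HOST  -> ruleset text for `nft -f`
dmz_ruleset() {
    lan_if="$1"; dmz_if="$2"; wan_if="$3"; lan_cidr="$4"; dmz_host="$5"
    cat <<EOF
table inet dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Admin in: only SSH from the LAN to the hosting box. Nothing else crosses.
        iifname "$lan_if" oifname "$dmz_if" ip daddr $dmz_host tcp dport 22 accept

        # Box out: only what cloudflared and the OS need (7844 TCP/UDP and 443 to
        # Cloudflare, public DNS and NTP), pinned to the WAN interface and never
        # toward $lan_cidr. No internal DNS or DHCP is offered to this segment.
        iifname "$dmz_if" oifname "$wan_if" ip saddr $dmz_host ip daddr != $lan_cidr tcp dport { 443, 7844 } accept
        iifname "$dmz_if" oifname "$wan_if" ip saddr $dmz_host ip daddr != $lan_cidr udp dport { 53, 123, 7844 } accept

        # Anything the box tries toward the LAN is logged, then dropped.
        iifname "$dmz_if" oifname "$lan_if" log prefix "dmz->lan " drop
    }
}
EOF
}

# Demo: `sh dmz.sh demo` prints the ruleset for a sample layout.
if [ "${1-}" = "demo" ]; then
    dmz_ruleset lan0 dmz0 wan0 192.168.1.0/24 10.10.10.5
fi
```

The `policy drop` plus the established/related rule means the LAN can open SSH to the box and get replies, while the box can never initiate anything into the LAN; check the kernel log for `dmz->lan` entries after the first day to confirm the box is not trying.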