this post was submitted on 10 Jun 2025
29 points (96.8% liked)

Selfhosted

46677 readers
741 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
29
Got any security advice for setting up a locally hosted website/external service? (lemmy.world)
submitted 4 days ago* (last edited 4 days ago) by Smokeydope@lemmy.world to c/selfhosted@lemmy.world
23 comments fedilink hide all child comments
 

Setting up a personal site on local hardware has been on my bucket list for along time. I finally bit he bullet and got a basic website running with apache on a Ubuntu based linux distro. I bought a domain name, linked it up to my l ip got SSL via lets encrypt for https and added some header rules until security headers and Mozilla observatory gave it a perfect score.

Am I basically in the clear? What more do I need to do to protect my site and local network? I'm so scared of hackers and shit I do not want to be an easy target.

I would like to make a page about the hardware its running on since I intend to have it be entirely ran off solar power like solar.lowtechmagazine and wanted to share technical specifics. But I heard somewhere that revealing the internal state of your server is a bad idea since it can make exploits easier to find. Am I being stupid for wanting to share details like computer model and software running it?

top 23 comments
sorted by: hot top controversial new old
[–] suswrkr@discuss.tchncs.de 3 points 2 days ago

https://github.com/fosrl/pangolin

use this instead of tailscale or other corporate options. tailscale is going for IPO, their service cannot survive investor greed.

[–] dgdft@lemmy.world 23 points 4 days ago* (last edited 4 days ago) (1 children)

No need to cargo-cult security practices here, chief. You’re not gonna get pwned by publishing your hardware specs. If you’re planning to build some kinda webapp for yourself, that’s a different story - but you have to fuck up hard to get hacked while hosting raw HTML.

Use an SSH key, disable password auth, make sure you’re firewalled (i.e. test with nmap), and call it a day.

[–] Smokeydope@lemmy.world 5 points 4 days ago* (last edited 4 days ago) (1 children)

Thanks for the input! I do eventually plan on making some scripts and a custom web interface to interact with/expose some local services on my network once I have the basics of HTML covered as part of a portfolio thing so would like to cover my ass early and not have problems later

[–] non_burglar@lemmy.world 6 points 4 days ago

The most important thing is to use your common sense, think about it an extra minute before punching holes in your fw, and keep those holes documented and to a minimum.

[–] monogram@feddit.nl 3 points 4 days ago* (last edited 3 days ago) (1 children)

Fail2ban ufw nftables

port forward only the bare minimum (80 443)

Expose docker ports with 127.0.0.1:8000:8000 then port forward with caddy server on the host

Edit: add nftables

[–] dgdft@lemmy.world 4 points 3 days ago* (last edited 3 days ago) (2 children)

This is dangerous advice because docker is well-known for undoing UFW’s iptable rules. It’s mitigated by binding to localhost, but still way too easy for people to shoot themselves in the foot by using the two together.

[–] NastyNative@mander.xyz 1 points 2 days ago

Do not open those ports hosting is way to cheap now to take that risk!

[–] monogram@feddit.nl 1 points 3 days ago (1 children)

Docker is going to undo your port iptable rules with or without ufw

Running rm -rf ~ isn’t that hard to do either just don’t do it.

Your router’s NAT should save you if that happens on the wrong port anyway.

[–] dgdft@lemmy.world 2 points 3 days ago* (last edited 3 days ago) (1 children)

You shouldn’t suggest UFW at all then. There are other firewall options that can be used just fine with docker.

It does have real potential to cause issues, e.g. if OP were to put their server in DMZ mode on their router and later copy some docker setup instructions that don’t explicitly bind to localhost.

[–] monogram@feddit.nl 0 points 3 days ago (2 children)

Please tell me more, which firewall would you recommend that plays nice with Docker?

No NAT? Hahaha that’s a big if, and why would you copy paste a docker compose without reading it?

[–] dgdft@lemmy.world 2 points 3 days ago* (last edited 3 days ago)

Please tell me more, which firewall would you recommend that plays nice with Docker?

Firewalld

No NAT?

Another user in this thread suggested DMZing, so combine your advice with theirs and boom. It’s not uncommon, and it’s fine if you firewall the box yourself. Most people don’t knowingly choose to use a firewall that they don’t intend to work, like you would.

why would you copy paste a docker compose without reading it?

There’s more than one way to use docker. Spinning up an official mysql image using the official docker run OR docker compose calls suggested by the docs would start up a server wide open to the entire internet if DMZ’d.

[–] lars@fedihub.space 1 points 3 days ago (1 children)
[–] monogram@feddit.nl 1 points 3 days ago (1 children)

Cool! ufw supports nftables too.

[–] lars@fedihub.space 0 points 3 days ago (1 children)

@monogram@feddit.nl yes. but I use it without UFW.

[–] monogram@feddit.nl 1 points 3 days ago

joke 18+Fine I’ll go sit in the cuck chair again while you write out those long hard nftables commands to my server.

[–] stardustsystem@lemmy.world 6 points 4 days ago (1 children)

You might want to set up dynamic DNS for your domain. If you're hosting from a residential internet connection then your ISP will change your address eventually. Ddclient can be used to report your current IP to your Registrar regularly, so if it changes the domain moves along with it.

[–] dai@lemmy.world 1 points 3 days ago

Depends on your ISP and where in the world you live.

[–] just_another_person@lemmy.world 4 points 4 days ago (1 children)

Keep it segregated from your internal network, no password auth, or better yet, install a privatenet client (Tailscale, Zerotier...etc) and don't open SSH ports at all, consider using a Cloudflare Tunnel or similar...that's a basic start.

Honestly, if you're serving a static site, just deploy it on Digitalocean Apps or R2 for free and skip all the worry and get all the Cloudflare protection built-in.

[–] dai@lemmy.world 1 points 3 days ago* (last edited 3 days ago)

Cloudflared is such a nice feature, I have seperate tunnels for different services hosted on the one machine.

[–] catloaf@lemm.ee 3 points 4 days ago

Isolate it as much as possible. If you can, put it on a little DMZ subnet with access to nothing else. Don't run any unnecessary services, and especially expose only the services you need to (HTTP) and none of the ones you don't (ssh).

[–] SidewaysHighways@lemmy.world 0 points 3 days ago (1 children)

pangolin?

[–] Smokeydope@lemmy.world 2 points 3 days ago

Pangolin.

[–] Coleslaw4145@lemmy.world -2 points 3 days ago

Use a reverse proxy in a DMZ. You can use something like Bunkerweb + Crowdsec to give you a WAF and dynamic IP blocklist in front of your web service.