I’ve wanted to do this for a long time. My current ADHD hyperfixation is NodeBB, but I think my questions fit most anything that you want to be available to the general public and not just yourself and your friends.

Basically, I want to host a NodeBB instance intended for the general public out of my house. What are the risks of doing this? In particular, what are the risks of doling out a web address that points to my personal IP address? Is this even a good idea? Or should I just rent a VPS? This is 80% me wanting to improve my sysadmin skills, and 20% me wanting to create a community.

I have a DMZ in place. Hosts in the DMZ cannot reach the LAN, but LAN hosts can reach the DMZ. If necessary, I can make sure DMZ hosts can’t communicate with each other.

I have synchronous 1 Gb fiber internet. Based on the user traffic of similar forums, I don’t anticipate a crush of people.

I know the basics of how to set up a NodeBB instance, and I’ve successfully backed up and restored an instance on another machine.

I’m not 100% on things like HTTPS certs. I can paste a certbot command from a tutorial, that’s it.

Anything else I should know? Thanks!

EDIT:

I also have a domain, a couple of them, actually. They’re like potato chips; you can’t stop at just one.

I don’t plan on self-hosting email used for forum registration and announcements. I’m not a masochist.

EDIT for future readers:

I think for now I’m not going to self host anything I intend to be accessed by the public. While I pay the internet bill, my name is on the account, and I own all the equipment, I’m not the only member of this household, so it would be somewhat inconsiderate of me to share our bandwidth with public traffic. In general I think those warning against self-hosting resources one intends to be accessed by the general public are pretty sound.

I tried the Cloudflare tunnel suggestion, but it doesn’t seem to play nice with NodeBB. I can access the forum, even over HTTPS, but I can’t log in. Some quick googling leads me to believe it has something to do with web sockets. The first fix I found involves exposing my IP, which defeats the purpose of using a cloudflare tunnel. There may be a way around it, but I frankly can’t be bothered.

  • RagingHungryPanda@lemm.ee
    27 days ago

    I have dynamic dns through cloudflare that provides a proxy ip address for me in addition to some protections.

    After that I use a reverse proxy to route specific domain names to services. My router is set up to forward only ports 80 and 443 to that reverse proxy, so there’s a good layer of safety there. There could be a weakness on the router, but at this point traffic is pretty limited.

    After that, at least for your service, if you can have some control or throttling of signings and be more selective about who you let in, then that could help.

    I say do it. Sure there’s risk someone could put something on there you don’t want, but I wouldn’t say it’s big enough to not do it.

  • CapitalNumbers@lemm.ee
    26 days ago

    just cloudflare tunnel it - i set one up the other day and it works super well, providing external access to a locally hosted service all without having to set up your own SSL certs and worrying about exposing private ips or ports

    • early_riser@lemmy.radio (OP)
      25 days ago

      I looked up Cloudflare tunnels and tried setting one up. Some things future readers may want to know:

      1. You have to set Cloudflare as your domain’s authoritative nameservers.
      2. You need to set up an account (not a problem) but also have to register a payment method, even for the free tier (no me gusta).
      3. Regarding NodeBB specifically, if you set up a tunnel, you can access the forum, even over HTTPS, but it fails when you try to log in. A few minutes of searching leads me to believe it has something to do with web sockets, and the solution requires you to partially expose your IP address, defeating the principal purpose for me to use Cloudflare in the first place.

      • CapitalNumbers@lemm.ee
        23 days ago

        i definitely didn’t have to enter my card details, could be my region though

        also, what kind of forum are you running that needs web sockets?

        • early_riser@lemmy.radio (OP)
          23 days ago

          I’m attempting to run a NodeBB forum. I’m only assuming that web sockets was the issue because the first search result I came up with that matched my symptoms mentioned it.

  • Encrypt-Keeper@lemmy.world
    27 days ago

    If you are based in America, you will want to keep a close eye on the semi-regular attempts from congress to repeal Section 230 of the Communications Decency Act.

    If it’s ever successfully repealed, you’d become liable for anything posted to your forum.

    • NSRXN@lemmy.dbzer0.com
      27 days ago

      If it’s ever successfully repealed, you’d become liable for anything posted to your forum

      unless you refuse to moderate it. then you are only criminally liable in the circumstances that have been codified, which usually has a takedown grace period.

      • ChapulinColorado@lemmy.world
        26 days ago

        By then you would have racked up thousands of dollars in legal fees. Not to mention if anyone posts anything negative about the current administration you could be used as an example.

        We already have students on visas being kidnapped off the streets, let’s stop pretending the law actually matters for the people in power.

  • 0xalivecow@infosec.pub
    27 days ago

    As some have already mentioned info regarding security I won’t add to that.

    The other thing you should consider in my opinion is the legal side of things. Depending on your jurisdiction, you as the operator of the instance may be held accountable for the data it stores and serves. This means that you may be liable for both possession and distribution of illegal contents. I am not knowledgeable in regards to laws that cover moderation of content, but I assume you will be required to remove any such content if you gain knowledge of it. Again, this depends entirely on your country’s laws and regulations but also on the laws and regulations of the countries you make your service available to.

    Please be careful with hosting public instances. If anyone has more insight to this, please do add it and correct me if necessary.

    • irotsoma@lemmy.blahaj.zone
      27 days ago

      This is especially necessary to consider if you live in the US right now. One of the things the current administration is pushing for even harder than past administrations is removal of Section 230 of the communications act that was enacted in the 90s. This provides a defense against liability for the content you host as long as you make a reasonable effort to remove content that is illegal. Problem is that this makes it really difficult to censor (maliciously or otherwise) content because it’s hard to go after the poster of the content and easier to go after the host or for the host to be under threat to stop it from being posted in the first place. But it’s a totally unreasonable thing, so it basically would mean every website would have to screen every piece of content manually with a legal team and thus would mean user-generated content would go away because it would be extremely expensive to implement (to the chagrin of the broadcast content industries).

      The DMCA created a way for censors to file a complaint and have content taken down immediately before review, but that means the censors have to do a lot of work to implement it, so they’ve continued to push for total elimination of Section 230. Since it’s a problematic thing for fascism, the current administration has also been working hard to build a case so the current biased supreme court can remove it since legislation is unlikely to get through since those people have to get reelected whereas supreme court justices don’t care about their reputation.

      So, check your local laws and if in the US, keep an eye on Section 230 news as well as making sure you have a proper way to handle DMCA takedown notices.

  • _cryptagion [he/him]@lemmy.dbzer0.com
    27 days ago

    You don’t need to put the server in the DMZ, just port forward port 80 and 443. Most routers these days ignore all requests to ports that aren’t open. And stick it behind Cloudflare, so you don’t have to expose your IP. Cloudflare also allows you to generate SSL certs that are good for a decade.

          • _cryptagion [he/him]@lemmy.dbzer0.com
            26 days ago

            You’re just not a pleasant person, are you? Every time you’ve replied to one of my posts, it’s to be a twatwaffle.

            An ignorant twatwaffle, considering you obviously have no idea how Cloudflare certs work. Which ends up making me look like I’m smarter than I really am, so thanks!

              • _cryptagion [he/him]@lemmy.dbzer0.com
                26 days ago

                Well, if you were so smart yourself, you would know the Cloudflare certs aren’t for public use. The certs your site uses to communicate with the user are shared among multiple Cloudflare users, and aren’t accessible to anyone but Cloudflare. You can’t generate, revoke, view, or download them. The decade long certs you generate are for communication between your origin server and Cloudflare, they aren’t exposed to the public internet. If you use an Argo tunnel, which many selfhosters do, they’re used for the secure VPN tunnel between yourself and Cloudflare. Since all your traffic comes from Cloudflare, a smart user would whitelist those IPs and ignore web traffic from everything else if they weren’t going to use a tunnel. Even if someone got ahold of them, which is unlikely, they wouldn’t do anyone any good, because they would need access to your Cloudflare account as well to change the origin server.

                But then, you aren’t so smart yourself. You’re just some random nobody on the internet that decided to start using their arsehole for speaking. And as is typical in such a situation, everything you say reeks of shit.

                Now, do you want to continue embarrassing yourself? Because you’re not hurting my feelings by doing so.
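
The origin allowlist mentioned in the comment above (accept web traffic only from the proxy's addresses and ignore the rest), as an added example that is not part of the thread: it audits an origin access log for requests that bypassed the proxy and renders matching nftables drop rules. The ranges and log lines are constructed placeholders, the rules assume an existing `inet` input chain, and the check uses the TCP peer address rather than a client-supplied forwarding header.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space); substitute
# the ranges your proxy provider currently publishes.
PROXY_NETS = [ipaddress.ip_network(c) for c in
              ("192.0.2.0/24", "198.51.100.0/24", "2001:db8:100::/48")]

# Constructed access-log lines; the first field is the TCP peer the origin saw.
SAMPLE_LOG = """\
192.0.2.17 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.50 - - [01/Jan/2025:10:00:03 +0000] "GET /login HTTP/1.1" 200 2048
2001:db8:100::9 - - [01/Jan/2025:10:00:04 +0000] "GET /api/config HTTP/1.1" 200 310
::ffff:198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.50 - - [01/Jan/2025:10:00:09 +0000] "POST /login HTTP/1.1" 200 12
"""

def from_proxy(peer, networks=PROXY_NETS):
    """True if peer parses as an IP address inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # an unparseable peer is never treated as the proxy
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # dual-stack listeners log ::ffff:a.b.c.d
    return any(addr.version == n.version and addr in n for n in networks)

def direct_hits(log_text, networks=PROXY_NETS):
    """Requests per peer that reached the origin without the proxy."""
    hits = {}
    for line in log_text.splitlines():
        peer = line.split(" ", 1)[0]
        if peer and not from_proxy(peer, networks):
            hits[peer] = hits.get(peer, 0) + 1
    return hits

def nft_rules(networks=PROXY_NETS, ports=(80, 443)):
    """Drop rules for an nftables inet chain (the chain itself is assumed)."""
    dport = "tcp dport { %s }" % ", ".join(map(str, ports))
    rules = []
    for version, key in ((4, "ip"), (6, "ip6")):
        nets = ", ".join(str(n) for n in networks if n.version == version)
        if nets:
            rules.append(f"{dport} {key} saddr != {{ {nets} }} drop")
        else:  # no ranges for this family: drop it entirely on these ports
            rules.append(f"meta nfproto ipv{version} {dport} drop")
    return rules

if __name__ == "__main__":
    print(direct_hits(SAMPLE_LOG))
    print("\n".join(nft_rules()))
```

Once the drop rules are loaded, `direct_hits` over fresh logs should come back empty; any peer it still reports is reaching the origin around the proxy.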

  • Shimitar@downonthestreet.eu
    27 days ago

    I would do it. It’s fun…

    Will you mess up? Yes. Who cares, do it, just ensure it’s data you can lose, no worries.

    I would host on a vps, just to keep your home safe from swat raids (assuming you’re in the US, other nations should be safe).

  • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 🇮 @pawb.social
    23 days ago

    Risk of people uploading images that are illegal and you would end up being liable for hosting them. Risk of being hacked…

    I don’t know how big of a risk this really is these days… I used to host a PHPbb forum in the early 2000’s off my personal computer and it didn’t get any traffic beyond myself and the friends I told about it. Kinda curious about that, myself, with how things have changed over the last 25 years.

  • MTK@lemmy.world
    27 days ago

    Don’t do it.

    Hosting a public service with no real knowledge of security can only end badly.

    Get a vpc, do it there, learn from mistakes.

    It’s more than just HTTPS, you also need proper authentication, regular updates, emergency updates for critical vulnerabilities, ideally some sort of monitoring to detect potential misuse of the service or any escalations from the service to the OS.

    Ask yourself this: If this was your first time driving a car, would you rather do it in an empty parking lot where at worst you will damage the car. Or would you rather do it in a busy street where at worst you can kill someone?

  • 3DMVR@lemm.ee
    26 days ago

    It’s so cheap to just get a vps from a littlecreekhosting deal, I checked them all on lowendtalk and it’s the cheapest for highest specs, you do have to comment your invoice to double ram, but it’s 4 core 8gb ram for 3.50 a month and 8core 16gb 7$ cogent amd epyc, and solid ssd space 140-160 idr exactly, they have multiple deals posted, the one with the prices I mention is the best one, they also had windows vps deals. Spent way too long testing hella, it’s not the best ping out there for me since I’m fairly far but I’m not hosting gameservers so it’s a non issue.

    There are many other deals on lowendtalk but they are typically for way less resources or way more expensive for a lot more resources

    • CeeBee_Eh@lemmy.world
      25 days ago

      It’s so cheap to just get a vps from a littlecreekhosting deal

      This site seems suspicious as hell. Incredibly basic site, no info on where they’re located, and the “About Us” links aren’t even links. There’s no About Us page.

      • 3DMVR@lemm.ee
        23 days ago

        it’s one of the more trusted ones on lowendtalk? nicer site doesn’t equal better company and typically equals worse deals, a lot of the nicer looking sites on lowendtalk have had comments saying they are scams

        • CeeBee_Eh@lemmy.world
          23 days ago

          No, I didn’t say this “isn’t a nice site”. I said it’s “suspicious as hell”.

          Having a working site and a navigable “About Us” page isn’t “nice”. It’s the bare minimum I would expect of any legitimate nice or ugly site.

          There’s just a lot on their site that reeks of sloppy scammers.