We shall Self-Host

Domain - Reverse Proxy - Security. Self-hosting is fun, but remember to be careful out there. Follow these minimum guidelines: DNSSEC, SSH, firewall and other things to set up.


The scary but interesting step

Installing the fundamental services

You cannot have more than one service on a port - FACT.
You can have many services on the same port in a server - FACT.

🔐
First plan. Plan well! A good plan means fewer mistakes and surprises.

Domain. First of all, we need to spend some euros to buy a domain name.
I use Namecheap, but shop around for the best deal. There are usually two prices: first year and renewal. Check both to see which is the cheapest.
Then sign up for a free Cloudflare account and set up DNSSEC and SSL/TLS. I use Full (strict) with Origin Certificates. Set all other parameters following their excellent guides and some common sense.

Networks. Our ISP is what it is, but we can set up our own firewalls, and we will set them up everywhere. We will open only the needed ports and drop everything else. We use SSH and keys to sign in to VMs. We always use a non-root user to operate the VMs. We restrict SSH access to the local network only. Setting up a tunnel would be safe - no port open at all.

🔐
Lock down SSH! Use SSH keys and disable password login.
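A check for the SSH rules above (keys only, no root login, no password login), added here as an example and not part of the original post: it reads the effective settings that `sshd -T` prints and reports any that differ. The function names and sample inputs are constructed for illustration; keyboard-interactive is checked as well because it can still prompt for a password through PAM.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against this page's SSH rules.
# Input on stdin: "keyword value" lines as printed by `sshd -T`.

# Print the value of the first line in file $2 whose keyword equals $1.
sshd_value() {
    awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }' "$2"
}

# Read the effective config on stdin, print one PASS/FAIL line per rule,
# return 0 when every rule holds and 1 otherwise.
audit_sshd() {
    cfg=$(mktemp) || return 2
    cat > "$cfg"
    fail=0
    # keyword:required-value pairs derived from the rules on this page
    for rule in permitrootlogin:no passwordauthentication:no \
                kbdinteractiveauthentication:no pubkeyauthentication:yes; do
        key=${rule%%:*}
        want=${rule##*:}
        got=$(sshd_value "$key" "$cfg")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key ${got:-<missing>} (want $want)"
            fail=1
        fi
    done
    rm -f "$cfg"
    return "$fail"
}

# Constructed sample inputs (not taken from a real host).
HARDENED='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'
DEFAULTS='permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Demo on the constructed sample; on a real host: sudo sshd -T | audit_sshd
printf '%s\n' "$DEFAULTS" | audit_sshd || true
```

A missing keyword is reported as a failure, so the check errs on the side of asking you to set the value explicitly in `sshd_config`.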

Reverse Proxy. We need a reverse proxy to send users on port 443 (HTTPS) to these services running on port 80 (HTTP): infograph.example.com to service info-graph, www.example.com to service www and info.mysite.io to service mysite ...

Use authentication like Authelia and 2FA.

And that is not all - we do it using Let's Encrypt certificates!

Security

The www is more like a Wild West for Weirdos. Anything goes, and there are many bad and sick people out there. We need to be alert! We need to secure the VM!

⚠️
Be careful out there. One mistake is all it takes to have a catastrophe.

What shall we do to be secure:

  • We will not open ports
  • We use signed HTTPS (not self-signed)
  • We use strict firewall rules
  • We read the logs
  • We use keys with SSH
  • No root login to the VM
  • No password login to the VM
  • We use Fail2ban or CrowdSec
  • Use DuckDuckGo - a search engine that protects your privacy
  • Use secure browsers that respect your privacy - Vivaldi, Firefox ...