just cloudflare tunnel it - i set one up the other day and it works super well, proving external access to a locally hosted service all without having to set up your own SsL certs and worrying about exposing private ips or ports
this post was submitted on 01 Apr 2025
42 points (95.7% liked)
Selfhosted
45394 readers
549 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Its so cheap to just get a vps from a littlecreekhosting deal, I checked them all on lowendtalk and its the cheapest for highest specs, you do have to comment your invoice to double ram, but its 4 core 8gb ram for 3.50 a month and 8core 16gb 7$ cogent amd epyc, and solid ssd space 140-160 idr exactly, they have multiple deals posted, the one with the prices I mention is the best one, they also had windows vps deals. Spent way too long testing hella, its not the best ping out there for me since I'm fairly far but I'm not hosting gameservers so its a non issue.
There are many other deals on lowendtalk but they are typically for way less resources or way more expensive for a lot more resources
Its so cheap to just get a vps from a littlecreekhosting deal
This site seems suspicious as hell. Incredibly basic site, no info on where they're located, and the "About Us" links aren't even links. There's no About Us page.
I've had good luck with these guys: https://cloudfanatic.net/pricing/
I think they would fall in the less resources category. But they offer unlimited data transfer, and you can use any distro you want. I run slackware btw.
The DMZ is the right idea. But it's the old way. You definitely want whatever is serving your website to be separated out from your house. You're hosting should be on an isolated VLAN. The internet should only be able to talk to the server it needs to talk to, no other ports. That box should only be allowed to talk to what it absolutely must talk to and only on the ports that are required. You should run an independent firewall on each one of the boxes that are involved in the hosting with only the proper ports open.
Giving up your private IP Will definitely give away your general location to everyone and your precise location to the authorities.
I would highly recommend using cloudflare or one of the other funnel options. A lot of people don't like cloud flare because they can capitalize on your traffic, The cloudflare also just won't shut you down and sell you out like your ISP will at the first request, They don't do shit about anything until there's a warrant or a court filing. On the upside you don't give out your private IP to anyone. You have DDOS protection, and a reasonable layer of anominity.
You need to check daily to make sure all of your software is updated. We're talking OS, middleware, plugins, application. Preferably via automation. All of the software and plugins you use for this type of hosting end up getting vulnerabilities.
Security is especially difficult on forums. There's lots of opportunities there for skilled people who are pissed off at what you or someone else is saying to get butthurt. People know exactly what you're running, then they do some magic behind the scenes next thing you know there's a bunch of admins you didn't create.
You don't need to be hosting your own email but you are going to need an SMTP provider, most free services won't let you masquerade the from address.
Doesn't Cloudflare cost money for DDoS protection?
You get some coverage for free but if you're really getting slammed I wish to stay up they're not going to do everything for free. I believe They click here to prove you're not a butt is gratis.
If you are based in America, you will want to keep a close eye on the semi-regular attempts from congress to repeal Section 230 of the Communications Decency Act.
If it’s ever successfully repealed, you’d become liable for anything posted to your forum.
If it’s ever successfully repealed, you’d become liable for anything posted to your forum
unless you refuse to moderate it. then you are only criminally liable in the circumstances that have been codified, which usually has a takedown grace period.
By then you would have racked up thousands of dollars in legal fees. Not to mention if anyone posts anything negative about the current administration you could be used as an example.
We already have students on visas being kidnapped off the streets, let’s stop pretending the law actually matters for the people in power.
it's settled law that you are absolved of responsibility if you don't moderate.
You chose to ignore OP's point.
let’s stop pretending the law actually matters for the people in power.
i mean... we're talking about civil torts here, not constitutional law. i think you can still count on a court to throw this out even with a pro se defense.
As some have already mentioned info regarding security I wont add to that.
The other thing you should consider in my opinion is the legal side of things. Depending on you jurisdiction, you as the operator of the instance may be held accountable for the data it stores and serves. This means that you may be liable for both possession and distribution of illegal contents. I am not knowledgeable in regards to laws that cover moderation of content, but I assume you will be required to remove any such content if you gain knowledge of it. Again, this depends entirely on your countries laws and regulations but also on the laws and regulations of the countries you make your service available to.
Please be careful with hosting public instances. If anyone has more insight to this, please do add it and correct me if necessary.
This is especially necessary to consider if you live in the US right now. One of the things the current administration is pushing for even harder than past administrations is removal of Section 230 of the communications act that was enacted in the 90s. This provides a defense against liability for the content you host as long as you make a reasonable effort to remove content that is illegal. Problem is that this makes it really difficult to censor (maliciously or otherwise) content because it's hard to go after the poster of the content and easier to go after the host or for the host to be under threat to stop it from being posted in the first place. But it's a totally unreasonable thing, so it basically would mean every website would have to screen every piece of content manually with a legal team and thus would mean user generates content would go away because it would be extremely expensive to implement (to the chagrin of the broadcast content industries).
The DMCA created way for censors to file a complaint and have content taken down immediately before review, but that means the censors have to do a lot of work to implement it, so they've continued to push for total elimination of Section 230. Since it's a problematic thing for fascism, the current administration has also been working hard to build a case so the current biased supreme court can remove it since legislation is unlikely to get through since those people have to get reelected whereas supreme court justices don't care about their reputation.
So, check your local laws and if in the US, keep an eye on Section 230 news as well as making sure you have a proper way to handle DMCA takedown notices.
Sounds like hosting outside the US is a possible solution. Many things to be careful of, regardless.
Yeah, other countries have similar or even more strict requirements, so yeah it all depends on the jurisdiction. You have to also understand that just hosting something externally, doesn't mean you don't fall under laws of another country. It's the internet. And if you live in a country, you may be held responsible for obeying their laws. I'm not a lawyer, so it's something to be careful of even if externally hosted.
Somehow 4chan admins have largely escaped legal consequences for this stuff, and I don't think it's just because of sec230.
Not a fan of 4chan, but I do note both their and the pirate bay's operation scheme.
I mean, in most cases this isn't criminal law (in the US at least), so it means you have to attract enough attention of a corporation since they're usually the only ones who can afford the legal costs to file the DMCA requests and responses for copyright violation. And with many other civil issues, often corporations with the money for it, don't have standing to sue, and if they did, would be required to sue each individual in the appropriate jurisdiction.
With the removal of Section 230, these costs will go down significantly as a single user's violation could be enough to bankrupt or shut down an entire site of violating content or, if serious criminal violations like child porn, put the person who hosts the site in prison who, will be much easier to identify and sue in a single jurisdiction or arrest than a random internet user.
I liked this read when considering legal ramifications for hosting content. It is U.S. focused so it might not be applicable to someone in another country.
You don’t need to put the server in the DMZ, just port forward port 80 and 443. Most routers these days ignore all requests to ports that aren’t open. And stick it behind Cloudflare, so you don’t have to expose your IP. Cloudflare also allows you to generate SSL certs that are good for a decade.
generating a decade long cert is a terrible idea.
what if a malicious actor gets your private keys and can spoof you now?
you're fucked unless you work through the vendor to blacklist that cert, which is a huge pita.
certs should be done yearly at most. quarterly at best.
Plus certbot and acme easily auto renew the certs.
Yeah, it's a huge PITA to just, you know, click the button to generate a new cert and revoke the old one.
amateur.
you're going to get fucked by doing that one day, and it's going to be months or longer before you realize it.
I just hope you're not responsible for an actual business with poor security practices like that.
You’re just not a pleasant person, are you? Every time you’ve replied to one of my posts, it’s to be a twatwaffle.
An ignorant twatwaffle, considering you obviously have no idea how Cloudflare certs work. Which ends up making me look like I’m smarter than I really am, so thanks!
says the self proclaimed anarchist that fights for....civil rights? they teach you that at the anarchist meetings?
now I know for sure, you're just trying very hard to act intelligent but have no idea what you're actually doing.
now I feel bad for arguing with a child.
Well, if you were so smart yourself, you would know the Cloudflare certs aren’t for public use. The certs your site uses to communicate with the user are shared among multiple Cloudflare users, and aren’t accessible to anyone but Cloudflare. You can’t generate, revoke, view, or download them. The decade long certs you generate are for communication between your origin server and Cloudflare, they aren’t exposed to the public internet. If you use an Argo tunnel, which many selfhosters do, they’re used for the secure VPN tunnel between yourself and Cloudflare. Since all your traffic comes from Cloudflare, a smart user would whitelist those IPs and ignore web traffic from everything else if they weren’t going to use a tunnel. Even if someone got ahold of them, which is unlikely, they wouldn’t do anyone any good, because they would need access to your Cloudflare account as well to change the origin server.
But then, you aren’t so smart yourself. You’re just some random nobody on the internet that decided to start using their arsehole for speaking. And as is typical in such a situation, everything you say reeks of shit.
Now, do you want to continue embarrassing yourself? Because you’re not hurting my feelings by doing so.
I don't use shit-tier products like cloudflare so I don't bother knowing what their product line is or what it does.
not knowing how a platform specific product works doesn't dictate intelligence.
also, in your original comment you said "SSL cert" and never mentioned it was a platform specific cert.
be clear when you say shit and people won't misunderstand you and treat you like a fucking moron.
be clear when you say shit and people won’t misunderstand you and treat you like a fucking moron.
Obviously, when name Cloudflare specifically more than once, it can be so hard to tell which platform I mean. It's an easy mistake to make if you don't know how to read.
not knowing how a platform specific product works doesn’t dictate intelligence.
No, but using hostility as a way to distract from when you've gone and made yourself look like an idiot is certainly a defense commonly used by, as you put it, "fucking morons". Now, is there any other pearls of wisdom you want to offer us, Mr. Trump, or was your eternally youthful ardor spent on that one emission?
take a chill pill and come back to read from start to finish.
you were the first one to respond with hostility, prick. I commented on how it's a bad idea to have SSL certs last for a decade.
that's when you responded with heavy sarcasm, like a angsty child.
maybe if you didn't have tissue paper for skin you could see how much of a petulant child you are. I can even see how fragile your ego is from all your interactions with others.
I don't know what's more pathetic, your overwhelming desire to be right or your desperate need to prove you're smarter than somebody else.
some friendly advice before I block you forever. if you think everyone around you is an asshole, you're the asshole.
if you think everyone around you is an asshole, you’re the asshole.
Most people I run across aren't assholes, you're just an exception.
I just want to say that you should make sure to take notes on what you're doing and why. It helps when you break something and want to go through what you did and sometimes notes don't make sense unless you put why so you can research it again
Don't do it.
Hosting a public service with no real knowledge of security can only end badly.
Get a vpc, do it there, learn from mistakes.
It's more than just HTTPS, you also need proper authentication, regular updates, emergency updates for critical vulnerabilities, ideally some sort of monitoring to detect potential misuse of the service or any escalations from the service to the OS.
Ask yourself this: If this was your first time driving a car, would you rather do it in an empty parking lot where at worst you will damage the car. Or would you rather do it in a busy street where at worst you can kill someone?
Have you ever tried Cloudflare Tunnels? I think this would solve most of those issues
I have not, I tend to avoid services and diy it
And what could actually happen? You learn through doing!
If for example the server is actually a computer in the LAN and maybe it's also his media server and his backup server then potentially any compromise could lead to his personal information leaked and or other computers in the LAN compromised.
So what could actually happen? His personal photos and passwords and accounts can be leaked or taken over. He could be spied on by accessing his webcam. A lot of things could go wrong.
You are right. Learning by doing is awesome. Just be sure to do it in a safe way. Get a VPC. Do it there. No personal information, no access to other services. Just this service, just for this purpose. Worst case scenario, if it's taken over, the only thing that's harmed is the forum itself. Which is not the end of the world, I'm guessing.
You might consider using something like Cloudflared or Tailscale's Funnels to proxy the connections through to prevent DDOSing and apply ACLs. You can still use your domains with those.
Hosting for yourself so you can access your content outside your home is usually the use-case, use WireGuard for that though (checkout headscale) along with virtualization, VLANs, etc.
Hosting for a group of friends and/or family can usually be ok, assuming that is a well known and restrict group.
Hosting for the general public from home is usually not recommended, use a VPS for that. Bear in mind you'll likely be liable for what you host, one way or the other, depending on your jurisdiction.
If you store content (files others may upload like movies and photos) you may be responsible for that (i.e. is that content legal in your jurisdiction?).
There may be a legal distinction between the server's geographic location and the entity responsible for it - but in your case it's the same, so, again, beware.
Just linking to content deemed illegal may get you into trouble.
Putting the site behind a login-only page and vetting account creation could mitigate (or exponentiate) this.
Anyway IANAL.
What do you want to host and for whom?
I would do it. Its fun...
Will you mess up? Yes. Who cares, Do it, just ensure its data you can lose no worries.
I would host on a vps, just to keep you home safe from swat raids (assuming you in the us, other nations should be safe).
I agree. Just run it. that's how I learned decades ago. Don't ignore it either if you wanna get better.
The risks are just as bad as owning some amazon IoT device
Great point about IoT
Do it.
There's really not much that can end badly, someone gets in your network (unlikely anyone even knows it exists)? reformat all your shit. Just by knowing what a DMZ is you are already more qualified than half the people I've met self hosting
do you run a business out of your house? do you run a bunch of peoples personal info? does anyone else? If you answered no to all of these then there really isn't much that can "go wrong" you can just unplug your shit.
hosting email also isn't that big of a deal but your home ISP will block port 25, you need to have a "business" one for them to unblock it and even then sometimes have to directly request it. Things like mailcow docker make it dead easy.
and yea as the other guy said always update your stuff
Scans for open ports run continuously these days.
Ten years ago I opened a port for something for a couple days - for months after that I was getting regular scans against that port (and others).
At one point the scans were so constant it was killing my internet performance (poor little consumer router had no defense capability).
I don't think the scans ever fully stopped until I moved. Whoever has that IP now probably gets specifically scanned on occasion.
And just because you don't run a business doesn't mean you have nothing to lose.
DMZ should be enough... But routers have known flaws, so I'd be sure to verify whatever I'm using.
scans for open ports ran continuously since the 1990s, it was never a big deal. Also they only run on lower ports (not that it matters)
what are you talking about killing your internet performance? You can have hundreds of thousands of scans per day (which isn't gonna happen, you won't even get 100) and it still won't bog down jank cable internet from early 2000s