I once took our corporate T1 because I was hosting a site on a work webserver and it got slashdotted. My boss was really cool about it though, he said, “wow, I’ve never known an internet celebrity before!”
This was in 2001, so it’s meaning has changed significantly since then.
My home DSL connection years ago started being slow - so I checked my home server.
A single image was the top result for "Japanese robot death cat" or something on Google Images, so I was getting pounded. A quick robots.txt update and a few days later everything was calm again.
A home web server is the equivalent of running out of toilet paper. You never designed a Service Level Agreement for either, and it's frustrating, but you will survive it.
Tailscale is nice, you don't even need to open any ports to have your device accessible from anywhere. Works really great, literally (!) takes >10 min to set up (on mobile, dl app, log in with 3rd party identity provider (I choose GitHub), on Server, curl some script (will move to apt or yay or dnf when it detects them), click a link, boom both devices can find each other on unique IP addresses.)
I do open ports, for NextCloud (to be able share stuff) and some websites. But Home Assistant is only accessible from the Tailnet for example, as are my ssh servers.
It's free for the first 20 devices, I guess there is no limit if you want to selfhost the server part (called headscale). They are committed to the free tier though, they wrote a lot about that. I like the company a lot, I hope they don't change. They are very freedom/opensource oriented, for now :)
Once you use Tailscale you realize this is how a VPN should be, it's really something.
Mine is. It has been for 20+ years. It works great. As others have said, POSSE. A repository webserver (nginx) serving static files is incomparibly less of a security risk, than say, running a modern web browser with javascript enabled. But if you go .php/whatever yeah, that's risky.
The Raspberry PI is attached at my home router (1Gb fiber connectivity), then I can access it like a local server (so even by SSH) from everywhere with Tailscale[0]. The rest of the world is proxied by a Cloudflare Tunnel[1].
Yes, remote dev work is done mostly with Visual Studio Code Remote SSH[2] (but I wish something similar would exists for Sublime Text).
>> little Raspberry Pi 4 server that I run from my home ISP, for no reason other than to have some fun
This.
I run mine on RPi 3B+ with a 4 running the database. I reverse proxy to my site via a cloud VPS instance for $4 a month. I switched to the cloud after years on NO-IP when 1) I noticed my IP never changed and 2) my home IP address was public via a look up of my domain name.
On another 3B+ I have a VPN so I can SSH in .
Some day I will get around doing a roll-your-own-ngrok [0] so I don't have to open any ports but have yet to do it. I have done it for a project I was working on and I needed to make the local dev server accessible to a 3rd party. Pretty slick and saves a bunch of time and hassle from having to put the code on the server. (As an aside: Does anyone else dislike the term "grok"? For whatever reason it annoys the hell out of me.)
I really have nothing important on there and go months or years without doing anything to it then get a burst of creativity or what not and update the site or just tinker with it.
This reminds me of setting up a file hosting server at home in high school so i could work on projects from school without constantly burning cds or dealing with terrible thumb drives. Sketchy php, no authentication, no sanitization. Just browse to a file and click upload. In hindsight it's kind of shocking it wasn't taken over
If you built it yourself, it's highly likely nobody ever found it. Even back then most of the "script kiddies" on the internet were using pre-packaged exploits for known software, not searching every single possible IP for forms with upload buttons.
As someone who was a highschooler 2008-2012 who built their own simple PHP apps for things: Script kiddies of the time definitely were scanning for arbitrary forms. Not necessarily trying to exploit the code, but just anything that would allow them to post spam.
I had a big data loss event back in 2008ish when someone found out, I'm guessing, that they could upload a PHP file to an upload-anything form on my home server. I thought I was keeping it secure by disallowing ".php" files, but I think some MultiView option I had set in Apache allowed them to upload .php.somethingelse and still have it get executed, blowing away, sadly, all my Subversion repos. Switched everything I could salvage to Git after that and never looked back. Also I no longer trust Apache to directly serve user-uploaded files. :P
Long story short, someone apparently went to a non-zero amount of effort to hack my homebrew file-upload form.
I'm a huge fan of running web servers in the house - but they don't have to be connected to the Internet to be useful and fun! An Apache instance on my always-on box in the basement [0] serves an incredible number of uses and can be connected to from any computer-like thing on my home network. Old-school CGI scripts can be written almost as quickly as terminal scripts and HTML forms make super quick interfaces. A home web server is probably STILL the easiest way to get files to heterogeneous computers and phones and tablets and...
Our (decades old) house web server has a home page with useful links, and in particular to a simple wiki on the same box. Without any pushing (that never works) the rest of the house has slowly learnt to use it, so the calendar, the wish lists, the pet histories, holiday ideas, all sorts of stuff are on it. The server also hosts simple apps like JS clocks, calculators and of course the [0] pewpew attack map (maybe a little less funny these days, but hey).
Edit: ref CGI, there's a few apps on there that do that as well (e.g. fish tank temperature monitor). Nice thing about a small private network is being able to do CGI scripts in bash/whatever without having to worry too much).
You can use mDNS [0] to publish an internal domain to others on the same LAN. Alternatively, you can use something like a Pi-Hole [1] to be the DNS server for your LAN. Pi-Hole gives you GUI way to point any domain to any IP [2].
Not the OP, but for a small local network it is easy enough to sneakernet hosts files around. (On a USB drive if not a properly classic floppy.)
Also, somepcname.local mDNS works on most operating systems today (once you grant firewall permissions to it; for instance, on Windows setting your home network as a "Private" network for instance when it asks Public or Private).
We have a lot of computers, so DNS is easier than hosts files (also easier for dynamic updates,e.g. random Pi's given a hostname will update DNS via DHCP so no need to find the IP address and update other hosts).
you'd have to edit the hosts file on every single device you want to access that domain. personally, i wouldn't even know how to do that on any of my mobile devices.
It runs DNS and DHCP as well (so we have a domain that's the same as the house name); the DNS is primarily caching so for most sites it's just stock internet (except a bit faster due to the caching). It's also authoritative for a small number of domains that serves ads/do tracking (it's amazing how much better that makes the internet, even the kids comment on how fast it is compared to their friends - and we're out in the sticks on a relatively slow connection).
You probably already have this. Nearly every ISP has been delivering home gateways with DHCP and DNS built in, and DHCP-registration into the local DNS cache. So <your-computer>.lan or <your-computer>.home are likely candidates. Check your settings to find out.
Besides DNS-based naming there is Multicast DNS (Bonjour/Avahi/ZeroConf) and NetBIOS naming (which still exist and works on most operating systems that have Samba or something similar).
In any case, you don't need a remote service like Cloud9 or Tailscale to any of this. Normal networking has done this for decades.
The next step beyond this is running a more capable DNS system in your home network. Generally this takes the shape of a DNS forwarder service running on a router or server. It could be as simple as a PiHole or OpnSense firewall, or however complicated you might want to make it.
Network router with DNS resolver, internal domain, all DHCP clients get registered with a name as a subdomain. mycomputer.networkname.lan - I use pfsense, but lots of others support this.
I personally use avahi (mDNS) as many other replies have suggested.
I use NixOS, so it was easy to make a function to abstract over the config. In each computer's config, all I do is specify a hostname. This function does the work (or really, some nixpkgs committer did):
This might be an overkill, but you can host internal domain using public DNS.
I've got a domain, and I've added multiple A records pointing to IPs of servers in my 192.168.X.Y NAT. This has a downside thought, that with short enough TTL, you may not be able to access your server during intermittent connectivity problems.
I'm using letsencrypt through traefik for the certs.
- desired hostname and search domain(can be bogus though not recommended)
- DHCP server parameters with the router's IP as primary DNS
- DHCP static assignment for (each of)server(s)
- DNS static assignment such as "yourserver.bogusdomain.tld 192.168.10.10"
- (optionally) domain names, ddclient, certbot
"Proper" classical router/firewall OSs like Cisco IOS, Juniper JunOS, VyOS, RouterOS, OpenWrt, all easily do it like they do a cigarette, but good gamer routers and some NASs also can do it okay in many cases.
> A home web server is probably STILL the easiest way to get files to heterogeneous computers and phones and tablets and...
Similarly for printing, I would love a local web app that I could submit PDFs to and get a printer to print the pages. I could imagine scanning working in reverse. I tried googling a bit but alas it seems no one has done it.
For dumb printers we use CUPS, even cheap printers (Oki B412dn here) just plug into the network and are found by most things (even Windows these days).
I also use CUPS on a Pi to put a dumb printer on the network, but I still routinely have issues with my devices not finding the printer or not scaling the page properly.
This is why I was thinking that a plain web app with a known good driver could solve these problems.
Some higher-end printers have HTTPS or LPD (or even FTP) printing built into them. As far as using a web app to queue to a printer that's working on a local Linux machine or so, the webapp could be as simple as just a file upload form and app backed by incron with the right command assigned to the event I think.
See https://pibox.io/ + https://kubesail.com/ for a low-energy, small, Raspberry Pi-driven, quiet option. I have been running one of them running in our basement for about a month. KubeSail, the startup that sells them, offer DNS and backup services, but the box has been designed to run also in the case the company eventually disappears.
Thank you for the shoutout. We’re working our butts off to make home hosting fun. I hope we don’t disappear - but we want to sell real tech and real skills. No black boxes, no moats, no lock-in. Investors hate it! :P
The problem with this is that we really can't trust the home network any more. You need to make sure that any services you run on it are zero-trust - i.e., they don't just assume that anyone inside the domestic firewall is a friend.
Because inside the firewall are a bunch of phones and laptops and things that are accessing random webpages and running random apps; and (depending on your level of home network paranoia) maybe a bunch of internet-of-things things, or networked speakers, or televisions, etc., etc.
So even your basement server for home-only use really needs a cert, and client auth, and obviously needs to stay patched... lest it become a monster inside the firewall itself.
A few weeks ago I set up a Stable Diffusion webui on my home linux box and used a Cloudflare tunnel to host it on a url and gate access to just my company's email domain. I started a slack channel for AI Art and we started holding a daily contest, it's been really fun.
Shout out to Cloudflare, setting up an access protected tunnel took like 10 minutes.
I've wanted to do this for years, but just can't stand the security hassle. One solution I've often thought about, is renting a small office in the neighborhood and setting up there, obviously that adds a lot of expense.
I'm not much interested in a personal webserver than having as a NORMAL service an ipv6 global per any connection, all ISP crappy router deniable or configurable in bridge mode, anyone normally owning a personal domain name or more than one.
Some subdomains dedicated to personal services etc. Web server just a part of the game, not them specifically.
Technically there are NO reasons to justify "cloud computing" despite claims, the only real justifications are business of some against others interests. There are no reasons despite all ipv6 issue to not offer global addresses etc. The real issue is that most people simply have next to no ideal about IT nor how to benefit from in in their own lives. Those who know have not much choice...
Speaking as someone who hosts multiple websites, email, etc. in the corner of a room
> [it should] be reliable if I kick a cable out of the wall
Right, if you want it to be reliable but also be able to cut its cables, then you will need a secondary host outside the home.
> or in the unlikely event that I get a bunch of traffic.
Are you serving media (music or video of more than a few seconds)? If not: DSL or mobile data (if your data cap allows) is fine for HN front page. Judging by the current page weighing 100KB, you can have 10 visitors every second at 1 MiB/s upload. (HN reaches that rate only in spikes, even at a top three position.)
> I’d also like it to be quick!
It's currently not quick at DigitalOcean (2 seconds for TLS setup, 12 seconds for HTML, 8 seconds for JavaScript, etc... 27 seconds total). It can only get better!
I can recommend something beefier than a raspberry pi, though, or at least than than the pi 1-3 speeds that I'm used to. I personally use an old laptop which is plenty fast for, well, anything you'd also ask of a daily driver, except it now doesn't need to render a GUI which speeds things up a lot. They can peak up to 100W depending on the model, but are usually very low power when nothing is being asked of them.
> Oh, and I don’t want to have my home network hacked.
Then install unattended-upgrades, put admin panels (phpmyadmin, wp-admin) behind basic authentication, don't host things you don't trust (random code written by 'someone on the internet' that has never been tested by anyone), put it in a VLAN if you want to be extra cautious, and you'll be fine. It never hurts to keep your phone and other systems on the LAN up-to-date anyhow so they should be secure as well, even if someone does get in.
Pretty much! As engineers we all sweat sleepless nights mulling over five 9's and we conflate these valid business needs with our hobbies and personal art/projects.
It doesn't have to be this way! Put it on a pi and have fun, if not for your sanity at the very least do it for your second most valuable resource, your time. If all a person wants to do is have a website that plays a piezo buzzer when someone visits on your RPi, just write that damned code, they shouldn't feel the need to worry about all the nitty gritty when all that they wanted to do is have fun!
Hey, that's my Raspberry Pi when I find this one thing that looks fun, try it out and give up a few days later. Extremely efficient uptime, it's 100% when i need it.
Look how much electricity we would save if many unused servers would turn on only when users actually need them. We need WoL via browser. https://en.wikipedia.org/wiki/Wake-on-LAN
Yep, exactly that. I know most of HW can go on power-save on idle states, but still drawing some 5-15W of energy doing nothing. We need some kind of "e-ink" for web resources which doesn't change much but just need to be reached occasionally/on-demand, with a slight unsuspend delay of course.
> I personally use an old laptop which is plenty fast
If connected on wifi to your router this of course solves the "kick a cable out" problem too, even if the battery is really old you'll almost certainly still have a few minutes.
> Then install unattended-upgrades, put admin panels (phpmyadmin, wp-admin) behind basic authentication
I'd go as far as protecting the directory to only allow access from local network, and use wireguard to reach the machine.
It's likely a server in the corner of the room will cost more than a VPS, certainly in my country. A server drawing 25 Watts cost more than the $3/month I pay. (That said I also have a pihole running on a 1B - my parasitic house load is about 100W for the fridge, router, wifi, etc)
I thought I had made a mistake when I calculated the cost of 100W incandescent lighting to be the awfully coincidental number of almost exactly 100€/year. Finding this to be correct was quite the revelation: makes estimating the cost of anything in the house so easy because I already knew the wattages :)
(The landlord had installed these sensor-activated ancient bulbs in the hallway, where I pass through to to the cellar / power meter, and I was trying to track down this mysterious 100W that seemed to be always running, without fail. Turns out, it was only running when I was checking the meter! We then did the math with a better runtime estimate and still went out to buy LED bulbs at our earliest convenience. They're brighter than before (we erred on the high side), just as warm light, and use 2.5x less power.)
Correct, i.e. 40W instead of 100W. It sounded more impressive than "40% of the original value" so I went with "2.5x less". Not the best measure to choose one's words by, admittedly.
You managed to say that immediately. Were there other serious explanations that came to mind? If not then you need to have more self-confidence because you do know!
> even if the battery is really old you'll almost certainly still have a few minutes
Very true! Battery from like 2015 still manages to keep it running for about two hours I think, which is frankly amazing. I was constantly dealing with taking the battery out of the laptop when not in use (98% of the time, it was connected to a charger, either in a classroom or at home, so I'd need only to bridge the stand-by/suspend/sleep period in the train). At the time, it didn't seem to have an effect as the battery still decreased in capacity and I was disappointed with the results, but I gotta say, it is certainly doing a good job since then!
Unfortunately, external drives on the 'server' are not on uninterruptible power and having two of them in a btrfs mirror caused me more headaches than I like to admit. Even after I figured out which one had the more recent data after going out of sync, I misunderstood the phrasing of the man page and mixed up the arguments for the device to be recovered and the device to recover from. 2/7 would not recommend btrfs on devices without UPS, or if you don't want to shell out the money to buy three instead of two large drives so you can have a 1:1 disk image of the known good device before starting to operate on it (which is what btrfs was supposed to do in the first place, but alas).
> A server drawing 25 Watts costs more than the $3/month I pay.
With the screen and keyboard backlight and such turned off, it should draw less than 25W unless you're actively making use of it (and thus it being worth it), but yes that's ballpark correct.
I also get a lot more value out of it than what I expect to get for $3/month, though :). LAN speed transfers can be nice, no network latency (at least not beyond of your control) when you host a game server, access control is all up to you, dedicated hardware, you can choose to upgrade to 16GB RAM at will (perhaps you got a new DDR4 machine and have no use for the old DDR3 RAM that still fits in this 'server') without having to pay extra every month for those gigabytes forever, buying storage basically at cost price...
You can use something like dynamic dns updaters[0]. They run on the box and when they detect that your ISP has changed your IP will update the DNS records accordingly.
Dynamic DNS as others have mentioned. Or, many ISPs will provide static IPs for an additional cost, but you may need to switch to their business service.
Personally, I host my DNS with dyn.org, and use something like ddclient (which runs on my Linux firewall/router) to update my DNS records with Dyn in the rare event it changes. I've never had issues with it.
Cloudflare tunnel even lets me host a vanity website (potateaux.com) from a NAT'd LTE uplink using a regular phone hotspot. Game-changer, especially given the price!
I keep being amazed how the self-hosting community loves to recommend "just send all your traffic through cloudflare". It's the antithesis of self hosting.
Nice, thanks for the list! Do you have any recommendation how to tunnel from a VPS to my home server if I'm already using Tailscale? Just use any old reverse proxy like Nginx/Traefik/Caddy?
Caddy supports .ts.net domains and will pull the cert from the running Tailscale daemon on your system. And even better integration is coming soon, Tailscale is working on things.
I'd say that "self-hosting" is defined by where your processing and data reside, who controls these.
But if you want to be accessible to the outside world, you need to direct your traffic outside; I don't see a substantial difference between routing your traffic through Cloudflare, Comcast, Equinix, or any other major connectivity provider.
> I'd say that "self-hosting" is defined by where your processing and data reside, who controls these.
And I would mostly agree so long as you're the only one who has access to said data. There will always be "ISPs", of sorts, that your data needs to pass through; that's simply how the internet works.
The nitpick about Cloudflare is that they are starting to act as a gateway to the internet. Maybe you can turn their fronting off if they start giving you trouble, or maybe your registrar also runs behind Cloudflare. Anyway, bit of a philosophical discussion how much power to vest in one company.
The real trouble is that their main offering involves giving them the private keys to your traffic. I don't know if that's also the case with this Tunnel product, but at least for regular websites, then they process your actual data, as with the bank example (a colleague at said bank was not happy).
My ISP simply gives everyone a static IP by default.
I know of only one ISP in the Netherlands that uses CGNAT and there you can ask support to fix it, which takes them 24 hours. I learned that the hard way when wanting to have a gaming night, hosting a factorio server in my student room. No gaming night for me, or so the ISP thought while rubbing their hands. It took me a bit but I eventually managed to proxy the UDP traffic somehow, not sure anymore if I used hole punching or somehow encapsulated it in TCP and reverse SSH tunneled or something. (Edit: on second thought, pretty sure I asked the other participants if they had IPv6 -- they did not -- and then proxied the traffic from my server via IPv6 using iptables. /edit)
We are quite fortunate with having had an early ISP community that managed to gobble up all the IP addresses we'd need for a good long while, and our population is relatively stable compared to other parts of the world. I know not everyone is this fortunate. (Hello ipv6...)
Even in a place like Germany, it seems one needs to be a business connection to get this service, it's simply not offered for consumers at all that I could find in some town in NRW. This is why I'm so happy the Netherlands has ISPs like Freedom (successor of XS4ALL) and Tweak who not only care about being cheap. Even if you don't use Tweak or Freedom, I feel like it keeps the local competition sharp.
If you're lucky and your ISP supports dynamic DNS updates: Get a router/gateway capable of running OpenWRT (alternatively some routers might support this natively, or you could setup an old PC for routing), use the appropriate client and set it up to adjust the DNS record [0].
You can rig up your own dynamic dns pretty easy. Most dns services have some simple api you can use so usually it’s just a curl line in your cron tab to run every minute.
I have a cron job that updates my domain's records at digitalocean every hour via their API. But in practice my ISP only actually seems to issue a new IP if I restart my router.
Good suggestion! I used this in 2014. Blog post about it: https://lucb1e.com/?p=post&id=120 (Btw, I no longer vouch for the quality or correctness of an 8-year-old post of mine.) I remember that the latency wasn't amazing or anything, but I apparently found it acceptable enough to use it for SSH.
I'd call your ISP, because mine is not small and offers "business" class service which costs the same as residential, reserves a static ip, and slightly boosts uplink speeds.
> How did you solve the problem of getting a stable mapping from DNS name to IP address?
I technically have a dynamic IP, as the ISP also sells an upgrade to a guaranteed static IP which I don't pay for.
However, I've been getting assigned the same IP consistently since 2013. I used to use a dynamic DNS service to keep track of it but stopped doing that since it never changes.
It never changes until it does. And eventually it will. Just be ready for it to change if anything you count on relies on it. I know this from experience (and far more than just mine).
P.S. - I pay for a static IP from my ISP. Don't count on that never changing either. I know this from experience.
You can set up your domain to have very short TTL (like 2 minutes) and have a script polling your external IP every 2 minutes to watch for IP changes, then have the script change the records of your domain when the IP does change.
Most nameservers provide a REST API for updating records so this is very easily done.
In my country the dynamic IP's at most fiber providers are so long lived / stable, we can basically treat them as static. You have to phone them if you want force renew your ip address because doing it from our side, we end up with the same public address. I appreciate this behaviour from my provider. Boring & predictable. Just check it once a month if it is still the same.
I moved to an ISP that provides a static IP for $5 extra a month.
But before that I created a service for looking up my ip address and hosted it for free at fly [1]. Then I setup a script in cron to update my dns every 5min if it had changed.
I second the isolated VLAN approach. I host all my public-facing sites in a VLAN specifically made for that, which grants no access to anything private.
I third. I've got our computers and phones on one VLAN, everything else is on a separate VLAN (streaming boxes, cameras and other smart home crap, guest devices, etc).
I did but a /slightly/ more expensive but web-managed switch with the precise idea of playing with vlans... Needless to say, I never "found time" to actually do it :)
One day I will. In the meantime, could you please drop some links to some good introductory pages ?
I'm using a ubiquiti managed switch and three ubiquiti access points. Basically, you setup VLANs in the Unifi management software and then you can assign ports on the switch and Wi-Fi profiles to a particular VLAN.
From there, any device that connects to one of those ports or wi-fi networks will use the assigned VLAN. The access points are great because you can create several wi-fi networks and then the software provisions them to how ever many access points and switches you have, so you don't have to login to each one and set them up separately.
Any links I sent would be specific to Ubiquiti, but happy to do so if you plan to use their hardware.
Old laptop at your own place + second old laptop at a home lived in by family or friend would probably work great for this.
Hell now I want to try this with two old but decent android phones - they would sip power and have a built in UPS and would blow a RPI out of the water speed wise. Throw a USB-C to Ethernet adapter on each and setup for HA (or if you were really lazy just a simple round robin DNS setup). Put one at a friend house and have them both setup with the free Cloudflare proxy thing and you would not even need to open any ports on your firewall.
The problem with using old phones is that the battery swells up after a few months left continuously on charge. You could extend the life using Tasker and a smart plug, but you'd lose a lot of the UPS's potential.
To solve the redundancy problem I wonder if running something like Hashicorp's Nomad on a few raspberry pis split across some friends houses could work nicely. Each site gets hosted at multiple houses for redundancy but no one person needs multiple devices.
Not familiar with Nomad; how does that work under the hood? Do you proxy all traffic through this third party who then load balances with a regular old http proxy, or is it actually self-hosted by the set of friends? With multiple DNS A records, this shouldn't work (it'll just fail in 1/N cases if 1 of the N IPs is down), so I'm curious how this is different from just hosting with Hashicorp directly.
Each friend's Nomad "client" (a node in the cluster) would accept a "job" which is the HTTP server. The missing piece is communicating back to some authority which clients are running the service, and on which ports. This could be done with DNS SRV records. Most commonly, Consul is used for DNS in a Nomad cluster.
So if I understand it correctly, this haproxy they suggest is the new central point of failure? Sorry for being skeptical but I'm not really understanding the advantage.
But people would need to know which other domains run the other proxies. Might as well manually type in the other domain.
The only way I see to avoid a SPOF is with anycast, which I think involves running your own ISP to be able to arrange your own BGP sessions and announce at multiple locations.
IIRC, Nomad doesn't do well with having clients on distant networks; you could have a server/client at each friend's house, but I don't recall off the top of my head how service discovery would work in that case. I'm sure it's supported by consul in some way though.
Hi there. I have a R-pi vs 2, and I'm wondering how well you think that would hold up for a basic blog site. It doesn't need to be super fancy, but I would like it to at least be a little nicer looking and just a little more complex than for example Ycombinator.
Is this worth while to do? I'm concerned about using a pi, because micro-sd cards seem to be notoriously bad for corrupting data in less than ideal power situations.
You can always plug in a spinning disk. I used an RPi Model A to stream HD video off an HDD for around a year and it worked just fine. Keep an image of your SSD in case it gets corrupted and you need to reinstall.
Okay, so forgive me if this is a dumb question, but I thought the R-pi 2 requires the OS to be on the micro-sd to boot and can't use USB or PCI adapter connected drives?
It's possible to keep just a bootloader on the SD card, and have everything else on USB storage, so if the SD fails the data is safe and you just need to set up the bootloader again.
Yes, that’s true. What I was suggesting:
* put the OS on the sd card.
* Put all the data on an external drive that is more reliable.
* Take a snapshot image of the sd card when setup is complete. If your sd card is ever corrupted you can use the image to restore the server.
> I have a R-pi vs 2, and I'm wondering how well you think that would hold up for a basic blog site.
Whether it could survive a lot of pageloads, like when submitting to HN and it gets traction, 100% depends on the blog software.
It won't run Wordpress well because that software is ridiculously heavy, and I frankly don't have good examples of database-based blog software aside from something I wrote myself. Mine still does multiple mariadb queries per pageload, so it's not as though it's extremely lightweight, but page generation comes out to a few milliseconds on a laptop with a CPU from 2012 inside. This software would survive the HN homepage easily.
I would estimate that anything that can handle >10 requests per second will survive the HN homepage, but if you're on the edge of 10r/s then perhaps it might be slower during the busiest minutes. If you would use static page generation (like jekyll, though I'm personally not a fan of how jekyll works it's the most well-known example) then the pi will definitely survive serving those static pages easily.
> I would like it to at least be a little nicer looking
The looks don't make it heavier or less heavy. Having a few style rules applied to the page is a few extra bytes per pageload, but they're not going to make the difference between it working or it not working.
> I can recommend something beefier than a raspberry pi, though, or at least than than the pi 1-3 speeds that I'm used to.
Thin clients are perfect for such tasks. More powerful than a Pi, fanless, uses little power, and comes with a proper network card. Second hand HP T620s are cheap.
> Then install unattended-upgrades, put admin panels (phpmyadmin, wp-admin) behind basic authentication, don't host things you don't trust (random code written by 'someone on the internet' that has never been tested by anyone), put it in a VLAN if you want to be extra cautious, and you'll be fine.
Also default security measures such as disabling root login via SSH, disable password login via ssh, use fail2ban (also works for wp-admin and the likes!), install/use firewall and only open services which you want to access from the outside.
In 2003 I had my web server in my college apartment bedroom. This is back when AOL Instant Messenger was popular.
I had a URL on my website called moo.html that wasn't indexed. My friends had it bookmarked, and when they visited it they got a picture of a cow, but it played a cow mooing in my bedroom. It was a nudge to come online and be social.
You had to put a link in your profile that contained "%n", and the client would replace %n with the screen name of the person clicking the link. They never took that away as long as I was using AIM, but there was no way to see anyone simply viewing your profile without clicking a link as far as I can remember.
Could you have added an <img src="http://tracking.example.com/pixel.gif?name=%n"> to the profile, tracking them via the weblogs, or having a era-appropriate CGI script sitting there that kept track of them?
I wasn't an AOL user so it took me a few reads to get the concept. What this must mean is something like:
[Joe] what's up <a href="//example.net/?username=
[Jane] nm, wbu
[Joe] ">join my chess game?</a>
Which could show on Jane's screen, if there is no HTML escaping at all, as:
[Joe] what's up
[Joe] join my chess game? (<-link)
The message of Jane's would have looked like it got swallowed because it was inside the HTML tag, but so long as Jane doesn't know what's up and ignores it, clicking the link instead, the owner of example.net would see a pageload of https://example.net/?username=%0A%5BJane%5D%20nm%2C%20wbu%0A... and thus learn that the other person is called Jane. Then again, for this to work it would already have to be on the screen of the person clicking the link, but not of the person who sent the link or there would be no point. So I feel like I'm still missing something.
Less clever than that. jaywalk's comment got it. You could put a link in your away message/status/profile and see which people clicked it and/or were "stalking" you.
I was using a log watcher that could run a command on a regex match, but I remember having an elaborate .htaccess that would shell out all kinds of things... many ways to tie them together, all very hacky.
it might not even be that hacky to be honest. in some ways modern log aggregation isn’t that different, just insulated by more steps and safe guards. less moos though.
Years ago I had /var/www/lights_on.sh that turned lights on in my room. Only hardened against RCE by Wi-Fi password, but was possible. It broke later. The real problem was that browsers sometimes prefetched it.
Similar story: In college much more recently (2019), I had a linux server running at my boyfriend's apartment since he was off campus and we were blocked from doing anything like that on the school's network. Sometimes, I would say hi to him or wish him goodnight by playing a little tune on the PC speaker hooked up to that computer. He'd always text me back with a smiley face or something like that. Feels like that kind of interaction is really rare on the web these days, but we had fun with it for a little while.
Wow cool but that’s bizarro world to me. In my days college was where everything awesome was happening because it had fast and basically unrestricted internet. A lot of the Napster and other P2P stuff that followed was being seeded from someone’s dorm. The best game servers, etc. On IRC in the early 00s, I did a lot of trading of video (live music footage) and one kid in a dorm somewhere could host an enormous amount of content by most home internet standards. Once I got off dialup download speeds, I could easily download more than I could afford to store. The cheapest thing for me to do was buy a massive stack of CDRs and start burning. If I remember correctly, the largest HDD at the time was about 40GB.
Our school's IT department used to go around with wireless scanners to make sure nobody was running networks without the school's permission. I knew people who got busted for stuff like that, but my roommates and I eventually hacked a way around this by naming our network "Dave's iPhone Hotspot" and never had any issues. At that point, the webserver moved from my boyfriend's place back to my own until we moved off campus the following year.
In my college days the filtering started because half of the IT students were playing World of Warcraft from the school network. Which obviously triggered a cat and mouse game of introducing new blocking measures and trying to get around it. When we were not trying to get WoW to work we were busy showing off our Compiz rotating desktop cubes. Those where the days.
In those days, the profs were the ones playing the video games.
They were "testing the newly pulled fibre optics" by trying to saturate it with Wow, Diablo, Counterstrike, Doom, Quake, etc.
They would book the computer labs of 60+ computers and tell everyone to boot up a copy of (ahem pirated) Half Life and get everyone one on games and then run a traceroute/ping/packet trace, etc to measure what was happening.
DR-DOS / Novell DOS actually shipped with a basic multiplayer space sim (https://en.wikipedia.org/wiki/NetWars) in the box, with the official explanation for its existence being "to test network topology and configuration".
Similar memories and tales here :) I had a 100Mbit unfiltered connection in my dorm room in 2001 (!). Pretty wild for the time. I guess it took until about 2018 before I finally surpassed that speed at home. Nuts really.
Lots of pirating but also, thanks to it having a public static IP, a fabulous way for me to learn all about running and configuring my own web server, irc server, mail server, dns server, ftpd etc. etc. It was my gateway into experimenting with linux, discovering luminaries like DJB & RS, learning about RFCs, appreciating the open source/free software movement and probably a major reason why I ended up on a sysadmin/ops/infra trajectory after uni that still serves me well to this day.
Yeah I started and sold a web hosting company around that time based on the skills I picked up with all those things. I didn’t host it from my dorm but just commodity servers with a shared hosting app installed. If I remember correctly I had about 5000 users and sold because I didn’t want to hire help when it started to encroach a bit too far into my leisure time.
A few of my customers were running legit and decent sized businesses and they had no idea it was being hosted by a college kid who actually wasn’t even monitoring things all that much. When I encountered a problem I couldn’t figure out from searching the internet, I’d usually just write some script and cron job to restart the service periodically. It also served as my everything (nameservers, support, e-mail, etc) so I remember one time there was a fire in my data center and it went down for about 36 hours. I had no way to communicate with my customers and the site was unavailable. Luckily I think only about 10 customers even noticed.
In 2001 I had an account set up for my girlfriend, now wife, so that she could telnet (openssh wasn't really widespread then!) to my desktop and it would play a sound and blink a light as part of the login procedure.
The light was controlled by an X10 "firecracker" module. Neat stuff, for the time.
Anyway, she would do that to get my attention if I wasn't by the PC and she wanted to chat via ICQ.
I still use one of those firecracker modules to toggle a set of Christmas-type lights from the command line. I've gotten a ton of fun out of that little module in the 20ish years I've owned it.
Nice. If I remember correctly it was their "Powerhouse" deal and you just paid for shipping.
I still have the modules around here somewhere!
No native serial ports, though, and the restriction of things needing to be on the same circuit kind of puts a damper on things. In my college dorms everything in my room was on the same circuit.
Yeah-- that was the one. I've found additional modules here and there in thrift stores and garage sales. The stuff was always just flaky enough that I never wanted to trust it with anything serious. Turning on lamps and strings of xmas lights was fine because the occasional "freak out" that the modules inevitably would fall victim to, requiring a power-cycle to overcome, never caused any major inconvenience. Their hard-wired more "serious" brethren, though, scared the heck out of me. I can't imagine they were at all reliable over the long haul.
re: the serial ports - If I remember correctly the signaling to the module was done on handshake pings (because serial data could "pass thru" the module). They'd probably be pretty easy to bit-bang from any 5V logic source.
Have a similar story around the same time, probably ~2002. Cell phones weren't that popular yet either.
As a high school student I helped my school do some sys admin stuff, and one day I was stuck in a server(?) room while the guy who had keys etc. was away in another room and floor. So I ssh-ed into the machine he was likely working on and ejected the CD ROM back and forth until I caught his attention :D
In the early 2000s I had a program on my girlfriend's, now ex-wife's, family computer that would kill the AOL process when sent a specific string over a TCP port so that I could call her when her sister was using the computer. That combined with a DynDNS client let me call anytime.
I'm seeing this sort of thing a lot lately (perhaps I'm looking for it?). A lot of people expressing, in one form or another, that we, our society, have somehow have gone down the wrong path. Even in this article there is a subtext of change ... for the worse.
If you want to be dismissive, call it nostalgia — or point out that every generation feels this way about the way the world is compared to the way it was when they were younger.
But I think there is something truly broken in the world and I think people feel it too. The phrase that kept popping into my head when I was feeling particularly down about the way of things was, "No one would have chosen this." That is, in reference to the way the Western world is today.
One night in the 90s I woke up at 1am because the server next to my bed started making a lot of noise! I quickly login and see a process by user "nobody" taking up 100% cpu! I'm being hacked! Quickly pull the network cable out of the wall, wide awake.
Turns out there is a cron job that updates the locate command's index.
At a web startup I worked at in 2008, we had some automated emails sent to all our users. We didn't have sendmail or postfix or whatever properly configured and so the emails came from nobody@ourdomain.com. Our CEO was pissed because he didn't understand that it wasn't like some intentional joke by our engineering team.
My first real job was to work with another intern to write a “tool to keep track of who’s been trained on what” since they were doing it with a spreadsheet. This was in 2001.
We wrote it on the LAMP stack which gave us the full suite of whatever you could find on a Linux CD at the time.
Fancy graphs? No problem.
Send reminder emails? Sure boss! We dutifully started hacking and testing and hacking to get that function in.
To test, we decided to send emails to jackfrost, santa, and so on from our own sendmail server to the corporate mail server. It worked fine because we weren’t spamming it, we were just sending a few messages every now and then as we debugged.
Turns out there’s really a Jack Frost that worked for us.
He was not pleased.
We were amused.
I think we apologized, and I forget how we figured out he was a real person.
I remember mine (a Pentium 2 with a SCSI disk) would go off at 6 AM, just as I was about to fall asleep (aah that student life). One day I had an aha moment, that I could change the cron timer to make it run at 9am.
I, too, got bothered by fan noise at night, and my server was being hacked.
Well. Hacked as in someone banging their password list against an SSH server that only accepts public key logins, at maximum speed with tens of simultaneous connections, pegging the CPU (and I was running junk hardware, I found that 800MHz Intel Coppermine CPU literally from a mixed waste trash bin). Usually the scripts doing this had the decency to keep the attempts to something like 1 per second which would be unnoticeable.
The problem was that I only had mechanical hard drives back then and they would spin up all the time and make noise.
In 2001 I started to systematically search for the causes of the disk noises and document it at
https://www.agol.dk/quietlinux/
E.g., I spent a lot of time finding out that CUPS was generating a new certificate every 5 minutes. Nowadays it is a lot easier to investigate things like that. Back then I was patching the kernel.
Some relatives of mine have internet-connected RGB lamps that they use in a similar fashion. When one sets the color, the others automatically synchronize. It seems like a pretty neat low-stress way to keep in touch.
I did something similar when I lost my phone but it was still connected to the network. Ssh into it and `while true; do espeak "I am here"; done`. Related: http://bash.org/?5273
The xkcd reminds me of a friend who was locked out of her car. The battery in her remote key fob had run down so the door would not unlock when she pushed the unlock button on it. She was still trying to figure out online how to get a new battery when I took her key from her and opened the door by inserting it in the lock. She was so embarrassed that she wouldn't talk to me for a few days.
I did that, recently. My fob battery died, I unlocked the car with the key, opened the door and... the car alarm went off. I'm not sure what the designers were thinking.
You turn the alarm off by starting the car, because the ignition has an rfid-like close-range reader which only requires passive circuitry in the key. That's how you differentiate between a break-in and the legitimate owner.
My car has push start (like many new ones) & has no keyhole inside (it has one in door to open the door). Although it has a seat/slot for the whole key to go in, in case of low battery. I assume that will stop the alarm. :-|
My car is also push start and I have to hold the fob in front of the start button for a short while before turning on the car if the fob battery is out.
I’m fairly certain we’ve recently fought to open a rented car because the keyfob died and the way to extract the key from the fob was non-obvious.
Then when we finally got inside, the car didn’t have a keyhole to start it at all. Ended up calling the rental agency that showed us how to invoke the magic sequence by holding the (empty) fob in front of the start button for a few seconds before pressing it. I guess it does passive RFiD or something?
Anyway, that’s the point where I decided modern cars are not my thing.
That's the immobilizer chip. It's a little pill-shaped RFID-like thing that's been inside keys since long before remote locks and push-to-start. Basically any key that has some plastic instead of being entirely metal. The reader is located immediately next to the ignition key hole on the steering column, and that location is sometimes used even in push-to-start cars although apparently in your case it was near the start button instead. Distance is limited to a couple centimeters max. Car won't start unless the immobilizer's reader sees the correct key. When a push-to-start fob's battery is in working order, the distance is moot because it uses full blown RF instead.
Modern is a subjective thing. I have a golf 5 from 2005 (tdi). One day I had to go somewhere and it turns out the car starts and shuts itself down immediately... It turns out the ground connection to the dash was intermittent. The dash for some unknown reason is the place where the immobiliser code/certificate is stored so when you start the car the Ecu has to talk to both the immobiliser coil next to the key and the dash.
I'll leave it to readers imagination how long it took me to troubleshoot the issue.
I did a similar thing with my family: I'd hooked a GNU/Linux box up to the family Hi-Fi system to play our various music libraries, and when I was living overseas I'd "call them" by ssh-ing in and asking mpd to start playing something. They'd come online and call me using Google Talk (the very first one, probably, because it was good, simple, built on open standards, and long dead).
Quote similar approach was sharing your Floppy Disk A:/ drive. Any attempt to access it via the network would make this loud noise of empty drive, which meant someone is waiting for you in the chat.
I love this story! A few years ago I had a server in my apartment with a similar 'dingdong.html' that would ring an old elevator bell I had salvaged from the junk. I didn't end up giving people the URL; I just made an ESP8266 button that would send a request.
If it had been a bit more reliable I would have kept using it but I had some issues with either the bell coil or the relay and it kept sticking. All in all the project ended up being more expensive than a wireless doorbell, but I enjoyed the experience (and the smartwatch notification when someone was at the door).
From experience, if you're a heavy-sleeping teenager like I used to be, the noise is less of an issue ;) I don't think I could cope with the sound of two fans and three HDs spinning nowadays, but back then it was a tiny price to pay for the coolness of having a real server in my bedroom.
Nowadays I just run an RPi3, which is silent and takes very little power.
In college we'd run a Plex/backups/Minecraft server in an old HP box on the floor. It survived a very hostile environment and was very educational to work with.
It's interesting how people used to do this back in ~2005 but now don't, however nowdays computers are much much faster and stronger than they were in 2005 so it aught to have become more feasible since a normal laptop should be akin to a small cluster back in those days.
It's also easier and faster to make your own butter today than it was 100 years ago, but most people don't because it's even easier to just buy some at the store.
I have a web server in the corner of my room since the beginning of 2004.
Besides being a firewall/router/switch and hosting a web server, it hosts more than a dozen other services, including an e-mail server, NTP server, DNS servers, DHCP & TFTP servers, etc.
In 18 years it did not have any down time, except for a few minutes every 3 to 5 years, when I have upgraded the hardware.
I could have upgraded the hardware less frequently, but I have replaced it whenever I could reduce the power consumption without decreasing the performance.
Now it is at the 6th hardware version. It has started as a big Pentium 4 pedestal server consuming over 200 W, but until now it has been reduced to an Intel NUC with a 4.5 GHz 4-core Coffee Lake U CPU, together with 4 USB to Ethernet adapters used to increase the number of Ethernet ports to 5, consuming not much above 10 W, while being much faster than the oldest servers.
A laptop has the advantage of incorporating an UPS, but I would not trust most of them with working 24/7 for years, like an Intel NUC, or preferably some fanless small computer (with an external UPS).
>In 18 years it did not have any down time, except for a few minutes every 3 to 5 years, when I have upgraded the hardware.
I wish I had that reliable of a power source. Even with a UPS, I've had tornados, snowpocalypse, etc where the power loss has lasted longer than any UPS I have.
I have power interruptions from time to time, but fortunately they are not long.
Now, with only an Intel NUC connected to an UPS that could power a big server for a half hour, the NUC might work for a day from the UPS without having to shut down.
Where I live, the "snowpocalypses", which were frequent when I was a child, have disappeared completely. On the other hand, tornadoes, which were completely unknown previously, have started to appear, so they might become a cause of problems in the future.
I'm more impressed by the internet connection. Mine is down for at least a few minutes every week. And that's only counting when I'm at home to notice it.
Though I am an individual user, I have paid since the beginning for a "business" internet connection, in order to obtain some (8) static public IPv4 addresses.
It has cost me about $60 per month, which is significantly more than non-business connections of similar speed (currently around 400 Mb/s) cost around here.
Paying for a business connection has been the main expense for having my own e-mail and web server. Except for the first server, all the later upgrades have been done by reusing computers that had been originally bought and used for other purposes. With the quickly declining power consumption of the newer servers, the cost of the electrical energy has become negligible.
A Raspberry Pi is not a good choice for a firewall/router and/or Web server, but there are small computers similar in size and price, e.g. NanoPi R5S (fanless and with 3 Ethernet ports, including two of 2.5 Gb/s for LAN and one of 1 Gb/s for WAN; 2 USB ports can be used to increase the number of Ethernet ports to 5), which should be good enough for most people.
Thing about a laptop - I am not going to keep it running 24/7. So I probably want to buy another computer for the hosting. And by that point it is cheaper to use a free netlify/github hosting type thing. You have to be quite motivated to run your own. Even in 2005 there was very cheap shared hosting, I wouldn't have chosen to self host unless it is for hobby/experimentation reasons.
Most modern phone OSes today try to limit background services to squeeze battery life out of idle states. Even though "always on", some of the idle states are extreme battery misers. For instance, even the iPhone 14 with its "always on display" is doing some really interesting idle stuff, the "always on display" itself refreshes as 1 frame per second or slower (sometimes one frame per minute! as the clock is the only guaranteed to update, once a minute). It seems like the device is always responsive due to how "instant" it wakes from idle states.
All of which are a lot of very interesting reasons why you can't just run a web server on your current phone with its current modern OS and expect it to have 24/7 up time even though it feels to you like your phone has 24/7 responsiveness uptime.
It's a solvable problem if there were enough interest: light web hosting is something that could be added to the list of system services that can wake the device from idle states (in similar ways to how notification services get prioritized, or trickle data feeds like Find My Services). It's not likely a problem that current phone OSes are incentivized to support, though, because there's currently no reason for millions of people to want websites served from their pockets.
Maybe one day there will be an interesting P2P data "hosting" protocol that would be useful for modern OSes to prioritize in that way.
You can but it would drain the battery fast. You can use an old phone that stays plugged in, but my old abandoned phones were all abandoned for a reason, usually because some critical part of them doesn't work anymore.
Search for "fanless mini pc" on Amazon or whatever and you'll be surprised. There's a lot of cool devices available that are approximately the size of a phone, use very low power (under 15 W) like a phone, are under $200 brand-new, have wired ethernet built in, USB ports, HDMI ports, can run normal Linux, and unlike Raspberry Pi they are actually in stock.
My web site (taoofmac.com) used to be hosted at home behind a DSL line. I ran it on anything from an NSLU2 (look it up, it was one of the first easy-to procure, easily hackable ARM machines) to PHP+MySQL on Windows Server (don't ask), and after a while I had Snort and all sorts of stuff running alongside to secure it.
Whenever I was linked from Slashdot I would pretty much lose connectivity, so I started using Coral CDN, moved it to a colo, then to Linode, and on and on through some 6 or 7 providers as technology changed and I tried new things.
It's been 20 years now (just wrote about that last week), and I sort of miss those days, but on the other hand I really don't--keeping the server alive and secure (even in Linode) was a bit of a chore, so the writing was pretty much on the wall that it would eventually become just a set of static pages on an Azure storage account. Zero worry about keeping the site secure, no runtime issues, and plenty of opportunities to be creative (like this: https://taoofmac.com/static/graph)
And boy, do I have plenty of in-house web servers and Raspberry Pis to make up for it--but none are public, and I just have a couple of cores spinning on each major provider for toy projects.
I hosted a phpbb board out of my room during high school. Our school board had just done the "one laptop per kid" thing, and the machines were all locked down and most of the fun sites were blocked, but not my site, because IT didn't know about it. So everyone went there to chat. We had an IRC server. People became friends that otherwise were in different cliques irl.
One time we were supposed to be doing work during class, but everyone was on IRC chatting. The classroom was completely silent. Somebody wrote "somebody say penis" in the channel and the whole classroom started laughing at the same time, for seemingly no reason. The teacher was confused, it was a good time to be a 15 year old dorking around with computers.
I graduated HS in 2012. There were a few guys who would literally yell the word "penis" at the top of their lungs in class. I now recall a time when one kid was working in a group with one of these troublemakers, and the problematic one raised his voice to say, "Why are you drawing a picture of a penis 'John'?" when in fact John was merely working on his own part of the project.
I host a website with 20k daily visitors from my living room. If you want something that feels as small and convenient as a pi but with a little more muscle to it, mini PCs are your best friends.
445 comments
[ 3.3 ms ] story [ 312 ms ] threadThe idea is you'd publish on your own web server, and syndicate to other services that could maintain under pressure, etc.
I think that for many people, setting it up at home is "Good enough" and if you get slash dotted, well then you can deal with it at that point.
This was in 2001, so it’s meaning has changed significantly since then.
A single image was the top result for "Japanese robot death cat" or something on Google Images, so I was getting pounded. A quick robots.txt update and a few days later everything was calm again.
Small sites would get pissed when site like the nyt hotlinked and serve them pron instead.
Every so often I think about doing it again, but security paranoia keeps me from it. What if they broke out somehow? I could DMZ it I guess.
It can be a bit tricky with hairpin routing, but you can make the DMZ seem to be "on the internet" even to the home network.
Use tail scale or something similar for actual "access my home network from far away"
I do open ports, for NextCloud (to be able share stuff) and some websites. But Home Assistant is only accessible from the Tailnet for example, as are my ssh servers.
Once you use Tailscale you realize this is how a VPN should be, it's really something.
[0]: https://github.com/anderspitman/awesome-tunneling
Like HTML's marquee and blink tags, just because you can do something on your web site doesn't necessarily mean you should.
1: It was two T3 lines, but only half of the second line was provisioned, so ~67MBps vs today's 12MBps.
I run it behind a cheapo VPS for geolocation reasons.
https://fatcity.it
What does this involve? Are you tunneling a browser through ssh? Are you doing development work?
Also, the status page is a rather beautiful bit of text. Did you do that yourself?
Yes, remote dev work is done mostly with Visual Studio Code Remote SSH[2] (but I wish something similar would exists for Sublime Text).
[0]: https://tailscale.com/
[1]: https://developers.cloudflare.com/cloudflare-one/connections...
[2]: https://code.visualstudio.com/docs/remote/ssh
Edit: Yes, I hacked together the status page, something similar welcomes me when I ssh into the machine.
Edit 2: Some benchmark here: https://pibenchmarks.com/benchmark/62022
And feel free to ask me anything.
This.
I run mine on RPi 3B+ with a 4 running the database. I reverse proxy to my site via a cloud VPS instance for $4 a month. I switched to the cloud after years on NO-IP when 1) I noticed my IP never changed and 2) my home IP address was public via a look up of my domain name.
On another 3B+ I have a VPN so I can SSH in .
Some day I will get around doing a roll-your-own-ngrok [0] so I don't have to open any ports but have yet to do it. I have done it for a project I was working on and I needed to make the local dev server accessible to a 3rd party. Pretty slick and saves a bunch of time and hassle from having to put the code on the server. (As an aside: Does anyone else dislike the term "grok"? For whatever reason it annoys the hell out of me.)
I really have nothing important on there and go months or years without doing anything to it then get a burst of creativity or what not and update the site or just tinker with it.
[0] https://jerrington.me/posts/2019-01-29-self-hosted-ngrok.htm...
If you're very concerned about privacy, frequently SMTP headers generally contain IP address info...
It's puzzling that email services don't redact the originating (often home/residential) IP address from authenticated clients for privacy reasons.
Long story short, someone apparently went to a non-zero amount of effort to hack my homebrew file-upload form.
[0] https://ratfactor.com/setup2
Edit: ref CGI, there's a few apps on there that do that as well (e.g. fish tank temperature monitor). Nice thing about a small private network is being able to do CGI scripts in bash/whatever without having to worry too much).
[0] https://github.com/hrbrmstr/pewpew
[0] https://wlog.viltstigen.se/articles/2021/05/02/mdns-for-linu...
[1] https://pi-hole.net
[2] https://docs.callitkarma.me/posts/PiHole-Local-DNS/
Also, somepcname.local mDNS works on most operating systems today (once you grant firewall permissions to it; for instance, on Windows setting your home network as a "Private" network for instance when it asks Public or Private).
(How would you even add hosts to an iPhone or something?)
1. https://tailscale.com/kb/1054/dns/
2. https://tailscale.com/kb/1153/enabling-https/
Besides DNS-based naming there is Multicast DNS (Bonjour/Avahi/ZeroConf) and NetBIOS naming (which still exist and works on most operating systems that have Samba or something similar).
In any case, you don't need a remote service like Cloud9 or Tailscale to any of this. Normal networking has done this for decades.
The next step beyond this is running a more capable DNS system in your home network. Generally this takes the shape of a DNS forwarder service running on a router or server. It could be as simple as a PiHole or OpnSense firewall, or however complicated you might want to make it.
You could have your own top level domain as well.
I use NixOS, so it was easy to make a function to abstract over the config. In each computer's config, all I do is specify a hostname. This function does the work (or really, some nixpkgs committer did):
I've got a domain, and I've added multiple A records pointing to IPs of servers in my 192.168.X.Y NAT. This has a downside thought, that with short enough TTL, you may not be able to access your server during intermittent connectivity problems.
I'm using letsencrypt through traefik for the certs.
- desired hostname and search domain(can be bogus though not recommended)
- DHCP server parameters with the router's IP as primary DNS
- DHCP static assignment for (each of)server(s)
- DNS static assignment such as "yourserver.bogusdomain.tld 192.168.10.10"
- (optionally) domain names, ddclient, certbot
"Proper" classical router/firewall OSs like Cisco IOS, Juniper JunOS, VyOS, RouterOS, OpenWrt, all easily do it like they do a cigarette, but good gamer routers and some NASs also can do it okay in many cases.
Similarly for printing, I would love a local web app that I could submit PDFs to and get a printer to print the pages. I could imagine scanning working in reverse. I tried googling a bit but alas it seems no one has done it.
This is why I was thinking that a plain web app with a known good driver could solve these problems.
https://www.geeksforgeeks.org/incron-command-in-linux-with-e...
Because inside the firewall are a bunch of phones and laptops and things that are accessing random webpages and running random apps; and (depending on your level of home network paranoia) maybe a bunch of internet-of-things things, or networked speakers, or televisions, etc., etc.
So even your basement server for home-only use really needs a cert, and client auth, and obviously needs to stay patched... lest it become a monster inside the firewall itself.
Shout out to Cloudflare, setting up an access protected tunnel took like 10 minutes.
Some subdomains dedicated to personal services etc. Web server just a part of the game, not them specifically.
Technically there are NO reasons to justify "cloud computing" despite claims, the only real justifications are business of some against others interests. There are no reasons despite all ipv6 issue to not offer global addresses etc. The real issue is that most people simply have next to no ideal about IT nor how to benefit from in in their own lives. Those who know have not much choice...
> [it should] be reliable if I kick a cable out of the wall
Right, if you want it to be reliable but also be able to cut its cables, then you will need a secondary host outside the home.
> or in the unlikely event that I get a bunch of traffic.
Are you serving media (music or video of more than a few seconds)? If not: DSL or mobile data (if your data cap allows) is fine for HN front page. Judging by the current page weighing 100KB, you can have 10 visitors every second at 1 MiB/s upload. (HN reaches that rate only in spikes, even at a top three position.)
> I’d also like it to be quick!
It's currently not quick at DigitalOcean (2 seconds for TLS setup, 12 seconds for HTML, 8 seconds for JavaScript, etc... 27 seconds total). It can only get better!
I can recommend something beefier than a raspberry pi, though, or at least than than the pi 1-3 speeds that I'm used to. I personally use an old laptop which is plenty fast for, well, anything you'd also ask of a daily driver, except it now doesn't need to render a GUI which speeds things up a lot. They can peak up to 100W depending on the model, but are usually very low power when nothing is being asked of them.
> Oh, and I don’t want to have my home network hacked.
Then install unattended-upgrades, put admin panels (phpmyadmin, wp-admin) behind basic authentication, don't host things you don't trust (random code written by 'someone on the internet' that has never been tested by anyone), put it in a VLAN if you want to be extra cautious, and you'll be fine. It never hurts to keep your phone and other systems on the LAN up-to-date anyhow so they should be secure as well, even if someone does get in.
It doesn't have to be this way! Put it on a pi and have fun, if not for your sanity at the very least do it for your second most valuable resource, your time. If all a person wants to do is have a website that plays a piezo buzzer when someone visits on your RPi, just write that damned code, they shouldn't feel the need to worry about all the nitty gritty when all that they wanted to do is have fun!
I think I've heard of some services like that...
If connected on wifi to your router this of course solves the "kick a cable out" problem too, even if the battery is really old you'll almost certainly still have a few minutes.
> Then install unattended-upgrades, put admin panels (phpmyadmin, wp-admin) behind basic authentication
I'd go as far as protecting the directory to only allow access from local network, and use wireguard to reach the machine.
It's likely a server in the corner of the room will cost more than a VPS, certainly in my country. A server drawing 25 Watts cost more than the $3/month I pay. (That said I also have a pihole running on a 1B - my parasitic house load is about 100W for the fridge, router, wifi, etc)
Or, you know, only allow access from the attached hardware and reach the machine the old-fashioned way: By walking.
Regarding costs, it's useful to know the cost of a watt: For my electric rates, the equation runs:
So at least in my area the 25W server would not quite cost more than $3/month.(The landlord had installed these sensor-activated ancient bulbs in the hallway, where I pass through to to the cellar / power meter, and I was trying to track down this mysterious 100W that seemed to be always running, without fail. Turns out, it was only running when I was checking the meter! We then did the math with a better runtime estimate and still went out to buy LED bulbs at our earliest convenience. They're brighter than before (we erred on the high side), just as warm light, and use 2.5x less power.)
And yes, in my opinion we erred on the high side, but it's not far off from what the original incandescent (which apparently was 2x50W, measured).
Very true! Battery from like 2015 still manages to keep it running for about two hours I think, which is frankly amazing. I was constantly dealing with taking the battery out of the laptop when not in use (98% of the time, it was connected to a charger, either in a classroom or at home, so I'd need only to bridge the stand-by/suspend/sleep period in the train). At the time, it didn't seem to have an effect as the battery still decreased in capacity and I was disappointed with the results, but I gotta say, it is certainly doing a good job since then!
Unfortunately, external drives on the 'server' are not on uninterruptible power and having two of them in a btrfs mirror caused me more headaches than I like to admit. Even after I figured out which one had the more recent data after going out of sync, I misunderstood the phrasing of the man page and mixed up the arguments for the device to be recovered and the device to recover from. 2/7 would not recommend btrfs on devices without UPS, or if you don't want to shell out the money to buy three instead of two large drives so you can have a 1:1 disk image of the known good device before starting to operate on it (which is what btrfs was supposed to do in the first place, but alas).
> A server drawing 25 Watts costs more than the $3/month I pay.
With the screen and keyboard backlight and such turned off, it should draw less than 25W unless you're actively making use of it (and thus it being worth it), but yes that's ballpark correct.
I also get a lot more value out of it than what I expect to get for $3/month, though :). LAN speed transfers can be nice, no network latency (at least not beyond of your control) when you host a game server, access control is all up to you, dedicated hardware, you can choose to upgrade to 16GB RAM at will (perhaps you got a new DDR4 machine and have no use for the old DDR3 RAM that still fits in this 'server') without having to pay extra every month for those gigabytes forever, buying storage basically at cost price...
For me, that's the big challenge; all I have is home internet on a dynamic IP provided by one of the big cable monopolies in the US.
[0] https://github.com/timothymiller/cloudflare-ddns
- Setup public IP updating. You server runs a daemon that updates the DNS record automatically. You can do that with NameCheap. ($)
- You can pay 5$ to have a digital ocean droplet that acts as a reverse proxy that just forwards traffic to your real server. ($$)
- You can pay for "entreprise" service and get a static IP. ($$$)
You would run a program on your system which connects to Cloudflare. The traffic goes to Cloudflare first, and then gets forwarded to your system.
[1] https://blog.cloudflare.com/tunnel-for-everyone/
https://github.com/anderspitman/awesome-tunneling
But if you want to be accessible to the outside world, you need to direct your traffic outside; I don't see a substantial difference between routing your traffic through Cloudflare, Comcast, Equinix, or any other major connectivity provider.
And I would mostly agree so long as you're the only one who has access to said data. There will always be "ISPs", of sorts, that your data needs to pass through; that's simply how the internet works.
The nitpick about Cloudflare is that they are starting to act as a gateway to the internet. Maybe you can turn their fronting off if they start giving you trouble, or maybe your registrar also runs behind Cloudflare. Anyway, bit of a philosophical discussion how much power to vest in one company.
The real trouble is that their main offering involves giving them the private keys to your traffic. I don't know if that's also the case with this Tunnel product, but at least for regular websites, then they process your actual data, as with the bank example (a colleague at said bank was not happy).
I know of only one ISP in the Netherlands that uses CGNAT and there you can ask support to fix it, which takes them 24 hours. I learned that the hard way when wanting to have a gaming night, hosting a factorio server in my student room. No gaming night for me, or so the ISP thought while rubbing their hands. It took me a bit but I eventually managed to proxy the UDP traffic somehow, not sure anymore if I used hole punching or somehow encapsulated it in TCP and reverse SSH tunneled or something. (Edit: on second thought, pretty sure I asked the other participants if they had IPv6 -- they did not -- and then proxied the traffic from my server via IPv6 using iptables. /edit)
We are quite fortunate with having had an early ISP community that managed to gobble up all the IP addresses we'd need for a good long while, and our population is relatively stable compared to other parts of the world. I know not everyone is this fortunate. (Hello ipv6...)
Even in a place like Germany, it seems one needs to be a business connection to get this service, it's simply not offered for consumers at all that I could find in some town in NRW. This is why I'm so happy the Netherlands has ISPs like Freedom (successor of XS4ALL) and Tweak who not only care about being cheap. Even if you don't use Tweak or Freedom, I feel like it keeps the local competition sharp.
[0] https://openwrt.org/docs/guide-user/services/ddns/client
Try not to worry too much about what happens when your IP is reassigned before you can update the name.
I technically have a dynamic IP, as the ISP also sells an upgrade to a guaranteed static IP which I don't pay for.
However, I've been getting assigned the same IP consistently since 2013. I used to use a dynamic DNS service to keep track of it but stopped doing that since it never changes.
P.S. - I pay for a static IP from my ISP. Don't count on that never changing either. I know this from experience.
Most nameservers provide a REST API for updating records so this is very easily done.
But before that I created a service for looking up my ip address and hosted it for free at fly [1]. Then I setup a script in cron to update my dns every 5min if it had changed.
[1] https://fossil.chillfox.com/echo_ip/index
One day I will. In the meantime, could you please drop some links to some good introductory pages ?
Thanks!
From there, any device that connects to one of those ports or wi-fi networks will use the assigned VLAN. The access points are great because you can create several wi-fi networks and then the software provisions them to how ever many access points and switches you have, so you don't have to login to each one and set them up separately.
Any links I sent would be specific to Ubiquiti, but happy to do so if you plan to use their hardware.
Hell now I want to try this with two old but decent android phones - they would sip power and have a built in UPS and would blow a RPI out of the water speed wise. Throw a USB-C to Ethernet adapter on each and setup for HA (or if you were really lazy just a simple round robin DNS setup). Put one at a friend house and have them both setup with the free Cloudflare proxy thing and you would not even need to open any ports on your firewall.
This article is likely to give you a good idea of the architecture: https://developer.hashicorp.com/nomad/tutorials/load-balanci...
The only way I see to avoid a SPOF is with anycast, which I think involves running your own ISP to be able to arrange your own BGP sessions and announce at multiple locations.
Is this worth while to do? I'm concerned about using a pi, because micro-sd cards seem to be notoriously bad for corrupting data in less than ideal power situations.
Whether it could survive a lot of pageloads, like when submitting to HN and it gets traction, 100% depends on the blog software.
It won't run Wordpress well because that software is ridiculously heavy, and I frankly don't have good examples of database-based blog software aside from something I wrote myself. Mine still does multiple mariadb queries per pageload, so it's not as though it's extremely lightweight, but page generation comes out to a few milliseconds on a laptop with a CPU from 2012 inside. This software would survive the HN homepage easily.
I would estimate that anything that can handle >10 requests per second will survive the HN homepage, but if you're on the edge of 10r/s then perhaps it might be slower during the busiest minutes. If you would use static page generation (like jekyll, though I'm personally not a fan of how jekyll works it's the most well-known example) then the pi will definitely survive serving those static pages easily.
> I would like it to at least be a little nicer looking
The looks don't make it heavier or less heavy. Having a few style rules applied to the page is a few extra bytes per pageload, but they're not going to make the difference between it working or it not working.
Thin clients are perfect for such tasks. More powerful than a Pi, fanless, uses little power, and comes with a proper network card. Second hand HP T620s are cheap.
Also default security measures such as disabling root login via SSH, disable password login via ssh, use fail2ban (also works for wp-admin and the likes!), install/use firewall and only open services which you want to access from the outside.
I had a URL on my website called moo.html that wasn't indexed. My friends had it bookmarked, and when they visited it they got a picture of a cow, but it played a cow mooing in my bedroom. It was a nudge to come online and be social.
The End.
At least if you are this person: http://facebook.com/profile.php?=73322363
(This link redirects to the profile of whoever clicks it)
it might not even be that hacky to be honest. in some ways modern log aggregation isn’t that different, just insulated by more steps and safe guards. less moos though.
The school I was in had to do a complete wipe of 5 TB of random shares (back then that was a lot of data)
and they expelled a bunch of students for pirating and hosting extreme content
After that the network filtering was standard policy.
They were "testing the newly pulled fibre optics" by trying to saturate it with Wow, Diablo, Counterstrike, Doom, Quake, etc.
They would book the computer labs of 60+ computers and tell everyone to boot up a copy of (ahem pirated) Half Life and get everyone one on games and then run a traceroute/ping/packet trace, etc to measure what was happening.
Those were the days...
Lots of pirating but also, thanks to it having a public static IP, a fabulous way for me to learn all about running and configuring my own web server, irc server, mail server, dns server, ftpd etc. etc. It was my gateway into experimenting with linux, discovering luminaries like DJB & RS, learning about RFCs, appreciating the open source/free software movement and probably a major reason why I ended up on a sysadmin/ops/infra trajectory after uni that still serves me well to this day.
A few of my customers were running legit and decent sized businesses and they had no idea it was being hosted by a college kid who actually wasn’t even monitoring things all that much. When I encountered a problem I couldn’t figure out from searching the internet, I’d usually just write some script and cron job to restart the service periodically. It also served as my everything (nameservers, support, e-mail, etc) so I remember one time there was a fire in my data center and it went down for about 36 hours. I had no way to communicate with my customers and the site was unavailable. Luckily I think only about 10 customers even noticed.
The light was controlled by an X10 "firecracker" module. Neat stuff, for the time.
Anyway, she would do that to get my attention if I wasn't by the PC and she wanted to chat via ICQ.
I still have the modules around here somewhere!
No native serial ports, though, and the restriction of things needing to be on the same circuit kind of puts a damper on things. In my college dorms everything in my room was on the same circuit.
re: the serial ports - If I remember correctly the signaling to the module was done on handshake pings (because serial data could "pass thru" the module). They'd probably be pretty easy to bit-bang from any 5V logic source.
As a high school student I helped my school do some sys admin stuff, and one day I was stuck in a server(?) room while the guy who had keys etc. was away in another room and floor. So I ssh-ed into the machine he was likely working on and ejected the CD ROM back and forth until I caught his attention :D
Her sister caught on but couldn't prove it.
If you want to be dismissive, call it nostalgia — or point out that every generation feels this way about the way the world is compared to the way it was when they were younger.
But I think there is something truly broken in the world and I think people feel it too. The phrase that kept popping into my head when I was feeling particularly down about the way of things was, "No one would have chosen this." That is, in reference to the way the Western world is today.
Turns out there is a cron job that updates the locate command's index.
We wrote it on the LAMP stack which gave us the full suite of whatever you could find on a Linux CD at the time.
Fancy graphs? No problem.
Send reminder emails? Sure boss! We dutifully started hacking and testing and hacking to get that function in.
To test, we decided to send emails to jackfrost, santa, and so on from our own sendmail server to the corporate mail server. It worked fine because we weren’t spamming it, we were just sending a few messages every now and then as we debugged.
Turns out there’s really a Jack Frost that worked for us.
He was not pleased.
We were amused.
I think we apologized, and I forget how we figured out he was a real person.
Well. Hacked as in someone banging their password list against an SSH server that only accepts public key logins, at maximum speed with tens of simultaneous connections, pegging the CPU (and I was running junk hardware, I found that 800MHz Intel Coppermine CPU literally from a mixed waste trash bin). Usually the scripts doing this had the decency to keep the attempts to something like 1 per second which would be unnoticeable.
The problem was that I only had mechanical hard drives back then and they would spin up all the time and make noise.
In 2001 I started to systematically search for the causes of the disk noises and document it at https://www.agol.dk/quietlinux/
E.g., I spent a lot of time finding out that CUPS was generating a new certificate every 5 minutes. Nowadays it is a lot easier to investigate things like that. Back then I was patching the kernel.
I did something similar when I lost my phone but it was still connected to the network. Ssh into it and `while true; do espeak "I am here"; done`. Related: http://bash.org/?5273
Then when we finally got inside, the car didn’t have a keyhole to start it at all. Ended up calling the rental agency that showed us how to invoke the magic sequence by holding the (empty) fob in front of the start button for a few seconds before pressing it. I guess it does passive RFiD or something?
Anyway, that’s the point where I decided modern cars are not my thing.
I'll leave it to readers imagination how long it took me to troubleshoot the issue.
Plot twist: It's a Ring doorbell and wi-fi is down.
Though I did have a Linux ppc box serving website under my desk in the early 2000s.. until they blocked port 80.
https://web.archive.org/web/20020124163137/http://www.linuxp...
If it had been a bit more reliable I would have kept using it but I had some issues with either the bell coil or the relay and it kept sticking. All in all the project ended up being more expensive than a wireless doorbell, but I enjoyed the experience (and the smartwatch notification when someone was at the door).
Nowadays I just run an RPi3, which is silent and takes very little power.
I have a web server in the corner of my room since the beginning of 2004.
Besides being a firewall/router/switch and hosting a web server, it hosts more than a dozen other services, including an e-mail server, NTP server, DNS servers, DHCP & TFTP servers, etc.
In 18 years it did not have any down time, except for a few minutes every 3 to 5 years, when I have upgraded the hardware.
I could have upgraded the hardware less frequently, but I have replaced it whenever I could reduce the power consumption without decreasing the performance.
Now it is at the 6th hardware version. It has started as a big Pentium 4 pedestal server consuming over 200 W, but until now it has been reduced to an Intel NUC with a 4.5 GHz 4-core Coffee Lake U CPU, together with 4 USB to Ethernet adapters used to increase the number of Ethernet ports to 5, consuming not much above 10 W, while being much faster than the oldest servers.
A laptop has the advantage of incorporating an UPS, but I would not trust most of them with working 24/7 for years, like an Intel NUC, or preferably some fanless small computer (with an external UPS).
I wish I had that reliable of a power source. Even with a UPS, I've had tornados, snowpocalypse, etc where the power loss has lasted longer than any UPS I have.
Now, with only an Intel NUC connected to an UPS that could power a big server for a half hour, the NUC might work for a day from the UPS without having to shut down.
Where I live, the "snowpocalypses", which were frequent when I was a child, have disappeared completely. On the other hand, tornadoes, which were completely unknown previously, have started to appear, so they might become a cause of problems in the future.
It has cost me about $60 per month, which is significantly more than non-business connections of similar speed (currently around 400 Mb/s) cost around here.
Paying for a business connection has been the main expense for having my own e-mail and web server. Except for the first server, all the later upgrades have been done by reusing computers that had been originally bought and used for other purposes. With the quickly declining power consumption of the newer servers, the cost of the electrical energy has become negligible.
A Raspberry Pi is not a good choice for a firewall/router and/or Web server, but there are small computers similar in size and price, e.g. NanoPi R5S (fanless and with 3 Ethernet ports, including two of 2.5 Gb/s for LAN and one of 1 Gb/s for WAN; 2 USB ports can be used to increase the number of Ethernet ports to 5), which should be good enough for most people.
All of which are a lot of very interesting reasons why you can't just run a web server on your current phone with its current modern OS and expect it to have 24/7 up time even though it feels to you like your phone has 24/7 responsiveness uptime.
It's a solvable problem if there were enough interest: light web hosting is something that could be added to the list of system services that can wake the device from idle states (in similar ways to how notification services get prioritized, or trickle data feeds like Find My Services). It's not likely a problem that current phone OSes are incentivized to support, though, because there's currently no reason for millions of people to want websites served from their pockets.
Maybe one day there will be an interesting P2P data "hosting" protocol that would be useful for modern OSes to prioritize in that way.
https://github.com/feelfreelinux/octo4a
Search for "fanless mini pc" on Amazon or whatever and you'll be surprised. There's a lot of cool devices available that are approximately the size of a phone, use very low power (under 15 W) like a phone, are under $200 brand-new, have wired ethernet built in, USB ports, HDMI ports, can run normal Linux, and unlike Raspberry Pi they are actually in stock.
Whenever I was linked from Slashdot I would pretty much lose connectivity, so I started using Coral CDN, moved it to a colo, then to Linode, and on and on through some 6 or 7 providers as technology changed and I tried new things.
It's been 20 years now (just wrote about that last week), and I sort of miss those days, but on the other hand I really don't--keeping the server alive and secure (even in Linode) was a bit of a chore, so the writing was pretty much on the wall that it would eventually become just a set of static pages on an Azure storage account. Zero worry about keeping the site secure, no runtime issues, and plenty of opportunities to be creative (like this: https://taoofmac.com/static/graph)
And boy, do I have plenty of in-house web servers and Raspberry Pis to make up for it--but none are public, and I just have a couple of cores spinning on each major provider for toy projects.
One time we were supposed to be doing work during class, but everyone was on IRC chatting. The classroom was completely silent. Somebody wrote "somebody say penis" in the channel and the whole classroom started laughing at the same time, for seemingly no reason. The teacher was confused, it was a good time to be a 15 year old dorking around with computers.
Edgy...
Bunch of clowns :P
How long ago was this? You'd think the school had a strict filter on outside connections, especially to IRC servers.