Ask HN: Host a website from a living room in 2022?
As in title. Is Raspberry Pi a viable option (SD card?!)? Should I get an Intel NUC? Fanless would be really, really nice.
Thank you!
EDIT: OK, a web app, not a website, the service is not critical (it's my side project, 5yearsback.com), I'm 100% technical, the app is in Clojure, but I plan to deploy Zig services as well
EDIT2: I've a static IP.
162 comments
[ 3.7 ms ] story [ 197 ms ] threadSecurity is a bigger issue IMO though.
The cost of a Pi would likely also pay for a decent low-end VPS for a years or so.
https://www.hardkernel.com/shop/odroid-h3/
I serve a website for my 3D printers from a Raspberry Pi (some are 3B+, some are Zero-W). It's just for "the set of people in the house who use the 3D printers", so the Pi is fine and obviously a viable candidate.
I have an ESP32 (or it might be an ESP8266 even; I'd have to look) that serves a status page for the boiler and near-boiler temps. That's also in-house only, but even that's on the slow side. https://imgur.com/a/JmeXYnj
What is the load this site is expected to serve? To what visitors? How static/cacheable is it? For me, an RPi goes a long way for anything in-house. Out of the house traffic, I'd look at a cheap VPS pretty early in the journey.
Regarding security: you might want to have a look at cloudflared. This is a (free for small projects) service by Cloudflare where your server (Raspberry Pi) connects to cloudflare, and all HTTP traffic is proxied through Cloudflare. This has multiple advantages:
- you don't need to open a port on your router that forwards to your Pi, which is good for security and simplicity (some routers don't even have this option)
- you get all the cloudflare protection with the click of a button, including HTTPS with automatic Cloudflare certificates, DDoS protection, etc
- you don't need DynDNS to point to your dynamically changing IP
( Your ISP should give you at least a /56 : https://www.ripe.net/publications/docs/ripe-690 )
I guess this depends a LOT your ISP, and especially the router they gave you, how much IPv6-only friendly are they ?
Yes, you can buy your own router, but this come with even more complications and potentially negotiations with the ISP.
(And to be extra clear, this question mark indicates a question, albeit a rhetorical one.)
Even funnier that you think you'd even be accessible if you put your website on IPv6 only
If you’re wiping it and installing Linux it’s like any other server, but if you’re running macOS you’re open to a wider spectrum of vulnerabilities that wouldn’t normally apply (desktop software). Your apps could also have vulnerabilities that expose access to personal credentials, etc (e.g. filesystems, apple id) depending on your setup.
You can insulate yourself a bit with tunnels/proxies to expose specific services (e.g. cloudflare, ngrok).
I had a lot more peace of mind buying an old, cheap computer, raspberry pis, and eventually NUCs.
I think people self-host with their ISP to get away from centralized choke-points such as Cloudflare. Unless you're fine with having Cloudflare have yet-another-datapoint.
I would still consider it very nice of them to offer this free service that let's you break free from your dynamic IP, crappy router and at the same time giving you protection that you couldn't set up yourself.
I think many people just want to be able to make their device available from the internet - this type of liberty is not really important for many people.
Your home web server can establish a VPN connection to the public IP of your VPS, meaning you still don't need to worry about dynamic addresses changing or opening ports on your router. This is essentially what a Cloudflare tunnel is.
Granted a VPS isn't usually free. But some places like Oracle Cloud do offer free-tier compute, as well as fly.io.
http://dusted.dk/pages/aWayOut/
So with your statement, "I still don't want to trust a VPS provider", is this more about having your secrets or file contents leaked? Because even in your design, if the VM is compromised, then so are your users. At some level you still have to trust that the provider isn't malicious or vulnerable.
If my VPS is broken, I don't lose any secrets, and it does not permit any additional access into my LAN or VPN.
For plain HTTP, of course all traffic would be easily intercepted and readable. For HTTPS, I guess an attacker might compromise the software and IP tables configuration on the VPS and run a MITM attack to decrypt it.
So yes, I am putting a bit of trust on the VPS, for my specific use-case, the most sensitive information they'd be able to access if they went through the trouble of decrypting HTTPS, was getting access to my music-player :)
I am thinking though, that at that point.. well, even if I hosted at home on my own ISP directly, I still need to put that same amount of trust on my ISP, since they could MITM me as well I think.
1: https://forums.raspberrypi.com/viewtopic.php?f=63&t=253104&p...
I've had a previous RPI SD card get corrupted this way and I've been hesitant to do anything useful with home-hosting on one since I had that problem.
Sorry I don’t know that I’m being helpful here. I had the same issue and just ended up with an ups - but I also ended up plugging my networking rack into it (router, cable modem, switch, nas) as well. We’ve only had one real outage since I set this up, but it kept my network alive for 90 minutes or so and then the power came back up.
Also test your backups.
Corruption has always been an issue with using standard SD cards as a boot system. It's just something these cards were never meant to do. I run multiple Pis at home, one of them as a scraper/site hosting/MariaDB/Wireguard. Power outages would almost always corrupt the file system, and a few times, damage the SD card. Once I switched to high endurance cards, I haven't had a problem.
There are some gotchas - everything you write after that goes to a tmpfs. Meaning it starts cutting into your available RAM. So this overlay is only really useful if you are using the high-memory variants like the 4GB/8GB RPI4. With the 1GB Pi variants, this gets painful.
Alternatively, You could setup a cron job to reboot every night thus clearing the tmpfs.
Do remember to disable the overlay (and make /boot rw) every few weeks to apply updates.
You aren't tied to Cloudflare in the sense that there are other CDN services to choose from, each with their own pros and cons. With the servers on your own infrastructure you can choose the provider you like and easily switch between them. I also have ports forwarded for services that I don't want to proxy.
As far as exposing to the net, ngrok seems cool.
That is a sure way to kill off the battery and a fire risk as well. Laptops aren't designed to run 24/7.
Additionally, keeping a laptop shut and running usually messes with its thermal design as the heat can't escape to the top via the keyboard, further heating up the battery.
https://wiki.pine64.org/wiki/ROCKPro64#Booting_from_USB_or_P...
If you want to go with a more traditional x68 any of the many intel n4000/n5000 series systems being sold on aliexpres and similar sizes by no name brands as firewall appliances or network something do support modern m.2/nvme storage.
Regardless, I would host an NGINX proxy in front of some docker containers. It’s the easiest and classic way to front apps with custom domains very very easily. Traefik is also very nice and fast (Go based) reverse proxy.
If it’s purely for personal use, then check Cloudflared to tunnel into your network and access it like a VPN.
Again, if it’s Public be weary of DDOS attacks, port scans, etc. Personally I wouldn’t self-host a public web app from my house and instead would use a 4/mo VPS from Hetzner
It's YOUR internet connection. Who's going to ban you for opening ports and running a server? I've been doing it with comcast for 20+ years.
Maybe not all my server traffic goes through port 80 or 443, but my server is also my torrent seedbox which is high traffic and just another port. WHATEVER.
My server is just a Windows 7 PC in the living room with no monitor, no keyboard, and no mouse. Only connected power and ethernet. I remotely control it with RealVNC and it's extremely stable. The only time it goes down is a power outage because I don't use a UPS.
I use it for a website (nginx/let's encrypt), Jitsi Meet, Mumble, Ventrilo, FTP, proxy (8080), and of course torrents. Not afraid of port scans.
I use a couple of DDNS domains that I give people but I can disable the public one I give to people and change my IP any time I want.
NOT VPN. NOT Cloud. NOT VPS. NOT pay monthly to someone. You can do it all yourself for free and have been able to for decades. Quit being so scared, cell phone generation.
"use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers;"
https://www.xfinity.com/Corporate/Customers/Policies/HighSpe...
Just because you've been getting away with it doesn't mean the risk of having your account suspended isn't real or worth considering.
You're not wrong, but as far as I know there is no human on earth that owns "their own internet connection", everyone's network connects to an upstream network. Every upstream service has rules their customers must abide by.
Why do you think routers have PORT FORWARDING in them? Is that just for fun? Think about it. I can go to ebay and buy Microsoft Windows NT Server 4.0 from 1996 and run whatever DNS or IIS server I want, however outdated it is.
It's absolutely absurd to think you have to pay to host things even though you have all the equipment and bandwidth to do it yourself. I only have 1000/42Mbps but I've got a friend who just got fiber in CA who has 10Gbit both ways. With speeds like that, do you think we're just going to upload Linux ISOs AND not RUN servers on all sixty five thousand ports?
Ha ha ha haooowww
Again, just because you've been getting away with it doesn't mean the risk of having your account suspended isn't real or worth considering.
Unfortunately not everyone may live in a region with multiple internet providers, such that they can switch to a different one if banned.
You pay your internet and electricity, no?
That said, unless you have an ideological reason for hosting it from your own home there are many platforms out there that can comfortably fit most non-critical webapps in their free tier with even less hassle than setting up a pi.
What are "the best" at the moment? (best being whatever metric one feels is relevant for this scope)
1) internal HDD can be replaced with cheap, big SSD
2) Computer is absolutely silent
3) everything in one package, no mess of cables
4) very reliable
5) very low power usage
MacOS isn't the best OS for running a server, but I'm used to it so I don't mind setting up launch agents instead of systemd units
Much better value and power over a raspi.
- https://www.servethehome.com/introducing-project-tinyminimic...
- https://www.servethehome.com/tag/tinyminimicro/
If you put them into a cupboard, those PSUs take almost as much space as the computer itself.
That being said, if you use the Mac as a server, behind a NAT/Firewall with only some ports open, use up to date server software, and don't use it to surf the web, then the security impact of using an outdated OS is minimal.
You could of course also just install Linux on it.
[1]: https://dortania.github.io/OpenCore-Legacy-Patcher/
I would also put your app behind CloudFlare.
Also- if you are able to afford an intel NUC ($200?), and the app is low resources enough to be able to run on a Pi. You could also consider getting a VPS ($10/month).
[1] Something like https://www.newegg.com/dell-optiplex-7090-business-desktops-... - but older, and found on a local recycling center.
There are a lot of alternative SBCs to the Raspberry that are easier to find these days.
If you plan to use the SDCard make sure you do not write logs to it or that you change it regularly. I recommend that you mount a harddrive/ssd or usb stick for the logs if you really want them.
Maybe I'm wrong, but I thought AWS' free tier only lasts a year. Then you have to tear everything down and spawn a new account and re-upload and re-configure everything, which is burdensome?
https://docs.aws.amazon.com/whitepapers/latest/how-aws-prici...
Find three of said types of places and run kubernetes and you're good, no?
If the energy of your server is green and the heat is reused, as some modern datacenters do, the only concern becomes EOL of hardware and how quickly they change it.
Otherwise, yeah, shared cloud vm is always more economic than single hosted hardware of any kind.
I'd probably never pick having some device running 24/7 when there are 3$ VPSes
I do
You know that water pipes are in those walls too?