Ask HN: Host a website from a living room in 2022?

135 points by tomekw ↗ HN
As in title. Is Raspberry Pi a viable option (SD card?!)? Should I get an Intel NUC? Fanless would be really, really nice.

Thank you!

EDIT: OK, a web app, not a website, the service is not critical (it's my side project, 5yearsback.com), I'm 100% technical, the app is in Clojure, but I plan to deploy Zig services as well

EDIT2: I've a static IP.

162 comments

[ 3.7 ms ] story [ 197 ms ] thread
Raspberry Pi is hosting their own mastodon instance on one, although it's slow as hell right now, but obviously they have a lot of hits.

Security is a bigger issue IMO though.

What's your goals for the project? I mean it's obviously possible, the question would be why?
Considering that your system, power supply, storage and connection won't be redundant, I would not recommend this if you want the website to have decent uptime.

The cost of a Pi would likely also pay for a decent low-end VPS for a years or so.

I know, but (1) it's not critical, and (2) come on! It's so fun and so web1, and I have a static IP! :)
I don't know how experienced you are. Yes, you can host "a website" on a Raspberry Pi, even on something tiny like the Zero W. It all depends on your needs, a Pi 4 (if you can get a hold of one) is a great option!
if you're just serving a static site you could probably serve it from a toaster
"How thick does my rope need to be?"

I serve a website for my 3D printers from a Raspberry Pi (some are 3B+, some are Zero-W). It's just for "the set of people in the house who use the 3D printers", so the Pi is fine and obviously a viable candidate.

I have an ESP32 (or it might be an ESP8266 even; I'd have to look) that serves a status page for the boiler and near-boiler temps. That's also in-house only, but even that's on the slow side. https://imgur.com/a/JmeXYnj

What is the load this site is expected to serve? To what visitors? How static/cacheable is it? For me, an RPi goes a long way for anything in-house. Out of the house traffic, I'd look at a cheap VPS pretty early in the journey.

I can recommend the Rasperry Pi for self-hosting, if you pick one of the more recent models with more RAM (3 or 4 with 4GB of RAM at least). You just need to keep in mind that the availability of your website is not quite as good as if you were hosting in a datacenter.

Regarding security: you might want to have a look at cloudflared. This is a (free for small projects) service by Cloudflare where your server (Raspberry Pi) connects to cloudflare, and all HTTP traffic is proxied through Cloudflare. This has multiple advantages:

- you don't need to open a port on your router that forwards to your Pi, which is good for security and simplicity (some routers don't even have this option)

- you get all the cloudflare protection with the click of a button, including HTTPS with automatic Cloudflare certificates, DDoS protection, etc

- you don't need DynDNS to point to your dynamically changing IP

Thanks. Fortunately I've a static IP.
Using a different IP than your home network might be a good idea ?

( Your ISP should give you at least a /56 : https://www.ripe.net/publications/docs/ripe-690 )

It'd be helpful for others if you clarified whether you're asking a question or making a statement.
Let's say that I am considering this too, have looked a bit into it, but I am not a network engineer, and haven't done it yet, so I am not sure how good that advice is ?

I guess this depends a LOT your ISP, and especially the router they gave you, how much IPv6-only friendly are they ?

Yes, you can buy your own router, but this come with even more complications and potentially negotiations with the ISP.

I'm starting to notice you end statements with question marks, which solves my previous question.
i concur it is unclear and hard to understand the intention.
What is unclear about question marks indicating uncertainty, especially after I explained it ?

(And to be extra clear, this question mark indicates a question, albeit a rhetorical one.)

Funny man thinking ISPs everywhere just give IPv6 willy-nilly.

Even funnier that you think you'd even be accessible if you put your website on IPv6 only

I have a few personal things hosted on IPv6-only just for giggles. A few years ago those things would almost never be reachable. Now I can reach them at most places. I at least have IPv6 on cellular connectivity all the time.
Before long, not supporting IPv6 will make your website more unreachable than not supporting IPv4. (Already the case in Asia ?)
Aren't there obvious dangers for example if I use my Macbook and host it a server?
I did this for a bit. The main issue was that air intake on my older model was through the keyboard, so clamshell mode was inadvisable - not sure if that’s true of the newer models and M1 should run cooler.

If you’re wiping it and installing Linux it’s like any other server, but if you’re running macOS you’re open to a wider spectrum of vulnerabilities that wouldn’t normally apply (desktop software). Your apps could also have vulnerabilities that expose access to personal credentials, etc (e.g. filesystems, apple id) depending on your setup.

You can insulate yourself a bit with tunnels/proxies to expose specific services (e.g. cloudflare, ngrok).

I had a lot more peace of mind buying an old, cheap computer, raspberry pis, and eventually NUCs.

Constantly keeping the battery at 100% can be an issue, but modern versions of macOS allow you to limit charging. There are also utilities that work on older OS versions (they just issue an SMC command to achieve the same thing), like this one: https://github.com/zackelia/bclm
> You might want to have a look at cloudflared

I think people self-host with their ISP to get away from centralized choke-points such as Cloudflare. Unless you're fine with having Cloudflare have yet-another-datapoint.

Good point. You are not dependent on Cloudflare, though, you can use other similar services or open the port on your router if it supports it. And if you pay for it, you can get an SLA so that they can't mess with you by terminating your project.

I would still consider it very nice of them to offer this free service that let's you break free from your dynamic IP, crappy router and at the same time giving you protection that you couldn't set up yourself.

I think many people just want to be able to make their device available from the internet - this type of liberty is not really important for many people.

I'd rather have someone DDoS Cloudflare than my home IP. Or just host somewhere that is not my home without Cloudflare.
Yeah for small services like game servers for my friends and I, I'll host on my home IP. But for large websites and services... no thanks.
Another option is to use a VPS + nginx + a wireguard VPN.

Your home web server can establish a VPN connection to the public IP of your VPS, meaning you still don't need to worry about dynamic addresses changing or opening ports on your router. This is essentially what a Cloudflare tunnel is.

Granted a VPS isn't usually free. But some places like Oracle Cloud do offer free-tier compute, as well as fly.io.

This is a great option IMO, I use it myself to host multiple services. A VPS can be had for $5 per month or less
That's what I do, but without a real VPN (I don't want secrets on the VPS)

http://dusted.dk/pages/aWayOut/

Oh interesting, so you only drop a public key onto the VPS, and you forward TLS to the VM at home instead of terminating on the VPS. That's a neat idea.

So with your statement, "I still don't want to trust a VPS provider", is this more about having your secrets or file contents leaked? Because even in your design, if the VM is compromised, then so are your users. At some level you still have to trust that the provider isn't malicious or vulnerable.

Yes you are right.

If my VPS is broken, I don't lose any secrets, and it does not permit any additional access into my LAN or VPN.

For plain HTTP, of course all traffic would be easily intercepted and readable. For HTTPS, I guess an attacker might compromise the software and IP tables configuration on the VPS and run a MITM attack to decrypt it.

So yes, I am putting a bit of trust on the VPS, for my specific use-case, the most sensitive information they'd be able to access if they went through the trouble of decrypting HTTPS, was getting access to my music-player :)

I am thinking though, that at that point.. well, even if I hosted at home on my own ISP directly, I still need to put that same amount of trust on my ISP, since they could MITM me as well I think.

If you self-host with your ISP, then isn't your ISP also a choke-point? If your ISP decides to block you for some reason, you have to change ISPs or possibly your location if there is only one good ISP at your location.
Depending on your write load, the SD card could become a problem, but you could mount a USB SSD. You can even boot from a USB SSD now (https://www.makeuseof.com/how-to-boot-raspberry-pi-ssd-perma...)
Anyone know what the best practice is to guard against corruption on your SD card or your SSD if your home power goes out and your Raspberry Pi power-cycles unexpectedly (outside of just getting a UPS?)

I've had a previous RPI SD card get corrupted this way and I've been hesitant to do anything useful with home-hosting on one since I had that problem.

The only things I can think of do involve a ups. There are battery banks that support pass through charging but I’m not sure if you’re supposed to use that constantly. A low capacity power strip style ups seems like the next best. Or don’t use a pi at all - if you have an old laptop that you don’t use, that could be the server and it has its own built in ups.

Sorry I don’t know that I’m being helpful here. I had the same issue and just ended up with an ups - but I also ended up plugging my networking rack into it (router, cable modem, switch, nas) as well. We’ve only had one real outage since I set this up, but it kept my network alive for 90 minutes or so and then the power came back up.

Backup, backup, backup.

Also test your backups.

Get an SD card specifically labeled "high endurance." They're a tad bit more expensive, but do work.

Corruption has always been an issue with using standard SD cards as a boot system. It's just something these cards were never meant to do. I run multiple Pis at home, one of them as a scraper/site hosting/MariaDB/Wireguard. Power outages would almost always corrupt the file system, and a few times, damage the SD card. Once I switched to high endurance cards, I haven't had a problem.

I have a datalogger based on RaPi running since around 2 years. It writes every 5 minutes more or less 25 bytes to a file on a standard SD card. I have frequent black outs (and maybe brown outs, too, but never investigated this), and I never had problems with FS corruption.
A good alternative is to use a similar SBC with eMMC module support, such as one of the ODROIDs
I have a Toradex Colibri with 4GB of eMMC formatted with ext4. As part of a system test I've been cutting power on it every 12 hours for two years now and haven't lost a byte.
Enable read-only overlay for your rootfs and make your /boot readonly. Just use raspi-config, and go into performance options.

There are some gotchas - everything you write after that goes to a tmpfs. Meaning it starts cutting into your available RAM. So this overlay is only really useful if you are using the high-memory variants like the 4GB/8GB RPI4. With the 1GB Pi variants, this gets painful.

Alternatively, You could setup a cron job to reboot every night thus clearing the tmpfs.

Do remember to disable the overlay (and make /boot rw) every few weeks to apply updates.

I run much heavier networking equipment (enterprise routing/switching + rack server) but I also host at home using cloudflared on a slow DSL connection. It works very well and the CDN's caching helps with my low upstream bandwidth.

You aren't tied to Cloudflare in the sense that there are other CDN services to choose from, each with their own pros and cons. With the servers on your own infrastructure you can choose the provider you like and easily switch between them. I also have ports forwarded for services that I don't want to proxy.

While you're not concerned with uptime an old laptop isn't a bad way to go: built in battery backup!

As far as exposing to the net, ngrok seems cool.

> While you're not concerned with uptime an old laptop isn't a bad way to go: built in battery backup!

That is a sure way to kill off the battery and a fire risk as well. Laptops aren't designed to run 24/7.

Is this true? My laptop has been on 100% of the time (although usually asleep) and also plugged in much of the time since I bought it in 2014.
Battery vendors generally recommend you do not keep them on a charger all the time since the charger will keep it at 100% charge, and the longer a battery is at 100% charge, the more degradation it will experience for electro-chemical reasons. Sooner or later, that can lead to battery swelling and eventually a catastrophic thermal runoff.

Additionally, keeping a laptop shut and running usually messes with its thermal design as the heat can't escape to the top via the keyboard, further heating up the battery.

Most laptops in the last few years have an option to not fully charge the battery if it's going to sit plugged in. I know this option is available on Dell, Asus, and Apple laptops. I assume others have it as well.
I doubt it, as I n++ your n=1 by experience, but also since I think it shouldn't be hard, electronics wise, to stop charging once full (or even, optionally, 80% / 90%) and fully run on AC as long as it's available. Also I'd say this is an apparent user requirement for laptops.
Depends entirely on how much power you need. Pi is fine if you don't need much, NUC is good if you need something more and, from my experience, can run comfortably with the fans off if you don't mind capping the CPU frequency a bit.
Even an pi is basically in the same performance range as the average lowest tier cloud vm so if your considering something bellow say a aws t2.medium to be enough then your only real concern is if your app is iobound enough for the sd card to be a bottleneck and it's very likely that your app is not.

If you want to go with a more traditional x68 any of the many intel n4000/n5000 series systems being sold on aliexpres and similar sizes by no name brands as firewall appliances or network something do support modern m.2/nvme storage.

Is it public? If you host a high traffic site from residential ISP connection, your account could get banned.

Regardless, I would host an NGINX proxy in front of some docker containers. It’s the easiest and classic way to front apps with custom domains very very easily. Traefik is also very nice and fast (Go based) reverse proxy.

If it’s purely for personal use, then check Cloudflared to tunnel into your network and access it like a VPN.

Again, if it’s Public be weary of DDOS attacks, port scans, etc. Personally I wouldn’t self-host a public web app from my house and instead would use a 4/mo VPS from Hetzner

Man, you are way too afraid dude.

It's YOUR internet connection. Who's going to ban you for opening ports and running a server? I've been doing it with comcast for 20+ years.

Maybe not all my server traffic goes through port 80 or 443, but my server is also my torrent seedbox which is high traffic and just another port. WHATEVER.

My server is just a Windows 7 PC in the living room with no monitor, no keyboard, and no mouse. Only connected power and ethernet. I remotely control it with RealVNC and it's extremely stable. The only time it goes down is a power outage because I don't use a UPS.

I use it for a website (nginx/let's encrypt), Jitsi Meet, Mumble, Ventrilo, FTP, proxy (8080), and of course torrents. Not afraid of port scans.

I use a couple of DDNS domains that I give people but I can disable the public one I give to people and change my IP any time I want.

NOT VPN. NOT Cloud. NOT VPS. NOT pay monthly to someone. You can do it all yourself for free and have been able to for decades. Quit being so scared, cell phone generation.

Your mistake is thinking that it is YOUR internet connection. It's not. It belongs to your ISP. If it belonged to you, you wouldn't have to pay for it every month. A lot of ISPs specifically forbid running a web server from your connection. Comcast is one of them. Among their restricted uses they include:

"use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers;"

https://www.xfinity.com/Corporate/Customers/Policies/HighSpe...

Just because you've been getting away with it doesn't mean the risk of having your account suspended isn't real or worth considering.

> Your mistake is thinking that it is YOUR internet connection. It's not. It belongs to your ISP. If it belonged to you, you wouldn't have to pay for it every month. A lot of ISPs specifically forbid running a web server from your connection. Comcast is one of them

You're not wrong, but as far as I know there is no human on earth that owns "their own internet connection", everyone's network connects to an upstream network. Every upstream service has rules their customers must abide by.

I haven't read the "terms of service" in years, but this was never a thing I'm familiar with. It was known that if you pay for internet, you can do whatever you want with it (well, short of violating federal law).

Why do you think routers have PORT FORWARDING in them? Is that just for fun? Think about it. I can go to ebay and buy Microsoft Windows NT Server 4.0 from 1996 and run whatever DNS or IIS server I want, however outdated it is.

It's absolutely absurd to think you have to pay to host things even though you have all the equipment and bandwidth to do it yourself. I only have 1000/42Mbps but I've got a friend who just got fiber in CA who has 10Gbit both ways. With speeds like that, do you think we're just going to upload Linux ISOs AND not RUN servers on all sixty five thousand ports?

Ha ha ha haooowww

So, you haven't read the rules, and therefore think you can ignore them. If you're lucky, your ISP will continue not bothering to enforce their rules. Personally, I don't like relying on luck.

Again, just because you've been getting away with it doesn't mean the risk of having your account suspended isn't real or worth considering.

> Quit being so scared.

Unfortunately not everyone may live in a region with multiple internet providers, such that they can switch to a different one if banned.

I'm not afraid. If it ever came to that, all you'd have to do is call up next day, same address, using your girlfriend's name and sign up for new service. Bet me.
> NOT pay monthly to someone.

You pay your internet and electricity, no?

A pi is a viable solution up to at least a few thousand visitors a day, depending on how spread out they are. You will need to find a way to give your pi/NUC a static IP address though. Many ISPs will give you a static IP, then you can simply set up port forwarding for port 80/443 on your router and be off. If not, ngrok or a similar service can work as well.

That said, unless you have an ideological reason for hosting it from your own home there are many platforms out there that can comfortably fit most non-critical webapps in their free tier with even less hassle than setting up a pi.

"there are many platforms out there that can comfortably fit most non-critical webapps in their free tier with even less hassle than setting up a pi."

What are "the best" at the moment? (best being whatever metric one feels is relevant for this scope)

I use netlify for serving frontend assets and have used fly.io's free tier, supabase's free tier, and all the major public cloud free tiers (though the latter is the most difficult to manage from a cost perspective).
And fly.io has a special feature to serve the static files for you so you can do it all in one place without putting load on your app server. Simply need to specify what folder to look in for the static files in your fly config file.
With AWS you can host a very robust website using API Gateway, (AWS Lambda or ECS) and either RDS or DynamoDB for a datastore. All of this can come in under their free tier for a huge amount of traffic.
I think the best home server is the 2014 Mac Mini because:

1) internal HDD can be replaced with cheap, big SSD

2) Computer is absolutely silent

3) everything in one package, no mess of cables

4) very reliable

5) very low power usage

MacOS isn't the best OS for running a server, but I'm used to it so I don't mind setting up launch agents instead of systemd units

There are a bunch of micro SFFs like it (Dell/HP/Lenovo etc) with 6th-8th gen i5/i7s) with the same power, noise profile and are $100 off eBay.

Much better value and power over a raspi.

I wonder why noone except Apple manages to build a small device with an integrated PSU.

If you put them into a cupboard, those PSUs take almost as much space as the computer itself.

Seems like one issue would be that an older Mac device is not going to be able to run new software updates once it ages out and wont get new security updates once that happens.
Yes, that is true. OpenCore [1] allows a few extra years, but at some point the 2014 mini will be too old.

That being said, if you use the Mac as a server, behind a NAT/Firewall with only some ports open, use up to date server software, and don't use it to surf the web, then the security impact of using an outdated OS is minimal.

You could of course also just install Linux on it.

[1]: https://dortania.github.io/OpenCore-Legacy-Patcher/

You could probably even host on an old phone if you really wanted to, at the end of the day it doesn't matter what you're hosting on but how you're managing assuming internet speed and hardware latency aren't an issue.
Concerning security: look into Traefik or Nginx Proxy Manager to proxy from your server to your domain. Then, attach a Cloudflare proxy to your domain so people won't ever know your home IP. Only expose port 443, and I think you're okay. Happy to hear otherwise.
I just have an old Dell computer [1]. They are pretty small, quiet, has an SSD, and I do not need to fiddle in having everything compiled for Arm.

I would also put your app behind CloudFlare.

Also- if you are able to afford an intel NUC ($200?), and the app is low resources enough to be able to run on a Pi. You could also consider getting a VPS ($10/month).

[1] Something like https://www.newegg.com/dell-optiplex-7090-business-desktops-... - but older, and found on a local recycling center.

You could also take a look at used fanless thin clients from HP and such. Cheap, totally silent, still fairly low electricity consumption but more power.
Yes this would work.

There are a lot of alternative SBCs to the Raspberry that are easier to find these days.

If you plan to use the SDCard make sure you do not write logs to it or that you change it regularly. I recommend that you mount a harddrive/ssd or usb stick for the logs if you really want them.

Any particular reason why? You can get a free VPS in many places, for example: micro instances on AWS free tier, Azure free tier, etc. I don't know if they give you a unique static global IP, probably not. But as another commenter said, you can proxy it to Cloudflare with their free service with cloudflared. That will protect you from others knowing your home IP and general location, and also you don't want DDoS interrupting your home connection.
As a slight variant of this question - how would you host a production site from your living room? Assuming you have a static IP and a business account.
Get a second redundant power line, battery backup for a couple days, multiple independent internet connections, ....?
is it even feasible to have a redundant power in a regular home? the rest is easily doable, though.
Yep. Most electric companies will be more than delighted to run a second line to your home, as they then get to collect those sweet installation costs from you. So if you're willing to pay, they're probably more than happy to let you.
I don't see how that would be redundant though, wouldn't it be just as likely to fail for the same reason the other line does?
If by "production" you mean it's something you intend to use to produce revenue, then you absolutely shouldn't until you've evaluated and exhausted all of your better options.
Though I personally wouldn't do this, why not? There are places where business gigabit internet is plentiful and weather is stable so power outages are very rare.

Find three of said types of places and run kubernetes and you're good, no?

Is the carbon footprint better if I host my own RPI instead of using a cheap virtual server somewhere ? Having a Raspberry on all the time will consume some electricity I gues...
this depends on your datacenter i would wager.

If the energy of your server is green and the heat is reused, as some modern datacenters do, the only concern becomes EOL of hardware and how quickly they change it.

Otherwise, yeah, shared cloud vm is always more economic than single hosted hardware of any kind.

If you use a cheap recycled server you will be running in years old computers. If we compare that to buying something (including building and transportation) I bet that RPI have higher impact.
You folks arent worried about fire hazard?

I'd probably never pick having some device running 24/7 when there are 3$ VPSes

Hehe, you have so many things running 24/7 in your house already. Refrigerator, freezer, heating system, laptops in standby, printers in standby, routers in standby or active 24/7, HVAC systems etc.
Unless you unplug everything when not in use, you already have a dozen fire hazards at home. A PC that's powered off still delivers power to a bunch of components like the Intel ME, or nic for WOL; your TV, dish washer, washing machine, fridge, Alexa, smart hub, router, PlayStation 4 have some soc running 24/7. A pi is probably very safe, I've never heard of one going up in flames just like that. It's much more likely the USB charger it's running off will blow up of it's a cheap one from Walmart.
Also worth investing in a surge protector device if you're worried about your electronics getting fried due to electricity surges.
>Unless you unplug everything when not in use

I do

I thought the same as you for a long time and have a new fear for you:

You know that water pipes are in those walls too?