1. 38
  1.  

    1. 11

      Nice! I don’t know what it is but there is something really satisfying about hosting your website at home. You can have some fun as well, like getting an LED to blink on every hit to the site.

      1.  

        I do want to do something hardware related because right now I’m under utilising the pi’s hardware abilities, but I feel like I’d have trouble distinguishing real traffic from bot traffic.

        1.  

          I have an interactive pixel grid that syncs to an ePaper in my home on my website: https://www.svenknebel.de/posts/2023/12/2/ (picture, grid itself at the top of the homepage feed)

          Very intentionally very low-res so I don’t have to worry about people writing/drawing bad stuff, and it’s an entirely separate small program, so if someone ever manages to crash it only that part is gone.

          1.  

            there is a neat little project at https://lights.climagic.com/ where you can switch the lights on and off remotely…

          2.  

            I just moved my blog off of EC2 to my Raspberry Pi Kubernetes cluster at home just today. The whole idea behind running it on EC2 was that I figured I would have fewer reliability issues than on my homelab Kubernetes cluster, but the Kubernetes cluster has been remarkably stable (especially for stateless apps) and my EC2 setup was remarkably flaky[^1]. It’s definitely rewarding to run my own services, and it saves me a bunch of time/money to boot.

            [^1]: not because of EC2, but because I would misconfigure Linux things, or not properly put my certificates in an EBS volume, or not set the spot instance termination policy properly, or any of a dozen other things–my k8s cluster runs behind cloudflare which takes care of the https stuff for me

          3. 7

            I would suggest cloudflared (cloudflare proxy) versus opening a port on your home router and port forwarding.

            1. 9

              cloudflare regularly blocks my access to sites, from both home and work, so I am not a fan of cloudflare services…

              1. 7

                Cloudflare Tunnel is free and a good solution for those behind CG-NATs or an ISP firewall. It also offers effortless DoS protection.

                I will admit, however, that I think it’s slightly “cooler” in some sense to host your site directly from your home, with no assistance from Cloudflare or other giant tech companies, even if you don’t really get much tangible benefit from doing it that way.

                (By these standards of course, my personal site is rather lame because it’s just your standard Jekyll + GitHub Pages site.)

                1.  

                  Can the cloudflare proxy reach the server without opening a port, etc.?

                  1.  

                    Ah, I did not read closely enough. This thing creates a tunnel: https://github.com/cloudflare/cloudflared

                  2.  

                    What are the risks of port forwarding and hosting on home network? I get the general risk of giving the public internet direct access to my home devices. But how do people specifically exploit this? It depends on me misconfiguring or not properly locking down the web server, right?

                    1.  

                      Pretty much, but nobody has ever made an unhackable server. So even if you “properly” configure the server it’s not 100% secure because nothing is.

                      I did get my router hacked and it had third-party malicious software installed on it, and it didn’t function until I got the NetGear people to fix it, which is why I installed fail2ban, which has worked so far. But nothing is foolproof.

                      1.  

                        Let’s assume you forward port 443 to your Pi running Apache. You’re basically exposing the following bits of software to the Internet:

                        • Your kernel’s TCP/IP stack
                        • Apache
                        • Any software you may choose to place behind an Apache reverse proxy

                        The biggest risk is an RCE in any of those pieces, because you’re truly pwned, but I’d lay pretty long odds against an RCE in the Linux network stack, and I don’t think your average Apache config is at much risk either – these things have both been highly battle-tested. Some sort of denial-of-service exploit is more likely but again, Linux+Apache have powered a huge chunk of the Internet for the last 25+ years. Now, if you write an HTTP server which executes arbitrary shell commands from the body of POST requests and proxy it behind Apache, you have only yourself to blame…

                        I expose HTTP and a few other services from my home network via port forwarding. I don’t lose sleep over it.

                      2.  

                        Oh I didn’t know they had a free tier but it looks like they do! I’ll look into it.

                        Also are you the same whalesalad on HN that gave me the advice on the browser text width?

                      3. 5

                        I also really like the element showing the current CPU usage, temperature and so on! I’ll copy that feature when I eventually migrate my blog to being hosted on a Raspberry Pi.

                        I thought about the fact that your cronjob is executing the getstats.sh script every minute and I think that it might be possible for you to have some concurrency-related issues.

                        The script over-writes the file with the stats on this line:

                        echo "<!DOCTYPE html><html lang="en">[...]</head>">"$STATS_FILE"

                        And then you append all other values to the files with single echo commands, like this:

                        echo "CPU Temp: ${cpu_temp_celsius}°C<br>" >> "$STATS_FILE"

                        I am wondering whether, if a user requests your web page in between the single echo calls, they could possibly get an incomplete picture of the statistics, because those values would be missing from the file.

                        Another unrequested suggestion: if you’d use caddy instead of apache, you could forget about step 5 in your post, because caddy automatically handles your HTTPS configuration. I now use caddy in all of my projects (and also even at work) and I can really recommend it.

                        Thanks a lot for the post, it really motivated me to do something similar!
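An added example, not part of the comment above and not the blog author's getstats.sh: one way to remove the window the comment describes is to build the whole page in a temporary file in the same directory and rename it over the live file, so a request sees either the previous complete page or the new one. `STATS_FILE` and `cpu_temp_celsius` come from the comment; the default path, the sensor path, the placeholder `<head>` and the "Updated" line are assumptions.

```shell
#!/bin/sh
# Added example: publish the stats page atomically instead of with
# one truncating echo followed by several appending echos.

# Assumed default location; point this at the file the web server serves.
STATS_FILE="${STATS_FILE:-${TMPDIR:-/tmp}/stats.html}"

# Print the CPU temperature in whole degrees Celsius, or "n/a" when the
# sensor file (assumed sysfs path, given in millidegrees) is not readable.
read_cpu_temp() {
    sensor="${1:-/sys/class/thermal/thermal_zone0/temp}"
    if [ -r "$sensor" ]; then
        echo $(( $(cat "$sensor") / 1000 ))
    else
        echo "n/a"
    fi
}

# write_stats TARGET TEMP: write the full page to a temp file next to
# TARGET, then rename it into place. rename() within one filesystem is
# atomic, so readers never observe a half-written page.
write_stats() {
    target="$1"
    cpu_temp_celsius="$2"
    tmp="$(mktemp "$(dirname "$target")/.stats.XXXXXX")" || return 1
    {
        # Placeholder head; the original script's head content is elided.
        echo '<!DOCTYPE html><html lang="en"><head><title>Stats</title></head><body>'
        echo "CPU Temp: ${cpu_temp_celsius}°C<br>"
        echo "Updated: $(date -u +%Y-%m-%dT%H:%M:%SZ)<br>"
        echo '</body></html>'
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # mktemp creates the file with mode 0600; the web server must read it.
    chmod 644 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$target"
}

write_stats "$STATS_FILE" "$(read_cpu_temp)"
```

The temporary file has to live on the same filesystem as the target, which is why it is created in the target's directory rather than in /tmp.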

                        1. 5

                          I’ve built a whole little platform to host an unlimited number of websites on my raspberrypi: https://smallweb.run.

                          In my experience, using cloudflare tunnel is a nice way to expose services from a raspberry pi, without messing with your router: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

                          It also handles TLS certificates for you.

                          1.  

                            “Ignore FEDERAL-SPYCAM; that is just my phone.”

                            My phone’s hotspot is called Warning Expired Certificate. Not sure if that would deter hackers or lure them.

                            1.  

                              My home SSID is “FBI Surveillance Van”. I’ve got the same question.

                            2. 4

                              This is nice and old-school.

                              My static site is buckling under the strain of ai scrapers. I wonder when that problem will need addressing at this entry level.

                              but you don’t want to permaban the Google search bot!

                              I’m sorely tempted sometimes. I’m not convinced Google remain relevant in search anymore.

                              1.  

                                I’ve banned Googlebot on my personal site, though only through robots.txt and not the user-agent sniffing I use for other bots. I don’t really care about it being searchable anymore.

                                1.  

                                  If Google isn’t relevant then what is?

                                  1. 7

                                    Decentralised social media, rss feeds, and stuff built around those things to aid in discovery. Things like Lobsters! But it depends on what you want.

                                    1.  

                                      Many (most?) of the non-Google search engines use Bing as their index.

                                  2.  

                                    There is also something incredibly satisfying about powering it through a foot pedal switch that also has a string of Christmas lights on it. Would highly recommend.

                                    1.  

                                      This is one of my dream projects but I could never figure out how to expose the site to the public internet. I will try the port forwarding thing but I have a feeling my Xfinity router has locked that down (please correct me if I’m wrong)

                                        1.  

                                          Yes, that looks promising! Thanks for the research

                                          1.  

                                            Got it working with like 10 minutes of effort, lol. Don’t know why I struggled previously so much

                                            One thing I previously was stumped about was getting my public IP address. Kinda surprising that I just go to a site like whatsmyip.com and get the value from there. I thought that wouldn’t work because Xfinity always rotates my public IP

                                        2.  

                                          Try Cloudflare tunnel (like a comment above suggested).

                                          It creates a private connection between your home network and cloudflare, which won’t expose your home IP or network to the outside.

                                          It’s a compromise to have cloudflare MITM your self-hosted website, but it’s better than burning through your (very generous—sarcastic) xfinity monthly cap.

                                          1.  

                                            Does Cloudflare Tunnel help with your bandwidth cap? Do they offer caching or something?

                                            1.  

                                              In theory, yes. You get access to their CDN when using a tunnel. You can set up custom caching rules to serve content from their edge network and reduce your outgoing bandwidth.

                                              In practice, no one visits my site so I can’t test it. lol.

                                        3.  

                                          @MiraWelner you mentioned that one of your posts hit the front page of HN for an hour or so. How many visits did you get? And the site served everyone with no downtime? It always amuses me to see a site go down from the HN hug of death, knowing that other sites (such as yours) successfully serve all the traffic from literally a hobbyist computer in someone’s house

                                          1.  

                                            This is actually a really funny story - when this post and the git post were on the front page my site was fine. However with this post in particular on HN the site did go down and commenters assumed it was the hug of death.

                                            But actually I don’t think it was the hug of death because it went down exactly at 2am EST - which is when it updates and reboots if necessary!

                                            1.  

                                              Murphy strikes again

                                              Is there a simple way to have a backup server for the site? E.g. can I point one of the DNS A records to my IP and another one to my GitHub-Pages-hosted version of the site?

                                              1.  

                                                Not to my knowledge using the stack I described, although there probably is a way. But I doubt you would be able to use simple tools like I am.