• 37 Posts
  • 2.6K Comments
Joined 1 year ago
Cake day: June 16th, 2023


  • You aren’t wrong, but the things you’ve mentioned are always an issue, even if he was running the entire website on a VPS.

    VPS happily tries to forward 1Gbits, fully saturating your home ISP line. Now you’re knocked offline.

    Yeah, but at the same time any VPS provider worth it will have some kind of firewalling in place and block a DDoS like that one. People usually don’t ever notice this, but big providers actually have those measures in place and do block DDoS attacks without their customers ever noticing. If they didn’t, hackers would just overrun a few IPs, take all the bandwidth the provider has and take all their customers down that way.

    I’m not saying anyone should actually rely only on the VPS provider’s ability to block such things, but it’s still there.

    The OP should obviously take a good look at nftables’ rate limiting options and fail2ban. This should be implemented both on the VPS and on his home server to help mitigate potential DDoS attacks.

    Say someone abuses a remote code execution bug from the application you’re hosting in order to create a reverse shell to get into your system, this complex stack introduced doesn’t protect that.

    It doesn’t, and it was never supposed to mitigate that, as the OP only asked for a way to reverse proxy / hide his real IP.


  • TCB13@lemmy.world
    to Selfhosted@lemmy.world · Alternatives to CloudFlare?
    6 up · edited 14 hours ago

    @foremanguy92_@lemmy.ml,

    Step 1: get a cheap VPS, or even a free one (https://www.oracle.com/cloud/free/)

    Step 2: If you’ve a static IP at home, great; if you don’t, get a dynamic DNS name from https://freedns.afraid.org/ or https://www.duckdns.org/

    Step 3: Install nginx on the VPS and configure it as a reverse proxy to your home address. Something like this:

    server {
        listen 80;
        server_name example.org;  # the real domain name people will use to reach your site
        location / {
            # your home server IP or dynamic DNS name; nginx resolves a hostname written
            # here once, at startup, so reload nginx after the dynamic DNS record changes
            proxy_pass http://home-dynamic-dns.freeprovider...;
            proxy_set_header Host $host;                                   # keep the original Host header
            proxy_set_header X-Real-IP $remote_addr;                       # the real client address, for the home server
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # append it to any existing chain
            proxy_redirect off;
        }
    }
    

    Step 4: Point your A record of example.org to your VPS.

    Step 5: there’s a potential security issue with this option: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from and to get around this you can do the following in the home server’s nginx config:

    http {
        (...)
        # only connections arriving from the VPS may replace $remote_addr with the
        # X-Real-IP value; the same header from any other peer is ignored
        set_real_ip_from  x.x.x.x;      # replace with the VPS IP address
        real_ip_header    X-Real-IP;
    }
    

    This will make sure only the VPS is allowed to override the real IP of the client.

    Step 6: Once your setup works you may increase your security by using SSL / disabling plain HTTP: set up Let’s Encrypt on both servers to get valid SSL certificates, for the real domain and for the dynamic DNS one.

    Proceed to disable plain text / HTTP traffic. To do this simply remove the entire server { listen 80 section on both servers. You should replace them with server { listen 443 ssl; so they listen only for HTTPS traffic.

    Step 7: set your home router to allow incoming traffic on port 443 and forward it to the home server.

    Step 8: set the home server’s firewall to accept traffic from outside the LAN subnet only on port 443 and only if it comes from the VPS IP. Drop everything else.


    Another alternative to this is to set up a WireGuard tunnel between your home server and the VPS and have the reverse proxy send the traffic through that tunnel (change proxy_pass to the IP of the home server inside the tunnel, like proxy_pass http://10.0.0.2). This has two advantages: 1) you don’t need to set up SSL at your home server as all the traffic will flow encrypted over the tunnel and 2) it will not require opening a local port for incoming traffic on the home network. However, it also has two drawbacks: 1) you’ll need a better VPS because WG requires extra processing power and 2) your home server will have to keep the tunnel connected and working, however at some point it will fail. Frankly I wouldn’t bother to set up the tunnel, as your home server will only accept traffic from the VPS IP, so you won’t gain much there in terms of security.
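
An end-to-end rendering of the configuration TCB13 lays out in Steps 3, 5, 6 and 8, together with the nftables rate limiting recommended in the earlier comment, as an added example that is not part of either comment. example.org, home.example.net, 203.0.113.10 (the VPS), 192.168.1.0/24 (the LAN), the application on port 8080, the Let's Encrypt paths, the Debian-style CA bundle at /etc/ssl/certs/ca-certificates.crt and the 9.9.9.9 resolver are all placeholder assumptions. It goes beyond the post in three places: proxy_pass through a variable plus a resolver so the VPS follows dynamic-DNS changes, verification of the home server's certificate on the VPS-to-home hop, and per-source connection rate limiting on the VPS, which is the only host the internet can reach.

```shell
#!/usr/bin/env bash
# Added example, not from either comment above: renders the VPS and home-server
# nginx configs and both nftables rulesets as one consistent set. Every name,
# address and path below is a placeholder (see the lead-in).
set -eu

# VPS: terminate TLS for the public name, re-encrypt to the home server, carry the
# real client address in X-Real-IP / X-Forwarded-For (Steps 3 and 6 of the post).
vps_nginx_conf() {
  local domain=$1 home_name=$2
  cat <<EOF
server {
    listen 443 ssl;   # no plaintext listener at all, as in Step 6
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    # a literal hostname in proxy_pass is resolved once at startup; a variable
    # plus a resolver makes nginx follow dynamic-DNS changes without a reload
    resolver 9.9.9.9 valid=60s;   # assumed resolver; the provider's own works too
    set \$home https://${home_name};
    location / {
        proxy_pass \$home;
        # verify the home server's certificate: whoever hijacks the dynamic-DNS
        # record would otherwise silently receive every request
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
}
EOF
}

# Home server: HTTPS from the VPS, X-Real-IP trusted only from the VPS (Step 5).
home_nginx_conf() {
  local domain=$1 home_name=$2 vps_ip=$3
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${home_name} ${domain};
    ssl_certificate     /etc/letsencrypt/live/${home_name}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${home_name}/privkey.pem;
    # without set_real_ip_from, any peer reaching this port could forge X-Real-IP,
    # e.g. to get a victim's address banned by fail2ban or to dodge its own ban
    set_real_ip_from ${vps_ip};
    real_ip_header   X-Real-IP;
    location / {
        proxy_pass http://127.0.0.1:8080;            # the application (assumed port)
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;    # already the restored client IP
    }
}
EOF
}

# VPS firewall: the only host the internet can reach, so per-source rate limiting
# of new connections (the nftables side of what fail2ban does) belongs here.
vps_nftables_rules() {
  cat <<'EOF'
table inet filter {
    set http_flood { type ipv4_addr; size 65535; flags dynamic,timeout; timeout 1m; }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport { 80, 443 } ct state new add @http_flood { ip saddr limit rate over 30/second burst 60 packets } counter drop
        tcp dport { 80, 443 } ct state new accept
    }
}
EOF
}

# Home firewall: from outside the LAN only the VPS may open connections, and only
# to 443 (Step 8); everything else, including forwarded ports you forgot, is dropped.
home_nftables_rules() {
  local vps_ip=$1 lan=$2
  cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr ${lan} accept
        ip saddr ${vps_ip} tcp dport 443 ct state new accept
        counter drop
    }
}
EOF
}
```

Render each piece with, for instance, vps_nginx_conf example.org home.example.net, review it, and only then install it on the respective machine and load the rulesets with nft -f. The home ruleset relies on the router's port forward preserving the source address, which DNAT does, so the VPS-only rule on 443 holds even behind NAT; the home server never sees the internet directly, which is why the rate limiting lives on the VPS and the home side only needs the single allow rule.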




  • TCB13@lemmy.world
    to Privacy@lemmy.ml · Why don’t you like Apple?
    4 up / 3 down · edited 18 hours ago

    In terms of privacy? What’s the alternative? I’m sure that stock Android phones are way way worse in terms of privacy than any Apple device ever made.

    Android is great in theory but the amount of pre-installed garbage, material design and Google / vendor powered spyware is way too much for my liking. I’m not saying that Apple doesn’t track things, because they do, but at least there’s no vendor garbage and you can go through the Settings and disable everything you don’t need, restrict Apps from running in the background etc. If you don’t upload your data into iCloud it will be way more private than the average Android phone.

    Another thing I dislike about non-Apple phones is that, besides the Pixel and a few others, their bootloader and storage security is a joke, if someone gets your device you can assume they’ll get to your data.

    GrapheneOS is great; it would be the one and only alternative to the mess that Android is, however I can’t daily drive it as it lacks features (nice things) I do want to have.


  • TCB13@lemmy.world
    to Apple@lemmy.world · Why you like Apple?
    8 up / 2 down · 18 hours ago

    Vertical integration (the ecosystem), decent UIs (that the GNOME guys are unable to get close to), higher level of security and privacy than most stock Android phones out there.

    Android is great in theory but the amount of pre-installed garbage, material design and Google / vendor powered spyware is way too much for my liking. I’m not saying that Apple doesn’t track things, because they do, but at least there’s no vendor garbage and you can go through the Settings and disable everything you don’t need, restrict Apps from running in the background etc. If you don’t upload your data into iCloud it will be way more private than the average Android phone.

    Another thing I dislike about non-Apple phones is that, besides the Pixel and a few others, their bootloader and storage security is a joke, if someone gets your device you can assume they’ll get to your data.