• 1 Post
  • 12 Comments
Joined 1 year ago
cake
Cake day: June 19th, 2023

help-circle






  • I host in the way that you describe: “service.domain.com”. I use Cloudflare, docker, and Caddy.

    I don’t remember any pit falls off the top of my head. Make sure to use HTTPS (port 443). Everything on http is basically open for everyone to see. Caddy should set that up for you automatically, tho. I recently moved to Caddy from Traefik, it’s an awesome tool.

    Oh, here’s a pitfall. One time I opened a port, #22, for ssh access to my server. I installed fail2ban on my server. One weekend I looked at my logs and found I’d banned hundreds of IP addresses. Some bot found my open port and then begun attacking the login with some kinda rainbow table. I moved the port from the ssh default to something else and never had a problem since.

    Also, and this isn’t a requirement but just useful, I set up a VLAN for my selfhosted server. It’s firewalled from my local network. That way, if someone access’ my server they don’t have access to my whole network.

    So, tldr, have fun and midigate risk where you can.






  • That’s a tuff ask, and it’s been awhile since I looked.

    My kids phone is Android, computer is Windows, and I couldn’t get away without Googles Family link.

    The PC was easier. I use Pihole to primarily block ads, but it can also log DNS requests from my kiddos PC, and I use my switch to kill his internet. It’s a desktop and doesn’t have wifi. So it’s just a Ethernet cable to his room. Kill the port or unplug the cable for dramatic effect. Any OS he’s on he’ll have restrictions and monitoring as long as he doesn’t spin up a VPN or learn how to change the DNS host. But much to my dismay I don’t think he’ll ever love Linux, or networking.

    The phone was harder. Android gives up a random MAC address so blocking him from wifi was difficult, and it didn’t matter anyway since he had cell service. Eventually I came to realize that if he’s in the Google ecosystem, I have to play with Google if I want parental controls on his phone. It sucked. But, again much to my dismay, he doesn’t seem to think a big company knowing literally everything about him matters all that much so… Whatever. Maybe I’m the one that’s crazy.


  • From what I’ve read about Cloudflares Zero Trust Tunnel thing it’s actually more secure than hosting it with a public IP address.

    To be clear I haven’t done it. So idk for sure. But it sounds like they use some kinda 2fa system to get to your services, you don’t expose a public IP, and it’s all behind Cloudflares service. Which is great for security. If you trust Cloudflare. I trust Cloudflare, but some folks might not.

    I might check this out as a weekend project tho. See how it differes from my setup with vlans, VM’s, firewalls and fail2ban.