How to Secure a Website at Home

JaredBusch

@hobbit666 said in What Are You Doing Right Now:

Didn't want to start a few thread at the moment,

Always make a new thread. make it way the fuck easier to find this recommendation later.

scottalanmiller

@hobbit666 said in How to Secure a Website at Home:

Stick Nginx in forint on the same server or a separate VM?

Separately normally, but the same isn't that bad. Depends how much flexibility that you want. An extra server adds a little additional security. But you are running this at home. So there is a practical limit to consider, as well.

1337

A proxy in front make almost no difference from a security perspective.

It will just pass on any malicious request to the webserver.

If you wanted to go that route you would need something that can detect and filter the request. Basically a web application firewall (WAF) in front.

What kind of website is it and who is going to access it?

scottalanmiller

@pete-s said in How to Secure a Website at Home:

A proxy in front make almost no difference from a security perspective.

It helps, but yes, EXTREMELY little.

hobbit666

@jaredbusch said in How to Secure a Website at Home:

@hobbit666 said in What Are You Doing Right Now:

Didn't want to start a few thread at the moment,

Always make a new thread. make it way the fuck easier to find this recommendation later.

Only asked in "What your Doing" thread as if people said don't bother no need for a thread lol
​​​

hobbit666

@pete-s said in How to Secure a Website at Home:

What kind of website is it and who is going to access it?

It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.

I'll only be a few people accessing when working together to diagnose the pcb.

stacksofplates

You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

scottalanmiller

@hobbit666 said in How to Secure a Website at Home:

@pete-s said in How to Secure a Website at Home:

What kind of website is it and who is going to access it?

It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.

I'll only be a few people accessing when working together to diagnose the pcb.

If you are concerned about security, use a static generator to output WordPress to "not WordPress", or just stop using WordPress. Your security issues are 99% WordPress, 1% everything else. So since you aren't using WP for anything, don't have it deployed.

1337

@hobbit666 said in How to Secure a Website at Home:

@pete-s said in How to Secure a Website at Home:

What kind of website is it and who is going to access it?

It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.

I'll only be a few people accessing when working together to diagnose the pcb.

I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.

Then you don't have to worry about incoming traffic, bandwidth, security of your LAN or anything.

Well, unless you want to do it for fun or learning of course. But then I think you need to go all in.

stacksofplates

@stacksofplates said in How to Secure a Website at Home:

You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

Kong has an open source plugin for oidc.

They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

1337

@stacksofplates said in How to Secure a Website at Home:

@stacksofplates said in How to Secure a Website at Home:

You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

Kong has an open source plugin for oidc.

They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

You could do that on wordpress directly too I believe.

scottalanmiller

@pete-s said in How to Secure a Website at Home:

@hobbit666 said in How to Secure a Website at Home:

@pete-s said in How to Secure a Website at Home:

What kind of website is it and who is going to access it?

It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.

I'll only be a few people accessing when working together to diagnose the pcb.

I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.

Then you don't have to worry about incoming traffic, bandwidth, security of your LAN or anything.

Well, unless you want to do it for fun or learning of course. But then I think you need to go all in.

If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.

JaredBusch

@scottalanmiller said in How to Secure a Website at Home:

If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.

GitLab Pages is where my poor under populated blog resides.

stacksofplates

@pete-s said in How to Secure a Website at Home:

@stacksofplates said in How to Secure a Website at Home:

@stacksofplates said in How to Secure a Website at Home:

You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

Kong has an open source plugin for oidc.

They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

You could do that on wordpress directly too I believe.

This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.

1337

@stacksofplates said in How to Secure a Website at Home:

@pete-s said in How to Secure a Website at Home:

@stacksofplates said in How to Secure a Website at Home:

@stacksofplates said in How to Secure a Website at Home:

You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

Kong has an open source plugin for oidc.

They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

You could do that on wordpress directly too I believe.

This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.

True, but you can authenticate directly on apache too - before wordpress is involved. Apache can do both oidc and saml. Nginx can only do oidc afaik.

stacksofplates

@pete-s said in How to Secure a Website at Home:

@stacksofplates said in How to Secure a Website at Home:

@pete-s said in How to Secure a Website at Home:

@stacksofplates said in How to Secure a Website at Home:

@stacksofplates said in How to Secure a Website at Home:

You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

Kong has an open source plugin for oidc.

They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

You could do that on wordpress directly too I believe.

This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.

True, but you can authenticate directly on apache too - before wordpress is involved. Apache can do both oidc and saml. Nginx can only do oidc afaik.

Only nginx plus can do oidc. Apache can but it's more difficult which is why I mentioned the gateways. It's much easier to configure auth and things like rate limiting with an API gateway.

stacksofplates

The reverse proxy aspect only really adds benefit when you need to load balance across multiple services.

hobbit666

@jaredbusch said in How to Secure a Website at Home:

@scottalanmiller said in How to Secure a Website at Home:

If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.

GitLab Pages is where my poor under populated blog resides.

I'll give gitlab a go

hobbit666

@pete-s said in How to Secure a Website at Home:

I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.

But that will cost me this is only to host a few static pages.

Obsolesce

@hobbit666 said in How to Secure a Website at Home:

@pete-s said in How to Secure a Website at Home:

I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.

But that will cost me this is only to host a few static pages.

You can do that for free at Gitlab, GitHub, AWS, Azure, GCP, etc...

Why wast time and resources doing it at home?