    How to Secure a Website at Home

    Water Closet
    • hobbit666H
      hobbit666
      last edited by

      Didn't want to start a new thread at the moment,
      But I'm hosting a quick site at home on a VM, got a domain and forwarded it to my external IP.

      The VM is Linux Apache, MariaDB, PHP. But how would people beef up the security?
      Stick Nginx in front on the same server or a separate VM?

      travisdh1T JaredBuschJ scottalanmillerS 3 Replies Last reply Reply Quote 0
      • travisdh1T
        travisdh1 @hobbit666
        last edited by

        @hobbit666 said in What Are You Doing Right Now:

        Didn't want to start a new thread at the moment,
        But I'm hosting a quick site at home on a VM, got a domain and forwarded it to my external IP.

        The VM is Linux Apache, MariaDB, PHP. But how would people beef up the security?
        Stick Nginx in front on the same server or a separate VM?

        I always use a reverse proxy now (that's what putting Nginx between the server and the outside world does).

        Either way, same server or separate VM should be ok. I prefer a separate VM, but that's because I already have one setup with gobs of things running through it.

        hobbit666H 1 Reply Last reply Reply Quote 1
        • hobbit666H
          hobbit666 @travisdh1
          last edited by

          @travisdh1 said in What Are You Doing Right Now:

          I always use a reverse proxy now (that's what putting Nginx between the server and the outside world does).

          Either way, same server or separate VM should be ok. I prefer a separate VM, but that's because I already have one setup with gobs of things running through it.

          That's what I was thinking. Now to get one set up and configured 🙂

          1 Reply Last reply Reply Quote 1
          • JaredBuschJ
            JaredBusch @hobbit666
            last edited by

            @hobbit666 said in What Are You Doing Right Now:

            Didn't want to start a new thread at the moment,

            Always make a new thread. Makes it way the fuck easier to find this recommendation later.

            hobbit666H 1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @hobbit666
              last edited by

              @hobbit666 said in How to Secure a Website at Home:

              Stick Nginx in front on the same server or a separate VM?

              Separately normally, but the same isn't that bad. Depends how much flexibility that you want. An extra server adds a little additional security. But you are running this at home. So there is a practical limit to consider, as well.

              1 Reply Last reply Reply Quote 0
              • 1
                1337
                last edited by

                A proxy in front makes almost no difference from a security perspective.

                It will just pass on any malicious request to the webserver.

                If you wanted to go that route you would need something that can detect and filter the request. Basically a web application firewall (WAF) in front.

                What kind of website is it and who is going to access it?

                scottalanmillerS hobbit666H 2 Replies Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @1337
                  last edited by

                  @pete-s said in How to Secure a Website at Home:

                  A proxy in front makes almost no difference from a security perspective.

                  It helps, but yes, EXTREMELY little.

                  1 Reply Last reply Reply Quote 0
                  • hobbit666H
                    hobbit666 @JaredBusch
                    last edited by

                    @jaredbusch said in How to Secure a Website at Home:

                    @hobbit666 said in What Are You Doing Right Now:

                    Didn't want to start a new thread at the moment,

                    Always make a new thread. Makes it way the fuck easier to find this recommendation later.

                    Only asked in the "What You're Doing" thread as if people said don't bother, no need for a thread lol

                    1 Reply Last reply Reply Quote 0
                    • hobbit666H
                      hobbit666 @1337
                      last edited by

                      @pete-s said in How to Secure a Website at Home:

                      What kind of website is it and who is going to access it?

                      It's a WordPress site at the moment, but it's simply going to be static pages showing images and text. Showing repair jobs and meter readings, so everything is in place.

                      It'll only be a few people accessing it when working together to diagnose the PCB.

                      scottalanmillerS 1 2 Replies Last reply Reply Quote 0
                      • stacksofplatesS
                        stacksofplates
                        last edited by

                        You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

                        stacksofplatesS 1 Reply Last reply Reply Quote 1
                        • scottalanmillerS
                          scottalanmiller @hobbit666
                          last edited by

                          @hobbit666 said in How to Secure a Website at Home:

                          @pete-s said in How to Secure a Website at Home:

                          What kind of website is it and who is going to access it?

                          It's a WordPress site at the moment, but it's simply going to be static pages showing images and text. Showing repair jobs and meter readings, so everything is in place.

                          It'll only be a few people accessing it when working together to diagnose the PCB.

                          If you are concerned about security, use a static generator to output WordPress to "not WordPress", or just stop using WordPress. Your security issues are 99% WordPress, 1% everything else. So since you aren't using WP for anything, don't have it deployed.

                          1 Reply Last reply Reply Quote 1
                          • 1
                            1337 @hobbit666
                            last edited by 1337

                            @hobbit666 said in How to Secure a Website at Home:

                            @pete-s said in How to Secure a Website at Home:

                            What kind of website is it and who is going to access it?

                            It's a WordPress site at the moment, but it's simply going to be static pages showing images and text. Showing repair jobs and meter readings, so everything is in place.

                            It'll only be a few people accessing it when working together to diagnose the PCB.

                            I think it would be easier to just set up a $5/month Vultr instance. From what you say, there is no real reason why it has to be hosted at home.

                            Then you don't have to worry about incoming traffic, bandwidth, security of your LAN or anything.

                            Well, unless you want to do it for fun or learning of course. But then I think you need to go all in.

                            scottalanmillerS hobbit666H 2 Replies Last reply Reply Quote 0
                            • stacksofplatesS
                              stacksofplates @stacksofplates
                              last edited by

                              @stacksofplates said in How to Secure a Website at Home:

                              You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

                              Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

                              Kong has an open source plugin for oidc.

                              They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

                              1 1 Reply Last reply Reply Quote 0
                              • 1
                                1337 @stacksofplates
                                last edited by

                                @stacksofplates said in How to Secure a Website at Home:

                                @stacksofplates said in How to Secure a Website at Home:

                                You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

                                Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

                                Kong has an open source plugin for oidc.

                                They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

                                You could do that on wordpress directly too I believe.

                                stacksofplatesS 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @1337
                                  last edited by

                                  @pete-s said in How to Secure a Website at Home:

                                  @hobbit666 said in How to Secure a Website at Home:

                                  @pete-s said in How to Secure a Website at Home:

                                  What kind of website is it and who is going to access it?

                                  It's a WordPress site at the moment, but it's simply going to be static pages showing images and text. Showing repair jobs and meter readings, so everything is in place.

                                  It'll only be a few people accessing it when working together to diagnose the PCB.

                                  I think it would be easier to just set up a $5/month Vultr instance. From what you say, there is no real reason why it has to be hosted at home.

                                  Then you don't have to worry about incoming traffic, bandwidth, security of your LAN or anything.

                                  Well, unless you want to do it for fun or learning of course. But then I think you need to go all in.

                                  If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.

                                  JaredBuschJ 1 Reply Last reply Reply Quote 2
                                  • JaredBuschJ
                                    JaredBusch @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in How to Secure a Website at Home:

                                    If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.

                                    GitLab Pages is where my poor under populated blog resides.

                                    hobbit666H 1 Reply Last reply Reply Quote 0
                                    • stacksofplatesS
                                      stacksofplates @1337
                                      last edited by stacksofplates

                                      @pete-s said in How to Secure a Website at Home:

                                      @stacksofplates said in How to Secure a Website at Home:

                                      @stacksofplates said in How to Secure a Website at Home:

                                      You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

                                      Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

                                      Kong has an open source plugin for oidc.

                                      They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

                                      You could do that on wordpress directly too I believe.

                                      This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.

                                      1 1 Reply Last reply Reply Quote 0
                                      • 1
                                        1337 @stacksofplates
                                        last edited by 1337

                                        @stacksofplates said in How to Secure a Website at Home:

                                        @pete-s said in How to Secure a Website at Home:

                                        @stacksofplates said in How to Secure a Website at Home:

                                        @stacksofplates said in How to Secure a Website at Home:

                                        You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

                                        Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

                                        Kong has an open source plugin for oidc.

                                        They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

                                        You could do that on wordpress directly too I believe.

                                        This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.

                                        True, but you can authenticate directly on apache too - before wordpress is involved. Apache can do both oidc and saml. Nginx can only do oidc afaik.

                                        stacksofplatesS 1 Reply Last reply Reply Quote 0
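The "authenticate on Apache before WordPress is involved" approach from the post above, as an added configuration example (not from the thread or from any of the posters): a vhost protected by mod_auth_openidc so that no request, including wp-login.php and xmlrpc.php, reaches PHP until the visitor has logged in at the identity provider and matched one of a short allow-list of accounts. It assumes mod_auth_openidc and mod_ssl are enabled, and every hostname, path, client ID, secret, passphrase and email address below is a placeholder to replace with your own values.

```apache
# Added example, not the original poster's setup. Requires: a2enmod auth_openidc ssl headers
# Global OIDC client settings: provider discovery document plus the client registered there.
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID            REPLACE_WITH_CLIENT_ID
OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET

# Redirect URI must be a path under the protected location that no real file or
# WordPress route serves; mod_auth_openidc handles it itself during the login flow.
OIDCRedirectURI         https://www.example.com/protected/redirect_uri
# Random string used to encrypt the module's session cookie (generate one, do not reuse).
OIDCCryptoPassphrase    REPLACE_WITH_LONG_RANDOM_STRING
OIDCScope               "openid email"

# Identity reaches the backend as request headers (OIDC_CLAIM_*); scrubbing makes sure
# a client cannot supply its own copies of those headers and impersonate a user.
OIDCRemoteUserClaim     email
OIDCPassClaimsAs        headers
OIDCScrubRequestHeaders On

<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/wordpress

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt      # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Protect the whole site, not just wp-admin: the point is that WordPress code
    # never runs for an unauthenticated or unlisted visitor.
    <Location />
        AuthType openid-connect
        # Allow-list the handful of people who actually need the site.
        <RequireAny>
            Require claim email:alice@example.com
            Require claim email:bob@example.com
        </RequireAny>
    </Location>

    <Directory /var/www/wordpress>
        AllowOverride All
    </Directory>
</VirtualHost>

# Plain HTTP only exists to redirect to TLS; nothing is served unauthenticated.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
```

Check it by requesting any page without a session: you should be redirected to the identity provider, and a login with an email outside the allow-list should get a 403 from Apache without WordPress ever handling the request.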
                                        • stacksofplatesS
                                          stacksofplates @1337
                                          last edited by

                                          @pete-s said in How to Secure a Website at Home:

                                          @stacksofplates said in How to Secure a Website at Home:

                                          @pete-s said in How to Secure a Website at Home:

                                          @stacksofplates said in How to Secure a Website at Home:

                                          @stacksofplates said in How to Secure a Website at Home:

                                          You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.

                                          Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/

                                          Kong has an open source plugin for oidc.

                                          They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.

                                          You could do that on wordpress directly too I believe.

                                          This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.

                                          True, but you can authenticate directly on apache too - before wordpress is involved. Apache can do both oidc and saml. Nginx can only do oidc afaik.

                                          Only nginx plus can do oidc. Apache can but it's more difficult which is why I mentioned the gateways. It's much easier to configure auth and things like rate limiting with an API gateway.

                                          stacksofplatesS 1 Reply Last reply Reply Quote 0
                                          • stacksofplatesS
                                            stacksofplates @stacksofplates
                                            last edited by

                                            The reverse proxy aspect only really adds benefit when you need to load balance across multiple services.

                                            1 Reply Last reply Reply Quote 0