How to Secure a Website at Home
-
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
-
@stacksofplates said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
You could do that on wordpress directly too I believe.
-
@pete-s said in How to Secure a Website at Home:
@hobbit666 said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
What kind of website is it and who is going to access it?
It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.
I'll only be a few people accessing when working together to diagnose the pcb.
I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.
Then you don't have to worry about incoming traffic, bandwidth, security of your LAN or anything.
Well, unless you want to do it for fun or learning of course. But then I think you need to go all in.
If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.
-
@scottalanmiller said in How to Secure a Website at Home:
If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.
GitLab Pages is where my poor under populated blog resides.
-
@pete-s said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
You could do that on wordpress directly too I believe.
This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.
-
@stacksofplates said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
You could do that on wordpress directly too I believe.
This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.
True, but you can authenticate directly on apache too - before wordpress is involved. Apache can do both oidc and saml. Nginx can only do oidc afaik.
-
@pete-s said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
You could do that on wordpress directly too I believe.
This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.
True, but you can authenticate directly on apache too - before wordpress is involved. Apache can do both oidc and saml. Nginx can only do oidc afaik.
Only nginx plus can do oidc. Apache can but it's more difficult which is why I mentioned the gateways. It's much easier to configure auth and things like rate limiting with an API gateway.
-
The reverse proxy aspect only really adds benefit when you need to load balance across multiple services.
-
@jaredbusch said in How to Secure a Website at Home:
@scottalanmiller said in How to Secure a Website at Home:
If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.
GitLab Pages is where my poor under populated blog resides.
I'll give gitlab a go
-
@pete-s said in How to Secure a Website at Home:
I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.
But that will cost me this is only to host a few static pages.
-
@hobbit666 said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.
But that will cost me this is only to host a few static pages.
You can do that for free at Gitlab, GitHub, AWS, Azure, GCP, etc...
Why wast time and resources doing it at home?
-
@obsolesce said in How to Secure a Website at Home:
You can do that for free at Gitlab, GitHub, AWS, Azure, GCP, etc...
Why wast time and resources doing it at home?
I tried WordPress free hosting, but to use plugins you have to pay
Never heard of Gitlab before until Jared mentioned it. AWS / Azure wasn't aware of any free teirs after trial periods have finished, but will look closer see what I can find.
-
@hobbit666 said in How to Secure a Website at Home:
@obsolesce said in How to Secure a Website at Home:
You can do that for free at Gitlab, GitHub, AWS, Azure, GCP, etc...
Why wast time and resources doing it at home?
I tried WordPress free hosting, but to use plugins you have to pay
Never heard of Gitlab before until Jared mentioned it. AWS / Azure wasn't aware of any free teirs after trial periods have finished, but will look closer see what I can find.
GCP has an always free tier. GitLab pages and GitHub pages will host static sites for free.
I have my wife's business site on gitlab pages and I have a static site for documentation for an API I wrote on GitHub pages and I have a project I wrote on Vercel. Vercel is by far the most featureful and IMO better than the others. It will host the static sites and server less functions.
They work really well.
-
@hobbit666 said in How to Secure a Website at Home:
@obsolesce said in How to Secure a Website at Home:
You can do that for free at Gitlab, GitHub, AWS, Azure, GCP, etc...
Why wast time and resources doing it at home?
I tried WordPress free hosting, but to use plugins you have to pay
Never heard of Gitlab before until Jared mentioned it. AWS / Azure wasn't aware of any free teirs after trial periods have finished, but will look closer see what I can find.
We'll technically it might cost you $0.02 a month to host a static site on Azure/AWS. It costs me $0.01 a month for my static site on Azure because the storage costs. But it's totally free on the others I mentioned.
-
@hobbit666 said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.
But that will cost me this is only to host a few static pages.
If the pages are static how did WordPress get involved?
-
@scottalanmiller said in How to Secure a Website at Home:
If the pages are static how did WordPress get involved?
Because User
-
@jaredbusch said in How to Secure a Website at Home:
@scottalanmiller said in How to Secure a Website at Home:
If the pages are static how did WordPress get involved?
Because User
^^this
-
@scottalanmiller said in How to Secure a Website at Home:
If the pages are static how did WordPress get involved?
Although they are static pages I wanted to use a light box type Plug-in so I can use larger images but display as thumbnails. Just thought a easy with WordPress and that's was the first thing I thought of.
But was happy to install anything
(Before its mentioned, yes you can most probably do it all with just HTML/PHP but my coding knowledge is zero now a day)
-
@obsolesce said in How to Secure a Website at Home:
We'll technically it might cost you $0.02 a month to host a static site on Azure/AWS. It costs me $0.01 a month for my static site on Azure because the storage costs. But it's totally free on the others I mentioned.
OK that should a lot better will have to look more into their offerings, I just assumed pricing was a bit hight then that. Like Vultr etc etc
-
@hobbit666 said in How to Secure a Website at Home:
@obsolesce said in How to Secure a Website at Home:
We'll technically it might cost you $0.02 a month to host a static site on Azure/AWS. It costs me $0.01 a month for my static site on Azure because the storage costs. But it's totally free on the others I mentioned.
OK that should a lot better will have to look more into their offerings, I just assumed pricing was a bit hight then that. Like Vultr etc etc
I thought static as in literally static html pages. If you are talking about WordPress and PHP pages, that won't work on anything I mentioned, unless you have something running somewhere else that converts them to static HTML pages and pushes them to there.