self-hosting applications

  1. install a web server like nginx or Apache on your server
  2. find an application to self-host
  3. look up the requirements of the application
    • software dependencies
    • hardware requirements
  4. install the required dependencies
  5. install the application
  6. configure the application
  7. profit

This solution uses a load balancer on an Internet-facing server which terminates the SSL connection and then hands the traffic through a WireGuard VPN to a reverse proxy or web server on your local network, which in turn either serves static content or reverse-proxies an application.

This way you don't expose your local IP to the internet, and DDoS attacks don't hit your local internet connection. If your IP or prefix changes dynamically, you also don't need DynDNS, because the VPN connection is initiated from your local network towards the internet server.

You could also terminate the SSL connection on your local server and forward the traffic directly. This is useful if you want to use Split DNS or Hairpin NAT to serve local requests locally, without them ever hitting the Internet.

If you want to offload the external clients' SSL onto the internet server, you can copy the SSL certificate to both servers and either do double SSL (terminate SSL on the internet server, then connect to another SSL-enabled web server locally) or proxy the SSL-terminated requests to a non-SSL endpoint on the local server.

In that case, since the HTTPS traffic is already encrypted, you can drop the VPN tunnel completely. This is only possible if you have a static IP or use DynDNS for your local internet connection, as the internet server has to know your external IP for this to work. It also exposes your local web server to the internet: anyone who knows your external IP can connect to it directly without going through the external server.

You could also remove the load balancer if you only have a single local server and just port-forward the corresponding ports from the internet server to the local one. However, you'll lose the ability to serve different domains on the same port, as only one listener can be bound to a port at a time.

These example configurations show only a fraction of the possible combinations of load balancers, web servers, reverse proxies and VPNs. Use what fits your personal use case best, as there is no general "best" or "worst" solution.
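As an added example of the topology described above (this is not configuration from the original page), the following POSIX shell script renders the three files involved: the WireGuard configuration for the internet server, the WireGuard configuration for the local reverse proxy, and the nginx site on the internet server that terminates TLS and forwards plain HTTP into the tunnel. The tunnel addresses 10.8.0.1 and 10.8.0.2, the domain app.example.com, the certificate paths and the key placeholders are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: renders the configuration files
# for the "load balancer on the internet + WireGuard + local reverse proxy"
# topology. Every address, name, path and key below is an assumption or a
# placeholder; replace them with your own values.

WG_PORT="51820"                   # WireGuard UDP port (upstream default)
WG_SERVER_IP="10.8.0.1"           # internet server's tunnel address (assumed)
WG_LOCAL_IP="10.8.0.2"            # local reverse proxy's tunnel address (assumed)
SITE_NAME="app.example.com"       # placeholder domain
CERT_DIR="/etc/letsencrypt/live/${SITE_NAME}"   # assumed certbot layout

# /etc/wireguard/wg0.conf on the internet server. It has no Endpoint: the
# local side dials in, so a changing home IP or prefix does not matter.
wg_server_conf() {
    cat <<EOF
[Interface]
Address = ${WG_SERVER_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# the reverse proxy on the local network
PublicKey = <LOCAL_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = ${WG_LOCAL_IP}/32
EOF
}

# /etc/wireguard/wg0.conf on the local reverse proxy. PersistentKeepalive
# keeps the NAT mapping alive so the internet server can always reach it.
wg_local_conf() {
    cat <<EOF
[Interface]
Address = ${WG_LOCAL_IP}/24
PrivateKey = <LOCAL_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = <INTERNET_SERVER_PUBLIC_IP>:${WG_PORT}
AllowedIPs = ${WG_SERVER_IP}/32
PersistentKeepalive = 25
EOF
}

# nginx site on the internet server: terminate TLS here, then proxy plain
# HTTP into the tunnel (the tunnel itself provides the encryption).
nginx_site_conf() {
    cat <<EOF
server {
    listen 80;
    server_name ${SITE_NAME};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name ${SITE_NAME};
    ssl_certificate     ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;

    location / {
        proxy_pass http://${WG_LOCAL_IP}:80;
        proxy_set_header Host              \$host;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Print all three files to stdout: sh render-configs.sh print
if [ "${1:-}" = "print" ]; then
    echo "# --- internet server: /etc/wireguard/wg0.conf"; wg_server_conf
    echo "# --- local proxy: /etc/wireguard/wg0.conf"; wg_local_conf
    echo "# --- internet server: /etc/nginx/sites-available/${SITE_NAME}"; nginx_site_conf
fi
```

Only the local peer carries an Endpoint and PersistentKeepalive, so the tunnel is always brought up from the local network; the internet server never needs to know the home IP, which is what makes DynDNS unnecessary in this setup. AllowedIPs is restricted to the single tunnel address on each side, so nothing but the proxied traffic is routed through the tunnel. For the double-SSL variant from the text, change proxy_pass to an https:// upstream and copy the certificate to the local server as described.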

Many people use Docker containers or Docker Compose setups to self-host services, as it's a quick and simple way to get the most up-to-date versions of their favourite self-hosted software. The software in the repositories of popular Linux distributions is often a bit out of date.

Popular solutions include, but are not limited to:

The most important differences between server hardware are the CPU architecture and kernel support. You can run everything on x86 because it's the most popular hardware platform, but ARM is steadily catching up.

A lot of software runs on small single-board computers like the Raspberry Pi, with low power usage. Their CPU architecture is ARM, so there are limits to this.

You can put a distribution like DietPi on your Raspberry Pi and use it like regular Debian. Some features, like virtual machines and containers, may be hard to use.

which Raspberry Pi should I buy?

Currently (10/2020) the most recent iteration of the popular SoC is the Raspberry Pi 4. The 4GB version of the Raspberry Pi 4B is pretty good.

The 8GB version might be good if you want to host lots of services, but keep in mind that the CPU of the Raspberry Pi is not the fastest; you'd probably run into a CPU bottleneck rather than a RAM bottleneck in that case.

Your Pi will get hot hosting lots of services, so consider getting a case with a fan and/or a heatsink.

  1. install it from your Linux distribution's repository
  2. configure the service
  3. configure the firewall
  4. monitor the service
  5. run it as a user other than root (usually the default for most pre-packaged services)
  • Operational security (OPSEC) – don't leak your own data (passwords, sensitive configuration files)
  • Hardening – don't let hackers take over your servers
  • Open ports – only expose things to the internet which are configured securely
  • In-transit encryption – use TLS or similar everywhere you can
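As an added example for the firewall, open-ports and non-root items in the checklists above (not from the original page), here are two small POSIX shell audit helpers. They read the output of `ss -lntp` and `ps -eo pid,user,comm` from stdin, so they are shown here against constructed sample output rather than a real host; the allowlisted ports and the service names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: two audit helpers for the
# "only expose what is configured securely" and "don't run as root" items.
# Both read command output from stdin so they can be run against the
# constructed samples below as well as against a live system.

# Print TCP listeners bound to every interface whose port is not in the
# allowlist given as $1 (space-separated). Sockets bound to 127.0.0.1 or to
# the WireGuard tunnel address are left alone: they are not reachable from
# the internet and are exactly what a reverse-proxied app should look like.
# Live usage: ss -H -lntp | unexpected_public_listeners "22 80 443"
unexpected_public_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            addr = $4
            # "0.0.0.0:PORT", "*:PORT" and "[::]:PORT" all mean "every interface"
            if (addr !~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/) next
            port = addr; sub(/.*:/, "", port)
            if (port in ok) next
            proc = "unknown"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            printf "%s %s\n", port, proc
        }'
}

# Print each service name from $1 (space-separated) for which every running
# process has user root. A root master with non-root workers (nginx, Apache)
# is fine and is not reported; a service with only root processes is.
# Live usage: ps -eo pid,user,comm | services_running_as_root "nginx myapp"
services_running_as_root() {
    awk -v names="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 ~ /^[0-9]+$/ && ($3 in want) {
            total[$3]++
            if ($2 != "root") nonroot[$3]++
        }
        END { for (nm in want) if (total[nm] > 0 && !(nm in nonroot)) print nm }' | sort
}

# Constructed sample of `ss -H -lntp` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=812,fd=7))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=700,fd=5))
LISTEN 0 4096 *:9000 *:* users:(("php-fpm",pid=900,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=300,fd=3))
LISTEN 0 128 10.8.0.2:8080 0.0.0.0:* users:(("myapp",pid=950,fd=9))'

# Constructed sample of `ps -eo pid,user,comm` output.
SAMPLE_PS='  PID USER     COMMAND
  812 root     nginx
  813 www-data nginx
  900 root     php-fpm
  950 root     myapp
  700 postgres postgres'

# Run against the samples: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "public listeners outside allowlist (port process):"
    printf '%s\n' "$SAMPLE_SS" | unexpected_public_listeners "22 80 443"
    echo "services with only root processes:"
    printf '%s\n' "$SAMPLE_PS" | services_running_as_root "nginx php-fpm myapp postgres"
fi
```

On the sample data the first helper reports only the php-fpm socket on port 9000, since 80, 443 and 22 are allowlisted and the postgres and myapp sockets are bound to loopback or to the tunnel address; the second reports php-fpm and myapp, while nginx passes because its workers run as www-data. Anything the first helper reports is a candidate for a firewall rule or for rebinding the service to 127.0.0.1 or the tunnel address.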

Last modified: 2021-01-24 12:33