
Implications of Running My Own Web Server?

So I already have a hosting plan and run several websites. And it's fine! But for a while, I've been meaning to attempt to host my own web server. This way I'll have more flexibility and control over content, file size limits, and so on and so forth. Except now, I finally have hardware capable of actually doing this. Right now I'm rocking a dual-socket Xeon X5675 system, so 12 cores, 24 threads, and only 16GB of RAM right now, but I plan more like 64+. But that's a work in progress. I'm also running currently a 120GB SSD for OS, and a 1TB HDD for storage, which for a very small project with only my own content being hosted, would... Probably be fine, right?

 

I have about 100mbps down, 20+mbps up speed at home. 

 

Now I know I'm not going to be hosting a website with 1,000,000 visitors a day on this thing and that the site would slow to a crawl if I tried. But truth is, I'm not IN that kind of position. Mostly this is just something I've wanted to try for a while, just for the sake of it. That you can have your own control over your own website. That's pretty cool to me! I'm sure this rig and my home connection could easily handle 1,000+ uniques a day without a hitch, on a site where each page is averaging, let's say, 500KB worth of content. I know I'll need a static IP, though as I understand it, there are ways around this with a number of different services that can give you a static IP, then communicate with your connected server. I think...

 

So where would you suggest I start? I'm experienced with the hardware side of things, also some HTML/CSS but I'd probably use a CMS of some sort, so that's just an aside. I'm also kind of worried about security. Suppose I'm hosting a simple Wordpress site for example. What vulnerabilities would I have to worry about in regards to my own home network? I'm well-aware that my site could be hacked through vulnerabilities, be hijacked to host viruses, all that kind of stuff. But what about my own personal data on the other machines I have on my home network? Should I perhaps have a dedicated router, stuff like that?

 

I guess my ideal start would simply be to put up a text-based site index and be able to access it from anywhere. And on top of that, keep the rest of my personal data and machines on my own home network, SAFE. And after that point, I could start to get a bit more fancy. But those are my starting priorities. I'd then like to try my hand at maybe installing something like clipbucket, test out a remote video upload from an outside location, stuff like that. This is all a learning experience to start with, and I'd absolutely love to hear from anyone who's tried projects like this, learn about all the things to consider, any pitfalls you've experienced and so on! Thanks for your time!

 

I'd love to hear from someone. 


Just use wamp, easy to set up and run.


11 minutes ago, Enderman said:

Just use wamp, easy to set up and run.

Was a big candidate that I was checking out. Other was Xampp.


Compartmentalisation is key. Separate your home network with your server. Have your connection static IP or whatever from your router to port forward to a specific machine on your network. 

 

For wordpress... use either nginx or apache. Though for simplicity's sake, Wordpress works best with Apache+Mysql+PHP. It just works out of the box. Use Letsencrypt for your SSL needs.

 

Always layer your defences. Personally, I'd throw in nginx on the front-end or Apache or PHP-FPM. I recommend using one of Cloudflare's free plans so your IP isn't exposed plus you'll have their WAF. Be sure to be running some firewall on your device as well as ModSecurity on your web server. If you're running Linux, hope you're running SELinux plus all the mariadb/mysqldb security stuff. 

 

You might want to do some math if it makes economic sense to do this from your home. Your box will be running 24/7. Traffic or no traffic. There are colocation services available across the web that may make more sense. But I understand how you might want to do something like this. Been there myself about 10 years ago. Have fun! 

 


47 minutes ago, Argo Snuffy said:

Compartmentalisation is key. Separate your home network with your server. Have your connection static IP or whatever from your router to port forward to a specific machine on your network. 

 

For wordpress... use either nginx or apache. Though for simplicity's sake, Wordpress works best with Apache+Mysql+PHP. It just works out of the box. Use Letsencrypt for your SSL needs.

 

Always layer your defences. Personally, I'd throw in nginx on the front-end or Apache or PHP-FPM. I recommend using one of Cloudflare's free plans so your IP isn't exposed plus you'll have their WAF. Be sure to be running some firewall on your device as well as ModSecurity on your web server. If you're running Linux, hope you're running SELinux plus all the mariadb/mysqldb security stuff. 

 

You might want to do some math if it makes economic sense to do this from your home. Your box will be running 24/7. Traffic or no traffic. There are colocation services available across the web that may make more sense. But I understand how you might want to do something like this. Been there myself about 10 years ago. Have fun! 

 

Damn. That's a lot of things to consider. But I'll definitely look into all of it, and I appreciate the extensive list!

 

Well, I figure that if my server is going to be idle most of the day, running maybe 150 watts at the wall, and the $250 it cost me, I think it COULD be worthwhile. Although I didn't buy this thing with the intent of a web server, it's kind of a "If the shoe fits, wear it" type of deal. I actually bought it mostly for video editing, and things like handbrake and whatnot.

 

My FX-8350 wasn't doing the job as fast as I'd like, and this thing performs well over 2x and I'm actually REALLY satisfied with the performance for the small pricetag. Heck, it rips through tasks like the newer processors ALONE that cost as much. Come to think of it... The dual X5675 system, RAM, hard drives and all actually only use a little over 300 watts at the wall under 100% load. FX-8350 without overclock is 260. Goes to show how wasteful these old FX CPU's are. But that's just an aside.

 

Yeah, the thought has definitely crossed my mind in the past to try something like this. I actually have this super old late 90's Celeron (I think) system from my grandfather's office back in the early 2000's and was planning to mess with it in this way, but I think a proper workstation rig is a much better candidate. :)

 

 


just want to say a few things...

 

the system you're using is a MASSIVE overkill for a webserver. I get you're also doing other things on it but you don't need any upgrade whatsoever for the webserver. A webserver needs very little when it comes to CPU cores or memory, if the website is well built at least. I've seen over a dozen websites run on a 4 threaded server with only 8GB just fine with hundreds of uniques every month without a problem. Once the website is compiled (first time anyone requests it), very little is needed to handle a request by another user. If you're running Windows my advice would be to just use Hyper-V and create a VM with 4 threads and 4GB of RAM. Should work well enough for you for now and you can always increase the RAM when you upgrade to 64GB.

 

biggest advice i can give is to NEVER use any php based database manager (like phpmyadmin). These things are full of security holes and exploits. If you're going to advertise your website anywhere you'll have kids running scripts looking for phpmyadmin in no time trying to hack ur database. When i had a very public website running on my server at home (still do, just not as public) i had at least 10 kids every day trying this. Never succeeded of course because i never used a web based admin tool. I'm just mentioning this because as i remember phpmyadmin comes with WAMP. So just delete it. If you don't need to access your database directly over the internet i also suggest to just keep the mysql port closed in the router so it can't be reached from the outside. Why expose it when you don't use it right?

 

another thing to consider is using IIS. The reason being AFAIK IIS blocks everything by default and you have to activate/open everything you need/want and apache for example allows everything and you have to block everything you don't want. Might be a bit of a preference though and i'm no expert by any means, just giving some food for thought..

I have no signature
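
The scanning described in the post above is visible in the web server's access log. As an added example (not part of the original thread), this shell function counts requests whose path contains "phpmyadmin" per client IP and marks whether any of them was actually served. It assumes Apache/nginx combined log format; the function names and the sample log lines are constructed.

```shell
#!/bin/sh
# Summarise phpMyAdmin probing seen in a web access log (combined log format).
# Output, one line per client IP:  <ip> <requests> <served|rejected>
#   served   = at least one probe was answered with a 2xx status
#   rejected = every probe got some other status (404, 403, ...)

pma_probe_report() {
    awk '
    {
        # ip - user [time] "METHOD path proto" status size "referer" "agent"
        # Splitting on the double quote keeps the request line in one piece.
        n = split($0, q, "\"")
        if (n < 3) next                      # not a combined-format line
        split(q[1], head, " "); ip = head[1]
        split(q[2], req, " ");  path = req[2]
        split(q[3], tail, " "); status = tail[1]
        if (tolower(path) !~ /phpmyadmin/) next
        hits[ip]++
        if (status ~ /^2/) served[ip] = 1
    }
    END {
        for (ip in hits) {
            verdict = (ip in served) ? "served" : "rejected"
            printf "%s %d %s\n", ip, hits[ip], verdict
        }
    }' | LC_ALL=C sort
}

# Constructed sample: two probing clients and one ordinary visitor.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [12/Jun/2018:03:45:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2018:03:45:02 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2018:04:10:44 +0000] "GET /PhpMyAdmin/ HTTP/1.1" 200 4523 "-" "curl/7.58.0"
192.0.2.10 - - [12/Jun/2018:04:11:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

sample_log | pma_probe_report
```

A "served" verdict means the admin tool answered an outside client and needs to be removed or put behind access control; "rejected" lines are background noise.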


If you're going to turn this into a business or plan on making money on this, you may need to check your ISP's small print. Your ISP may have restrictions in your contract that limits you from running a business using a Home connection. Instead you'd need to purchase a business line from them.

 

Also, as @Helly said, that server is overkill for what you're planning on doing with it.

Stop and think a second, something is more than nothing.


8 minutes ago, Helly said:

just want to say a few things...

 

the system you're using is a MASSIVE overkill for a webserver. I get you're also doing other things on it but you don't need any upgrade whatsoever for the webserver. A webserver needs very little when it comes to CPU cores or memory, if the website is well built at least. I've seen over a dozen websites run on a 4 threaded server with only 8GB just fine with hundreds of uniques every month without a problem. Once the website is compiled (first time anyone requests it), very little is needed to handle a request by another user. If you're running Windows my advice would be to just use Hyper-V and create a VM with 4 threads and 4GB of RAM. Should work well enough for you for now and you can always increase the RAM when you upgrade to 64GB.

 

biggest advice i can give is to NEVER use any php based database manager (like phpmyadmin). These things are full of security holes and exploits. If you're going to advertise your website anywhere you'll have kids running scripts looking for phpmyadmin in no time trying to hack ur database. When i had a very public website running on my server at home (still do, just not as public) i had at least 10 kids every day trying this. Never succeeded of course because i never used a web based admin tool. I'm just mentioning this because as i remember phpmyadmin comes with WAMP. So just delete it. If you don't need to access your database directly over the internet i also suggest to just keep the mysql port closed in the router so it can't be reached from the outside. Why expose it when you don't use it right?

 

another thing to consider is using IIS. The reason being AFAIK IIS blocks everything by default and you have to activate/open everything you need/want and apache for example allows everything and you have to block everything you don't want. Might be a bit of a preference though and i'm no expert by any means, just giving some food for thought..

Some more great advice, much appreciated!

 

I'm actually kind of surprised to hear that a server doesn't have to be particularly powerful. I mean, I know a few users don't need much, but would something like my rig be required for a site that gets, let's say a million views a day? Well, outside of network speed and bandwidth I mean. 

 

So what's with data centers running a metric crap-ton of cores and RAM? I know a lot of them are storing massive amounts of data, and I'd imagine more cores and RAM are better for a single server and its files being accessed by a ton of users, or at least I'd imagine so... I mean suppose we were in a business environment and had a central data server for employees to use. I'd imagine that my rig would still be sufficient for a ton of people, wouldn't it?

 

So yeah, is a lot of it just an "e-peen" thing? Naturally for complex calculations, stuff like that, more cores are better, but other than that, why the pressure for such powerful systems?

 

 


In data centers they have dedicated machines for everything you can think of. Database, storage, web, load balancing etc... Those machines are also so powerful because 90% (at least) of the time they are running multiple VMs (could be dozens, don't really know), and everything has at least 1 backup of everything to keep everything accessible in case of failure.

 

Services like Microsoft's Azure and Amazon's AWS run like this, with multiple customers being on the same physical machine on a separate VM.

I have no signature


Lots of info up here.

 

Remember, auditing is important as well. Being able to verify that the software you're using has no vulnerabilities in it. That usually means subscribing to the security mailing lists for the programs you're using and as a sysadmin myself my day starts every day reading those messages and fixing any problems in them.

 

FreeBSD has a shortcut for this because it has auditing built into the package manager. (I know of no Linux distro that does this, sorry)

 

For example:
 


root@freefall # pkg audit -F
Fetching vuln.xml.bz2: 100%  727 KiB 744.0kB/s    00:01    
git-2.16.3 is vulnerable:
Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)
CVE: CVE-2018-11235
CVE: CVE-2018-11233
WWW: https://vuxml.FreeBSD.org/freebsd/c7a135f4-66a4-11e8-9e63-3085a9a47796.html

1 problem(s) in the installed packages found.

This isn't a solution for reading the mailing lists but it can help you in case you missed something.

 

It also has Jails giving you the ability to chroot any software you like, regardless if it was built to do so and allows you to set disk to be read only so even root can't change your server config. And a ZFS rollback can easily return the jail server to working condition. (literally in seconds as it does not need to reboot) no matter what happened to it.

 

It has a lot of other advantages also, such as PF firewall, that can be a dynamic firewall and gives you a lot of ACL control in nice neat tables (I mean they based PFSense off it for a reason). Also DTrace so you can *actually* find out what your system is doing and fix it.

 

It's well worth learning it over other platforms in my opinion and if you're starting from scratch and have to learn something anyhow.. It's pretty much the alpha predator of server platforms.

"Only proprietary software vendors want proprietary software." - Dexter's Law
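
The `pkg audit` output quoted in the post above can be reduced to one line per vulnerable package, which is easier to mail from a nightly cron job. This is an added example, not part of the original post; the function names are made up here, the first sample is the output quoted in the post, and the "clean" line is constructed.

```shell
#!/bin/sh
# Reduce `pkg audit` text output to one line per vulnerable package:
#   <package-version> <CVE,CVE,...> <advisory URL>
# Assumes the text layout shown in the post (a "<pkg> is vulnerable:" line
# followed by "CVE:" and "WWW:" lines).

audit_summary() {
    awk '
    function emit() {
        if (pkg == "") return
        if (cves == "") cves = "-"
        if (url == "") url = "-"
        printf "%s %s %s\n", pkg, cves, url
        pkg = ""; cves = ""; url = ""
    }
    / is vulnerable:[ \t]*$/ { emit(); pkg = $1; next }
    pkg != "" && $1 == "CVE:" {
        if (cves == "") cves = $2; else cves = cves "," $2
        next
    }
    pkg != "" && $1 == "WWW:" { url = $2; next }
    END { emit() }'
}

# For cron: print the summary and return 1 when anything is vulnerable,
# return 0 silently when the audit is clean.
audit_gate() {
    report=$(audit_summary)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Sample input: the output quoted in the post.
sample_audit() {
    cat <<'EOF'
Fetching vuln.xml.bz2: 100%  727 KiB 744.0kB/s    00:01
git-2.16.3 is vulnerable:
Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)
CVE: CVE-2018-11235
CVE: CVE-2018-11233
WWW: https://vuxml.FreeBSD.org/freebsd/c7a135f4-66a4-11e8-9e63-3085a9a47796.html

1 problem(s) in the installed packages found.
EOF
}

sample_audit | audit_gate || echo "vulnerable packages found" >&2
```

On a FreeBSD host the live form is `pkg audit -F | audit_gate`.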


You know, I'm gonna sound like such a noob, but in my 10+ mins of work, installing Xampp, and setting up No-IP and writing up a very basic index... Accessing my home server from my mobile network, or of course, anywhere in the world, was pretty exciting! So yeah, I know a ton more is going to have to go into this, but I'm pretty excited to see what I can whip up on this thing. :)

 

Also, thanks for all the info you guys have already given me. Lots to consider, no doubt. Especially on keeping things locked down. It does make me think that running servers is (mostly) best left up to the big boys, but that doesn't mean this isn't fun. ;) 

 

So are many of the security concerns basically regarding things like databases? If one were to run a completely HTML website, would the security concerns be as big? Just curious. Also, in an HTML-only site, with an open port 80, and absolutely no other changes, would my home network be at risk? The rest of the files on my host machine? 

 

I guess I'm trying to take care of things in a very step by step process, finding out what I'd need for what level of function and so on. Also, what are your thoughts on a physical firewall device? Needed for something basic like this? Or a waste of money when just testing?


On 6/12/2018 at 3:45 AM, Helly said:

biggest advice i can give is to NEVER use any php based database manager (like phpmyadmin). These things are full of security holes and exploits. If you're going to advertise your website anywhere you'll have kids running scripts looking for phpmyadmin in no time trying to hack ur database. When i had a very public website running on my server at home (still do, just not as public) i had at least 10 kids every day trying this. Never succeeded of course because i never used a web based admin tool. I'm just mentioning this because as i remember phpmyadmin comes with WAMP. So just delete it. If you don't need to access your database directly over the internet i also suggest to just keep the mysql port closed in the router so it can't be reached from the outside. Why expose it when you don't use it right?

Would closing the MySQL port to the outside world "patch" the vulnerabilities of GUI interfaces like PhpMyAdmin? Also, any idea as to whether or not I'd need to keep the MySQL port open for web-scraping? Thanks in advance!


On 6/12/2018 at 12:51 PM, jde3 said:

This isn't a solution for reading the mailing lists but it can help you in case you missed something.

 

It also has Jails giving you the ability to chroot any software you like, regardless if it was built to do so and allows you to set disk to be read only so even root can't change your server config. And a ZFS rollback can easily return the jail server to working condition. (literally in seconds as it does not need to reboot) no matter what happened to it.

 

It has a lot of other advantages also, such as PF firewall, that can be a dynamic firewall and gives you a lot of ACL control in nice neat tables (I mean they based PFSense off it for a reason). Also DTrace so you can *actually* find out what your system is doing and fix it.

 

It's well worth learning it over other platforms in my opinion and if you're starting from scratch and have to learn something anyhow.. It's pretty much the alpha predator of server platforms.

You're talking about FreeBSD here, right?


26 minutes ago, r0otctrl said:

Would closing the MySQL port to the outside world "patch" the vulnerabilities of GUI interfaces like PhpMyAdmin? Also, any idea as to whether or not I'd need to keep the MySQL port open for web-scraping? Thanks in advance!

Web Scraping? You mean like Google? Uh. No. You're maybe confused about how this works. Nothing needs to access MySQL except the web server. (Use MariaDB not MySQL, it's a libre-fork of MySQL after Oracle bought MySQL) Often in simple LAMPS setups the database will listen on localhost anyhow.

 

The web server contacts the database to generate the data sent to the user. Users don't talk to the database directly. phpMyAdmin/phpPgAdmin are fine things to use if you use them well and understand how they work. Your developers may want them for various reasons.. who knows. They should have tightly controlled access in the web server, like all admin and statistic areas of the web server. SSL and Authentication is common here as well as allow subnet, deny all rules.

20 minutes ago, r0otctrl said:

You're talking about FreeBSD here, right?

Yes

"Only proprietary software vendors want proprietary software." - Dexter's Law
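
Whether the database really "listens on localhost", as the post above puts it, can be checked on the host itself. An added example (not from the thread), assuming a Linux host where `ss -H -ltn` from iproute2 is available; the function name and both sample socket lists are constructed.

```shell
#!/bin/sh
# List the addresses on which something listens on a given TCP port,
# ignoring loopback. Empty output means only processes on this host can
# connect, whatever the router forwards.
# Input: `ss -H -ltn` output on stdin.  Usage: nonlocal_listeners <port>

nonlocal_listeners() {
    awk -v port="$1" '
    $1 == "LISTEN" {
        # Field 4 is local address:port, e.g. 127.0.0.1:3306, [::]:80, *:3306
        n = split($4, part, ":")
        if (part[n] != port) next
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        print addr
    }' | LC_ALL=C sort -u
}

# Constructed sample: web server on all interfaces, database on loopback.
sample_ss_local_db() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
EOF
}

# Constructed sample: database bound to every interface.
sample_ss_open_db() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
EOF
}

echo "port 3306, database on loopback:"
sample_ss_local_db | nonlocal_listeners 3306
echo "port 3306, database on all interfaces:"
sample_ss_open_db | nonlocal_listeners 3306
```

The live check is `ss -H -ltn | nonlocal_listeners 3306`; if it prints an address, setting `bind-address = 127.0.0.1` in the MariaDB/MySQL server configuration restricts the listener to loopback.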


13 hours ago, bmichaels556 said:

You know, I'm gonna sound like such a noob, but in my 10+ mins of work, installing Xampp, and setting up No-IP and writing up a very basic index... Accessing my home server from my mobile network, or of course, anywhere in the world, was pretty exciting! So yeah, I know a ton more is going to have to go into this, but I'm pretty excited to see what I can whip up on this thing. :)

 

Also, thanks for all the info you guys have already given me. Lots to consider, no doubt. Especially on keeping things locked down. It does make me think that running servers is (mostly) best left up to the big boys, but that doesn't mean this isn't fun. ;) 

 

So are many of the security concerns basically regarding things like databases? If one were to run a completely HTML website, would the security concerns be as big? Just curious. Also, in an HTML-only site, with an open port 80, and absolutely no other changes, would my home network be at risk? The rest of the files on my host machine? 

 

I guess I'm trying to take care of things in a very step by step process, finding out what I'd need for what level of function and so on. Also, what are your thoughts on a physical firewall device? Needed for something basic like this? Or a waste of money when just testing?

 

13 hours ago, bmichaels556 said:

So are many of the security concerns basically regarding things like databases? If one were to run a completely HTML website, would the security concerns be as big? Just curious. Also, in an HTML-only site, with an open port 80, and absolutely no other changes, would my home network be at risk? The rest of the files on my host machine?

The database is where all the good stuff, the valuable data, is stored, so naturally securing your database is of the utmost importance. You wouldn't want your precious data that was collected over a span of months or even years being destroyed with a single statement. A purely HTML website shouldn't be much of an issue. You have to be extra vigilant any time your website accepts and/or deals with user input. You'll be vulnerable to cross-site scripting attacks and whatnot.


16 minutes ago, jde3 said:

Web Scraping? You mean like Google? Uh. No. Nothing needs to access MySQL except the web server. (Use MariaDB not MySQL, it's a libre-fork of MySQL after Oracle bought MySQL)

The web server contacts the database to generate the data sent to the user. Users don't talk to the database directly.

Web-scraping, as in executing a script which collects data off of the web by parsing websites and typically storing it in a database. But if a web-scraping script connects via some sort of framework to the database to input data thereto, wouldn't the database also be exposed to some degree by proxy? Unfortunately I'm only familiar with MySQL. Isn't MySQL comparatively lightweight and super efficient for applications such as basic websites and what not?


11 minutes ago, r0otctrl said:

Web-scraping, as in executing a script which collects data off of the web by parsing websites and typically storing it in a database. But if a web-scraping script connects via some sort of framework to the database to input data thereto, wouldn't the database also be exposed to some degree by proxy? Unfortunately I'm only familiar with MySQL. Isn't MySQL comparatively lightweight and super efficient for applications such as basic websites and what not?

I know what it is I just don't know what would be a reason to do it or why you would.. (really ever) want something to do that.

 

MariaDB and MySQL are the same thing. (at least they were..) One project is controlled by the community the other by an evil corporation pretty much.

 

If a script was trying to mine data out of your database that would be considered an exploit and it should be patched by the web application developer. (Wordpress, Ghost, Django, Roundcube, Nextcloud etc etc.) They will not allow just anyone to mine the database.

 

 

"Only proprietary software vendors want proprietary software." - Dexter's Law


Just now, jde3 said:

I know what it is I just don't know what would be a reason to do it or why you would.. (really ever) want something to do that.

 

MariaDB and MySQL are the same thing. One project is controlled by the community the other by an evil corporation pretty much.

 

If a script was trying to mine data out of your database that would be considered an exploit and it should be patched by the web application developer. (Wordpress, Ghost, Django, Roundcube, Nextcloud etc etc.) They will not allow just anyone to mine the database.

 

 

Oh, man, there are tons of applications that one can monetize by scraping data off of the web.

 

So MariaDB is relational? Maybe I'll switch over. One of the reasons I've stuck with MySQL is simply because my current web hosting provider supports it.

Hm... I'm not talking about scraping data out of my own database or that of somebody else. What I was saying is that web-scraping scripts will typically connect to the database, usually via a framework of some sort, in order to transfer data that is scraped from the web to the database itself.

So FreeBSD > Linux for n00bs like myself? I already have my server set up in a Linux environment, but goddamn it's overwhelming how much there is to learn, not to mention how much there is I still have to learn.


11 minutes ago, r0otctrl said:

Oh, man, there are tons of applications that one can monetize by scraping data off of the web.

The money aspect would probably involve blackmail or fraud of some kind so keep that in mind. If you're not really getting this "product" in a legit way, you'll still have the problem of fencing it. Good luck with your criminal enterprising though.

 

11 minutes ago, r0otctrl said:

So FreeBSD > Linux for n00bs like myself? I already have my server set up in a Linux environment, but goddamn it's overwhelming how much there is to learn, not to mention how much there is I still have to learn.

Linux has the advantage of being able to take an error, throw it into google and possibly find help. (good help no but help, maybe). If you know nothing FreeBSD may be wise to start out with as the amount of time to *really* learn them is about the same. Someone that can just install Ubuntu does not know Linux.

 

Books can help, I've taken jobs I have no idea how to do before for companies and had to cram all day all night to learn something.. that's the life of a sysadmin though. Any time somebody shows up with some new tech they want to use you have to be the expert on how to integrate it and secure it.

"Only proprietary software vendors want proprietary software." - Dexter's Law


16 minutes ago, jde3 said:

The money aspect would probably involve blackmail or fraud of some kind so keep that in mind. If you're not really getting this "product" in a legit way, you'll still have the problem of fencing it. Good luck with your criminal enterprising though.

 

Linux has the advantage of being able to take an error, throw it into google and possibly find help. (good help no but help, maybe). If you know nothing FreeBSD may be wise to start out with as the amount of time to *really* learn them is about the same. Someone that can just install Ubuntu does not know Linux.

 

Books can help, I've taken jobs I have no idea how to do before for companies and had to cram all day all night to learn something.. that's the life of a sysadmin though. Any time somebody shows up with some new tech they want to use you have to be the expert on how to integrate it and secure it.

The money aspect would probably involve blackmail or fraud? Not at all, but I'm not about to tell the entire world about my personal business ideas. That aside, there are countless other applications that are completely legitimate and perfectly legal, which can and are generating huge profits for individuals and companies as we speak.

Lol! Of course installing Linux is a drop in the bucket, if even that.
