#dev 2025-02-25
2025-02-25 UTC
grufwub, NaomiAmethyst8, [morganm], rossabaker, sebbu3, jonnybarnes, GuestZero, nemonical and Guest6_ joined the channel
tecaster anyone here self-hosting on a raspberry pi? can it be set up securely enough that i don't have to worry about it compromising the rest of my devices on the home network?
Luther_Gray joined the channel
immibis yes it's just a small Linux PC
immibis well not a PC but acts like one for most purposes as long as you only want to run Linux software
GWG- My biggest Pi issue is the SD card for OS
immibis everything works the same as long as your software is compiled for ARM
nemonical joined the channel
SylvatiCodes i would like to know at least a summary good answer to immibis' question. I am faced with either cloudflare tunnels (great in all aspects except for 100% privacy :shrug:), setting up nginx reverse proxy on self host server (which means opening 80/443?), or (if feasible) small vps with nginx reverse proxy to either self host server or all on a vps (the latter bearing a price tag)
immibis people are afraid of opening ports on their routers even though this doesn't actually weaken security. Security is weakened if something weak is running on that port, not because of the port itself. Blocking all the ports by default is merely a defense-in-depth measure in case you have a server running accidentally.
immibis server software like ssh and nginx is secure enough for all but the most paranoid people. Most webservers on the internet are running them.
SylvatiCodes any veteran thoughts on self hosting greatly appreciated. it just seems so blasé for e.g. 'awesome open source' and others to suggest opening any ports you don't have to on your personal routers
immibis SylvatiCodes: you need an open port to provide a service. Opening the port is just a formality to make sure you really meant to provide the service and you're not doing it by accident because something you thought was only open to the local network was open to the whole Internet by mistake.
SylvatiCodes immibis i get that, totally... but it's your home router and that just makes me think what if it does get exploited and once a hacker gets in they can pivot wherever they like (of course they'd need password or other exploits available)
immibis SylvatiCodes: is your web server exploitable? Don't use an exploitable web server.
immibis Sandboxing it isn't a terrible idea UNLESS you go so far that it stops you being able to run it in the first place ...
immibis if someone finds an exploit in nginx they're not going after YOU first... and that very rarely happens... has it ever happened? Even Heartbleed was read-only access.
immibis (read-only access to any data going through the server, so maybe they could grab your admin password if you had an admin login to the same server)
SylvatiCodes apart from constantly updating the nginx package, and understanding my threat model is probably the same as most people (i.e. more than non tech people think theirs is), what do you suggest if anything?
immibis I suggest just running the damn server
SylvatiCodes hahahaha
SylvatiCodes are you a haxor
SylvatiCodes jk
immibis it's nowhere near as scary as cloudflare wants you to think
SylvatiCodes brb
immibis are you also doing something super secure that you have to be paranoid about? then just run the damn server on a VPS separate from the secure stuff.
GWG- sebbu: I just opted to switch to miniPCs... so I could get more robust storage
immibis also a good option
immibis the mini PC, that is. not so much sshfs.
Luther_Gray joined the channel
immibis Raspberry Pis do have the SD card reliability problem. I know some people choose to boot from NVMe or USB stick instead.
jeremycherfas I'm in the middle of redesigning my site, and after coding up a sidebar and larger footer (which contains some of the things that were all in the sidebar before) decided I really don't like it. So now I'm going to try getting rid of the sidebar entirely and see how I like that. I've a feeling it will make my life a lot simpler.
SylvatiCodes i'm sure you can boot from usb ssd on rpi now, at least with all the main linux distros
SylvatiCodes sidebars are a pita
jeremycherfas Then I'll be able to bug FrESH tonight about light:dark mode :)
jeremycherfas Why do you say that, SylvatiCodes?
immibis a pita to design or to implement?
SylvatiCodes pita to change after implementation... at least it is if you have to work with a couple of devs who think lines of code == good
jeremycherfas To change content? Or to change implementation?
SylvatiCodes i guess if solo then it is easier... i feel i have ptsd from my current job haha
SylvatiCodes change how it is implemented on the page/s... but in your case it will be easier because it's a solo project... don't listen to me, i haven't had the correct caffeine dosage today
jeremycherfas Fair enough. I'm definitely only an amateur dabbler with only myself to please, really.
SylvatiCodes immibis i guess the thing is stuff that needs passwords to go over the wire e.g. nextcloud, irc relay and so on. I'd say i'm over cautious in comparison to the next person... but because I know I know very little, i prefer that stance if that makes sense
SylvatiCodes bear in mind i use different passwords for everything so i guess that point is 99% moot
immibis I have quassel open to the world with just TLS and password protecting it (i.e. the default and the same as 99% of websites) and haven't noticed a problem yet
jeremycherfas I've just discovered that I like writing html and CSS in BBEdit because it is so easy to preview
immibis SylvatiCodes: almost all exploits happen in the application itself, not in an nginx reverse proxy. If you are running a web application you don't trust to be free of exploits you can protect it behind a password or mutual TLS, implemented in nginx, so that people who aren't you can't even get to the application.
SylvatiCodes thank you for this, immibis... i guess i needed to 'hear' it in conversation
immibis if you're hosting static files there's basically no risk from that (and nginx can serve them directly because it has that feature)
SylvatiCodes so e.g. nextcloud self hosted behind nginx rp or pm is secure essentially because it is the nginx that has to be exploited before the nextcloud can be, unless you have weak passwords on nextcloud?
immibis if nginx locks nextcloud behind a password then you can't send any request to nextcloud without using that password (I don't actually know how nextcloud works btw)
thegreekgeek joined the channel
[Joe_Crawford] [jeremycherfas] yes! FrESH is best when folks have a specific itch to scratch!
jeremycherfas Hoping to be there!
CRISPR joined the channel
jeremycherfas Actually, I probably won't be ready to ask a focused question, but I'll still be there.
[KevinMarks] joined the channel
carrvo Teca, immibis, SylvatiCodes we have a page for that! And edits are welcome.
carrvo What is home server?
Loqi A home server is a machine you keep at home to host some of your services https://indieweb.org/home_server
carrvo What is self-hosting?
Loqi self hosting is the practice of running the software for your personal website on hardware under your own physical control, typically on a home server, or sometimes refers to only the aspect of running web applications on a (possibly virtual or shared) server under your control but not necessarily in your home https://indieweb.org/self_hosting
carrvo My experience (as someone with a home server) has been favourable so far with a couple of caveats.
carrvo 2 security notes: make sure to configure the webserver and its apps/content securely; and your router IP is an identifier that you are exposing (if you don't put something like CloudFlare in front). Though this identifier can be exposed with everyday browsing!
bterry, barnaby, [dave] and nemonical joined the channel
thegreekgeek_, thegreekgeek, [lazcorp] and [mattl] joined the channel
sebbu2 and geoffo_ joined the channel
sebbu2 https://csrc.nist.gov/pubs/ir/8475/final I'm sure this will interest a lot of people, but it's probably technical, so I'm posting this here
Loqi Web 3.0 (AKA #web3) is a phrase used to pitch visionary sequels to the popularity of "Web 2.0" to advocate for particular plumbing solutions looking for problems, starting with the "Semantic Web" in the late 2000s, decentralization in the 2010s, and now mostly blockchains & cryptocurrencies; the IndieWeb instead focuses directly on user-centric goals, with technologies only as a means https://indieweb.org/web3