I work in tech and am constantly finding solutions to problems, often on other people’s tech blogs, that I think “I should write that down somewhere” and, well, I want to actually start doing that, but I don’t want to pay someone else to host it.

I have a Synology NAS, a sweet domain name, and familiarity with both Docker and Cloudflare tunnels. Would I be opening myself up to a world of hurt if I hosted a publicly available website on my NAS using [insert simple blogging platform], in a Docker container and behind some sort of Cloudflare protection?

In theory that’s enough levels of protection and isolation but I don’t know enough about it to not be paranoid about everything getting popped and providing access to the wider NAS as a whole.

Update: Thanks for the replies, everyone, they’ve been really helpful and somewhat reassuring. I think I’m going to have a look at GitHub and Cloudflare’s pages as my first port of call for my needs.

  • Gooey0210@sh.itjust.works
    1 year ago

    Can I ask you to elaborate on this part:

    Assume at all times that the box is toxic waste and that it is an entry point into your network. Leave it isolated. No port forwards, you already have tunnels for that. Don’t use it for DNS, don’t use it for DHCP, don’t allow your network users or devices to see ARP traffic from it.

    I used to have a separate box, but the only thing it did was port forwarding.

    Specifically, I don’t really understand the topology of this setup, and how do I set it up?

    • linearchaos@lemmy.world
      1 year ago

      You need to have a rather capable router / firewall combo.

      You could pick up a Ubiquiti USG, or set up something with an ISP router and a pfSense firewall.

      You need to have separate networks in your house. And the ability to set firewall rules between the networks.

      The network that contains the hosting box needs to have absolutely no access to anything else in your house except its route out to the internet. Don’t have it go to your router for DHCP; set it up statically. Don’t have it go to your router for DNS; choose an external source.

      The firewall rules for that network are allow outbound internet with return traffic, allow SSH and maybe VNC from your home network, then deny all.

      The idea is that you assume the box is capable of getting infected. So you just make sure that the box can live safely in your network even if it is compromised.
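
The rule order described in the comment above (outbound internet with return traffic, SSH and maybe VNC from the home network, then deny all), written out as an nftables ruleset for a Linux router. This is an added example, not part of the thread and not a USG or pfSense configuration; the interface names `wan0`, `lan0` and `dmz0` and the table names are assumptions, and the ARP separation comes from putting the hosting box on its own VLAN or segment, which these rules presuppose.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces on the router:
#   wan0 = uplink to the ISP
#   lan0 = home network
#   dmz0 = isolated network holding only the hosting box (own VLAN/segment,
#          static addressing, external DNS resolver configured on the box)
define WAN = "wan0"
define LAN = "lan0"
define DMZ = "dmz0"

table inet dmz_isolation {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # The hosting box gets no service from the router itself:
        # no DHCP, no DNS, no admin interface.
        iifname $DMZ drop
        iifname $LAN accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for flows that were allowed when they started.
        ct state established,related accept
        ct state invalid drop

        # Hosting network -> internet only (carries the outbound tunnel).
        iifname $DMZ oifname $WAN accept

        # Home network -> hosting box: SSH (22), optionally VNC (5900).
        iifname $LAN oifname $DMZ tcp dport { 22, 5900 } accept

        # Home network -> internet as usual.
        iifname $LAN oifname $WAN accept

        # Deny all: log new connections the hosting box tries to open
        # toward the home network, then drop them.
        iifname $DMZ log prefix "dmz-blocked: " drop
    }
}

table ip dmz_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Entries with the `dmz-blocked:` prefix in the kernel log are worth alerting on, since a healthy hosting box has no reason to open connections toward the home network.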

      • Gooey0210@sh.itjust.works
        1 year ago

        (I just noticed I replied to another comment of yours, but still to you 😬)

        Now I’m a little bit confused, what does it do then?

        If the box doesn’t have access to anything on the network, how would it do anything?

        • linearchaos@lemmy.world
          1 year ago

          The box you’re hosting on only needs internet access to connect the tunnel. Cloudflare terminates that SSL connection right in a piece of software on your web server.

    • chiisana@lemmy.chiisana.net
      1 year ago

      Cloudflare tunnel is a thin client that runs on your machine to Cloudflare; when there’s a request from outside to Cloudflare, it relays it via the established tunnel to the machine. As such, your machine only needs outbound internet access (to Cloudflare servers) and has no need for inbound access (i.e. port forwarding).

      • Gooey0210@sh.itjust.works
        1 year ago

        Thank you for your reply, but I actually was asking about the network stuff 😅

        I used to use Cloudflare tunnels for many years, now I’m a bit too tin foiled to use any Cloudflare 😅

        • chiisana@lemmy.chiisana.net
          1 year ago

          Ah, sorry, I went down the wrong rabbit hole.

          I’d imagine an isolated VLAN should be a sufficiently good starting point to prevent anyone from stumbling on to it locally, as well as any potential external intruder stumbling out of it?