mysteria a day ago

I've hosted at home for years and if you have it properly set up it's not any more risky than using a VPS. I have 443 open on my router and basically all web traffic is routed to a container on my server. The container is on an isolated VLAN and basically runs nginx as an SSL reverse proxy.

The actual web services behind the proxy run in their own containers and with proper isolation and firewall rules the effects of a security compromise are limited. At most an attacker will be able to take over the containers with an exploit (and they could do that with a VPS as well) but they won't be able to access the rest of the network or my secure internal systems.

If I was this guy and wanted to let people connect directly to my vapeserver I would simply host it on another vlan and port forward the HTTP connection. Even if someone manages to take over such an obscure system they're not going to be able to do much.

rovr138 a day ago

Open a port or if their router supports it, assign their device to a DMZ.

Why do you think it’s risky? Maybe we can talk about ways of securing it.

Like any server, it’s as safe as the server software (and its configuration).

GJim 21 hours ago

> What were you doing to get traffic from the open Internet to your webserver at home? I always felt that was a risky proposition,

How times change.

Once nearly every self-respecting IT pro ran servers from their home network. The modern drive to outsource and consolidate the interweb to a handful of big players I find rather odd; perhaps even counterproductive in the long run.

Aachen a day ago

Done it since before I properly knew what I was doing. Haven't had issues. Even though n=1, also now that I'm actually working in IT security, I don't think the risk was ever much bigger than what I could oversee.

The main thing is that, if someone gets onto the server system, then they're in my network and they can do attacks on other devices in that LAN (guest wifis are a nice way to isolate that nowadays; that didn't exist back when I started). Same as when I take my laptop to school for example, then others can reach it. I've had issues with others in school doing attacks because the internet was unencrypted HTTP back then (client-side hashing in JavaScript limited the impact though), but not from anyone who tried to hack into the server. Only automated scans for outdated WordPress, setup files for phpMyAdmin, SSH password guessing... the things they simply try blindly on every IP address. If any of this is successful, you're most likely going to be turned into a spam-sending server or a DDoS zombie; not something with lasting impact once you discover the issue and remove the malware.

Most attackers don't do targeted attacks on your system or network unless you're a commercial entity that presumably can pay a nice ransom, or are a high-profile individual. Attackers aiming for consumers send phishing emails and create phishing advertisements, look for standard password vaults if you run their malware, try using stolen credentials on Steam and hope you've got a payment method stored... the usual old things. Having a server doesn't make any of those attacks easier, and besides, self-hosting is very uncommon. Even if you and I had a similar enough setup at home with a straightforward path to exploitation, it's a few thousand people that self-host in a country with millions of people. It's not worth developing attacks for.

happyhardcore a day ago

VPS with public IPv4, connected to home network over Tailscale and forward the traffic with socat. You'd probably be fine opening a port directly but a small VPS is free most places so might as well make the most of it.

  • sunsetonsaturn a day ago

    Could you elaborate more on the "a small VPS is free"? Except Oracle's free tier offer, I am not aware of others; I'd appreciate it if you could point me in the right direction.

    • happyhardcore 16 hours ago

      For this I used GCP free tier -- not sure why everyone acts like Oracle are the only free tier around when GCP and AWS offer always-free tiers too. It's just running socat to forward to the vape over Tailscale. Is there something I'm missing?

      • danillonunes 2 hours ago

        GCP outbound data is limited to 1GB/mo and I believe by default it doesn't have any cap; it will just charge for additional traffic with the credit card you are required to enter in order to get a free tier account. So I would be careful publishing anything with it.

    • ruperthair 18 hours ago

      I'm not sure where to go for the free VPS, other than Oracle Cloud, as you mention, but a Cloudflare tunnel will get traffic into your LAN even behind CGNAT or other nonsense.

ornornor a day ago

You can put the public facing stuff on a separate VLAN and have firewall rules that don’t give the VLAN access to LAN stuff. I only know how to do this with IPv4 though, IPv6 confuses me and I’m scared to get it wrong so I disabled it.
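Both mysteria's setup (port 443 forwarded to a reverse proxy on an isolated VLAN) and the "separate VLAN with firewall rules that don't give it LAN access" idea above come down to one forward-chain policy on the router. The nftables ruleset below is an added example, not from any commenter; it assumes a Linux router with interfaces eth0 (WAN), br-lan (trusted LAN) and br-dmz (proxy VLAN), constructed addresses from the 192.168.x and 2001:db8:: documentation ranges, and a proxy host at .10/::10. It covers IPv6 as well as IPv4, since the rules are the same in the inet family and only the NAT part is v4-specific.

```nft
#!/usr/sbin/nft -f
# Assumed layout (constructed for this example, not from the thread):
#   eth0    = WAN uplink
#   br-lan  = trusted home LAN   192.168.1.0/24  and 2001:db8:1::/64
#   br-dmz  = isolated proxy VLAN 192.168.10.0/24 and 2001:db8:10::/64
#   proxy   = 192.168.10.10 / 2001:db8:10::10, nginx on TCP 443
# The router's own input chain is out of scope here; this is the
# inter-VLAN forwarding policy only.
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-accepted flows, in either direction
        ct state established,related accept
        ct state invalid drop

        # Internet may open connections only to the proxy, only on 443 (v4 and v6)
        iifname "eth0" oifname "br-dmz" ip  daddr 192.168.10.10   tcp dport 443 ct state new accept
        iifname "eth0" oifname "br-dmz" ip6 daddr 2001:db8:10::10 tcp dport 443 ct state new accept

        # Trusted LAN may reach the DMZ (admin/SSH) and the internet
        iifname "br-lan" oifname { "br-dmz", "eth0" } accept

        # DMZ may reach the internet (updates, ACME) but never the LAN.
        # The chain policy already drops DMZ->LAN; the last line just logs it
        # so a compromised proxy probing inward shows up in the router log.
        iifname "br-dmz" oifname "eth0" accept
        iifname "br-dmz" oifname "br-lan" log prefix "dmz-to-lan-blocked " drop
    }
}

# IPv4 needs DNAT of the public port 443 to the proxy; IPv6 is routed
# directly (the proxy has a global address), so the filter rule above suffices.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "eth0" tcp dport 443 dnat to 192.168.10.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f` and confirm from a DMZ host that a connection to a LAN address is refused while `apt`/ACME traffic still works; the `dmz-to-lan-blocked` prefix in the kernel log is the check that the isolation is actually doing something.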

koolala a day ago

People might hack your toaster and burn your house down? Smart ovens? Smart microwaves? Smart fires?