How can I securely and safely run a self-hosted website from my home office you may ask? In a word, curiosity.
The Pi serving this page has no original data, only copies. So there isn’t a concern with data loss. The first line of defense is a strong password, done. Second is a strong firewall and no unnecessary ports opened, done & done. Next use secure connections, note you are on HTTPs, just like shopping or banking online.
Securing the Lan is on me. I’ve enlisted one of the web’s bigger players, Cloudflare with their zero trust account, to create a secure encrypted tunnel from my Lan to their servers. They also provide the secure connection between your browser and their servers before putting you into my secure tunnel.
I’m less than a gnat on the behind of the elephant that Cloudflare is. I’m hiding in their shadow while they keep the internet safer. The Pi shop holds no secrets and is an underpowered computer well suited to small time serving needs. I doubt I am of much interest to nefarious players and have little to lose, at worst reformat and rebuild the Pi.
Part of the zero trust account is that Cloudflare takes care of the malicious traffic. Supposedly only legitimate web requests get sent to my server, time will tell.
In order to create a zero trust account with Cloudflare requires having a domain name. A website was not on my radar when I started my Picture Pi project but became easily possible with the groundwork already laid.
As I built out the Pi shop I realized accessing it from the wider web would be more than cool, it would be helpful. How can you use a private cloud if you can’t get to it when out and about?
Your ISP has provided you with a public IP address for your home Lan/router. Unlike the phone company or the post office, who don’t change your number or address, your ISP does change your public IP address periodically, unless you pay extra to have it not change.
What address or phone number would you give out if it changed once a year? That has been the problem trying to access self-hosted services from the internet; here today, gone tomorrow, because the address changed.
One of the earlier ways to get around this change of address was through the use of a third party who would listen to a periodic ping from your system, when it noticed the Dynamic IP address changed it would update it’s records to the new address. This way it could route traffic intended to your network correctly. Duck DNS is one provider for this type of access. I didn’t start there.
I started with Tailsscale. This is a node based architecture requiring a small piece of software be installed all the computers or smart devices you want to connect with, up to 1000 of them per user. And you can add two friends, all for free, after you create a Tailscale account.
Tailscale uses that installed app to create secure encrypted tunnels, but these are node to node (device to device). I’m using this as a secondary access for my Pi shop services now, relying on Cloudflare for primary access.
If I encounter problems I can always lock things down, page by page, the entire site, the entire tunnel or a combination of each of those means. My preference is to leave the website open as it is, while keeping the rest of the Pi shop locked down for my use. I’ll see where usage leads.
Leave a Reply