I’ve wanted to do this for a long time. My current ADHD hyperfixation is NodeBB, but I think my questions fit most anything that you want to be available to the general public and not just yourself and your friends.

Basically, I want to host a NodeBB instance intended for the general public out of my house. What are the risks of doing this? In particular, what are the risks of doling out a web address that points to my personal IP address? Is this even a good idea? Or should I just rent a VPS? This is 80% me wanting to improve my sysadmin skills, and 20% me wanting to create a community.

I have a DMZ in place. Hosts in the DMZ cannot reach the LAN, but LAN hosts can reach the DMZ. If necessary, I can make sure DMZ hosts can’t communicate with each other.

I have synchronous 1 Gb fiber internet. Based on the user traffic of similar forums, I don’t anticipate a crush of people.

I know the basics of how to set up a NodeBB instance, and I’ve successfully backed up and restored an instance on another machine.

I’m not 100% on things like HTTPS certs. I can paste a certbot command from a tutorial, that’s it.

Anything else I should know? Thanks!

EDIT:

I also have a domain, a couple of them, actually. They’re like potato chips; you can’t stop at just one.

I don’t plan on self-hosting email used for forum registration and announcements. I’m not a masochist.

  • rumba@lemmy.zip
    2 days ago

    The DMZ is the right idea. But it’s the old way. You definitely want whatever is serving your website to be separated out from your house. Your hosting should be on an isolated VLAN. The internet should only be able to talk to the server it needs to talk to, no other ports. That box should only be allowed to talk to what it absolutely must talk to and only on the ports that are required. You should run an independent firewall on each one of the boxes that are involved in the hosting with only the proper ports open.

    Giving up your private IP will definitely give away your general location to everyone and your precise location to the authorities.

    I would highly recommend using Cloudflare or one of the other funnel options. A lot of people don’t like Cloudflare because they can capitalize on your traffic. Cloudflare also just won’t shut you down and sell you out like your ISP will at the first request. They don’t do shit about anything until there’s a warrant or a court filing. On the upside you don’t give out your private IP to anyone. You have DDoS protection, and a reasonable layer of anonymity.

    You need to check daily to make sure all of your software is updated. We’re talking OS, middleware, plugins, application. Preferably via automation. All of the software and plugins you use for this type of hosting end up getting vulnerabilities.

    Security is especially difficult on forums. There’s lots of opportunities there for skilled people who are pissed off at what you or someone else is saying to get butthurt. People know exactly what you’re running, then they do some magic behind the scenes, and next thing you know there’s a bunch of admins you didn’t create.

    You don’t need to be hosting your own email, but you are going to need an SMTP provider; most free services won’t let you masquerade the from address.
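
An added example, not part of the thread and not the commenter's own configuration: a host firewall for the forum box that applies the comment's advice of default-deny in both directions, written as an nftables ruleset. The admin address 192.0.2.10, a reverse proxy on ports 80/443 with NodeBB and its database on the same host, and the outbound port list are all assumptions to adjust.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Loading this replaces every existing rule on the host,
# including rules that container runtimes add on their own.
flush ruleset

# Assumption: the one LAN machine allowed to administer this box over SSH.
define ADMIN_HOST = 192.0.2.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # The only service the internet may reach: the reverse proxy.
        tcp dport { 80, 443 } accept

        # SSH from the admin host only. The NodeBB app port and the database
        # stay bound to localhost and are never opened here.
        ip saddr $ADMIN_HOST tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        udp dport { 53, 123 } accept     # DNS and NTP
        tcp dport 53 accept              # DNS over TCP
        tcp dport { 80, 443 } accept     # OS/package updates, ACME renewals
        tcp dport 587 accept             # submission to the external SMTP provider

        # Anything else leaving the box is unexpected: log it (rate limited)
        # before the drop policy applies, so it can be reviewed or alerted on.
        limit rate 10/minute log prefix "nft-out-drop: "
    }
}
```

Validate the file with `nft -c -f <file>` before loading it, and keep console access available in case the SSH rule does not match your admin machine.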

      • rumba@lemmy.zip
        23 hours ago

        You get some coverage for free, but if you’re really getting slammed and wish to stay up, they’re not going to do everything for free. I believe the “click here to prove you’re not a butt” is gratis.