Regarding security: you might want to have a look at cloudflared. This is a (free for small projects) service by Cloudflare where your server (Raspberry Pi) connects to cloudflare, and all HTTP traffic is proxied through Cloudflare. This has multiple advantages:

- you don't need to open a port on your router that forwards to your Pi, which is good for security and simplicity (some routers don't even have this option)

- you get all the cloudflare protection with the click of a button, including HTTPS with automatic Cloudflare certificates, DDoS protection, etc

- you don't need DynDNS to point to your dynamically changing IP

I think people self-host with their ISP to get away from centralized choke-points such as Cloudflare. Unless you're fine with having Cloudflare have yet-another-datapoint.

Your home web server can establish a VPN connection to the public IP of your VPS, meaning you still don't need to worry about dynamic addresses changing or opening ports on your router. This is essentially what a Cloudflare tunnel is.

Granted a VPS isn't usually free. But some places like Oracle Cloud do offer free-tier compute, as well as fly.io.

http://dusted.dk/pages/aWayOut/

So with your statement, "I still don't want to trust a VPS provider", is this more about having your secrets or file contents leaked? Because even in your design, if the VM is compromised, then so are your users. At some level you still have to trust that the provider isn't malicious or vulnerable.

If my VPS is broken, I don't lose any secrets, and it does not permit any additional access into my LAN or VPN.

For plain HTTP, of course all traffic would be easily intercepted and readable. For HTTPS, I guess an attacker might compromise the software and IP tables configuration on the VPS and run a MITM attack to decrypt it.

So yes, I am putting a bit of trust on the VPS, for my specific use-case, the most sensitive information they'd be able to access if they went through the trouble of decrypting HTTPS, was getting access to my music-player :)

I am thinking though, that at that point.. well, even if I hosted at home on my own ISP directly, I still need to put that same amount of trust on my ISP, since they could MITM me as well I think.

I would still consider it very nice of them to offer this free service that let's you break free from your dynamic IP, crappy router and at the same time giving you protection that you couldn't set up yourself.

I think many people just want to be able to make their device available from the internet - this type of liberty is not really important for many people.

I've had a previous RPI SD card get corrupted this way and I've been hesitant to do anything useful with home-hosting on one since I had that problem.

Corruption has always been an issue with using standard SD cards as a boot system. It's just something these cards were never meant to do. I run multiple Pis at home, one of them as a scraper/site hosting/MariaDB/Wireguard. Power outages would almost always corrupt the file system, and a few times, damage the SD card. Once I switched to high endurance cards, I haven't had a problem.

Sorry I don’t know that I’m being helpful here. I had the same issue and just ended up with an ups - but I also ended up plugging my networking rack into it (router, cable modem, switch, nas) as well. We’ve only had one real outage since I set this up, but it kept my network alive for 90 minutes or so and then the power came back up.

There are some gotchas - everything you write after that goes to a tmpfs. Meaning it starts cutting into your available RAM. So this overlay is only really useful if you are using the high-memory variants like the 4GB/8GB RPI4. With the 1GB Pi variants, this gets painful.

Alternatively, You could setup a cron job to reboot every night thus clearing the tmpfs.

Do remember to disable the overlay (and make /boot rw) every few weeks to apply updates.

Also test your backups.

1: https://forums.raspberrypi.com/viewtopic.php?f=63&t=253104&p...

You aren't tied to Cloudflare in the sense that there are other CDN services to choose from, each with their own pros and cons. With the servers on your own infrastructure you can choose the provider you like and easily switch between them. I also have ports forwarded for services that I don't want to proxy.

( Your ISP should give you at least a /56 : https://www.ripe.net/publications/docs/ripe-690 )

Even funnier that you think you'd even be accessible if you put your website on IPv6 only

I guess this depends a LOT your ISP, and especially the router they gave you, how much IPv6-only friendly are they ?

Yes, you can buy your own router, but this come with even more complications and potentially negotiations with the ISP.

(And to be extra clear, this question mark indicates a question, albeit a rhetorical one.)

If you’re wiping it and installing Linux it’s like any other server, but if you’re running macOS you’re open to a wider spectrum of vulnerabilities that wouldn’t normally apply (desktop software). Your apps could also have vulnerabilities that expose access to personal credentials, etc (e.g. filesystems, apple id) depending on your setup.

You can insulate yourself a bit with tunnels/proxies to expose specific services (e.g. cloudflare, ngrok).

I had a lot more peace of mind buying an old, cheap computer, raspberry pis, and eventually NUCs.

https://fatcity.it/

One thing you really need is an SSD, though. I use a cheap Kingston, it works great but you must pay attention to the right USB->SATA adapter, picking one that's fully compatible with UAS drivers. For booting directly from the SSD with Ubuntu there is this useful guide:

https://jamesachambers.com/raspberry-pi-4-ubuntu-20-04-usb-m...

Performance wise, this little computer runs mostly like a common VPS, I think on par with a droplet from Digital Ocean, for example. Here some benchmarks:

https://pibenchmarks.com/benchmark/62022/

If you don't want to share your IP, a Cloudflare tunnel is a great alternative:

https://developers.cloudflare.com/cloudflare-one/connections...

Also, another essential tool is Tailscale, with it I can access my home server from basically everywhere just like a LAN connected device: https://tailscale.com/

PS: You can also do your own tunnelling with OSS alternatives, if you have enough patience/time.

Anyway, feel free to ask anything.

- Jellyfin - Media Server for all my tv, music, and movies

- Nextcloud

- Photoprism - Picture Manager

- Yacy - Private Search. I run this in 'robinson mode' and basically use it to replace all my bookmarks

- Homeassisant

- Frigate - Monitors my cameras and does object recognition. I use Coral USB to move detection to hardware

- Snapdrop - AirDrop replacement

- FreshRSS - RSS Server

- Bitwarden - (bitwarden_rs/vaultwarden)

- Imapfilter - Filter/tag/run external software on incoming emails

- Vikunja - Task Manager

- Dolibarr - ERP Manager for side business

- Bookstack - Wiki

- Several Static Websites

- NFS (as a NAS)

Frigate takes the most CPU, even with the Coral, but it is doing object detection on several high-res Remote Cameras. Even with that, my load is < 1.

I run all these in docker (each that needs a DB has its own DB instance too), with nginx-proxy and letsencrypt-nginx-proxy-companion in front of it.

Most of these are internal only (I use the access=internal), and have an always connected wireguard VPN on my mobile devices and laptops. A few are public, but pretty low traffic.

I have a static IP, and am running this on DSL that is 30M/7.5M. My router is a netgear with DD-WRT installed.

Did you consider any alternatives when putting together this setup? Or for others reading, are there similar fanless options to compare?

I also use several raspberry pi for some smaller iot things, but I find it is nice to have one decently powerful server to run a whole bunch of services on.

It also has two external 8Tb drives in software raid0 that I use for my NAS storage.

With this setup, how do you deal with data backups, especially if multiple of your docker instances have databases of their own?

Everything is backed up daily using rdiff-backup.

How do you handle backup?

You don’t seem to me running RAID on the NAS?

A NAS is an abstracted away concept from the OS or FS, so the type of memory isn't broadly relevant.

1. https://louwrentius.com/please-use-zfs-with-ecc-memory.html

Already have an old pc hanging out somewhere? Good - don't buy anything new. Run the HTTP services from there and set up port forwards in your router, and DNS with your domain registrar (or set up cloudflared as other commenters noted). You're done.

Step further, you can go with a RasPi or a similar SBC, but just be aware running with ARM can have its' own challenges.

I'd recommend a cheap x86_64 machine from ebay, such as an HP t730 plus thin client. Native SSD support, higher/upgradeable ram capacity, and better IO would all come together to make a better server machine. The RasPi would win out on a few points (power draw, memory speed), but in this scale it likely wouldn't be noticeable.

Lastly - don't be afraid of cloud services. A GCE/EC2/vultr/hetzner server can get you pretty dang far for just a few bucks a month. Also, this makes it easy to get some exposure to infrastructure provisioning tooling (I prefer Terraform and Terragrunt) and server configuration management tooling (I prefer ansible).

Having a battery specific to your server allows the UPS for your network to last a lot longer.

I use one of the 1500VA class desktop UPSes to run my home network, the largest variety normally sold for use with a 15 amp circult. It's good for about 30 minutes with my server turned on, or three hours just running the router, switch, and WAP.

If I were able to use a laptop as a server I could instead have the big brick doing just the network and then the "server" could get a few hours of runtime on its own.

But only if you don't live in Europe, as old laptops tend to be quite energy inefficient by modern standards, and at the current energy prices, you'll see the difference on the yearly bills, between an old laptop and a new one running 24/7 in your house.

You can get chines barebones with modern quad core 11th gen Intel Celeron chips that sip power for about 150 Euros. The best part is that some are even flanless so they're dead silent and there's no more worrying about cleaning the dust from the fan every few months. Just chuck it somewhere out of sight and you never have to thin about it physically.

Pick some machine in your house. Make it a wireguard client connecting to the vps. Run whatever web server/app you want. Make sure your home router is running something like fq_codel.

Done. You don't need dynamic dns as your home client will just reconnect. Your ISP won't see any ports open because there aren't any. Your SSL certs and all data live in your house, not on the vps. There is nothing to backup at the vps except for yanking some logs.

If you have just one backend server instance, you could also use a DNAT iptables rule instead, which would have the advantage of not hiding the originating IP from the backend. Or am I missing something?

Regardless, I would host an NGINX proxy in front of some docker containers. It’s the easiest and classic way to front apps with custom domains very very easily. Traefik is also very nice and fast (Go based) reverse proxy.

If it’s purely for personal use, then check Cloudflared to tunnel into your network and access it like a VPN.

Again, if it’s Public be weary of DDOS attacks, port scans, etc. Personally I wouldn’t self-host a public web app from my house and instead would use a 4/mo VPS from Hetzner

It's YOUR internet connection. Who's going to ban you for opening ports and running a server? I've been doing it with comcast for 20+ years.

Maybe not all my server traffic goes through port 80 or 443, but my server is also my torrent seedbox which is high traffic and just another port. WHATEVER.

My server is just a Windows 7 PC in the living room with no monitor, no keyboard, and no mouse. Only connected power and ethernet. I remotely control it with RealVNC and it's extremely stable. The only time it goes down is a power outage because I don't use a UPS.

I use it for a website (nginx/let's encrypt), Jitsi Meet, Mumble, Ventrilo, FTP, proxy (8080), and of course torrents. Not afraid of port scans.

I use a couple of DDNS domains that I give people but I can disable the public one I give to people and change my IP any time I want.

NOT VPN. NOT Cloud. NOT VPS. NOT pay monthly to someone. You can do it all yourself for free and have been able to for decades. Quit being so scared, cell phone generation.

"use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers;"

https://www.xfinity.com/Corporate/Customers/Policies/HighSpe...

Just because you've been getting away with it doesn't mean the risk of having your account suspended isn't real or worth considering.

Why do you think routers have PORT FORWARDING in them? Is that just for fun? Think about it. I can go to ebay and buy Microsoft Windows NT Server 4.0 from 1996 and run whatever DNS or IIS server I want, however outdated it is.

It's absolutely absurd to think you have to pay to host things even though you have all the equipment and bandwidth to do it yourself. I only have 1000/42Mbps but I've got a friend who just got fiber in CA who has 10Gbit both ways. With speeds like that, do you think we're just going to upload Linux ISOs AND not RUN servers on all sixty five thousand ports?

Ha ha ha haooowww

Again, just because you've been getting away with it doesn't mean the risk of having your account suspended isn't real or worth considering.

You're not wrong, but as far as I know there is no human on earth that owns "their own internet connection", everyone's network connects to an upstream network. Every upstream service has rules their customers must abide by.

Unfortunately not everyone may live in a region with multiple internet providers, such that they can switch to a different one if banned.

You pay your internet and electricity, no?

1) internal HDD can be replaced with cheap, big SSD

2) Computer is absolutely silent

3) everything in one package, no mess of cables

4) very reliable

5) very low power usage

MacOS isn't the best OS for running a server, but I'm used to it so I don't mind setting up launch agents instead of systemd units

Much better value and power over a raspi.

- https://www.servethehome.com/introducing-project-tinyminimic...

- https://www.servethehome.com/tag/tinyminimicro/

If you put them into a cupboard, those PSUs take almost as much space as the computer itself.

That being said, if you use the Mac as a server, behind a NAT/Firewall with only some ports open, use up to date server software, and don't use it to surf the web, then the security impact of using an outdated OS is minimal.

You could of course also just install Linux on it.

[1]: https://dortania.github.io/OpenCore-Legacy-Patcher/

I have choosen to treat IPv6 as the default stack as I can point directly to the address from outside without any NAT. A reverse proxy handles all "legacy" IPv4 requests. My IPs do change once in a while, but I have made a little bash script that updates the DNS via my domain registrars API, works like a charm!

I would also put your app behind CloudFlare.

Also- if you are able to afford an intel NUC ($200?), and the app is low resources enough to be able to run on a Pi. You could also consider getting a VPS ($10/month).

[1] Something like https://www.newegg.com/dell-optiplex-7090-business-desktops-... - but older, and found on a local recycling center.

That said, unless you have an ideological reason for hosting it from your own home there are many platforms out there that can comfortably fit most non-critical webapps in their free tier with even less hassle than setting up a pi.

What are "the best" at the moment? (best being whatever metric one feels is relevant for this scope)

Or the other way round, which IMO would not be so serious (ie your already compromised personal computer being used to access your public webserver...)

You could try to isolate your webserver, but would need a dedicated router with specific features to do it (best being able to do VLANs).

Even if you don't get storage with its own power supply, you can use a "Y" USB cable for extra power, provided the same power source is used for the Pi and for the storage. This can have the added benefit of backfeeding power to the Pi, which, again, is fine so long as the power sources are the same.

While my Pi 4 is colocated, it has a Flirc case so it can run all four cores at 100% without ever having thermal issues, and the two USB attached disks are mirrored (raidframe), and it has been 100% stable for many, many months of heavy use.

https://www.hardkernel.com/shop/odroid-h3/

I serve a website for my 3D printers from a Raspberry Pi (some are 3B+, some are Zero-W). It's just for "the set of people in the house who use the 3D printers", so the Pi is fine and obviously a viable candidate.

I have an ESP32 (or it might be an ESP8266 even; I'd have to look) that serves a status page for the boiler and near-boiler temps. That's also in-house only, but even that's on the slow side. https://imgur.com/a/JmeXYnj

What is the load this site is expected to serve? To what visitors? How static/cacheable is it? For me, an RPi goes a long way for anything in-house. Out of the house traffic, I'd look at a cheap VPS pretty early in the journey.

My current setup with two hubs has been working reliably so far, but in spite of it all being USB3 it's still not that fast (about 100MB/s serially top--I'd hope that the 3.25'' disk drives (new 4 TB drives, WD Elements 2620 and Seagate Basic STJL4000400) could do more, but maybe I'm wrong). So for my next tiny servers / appliances, I want to try either of the following instead, which have SATA which should be more reliable and faster:

https://www.pcengines.ch/newshop.php?c=48881

https://www.olimex.com/Products/OLinuXino/Home-Server/LIME2-...

Also, since Pi 4's are unobtainable here (Switzerland) currently: the Tinker Board 2 seems to be a bit faster than the Pi 4, and it has its wifi board as a plug in board, and I have been wondering if that can be replaced with a SATA interface, but haven't investigated.

Edit: seeing achairapart's comment, I realize that going directly from USB to SATA and then attaching disks there might have been a better option.

https://wiki.pine64.org/wiki/ROCKPro64#Booting_from_USB_or_P...

Static IP is most difficult, if you got that, you're good to go... If your website or app is light enough, sure, go with a pi4 or similar, don't put a fan on it, maybe a nice enough heatsink (use real thermal glue, NOT adhesive tape, some of the cheaper stuff actually melts and the block falls off).. Consider a 3 way router, like an edgerouter lite, so you can have a DMZ for the "server" so that if someone decides to visit, they're isolated from your other LAN machines.

I'd say unless your web app is resource-hungry, the Pi is totally viable as an option.

If you want to go with a more traditional x68 any of the many intel n4000/n5000 series systems being sold on aliexpres and similar sizes by no name brands as firewall appliances or network something do support modern m.2/nvme storage.

Just be sure to have a decent backup system in place as consumer grade equipment like the above may fail rather abruptly with little route to recovery.

Edit: you may want to check out Jupiter Broadcasting's Self-Hosted podcast. The show is very much geared towards DIY enthusiasts/small businesses.

If the energy of your server is green and the heat is reused, as some modern datacenters do, the only concern becomes EOL of hardware and how quickly they change it.

Otherwise, yeah, shared cloud vm is always more economic than single hosted hardware of any kind.

Maybe I'm wrong, but I thought AWS' free tier only lasts a year. Then you have to tear everything down and spawn a new account and re-upload and re-configure everything, which is burdensome?

https://docs.aws.amazon.com/whitepapers/latest/how-aws-prici...

Security is a bigger issue IMO though.

My most bomb proof SFF servers are a fit-pc3, still running since 2014, and a lattepanda alpha, which has been running for about 2 years. Of the two, I’d choose a fit-pc3 or whatever the most up to date model from compulab currently is.

1. Having a no break with surge protection: I have my router and Rpi connected to a no-break, so even if the power goes down my site stays up.

2. Configure port forwarding in the router: I forward port 443 to some higher port, so in the Rpi I don't need root for anything.

3. If your traffic is very high consider getting another internet link.

My go to setup plan right now is 3 8 core 16 thread mini pcs because they dont use anywhere near as much power as a full setup and still allow me to run a small kubernetes cluster.

My main reason for the cluster is not because its fancy, but this way i can actually update my services without downtime and the underlying machines too.

As other have mentioned, make use of cloudflare and the different services it provides and you shall have a simple secure setup that can handle a magnitude of loads.

As for the app: the true enemy will be rate limiting for you. But if you decide to take a frontend that is chacheable by cloudflare you should be golden with a queue based setup. Pingdom does that perfectly for instance with their speed tests for websites.

There are a lot of alternative SBCs to the Raspberry that are easier to find these days.

If you plan to use the SDCard make sure you do not write logs to it or that you change it regularly. I recommend that you mount a harddrive/ssd or usb stick for the logs if you really want them.

I know it's point-and-click to run Apache on it. (I personally haven't set it up.) At some point I might try to set up NodeJS to run some blog software I wrote between jobs.

The cost of a Pi would likely also pay for a decent low-end VPS for a years or so.

Find three of said types of places and run kubernetes and you're good, no?

btw. i recently watched a video, in which the creator compares different used smaller formfactor pcs from ebay

* https://www.youtube.com/watch?v=rXc_zGRYhLo

As far as exposing to the net, ngrok seems cool.

Additionally, keeping a laptop shut and running usually messes with its thermal design as the heat can't escape to the top via the keyboard, further heating up the battery.

serve a lightweight static website from RAM or a well-optimized webapp and it will handle a decent amount of traffic

I do

You know that water pipes are in those walls too?