How to Secure a Website at Home
-
A proxy in front make almost no difference from a security perspective.
It will just pass on any malicious request to the webserver.
If you wanted to go that route you would need something that can detect and filter the request. Basically a web application firewall (WAF) in front.
What kind of website is it and who is going to access it?
-
@pete-s said in How to Secure a Website at Home:
A proxy in front make almost no difference from a security perspective.
It helps, but yes, EXTREMELY little.
-
@jaredbusch said in How to Secure a Website at Home:
@hobbit666 said in What Are You Doing Right Now:
Didn't want to start a few thread at the moment,
Always make a new thread. make it way the fuck easier to find this recommendation later.
Only asked in "What your Doing" thread as if people said don't bother no need for a thread lol
-
@pete-s said in How to Secure a Website at Home:
What kind of website is it and who is going to access it?
It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.
I'll only be a few people accessing when working together to diagnose the pcb.
-
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
-
@hobbit666 said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
What kind of website is it and who is going to access it?
It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.
I'll only be a few people accessing when working together to diagnose the pcb.
If you are concerned about security, use a static generator to output WordPress to "not WordPress", or just stop using WordPress. Your security issues are 99% WordPress, 1% everything else. So since you aren't using WP for anything, don't have it deployed.
-
@hobbit666 said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
What kind of website is it and who is going to access it?
It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.
I'll only be a few people accessing when working together to diagnose the pcb.
I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.
Then you don't have to worry about incoming traffic, bandwidth, security of your LAN or anything.
Well, unless you want to do it for fun or learning of course. But then I think you need to go all in.
-
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
-
@stacksofplates said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
You could do that on wordpress directly too I believe.
-
@pete-s said in How to Secure a Website at Home:
@hobbit666 said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
What kind of website is it and who is going to access it?
It's a Wordpress site at the moment, but it's simple going to be static pages showing images and test. Showing repair jobs and meter reading, so everything is in place.
I'll only be a few people accessing when working together to diagnose the pcb.
I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.
Then you don't have to worry about incoming traffic, bandwidth, security of your LAN or anything.
Well, unless you want to do it for fun or learning of course. But then I think you need to go all in.
If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.
-
@scottalanmiller said in How to Secure a Website at Home:
If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.
GitLab Pages is where my poor under populated blog resides.
-
@pete-s said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
You could do that on wordpress directly too I believe.
This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.
-
@stacksofplates said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
You could do that on wordpress directly too I believe.
This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.
True, but you can authenticate directly on apache too - before wordpress is involved. Apache can do both oidc and saml. Nginx can only do oidc afaik.
-
@pete-s said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
@stacksofplates said in How to Secure a Website at Home:
You could just put an API gateway in front. They are usually easier to configure for auth than a reverse proxy.
Krakend is just a json config: https://www.krakend.io/docs/authorization/client-credentials/
Kong has an open source plugin for oidc.
They're both easy to configure. Then you could just limit logins by Google account or whatever through something like Auth0.
You could do that on wordpress directly too I believe.
This blocks you before you even hit that though, so you don't need to worry about vulnerabilities in WordPress. Then just pass the JWT through to WP.
True, but you can authenticate directly on apache too - before wordpress is involved. Apache can do both oidc and saml. Nginx can only do oidc afaik.
Only nginx plus can do oidc. Apache can but it's more difficult which is why I mentioned the gateways. It's much easier to configure auth and things like rate limiting with an API gateway.
-
The reverse proxy aspect only really adds benefit when you need to load balance across multiple services.
-
@jaredbusch said in How to Secure a Website at Home:
@scottalanmiller said in How to Secure a Website at Home:
If he wasn't on WordPress, he could host for FREE with GitLab, CloudFlare or several other free enterprise hosts.
GitLab Pages is where my poor under populated blog resides.
I'll give gitlab a go
-
@pete-s said in How to Secure a Website at Home:
I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.
But that will cost me
this is only to host a few static pages. -
@hobbit666 said in How to Secure a Website at Home:
@pete-s said in How to Secure a Website at Home:
I think it would be easier to just setup a $5/month vultr instance. From what you say, there is no real reason why it has to be hosted at home.
But that will cost me
this is only to host a few static pages.You can do that for free at Gitlab, GitHub, AWS, Azure, GCP, etc...
Why wast time and resources doing it at home?
-
@obsolesce said in How to Secure a Website at Home:
You can do that for free at Gitlab, GitHub, AWS, Azure, GCP, etc...
Why wast time and resources doing it at home?
I tried WordPress free hosting, but to use plugins you have to pay
Never heard of Gitlab before until Jared mentioned it. AWS / Azure wasn't aware of any free teirs after trial periods have finished, but will look closer see what I can find.
-
@hobbit666 said in How to Secure a Website at Home:
@obsolesce said in How to Secure a Website at Home:
You can do that for free at Gitlab, GitHub, AWS, Azure, GCP, etc...
Why wast time and resources doing it at home?
I tried WordPress free hosting, but to use plugins you have to pay
Never heard of Gitlab before until Jared mentioned it. AWS / Azure wasn't aware of any free teirs after trial periods have finished, but will look closer see what I can find.
GCP has an always free tier. GitLab pages and GitHub pages will host static sites for free.
I have my wife's business site on gitlab pages and I have a static site for documentation for an API I wrote on GitHub pages and I have a project I wrote on Vercel. Vercel is by far the most featureful and IMO better than the others. It will host the static sites and server less functions.
They work really well.
