Secure Hosting at Home

A website to prove the viability of securely hosting a website at home, specifically tested on Starlink.

Website

Hosting

This is on a home computer running Linux with nginx.

Static IP?

The internet service provider (ISP) doesn't supply a static IP. The method used below to get around the router and firewall also provides a static IP, namely the VPS's.

Bypassing the Router and Network Firewall

The way around all the restrictions caused by the ISP is to use an inexpensive virtual private server (VPS) and an SSH tunnel that forwards ports from the VPS to the local machine. The VPS does not host a reverse proxy or cache, so this website's availability equals that of the local connection, or worse if the VPS is down or the connection is interrupted for any other reason. On the positive side, this method keeps encrypted data encrypted all the way through the VPS (TLS is terminated on the home machine, not on the VPS), which matters for security if you do not trust the VPS provider.

Why host at home?

It may seem unnecessary to host at home, especially when you are paying for a VPS anyway. For this site that would be true, but CPU-heavy, memory-heavy, storage-hungry or high-security applications either become very expensive to host with an outside provider or may not be an option at all. The VPS is only used to pass data between the website and the client. If that data is encrypted, the VPS has no ability to read it in this setup, unlike a reverse proxy. Also, a simple port-forwarding solution or reverse proxy would require a static IP on the local machine, which most consumer ISPs do not provide.

Network data

speedtest-cli runs as part of a script. The tests run at random times and can be affected by other usage on the local network. The tests run over a virtual private network (VPN), and my ISP is Starlink. This project began by testing Starlink specifically but has grown, since the findings apply to most consumer internet connections. There is also a ping test and a log of when the website is live. Note that using a VPN increases the overall security of the setup by preventing the ISP from knowing that you are hosting anything at all, and the VPS provider from knowing your ISP, but it reduces speed and increases ping accordingly.

Tor

Hosting as an onion service is the most secure option and the easiest to do from home, but it has major drawbacks: slow speed, and the need for onion routing support, which has to be added specifically to every device you want to connect from. You can access this site over Tor here.


Network Statistics

Data may be delayed if you visit the site often; my browser seems to be caching the include files. You can view them directly: Speedtest, Pingtest, and Website Live.

Speed

Ping (Starlink satellite, over VPN)

Website Live


How to Reproduce

Not unique

This method works for just about any network that is plagued by restrictions, and it is a common tool for proxying websites into China so residents can easily access them, without having to host the data in China.

A VPS

A VPS is a "Virtual Private Server". It's a server that you have full access to but that is usually virtual (running on another server). You can rent a VPS from a number of companies; I recommend Luna Node because they accept bitcoin and the lowest-cost VPS is $3.50 per month, and there's no reason to overspend if you only need it to forward data.

You will need an SSH key to automate the tunnel.

You also need to enable gateway ports. To do this run
sudo nano /etc/ssh/sshd_config
then scroll down to the GatewayPorts line, remove the # and replace no with yes so it reads
GatewayPorts yes
then run
sudo service sshd restart
to load the new settings. You may also want to add
PasswordAuthentication no
to the bottom to prevent passwords from being used at all to log in over SSH.

This is all you need to do with the VPS. I would recommend securing it with UFW and fail2ban, just in case.
sudo apt install ufw fail2ban
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow www
sudo ufw allow https
sudo ufw enable
Port 443 is opened as well because the tunnel below forwards it too, and SSH must be allowed before the firewall is enabled or you will lock yourself out of the VPS.
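An added helper for the sshd_config step above (example code, not from the original page): it makes the GatewayPorts and PasswordAuthentication edits idempotently, adds client keepalives so the VPS drops dead sessions, and validates the file before restarting sshd. It assumes Debian/Ubuntu with GNU sed, run as root on the VPS; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: apply the sshd_config edits
# the text describes and check them before sshd is restarted, so a typo
# cannot lock you out. Assumes Debian/Ubuntu, GNU sed, run as root.

# set_sshd_option FILE KEY VALUE: rewrite every "KEY ..." line, commented
# out or not, to "KEY VALUE"; append the directive if no such line exists.
set_sshd_option() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# count_option FILE KEY: number of active (uncommented) KEY lines; more than
# one means sshd uses the first and silently ignores the rest.
count_option() {
  grep -Ec "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# effective_value KEY: the value sshd will really use. "sshd -T" resolves
# Include'd files such as /etc/ssh/sshd_config.d/*.conf, where cloud images
# often set PasswordAuthentication yes ahead of the main file.
effective_value() {
  sshd -T 2>/dev/null | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '$1 == k { print $2 }'
}

harden_vps_sshd() {
  cfg=/etc/ssh/sshd_config
  cp "$cfg" "$cfg.bak.$(date +%s)"                    # rollback copy
  set_sshd_option "$cfg" GatewayPorts yes             # -R binds listen publicly
  set_sshd_option "$cfg" PasswordAuthentication no    # key-only logins
  # Close sessions whose client vanished; once the dead session is gone the
  # forwarded ports are released without rebooting the VPS.
  set_sshd_option "$cfg" ClientAliveInterval 15
  set_sshd_option "$cfg" ClientAliveCountMax 3
  sshd -t || { echo "sshd_config invalid, not restarting" >&2; return 1; }
  systemctl restart ssh 2>/dev/null || service sshd restart
  [ "$(effective_value PasswordAuthentication)" = no ] || {
    echo "PasswordAuthentication still on; check /etc/ssh/sshd_config.d" >&2; return 1; }
}

if [ "${1:-}" = apply ]; then harden_vps_sshd; fi
```

Run it as "sh harden-sshd.sh apply" on the VPS; keep a second SSH session open until the new settings have been confirmed.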

Create the tunnel

From your home system running a Debian or Ubuntu based Linux distribution:
sudo apt install autossh
autossh -f -N -i /path/to/your/ssh/key -o "ServerAliveInterval 20" -o "ServerAliveCountMax 3" user@[VPS IP ADDRESS] -R 80:localhost:80 -R 443:localhost:443
Note that OpenSSH only lets a remote forward (-R) bind a privileged port (below 1024, so 80 and 443 here) when the user you log in as on the VPS is root; with another user you would have to forward to unprivileged ports and redirect them on the VPS.

You can make this command run automatically at boot by adding it to your crontab:
sudo crontab -e
I choose nano as my editor.
At the bottom add:
@reboot autossh -f -N -i /path/to/your/ssh/key -o "ServerAliveInterval 5" -o "ServerAliveCountMax 3" user@[VPS IP ADDRESS] -R 80:localhost:80 -R 443:localhost:443

You can add or remove ports with "-R 9999:localhost:9999" at the end, replacing "9999" with the desired port.

Maintaining the tunnel

Unfortunately autossh seems to miss one failure mode, and a good fix hasn't been found yet. I've written a script that reboots the VPS if the website is down but the internet is up. This works around what seems to be the VPS keeping the forwarded ports reserved after autossh disconnects unexpectedly. Use this script or make a better one.
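A worked version of that check, as an added example rather than the author's script: it separates "home link down" from "internet up but the site is unreachable through the VPS" and only repairs in the second case, first by restarting the local autossh and then, as the text does, by rebooting the VPS. VPS_HOST, VPS_USER and SSH_KEY are placeholders I introduced; the autossh line is the one from "Create the tunnel".

```shell
#!/bin/sh
# Added example, not the author's script. VPS_HOST, VPS_USER and SSH_KEY
# are placeholders (not from the page); override them in the environment.
VPS_HOST=${VPS_HOST:-203.0.113.10}            # documentation address, replace
VPS_USER=${VPS_USER:-root}                    # -R to ports below 1024 needs root
SSH_KEY=${SSH_KEY:-/path/to/your/ssh/key}

# internet_up: reach any of several unrelated hosts, so one outage elsewhere
# is not mistaken for a local link failure.
internet_up() {
  for h in https://1.1.1.1/ https://9.9.9.9/ https://8.8.8.8/; do
    curl -fsS --max-time 5 -o /dev/null "$h" && return 0
  done
  return 1
}
# site_up: does the VPS answer on the forwarded port with a non-error status?
site_up() { curl -fsS --max-time 10 -o /dev/null "http://$VPS_HOST/"; }

# classify INTERNET SITE -> ok | offline | tunnel_down
# Pure decision logic, kept separate so it can be tested without a network.
classify() {
  if [ "$2" = 1 ]; then echo ok
  elif [ "$1" = 0 ]; then echo offline
  else echo tunnel_down
  fi
}

# repair: restart the local autossh first; if the site is still unreachable
# the VPS is probably holding the stale forwarded ports, so reboot it as the
# text does (use "sudo reboot" if VPS_USER is not root).
repair() {
  pkill -x autossh 2>/dev/null
  autossh -f -N -i "$SSH_KEY" -o "ServerAliveInterval 20" -o "ServerAliveCountMax 3" \
    "$VPS_USER@$VPS_HOST" -R 80:localhost:80 -R 443:localhost:443
  sleep 15
  site_up && return 0
  ssh -i "$SSH_KEY" -o BatchMode=yes "$VPS_USER@$VPS_HOST" reboot
}

main() {
  i=0; s=0
  internet_up && i=1
  site_up && s=1
  state=$(classify "$i" "$s")
  logger -t tunnel-check "state=$state" 2>/dev/null   # visible in the syslog/journal
  [ "$state" = tunnel_down ] && repair
  return 0
}

if [ "${1:-}" = check ]; then main; fi
```

Run it every few minutes from the home machine's crontab, e.g. "*/5 * * * * /path/to/tunnel-check.sh check", and grep the log for state=tunnel_down to see how often the failure actually happens.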

A simple website

You can install nginx with
sudo apt install nginx
on your home system. Once it is installed, you should see the default nginx starter page when you visit the IP address of your VPS, because the request is passed through the SSH tunnel to your home machine. You can create your own simple HTML website by adding or editing the files in /var/www/html, or use this setup for any other hosting needs you might have. This how-to was not meant to cover how to host a website, or how to do so securely, so please do your own research! Hopefully this can be added to later.