This is my first post on my new site, I hope someone finds it helpful!
first thing is to install snapd an a perfectly fine debian 12???
I know I know. If you wanna install certbot another way feel free. Share it with me I’m sure it’ll take up less space. I only did it that way because it’s the certbot official©®™ instructions. That and the I had issues with the other method I tried.
apt install python3-certbot :)
I can really recommend acme.sh if you wanted to try a certbot alternative.
Or a docker image with Nginx Proxy Manager. You get a working reverse proxy, an automatically renewing certbot, easy to use UI, plus a working nginx install that you can use for serving static files, forward proxy etc.
Awesome I’ll look into it for sure!
Another thing you could check out is Caddy, comes with a lot of stuff onboard and has an optional crowdsec module (though I should point out that I never used that module myself so I can’t make guarantees how well it works) https://caddyserver.com/
Excellent thank you! I’ll check this out.
I like docker and traefik, traefik has let’s encrypt built-in.
I’ve got plenty of experience with docker and I’ve heard of traefik but never used it. Thanks, I’m gonna look into it.
Thanks for sharing! TIL about crowdsec
Is it just as secure doing this (with crowdsec) vs hosting on a rented server from a cloud provider?
My site is on a rented server at digital ocean. Some providers do more or less to protect you themselves though. I don’t think digital ocean does much monitoring or protecting, I’ve had servers on there compromised in the past that would have been caught by my current setup. It can’t hurt in any case.
I also run crowdsec on my home setup but I don’t have any open ports at home and never get alerts. I had suricata running and plugged into crowdsec as well so it would handle blocking for both, but suricata never got to get any action with crowdsec blocking malicious activity, so I disabled it to save resources.
I don’t mean about relying on the protection from these providers. I am talking about the inherent increased security of hosting on a server that’s on a different network than your local network.
Oh gotcha. It was late when I replied :p. You absolutely get security with a layer of separation from hosting remotely. I monitor my home network and have a similar setup but I don’t host anything from here. I never get attacked or probed at all compared to my remote server. Just having those open ports makes you a target. Once a few scanners pick up on you hosting content you will absolutely start getting attacked. Another benefit is you don’t have to have any passwords on your remote host, just an ssh key. They can bruteforce all they want, good luck without a zero day. You also keep your personal IP address out of peoples scope by not hosting from the local network.
I used to run much heavier protection on my home network, but after keeping an eye on all the logs and alerts for a while I realized I was just wasting ram and storage space mostly. Sane firewall settings is enough for a typical home, and something like crowdsec is probably overkill.
Now if you are hosting stuff it’s a different story. I would actually harden my local network MORE than I did the remote one due to much more of my personal stuff being on my local network. My remote host being compromised would be a mild hassle at most, It does self backups once a week, and I have my entire site in a private git repo I sync to. It would take a few minutes to throw up another server, if my home stuff got compromised a lot more damage could be done.
Hey,
cool seeing another bearblog in the wild (I also use Hugo + Bear for my blog).
Quick question: Why do you deploy the Hugo dev server and don’t build your page to static HTML?
Just to keep it short. I was debating adding another article continuing this one using nginx for that part. I could add a section to this one though. Or would you use something other than nginx, I’m open to suggestions. I checked yours out, it’s a bit snappier than mine :) . What are you running?
