How I Built This

How I Built This

Learning the ropes the hard way. Let’s blog about it and get some insight on how this place works.
Lego Star Wars cut scene when Luke and Obi-wan first approach the Millennium Falcon, where Luke exclaims 'What a piece of junk!'

I’m by no means a web developer, and this was an excuse to get out of studying for a certificate, yard work, etc. There’s plenty of other things I should be doing but here I am.

Here’s how I have things setup as of now, in the dismal year (at least for me) of 2022. Let’s start off with a network diagram.

A flowchart diagram of the current setup of how this site was built. Your browser connects to the internet, which then goes through Cloudflare's services, which then takes an encrypted tunnel through a Cloudflare Tunnel to a virtual server hosting this website.

Let’s go over what’s going on here. As of this writing, I’m hosting this site on a Turnkey Linux LXC on my Proxmox server. On that container, there’s obviously WordPress and a service from Cloudflare called cloudflared. With a little setup magic, cloudflared sets up an encrypted tunnel to Cloudflare’s services to distribute out the webpage you’re reading. Cloudflare’s services go out to the internet, which then ends up in your web browser whenever you go to this site. Notice that I didn’t mention any other networking items, especially regarding how my lab is set up; Cloudflare’s tunnel takes care of all of that as long as the appliance hosting whatever application you tell cloudflared to publish can connect to the internet. It’s almost as if this WordPress box was sitting in Cloudflare’s datacenters, to some extent.

So let’s go over my choices when I was contemplating rolling this out. I could have paid a premium hosting provider to manage my domain, DNS, security, and hosting needs, but I was certainly looking for more of a learning experience and challenge. To the other extreme, I could self-host and self-manage. The latter is what I personally opted-in for a few reasons…

  1. I wanted to learn more about Cloudflare’s services and how DNS works
  2. I wanted to learn more about WordPress
  3. I wanted to have ultimate control over my site and what services it could potentially deploy
  4. I’m cheap, who want’s to pay $20/month for a handful of static sites?

Now there are some caveats to self-hosting. One of the many concerns that one of my peers brought up was that the IPs handed out to residential customers are typically dynamic. Mine is actually one of those, but only if I ask for a new IP, a serious outage occurs, change my modem, or the MAC address on my router/firewall changes. That’s easily circumvented by subscribing to a Dynamic DNS service, or you can use Cloudflare tunnels.

Another concern brought up was that since I’m self-hosting, my public IP to my home would be published to this site. Given you know a site’s public IP, you know the user’s ISP and their general location. Add in a bit more OSINT, you’ll basically know who somebody is and where they live. This is a big no-no for opsec reasons, and let’s just say consumer routers are not the best firewalls. I’m only allocated one IP from my ISP, not a block like some business customers have. One option would be to set up a proxy, but that’s another server I would have to spin up elsewhere and another cost to a dumb site. Cloudflare tunnels to the rescue again. As stated previously, that encrypted tunnel essentially makes my website service show up as if it were in Cloudflare’s network. Snazzy.

Here’s the final concern, and the biggest one that plagued me: my ISP. My ISP has been known to downright block inbound requests for people who self-host at their network level just on a whim. Anecdotally, some ISPs have a team scanning their customers typical service ports looking to see if things come up. They’re looking for web servers, ftp servers, DNS, email, etc. Sure, they’ll let you get away with some things but as soon as they see you hosting a site that looks like something that a business would run, but on a residential service account… *gasp* PULL THE FIRE ALARM AND BLOCK THAT PORT! I can see the security concerns of letting this happen, but dangit I’m paying for access to the internet and I’m not going to let them nanny me. Ahem mucho amor a mi amigos at my ISP 💘. Once again, Cloudflare’s tunnel was the answer to that.

A looping animation of neon hexagons twisting and zooming into frame.
Tunnels are kinda like this

My choice of OS mostly handles all the updates to this site/service automagically, which is the magic of Turnkey Linux. It already has some cron jobs running to keep WordPress and its plugins up-to-date, though some manual intervention is still necessary for larger feature updates in case if things break. I still have some fiddling around to do with that.

This is how things are working out so far. Site’s live and stuff. Dunno what the heck else I’m going to do with this. Off in to the void you go.

WordPress Appliance - Powered by TurnKey Linux