
Guest Questions, I

Jake Thoughts, 09 Jul 2022 16:40:54 -0400

Recently someone left a comment on my website with the following message:

I wonder how your website is setup, not the html but the server side of things like

- os you run
- web server
- those weird .shtml files you have
- do you use ansible or do you manually install it
- is it self hosted or is it a vps
- how are you paying for domains
- and possibly something important I missed?

I know I could check some of these things myself, but there are ways to obfuscate them, for instance whois privacy and nginx mirror/cache. I would love a blog post about this if you don't mind.

I will be glad to answer these!

OS

The OS of the system really doesn't matter but right now this website is on a Debian server. The reason I write that it doesn't matter is because jakesthoughts.xyz went from CentOS -> Arch -> FreeBSD -> Debian and in the future I will probably go to another OS. Once you understand 'leenix' enough you understand it for nearly every distro. The difference at that point becomes 'distro-isms'.

That said, don't use 'bleeding edge' distros because new updates can have bugs that could lead to your stuff getting hacked (poser's word for crack).

Webserver

Jakesthoughts.xyz is proxied from Apache to NGINX.

I do this because Apache does CGI and NGINX does not. If this seems dumb and wasteful then you are correct. I know that NGINX has fcgi but I've had it set up in this way since ... transferring over to Debian and have been meaning to 'fix it' since I set it up. I'll fix this eventually, probably just removing NGINX from the whole mess.

It ended up like this because I badly wanted to use CGI, and when I first started using ganoo/leenix I could not figure out how to get NGINX to do CGI, nor could I figure out how to proxy to Apache. So I just used Apache, which does CGI if you uncomment some CGI modules and specify which file types should run as CGI, among other details I do not recall.

Most people just recommend NGINX. I have no strong preference but will note that Apache has specific features that can be useful.

Weird .shtml files

In my previous section I wrote `which file types should run as CGI'; the .shtml files were those. I no longer do that, because '.shtml' looks ugly. Instead I treat each '.html' page as a CGI script using Server Side Includes, which runs the CGI and then returns its output onto the page.

If the last sentence seemed really dumb then you are correct: there is an 'XBitHack' option which treats '.html' files with the executable bit set as needing CGI/Includes treatment, but I apparently do not use it.

You're not actually supposed to find the .shtml files, I suppose I left links linking to them by accident somewhere.
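
The Apache side of what the last two sections describe, as an added example that is not the site's own configuration: CGI confined to a ScriptAlias directory, Server Side Includes for '.shtml', and XBitHack so that a plain '.html' file marked executable is parsed too. The port, document root and file paths are assumptions; the site's real layout is not on this page.

```apache
# Added example, not jakesthoughts.xyz's real vhost. Assumes Apache listens on
# 127.0.0.1:8080 behind a front proxy and that mod_cgi and mod_include are
# enabled (on Debian: a2enmod cgi include).
<VirtualHost 127.0.0.1:8080>
    ServerName jakesthoughts.xyz
    DocumentRoot /var/www/jakesthoughts

    # CGI programs live only here, outside the document root.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin>
        Options +ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/jakesthoughts>
        # IncludesNOEXEC keeps <!--#include virtual="/cgi-bin/x.cgi" -->
        # working (CGI from a ScriptAliased directory may still be included)
        # but refuses <!--#exec cmd="..." --> and <!--#exec cgi="..." -->,
        # so a writable HTML file cannot be turned into a shell.
        # Use plain 'Includes' only if #exec is genuinely needed.
        Options +IncludesNOEXEC
        AddOutputFilter INCLUDES .shtml
        # Parse '.html' files too, but only those with chmod +x set.
        XBitHack on
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

With this in place, a page such as `index.html` carries a line like `<!--#include virtual="/cgi-bin/visits.cgi" -->` and is marked executable with `chmod +x index.html`; files without the execute bit are served untouched. On Debian the vhost goes in `sites-available/` and is enabled with `a2ensite`, after which `apache2ctl configtest` catches typos before a reload.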

Ansible or manual install

I manually install everything, I haven't experimented with Ansible yet. It really isn't so hard to install everything when you know the software somewhat. The 'hard part', maybe, is when you are unfamiliar with the 'distro-isms'.

Debian, for instance, puts all the modules in their own directory and has 'apache2.conf' load files from 'mods-enabled/', which are just symlinks to something in 'mods-available/'. Every other distro I've used just has an 'httpd.conf' with each unused module commented out. With FreeBSD, if you install a module, the relevant details end up in a module directory and 'httpd.conf' has already been configured to load installed modules from that directory.

Self host or VPS

At the moment it is VPS but I am very strongly considering self-hosting again.

When jakesthoughts.xyz was on Arch, that was actually self-hosted from a Raspberry Pi (again, maybe do not use 'bleeding edge' for services).

Let's do the math:

Raspberry Pi 4 with 4GB of memory
    Tech:
        100% of a CPU that maybe isn't the best
        4GB RAM
        You can have storage size of anything that the RPI will take
        Unlimited bandwidth implied (except maybe what is imposed by an ISP (rip Americans))
        Access to the hardware
        Maybe you have a static IPv4 Address
    Cost:
        One time payment to get the SBC
        Payment for the other things like power supply and SD card
        Electric bill may go up a few dollars
    Fun:
        Can hide at your friends house and use their internet to host your stuff for 'free'

Current VPS that is hosting jakesthoughts.xyz:
    Tech:
        15% of a good CPU
        512MB RAM
        10 GB storage
        Unlimited Bandwidth explicitly mentioned
        Guest machine running alongside many other guest machines
        No hardware access
        Guaranteed static IPv4 Address
    Cost:
        Depends. I pay about 3 dollars a month for what is in 'Tech'. Better tech = more money spent.
    Not Fun:
        VPS provider can take away your VPS for any reason
        Sometimes the VPS node goes down and you have to wait hours for it to go back up
        FBI/your-local-equivalent can raid your VPS provider and force them to give a copy of *everything*

VPSs have a use but using one just to host your website is very much overkill. It is cheaper to just hook up an unused computer to a router and just have that as the server. Plus you probably will have significantly better tech than what a VPS provides.

Maybe the issue most people will have with self-hosting will be related to internet reasons. Not every ISP gives their customers a dedicated IPv4 address and even with IPv6 becoming a thing, some ISPs cannot figure it out - even though they offer it to their customers.

VPS and self-hosting require almost the same level of technical skill. Maybe with a VPS you can ask for tech support, but I've never done that.

If you want to do email then a VPS is probably the way to go, because your own ISP has likely put your IP address on a blacklist and probably will not allow you to change the rDNS for your IP address.

Obviously hosting from your own house can be bad, since if you get 'HackerNews-ed' or whatever, then your home's IP address will be DDoSed by people trying to visit. People might intentionally try to DDoS just for lulz.

This is something you will have to figure out yourself. If you do the self-hosting thing, make sure to put your stuff on a different vlan.

One idea I've considered but am not totally convinced by is having a VPS just reverse proxy what you serve on your home stuff.
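
The reverse-proxy pattern behind both the Apache-behind-NGINX setup from the Webserver section and the VPS-in-front-of-home idea above, as an added example rather than the site's own configuration. The backend port, the tunnel address and the hostnames are assumptions.

```nginx
# Added example, not jakesthoughts.xyz's real config. NGINX owns the public
# port and forwards to Apache on 127.0.0.1:8080 (assumed). For the VPS-fronts-
# home variant, point the upstream at the home box's tunnel address instead,
# e.g. "server 10.8.0.2:8080;" (assumed WireGuard address), and firewall port
# 8080 at home so only the tunnel peer can reach it; the home IP then never
# appears in DNS and the VPS absorbs the traffic spike.
upstream apache_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    listen [::]:80;
    server_name jakesthoughts.xyz;

    location / {
        proxy_pass http://apache_backend;
        # Preserve the original host and client address; without these the
        # backend's access log shows only the proxy's own IP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fail fast on a dead backend instead of tying up proxy workers.
        proxy_connect_timeout 5s;
        proxy_read_timeout 30s;
        # A static site has no reason to accept large request bodies.
        client_max_body_size 1m;
    }
}
```

For the backend to attribute requests to real clients, Apache must trust the forwarded header from the proxy only (on Debian, `a2enmod remoteip` with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 127.0.0.1`); otherwise anyone can spoof the logged address.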

How am I paying for domains

Normally.

Anything important

Whois protection should be offered by your domain registrar, by default, for free. In my opinion, some registrars like GoDaddy will make you pay money for it. GoDaddy, in my opinion, is a dogshit domain registrar who will call you in an attempt to up-sell stuff. In my opinion, do not use GoDaddy, or transfer away from them.

Aside from that, be mindful of the reputations of the services that you must work with: VPS providers, domain registrars, etc. Some of them are run by incompetent people, who have nice epic leaks that spill all your PII for the world to look at.

Some people might think: 'You should NEVER trust a company with your PII!' Well, you never really expect it to happen until it does, then you realize the amount of faith you put in random companies. "Do I really want to sign up with this company using the email address of: 'firstname.lastname.DoB@email.com'?"

I don't use NGINX mirroring or any kind of caching (besides maybe client caching, but I leave that to default settings), my websites do not get visited enough for me to even consider it.

Why dark net?

I put my websites on the 'deep web', so they can be visited via alternative routes, in the event of a DNS failure or I decide it is time to stop paying for my domain name or if ICANN/tld Owner decides to yank a domain from me for vague reasons which are never explained (This has happened to someone I know).

Honestly, a decentralized replacement for DNS needs to come soon.

Consider your tld

I am making a point to never buy another '.xyz' tld because the owner can yank your domain and there is nothing you can do about it. Jakesthoughts.xyz will one day be transferred over to some other domain.

Additionally, some tlds are seen as 'unprofessional' and email deliverability can be a hassle. For example, the '.top' tld is considered suspicious by SpamAssassin, a program that detects spam mail. Some services, like Steam, will not accept a '.top' email domain as your email address. Some firewall programs block the '.xyz' tld entirely, so you can be sure they will block other tlds as well.

Also, some SMS/IM apps will not even display messages that contain a 'bad' tld, like jakesthoughts.xyz.

https://www.spotvirtual.com/blog/the-perils-of-an-xyz-domain/

The Tor project has made a PDF where they list each tld and rank them but I cannot seem to find it at the moment.

OpenNIC

I want to at least touch on OpenNIC: you can get tlds from them for free, but the trade-off is that you need to convince pretty much everyone to use a DNS server that supports OpenNIC tlds. Good luck.

DNS itself

Your domain registrar will probably do DNS for you. You can switch over to a different DNS server, like FreeDNS from Afraid.Org, or even run it yourself (I am not really sure what the purpose of that is besides bragging rights and having to do more maintenance on your stuff).

At first DNS is extremely confusing, but the key details are: A/AAAA records point to your IPv4/IPv6 address respectively. For 90% of use cases that should be sufficient. There is also CNAME, which tells the resolver to look up the name the CNAME points to instead; I sometimes use it for 'wildcard' subdomains.

Don't worry about breaking your DNS, you can always set it to something later, your domain will not cease to exist if you mess something up.
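
The records just described, laid out as a small zone file in BIND syntax. This is an added example, not the site's real zone: the name servers and addresses are constructed (documentation ranges), and only the record types the text names are used.

```zone
; Added example zone for jakesthoughts.xyz; addresses and name servers are
; constructed placeholders, not the site's real values.
$ORIGIN jakesthoughts.xyz.
$TTL 3600
@       IN  SOA   ns1.registrar.example. hostmaster.jakesthoughts.xyz. (
                  2022070901 ; serial, bump on every change (YYYYMMDDnn)
                  7200       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; negative-answer TTL
@       IN  NS    ns1.registrar.example.
@       IN  NS    ns2.registrar.example.

; A/AAAA: the apex resolves straight to the server's addresses.
@       IN  A     203.0.113.10
@       IN  AAAA  2001:db8::10

; CNAME: aliases that follow the apex, so changing the server means
; editing two records, not one per subdomain.
www     IN  CNAME jakesthoughts.xyz.
; Wildcard: any subdomain without an explicit record of its own.
*       IN  CNAME jakesthoughts.xyz.
```

Two things that trip people up: names without a trailing dot are relative to `$ORIGIN`, so `jakesthoughts.xyz` without the dot would become `jakesthoughts.xyz.jakesthoughts.xyz.`; and the apex itself cannot be a CNAME, because it already carries SOA and NS records, which is why the aliases point at the apex and not the other way round. After a change, `dig +short AAAA jakesthoughts.xyz` (or `dig +short www.jakesthoughts.xyz`) against the authoritative server shows whether it took.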

I cannot think of anything else so I guess that about wraps this article up. Thank you for the question, `random person from irc'!


Other thoughts

Jake on 2022-07-09,13:54:12 said:

I hope no one uses the elite hacker tool view-source on this page...

random dude from irc on 2022-07-11,00:16:36 said:

It was much longer and detailed than I expected (which I consider good), though I wish you would elaborate what you mean by "normally" in the domain section; I assume you mean you give them all your PII and CC? I totally agree with the tld section, wish more people would use OpenNIC and that OpenNIC would improve. Also, for decentralised DNS look at .bit, however it uses blockchain tech which some may consider bad. Anyway I enjoyed the article, I'm currently on a car ride so I apologise for the poor grammar as I'm better at spelling on PC than phones.

Jake on 2022-07-11,06:08:13 said:

Yeah I don't use any kind of crypto. Maybe if I were to do it again: create the hidden site first -> then buy a domain with crypto. No point in paying with crypto now, when I've already paid with CC.

