Selfhosted

I'll let folks with more security experience dive into your specific question, but another option is to host your website on something like Github pages (using a static website generator like Jekyll) and point Cloudflare at it. That way you don't need anything pointed at your local network, get the uptime of Github, and still benefit from your own domain name.

That's what I'm doing with my own blog and it's been great. Github provides the service for free but if they ever charge for it I'll just start hosting it locally.

I know it's not technically "self" hosted but I'd get a cheap yearly VPS somewhere and run a webserver off of that.For me its worth the peace of mind to keep my network a temple instead of a bus terminal. I paid $13 usd for the year for mine

The first worry are vectors around the Synology, It's firmware, and network stack. Those devices are very closely scrutinized. Historically there have been many different vulnerabilities found and patched. Something like the log4j vulnerabilities back in the day where something just has to hit the logging system too hit you might open a hole in any of the other standard software packages there. And because the platform is so well known, once one vulnerability is found they already know what else exists by default and have plans for ways to attack it.

Vulnerabilities that COULD affect you in this case for few and far between but few and far between are how things happen.

The next concern you're going to have are going to be someone slipping you a mickey in a container image. By and large it's a bunch of good people maintaining the container images. They're including packages from other good people. But this also means that there is a hell of a lot of cooks in the kitchen, and distribution, and upstream.

To be perfectly honest, with everything on auto update, cloud flares built-in protections for DDOS and attacks, and the nature of what you're trying to host, you're probably safe enough. There's no three letter government agency or elite hacker group specifically after you. You're far more likely to accidentally trip upon a zero day email image filter /pdf vulnerability and get bot netted as you are someone successfully attacking your Argo tunnel.

That said, it's always better to host in someone else's backyard than your own. If I were really, really stuck on hosting in my house on my network, I probably stand up a dedicated box, maybe something as small as a pi 0. I'd make sure that I had a really decent router / firewall and slip that hosting device into an isolated network that's not allowed to reach out to anything else on my network.

Assume at all times that the box is toxic waste and that is an entry point into your network. Leave it isolated. No port forwards, you already have tunnels for that, don't use it for DNS don't use it for DHCP, Don't allow You're network users or devices to see ARP traffic from it.

Firewall drops everything between your home network and that box except SSH in, or maybe VNC in depending on your level of comfort.

Cloudflare tunnels are layer 7, so it's not unlimited access by any means. This also means that certain things will break btw, for example if your website uses websockets to load information, that isn't supported.

Next, I'd put the computer that is going to be hosting into an isolated vlan of its own and access via external URL only.

If you're going to use docker images, make sure to vet that they're updated often and always spin up the latest.

You'll be fine enough as long as you enable MFA on your Nas, and ideally configure it so that anything "fun", like administrative controls or remote access, are only available on the local network.

Synology has sensible defaults for security, for the most part. Make sure you have automated updates enabled, even for minor updates, and ensure it's configured to block multiple failed login attempts.

You're probably not going to get hackerman poking at your stuff, but you'll get bots trying to ssh in, and login to the WordPress admin console, even if you're not using WordPress.

A good rule of thumb for securing computers is to minimize access/privilege/connectivity.
Lock everything down as far as you can, turn off everything that makes it possible to access it, and enable every tool for keeping people out or dissuading attackers.
Now you can enable port 443 on your Nas to be publicly available, and only that port because you don't need anything else.
You can enable your router to forward only port 443 to your Nas.

It feels silly to say, but sometimes people think "my firewall is getting in the way, I'll turn it off", or "this one user needs read access to one file, so I'll give read/write/execute privileges to every user in the system to this folder and every subfolder".

So as long as you're basically sensible and use the tools available, you should be fine.
You'll still poop a little the first time you see that 800 bots tried to break in. Just remember that they're doing that now, there's just nothing listening to write down that they tried.

However, the person who suggested putting cloudflare in front of GitHub pages and using something like Hugo is a great example of "opening as few holes as possible", and "using the tools available".
It's what I do for my static sites, like my recipes and stuff.
You can get a GitHub action configured that'll compile the site and deploy it whenever a commit happens, which is nice.

If it's a static site, you can host that anywhere for free on the big cloud providers, aws has s3 storage, Microsoft has blobs, github has pages, all which can be configured to run a site well under the paid tiers.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

8 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

[Thread #384 for this sub, first seen 29th Dec 2023, 14:55] [FAQ] [Full list] [Contact] [Source code]

If you're exposing via cloudflare tunnels instead of pointing at your public IP then eveything other people have said covers it. If you are using your public IP then it's worth blocking non-cloudflare IPs from accessing the site directly

I'm definitely a fan of Gitlab pages for simple webpages I just want on the Internet. It's nice to have the code hosted anyways (gives me that off site back up safety so my stuff at home can go down if needed).

if you setup everything with even moderate attention to the security involved, youll be fine. sounds like youre already there.

this is a common scenario, not a crazy idea or implementation. just keep your shit up to date

New Lemmy Post: How safe is self-hosting a public website behind Cloudflare? (https://lemmy.world/post/10093430)
Tagging: #SelfHosted

(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)

I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md

If you concerned about your exposed services being hacked, why not learn how to protect them properly from bad actors? There exists a wide range of solutions that attempt to specifically solve this problem.