Axe [H]: Is there a way to properly expose residence-hosted services on the internet?

dgz (Supreme [H]ardness; joined Feb 15, 2010; 5,838 messages)
Having computers in a network is nice. Having useful apps running on top of it is even better. But we're living in the information age. A time when mega-corps and governments are racing to simultaneously gather our information and more or less curate what comes our way, too. Oppressive communist parties, bloodthirsty warlords, faceless socialist hellhole dictators, protectors of freedoms and democracy.

Sounds somewhat political? Maybe it is. But I need a technical answer.

I built my own web chat that's been serving me very well on a daily basis. It's stupid to send bits all the way to the US or some other place just so you can talk to my wife two rooms across our home. Easy, don't even need https. But what if at least one of us is somewhere else? What do we do then? We default to the usual suspects, of course. But I don't want to do that.

So, should I even think about opening 443 to the outside world? The only alternative I could think of is to host a separate instance and DB somewhere in a datacenter and possibly sync them every now and then, but it all sounds bad.

How does one roll their own thing and feel good about it?
 
There's a secure messaging app called Signal. You should really look into it. Works on your phones, and your PCs. It's the most secure/private way to communicate. You can even place encrypted calls to each other over it.

Otherwise, you might want to set up your own encrypted communication via an OpenVPN server running on your network, or something similar.
 
I feel the issue here is not so much the security of their comms as the needless bits round tripping to the US and back if all they need is the local LAN they use. Opening the already established chat on his server to the internet is the logical way to do this stuff. I did the same back in the day when I was running a local Asterisk to connect my family through a (SIP) app on our phones.
Now, I don't want all the burden surrounding all this stuff, messengers etc, and we just use what's available like Signal, Whatsapp, Viber, Messenger etc. Text chat bits are small enough :) . And I think there are CDNs and local servers spread around the world for most of those big services anyway.
 
As has already been pointed out the remote user can VPN into the home network and connect as usual. You can use the same method even if both users are remote. This way you don't have to worry about building encryption into your chat system as the VPN will handle the encryption.
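The VPN route described above, as an added example that is not from any poster in this thread: a WireGuard "road warrior" setup in which the remote family member tunnels into the home network and reaches the chat host over the tunnel, so the chat port itself never faces the internet. The addresses (home LAN 192.168.1.0/24, chat host 192.168.1.50, tunnel 10.8.0.0/24), the DDNS name home.example.net and the key placeholders are all assumptions; the `allowed_ips_of` helper is mine.

```shell
#!/bin/sh
# Added example (not from the thread): generate WireGuard configs for a
# home VPN. Assumed: home LAN 192.168.1.0/24, chat host 192.168.1.50,
# tunnel subnet 10.8.0.0/24, UDP/51820 forwarded to the WireGuard box.
# Keys are placeholders; create real ones with
#   wg genkey | tee privatekey | wg pubkey > publickey
set -eu

LAN_NET="192.168.1.0/24"
CHAT_HOST="192.168.1.50"
HOME_PUBLIC="home.example.net:51820"   # DDNS name, assumption

# Server side (runs on the router or any always-on LAN box).
server_config() {
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

# One [Peer] block per family device; AllowedIPs pins the peer to one
# tunnel address so a peer cannot claim another peer's traffic.
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
EOF
}

# Client side. The argument is what the phone routes through the tunnel.
# Keep it narrow: "$CHAT_HOST/32" reaches only the chat box, "$LAN_NET"
# reaches the whole LAN. A lost phone then exposes one service, not the
# whole home network, and the VPN supplies the encryption the chat lacks.
client_config() {
  allowed="$1"
  cat <<EOF
[Interface]
Address = 10.8.0.2/32
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = $HOME_PUBLIC
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# Extract the AllowedIPs value from a config on stdin (helper for review).
allowed_ips_of() {
  sed -n 's/^AllowedIPs = //p'
}

# Usage: server_config > /etc/wireguard/wg0.conf
#        client_config "$CHAT_HOST/32" > phone.conf   (import on the phone)
```

With `AllowedIPs = 192.168.1.50/32` on the phone, only traffic for the chat host enters the tunnel; everything else on the phone keeps using its normal connection, and the home side never has to open 443 at all.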
 
Going the VPN route sounds even worse to me. I am not too worried about encryption. Really not sure if my Raspberry Pi will be able to handle the load when I add voice/video chat, even for a handful of users.

I am not looking for someone else's secure chat app. Just wondering if it makes any sense to expose the home network to the outside world. I think it's not. I'd be better off having two discrete instances: public and private. One at cloudflare or whatever, and another one at home.
 
The traditional answer for this type of stuff is a router/firewall gizmo that provides a DMZ port. Put your chat-running device in the DMZ and create the appropriate rules in the firewall. Unless you have a fixed IP from your ISP, you will likely need to account for and handle the dynamic IP changes. Be realistic and assume the device will get compromised at some point and keep regular backups.
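The DMZ-plus-rules approach above, as an added example that is not from any poster in this thread: an nftables ruleset for a Linux router that forwards only TCP/443 to the chat box and refuses to let the chat box open connections into the LAN (so a compromised box is a dead end rather than a foothold), plus a small check for the dynamic-IP problem. The interface names (eth0/eth1/eth2), subnets, chat host 192.168.2.10 and the function names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): DMZ firewall rules for a Linux
# router using nftables, plus a dynamic-IP sanity check.
# Assumed layout: WAN on eth0, LAN 192.168.1.0/24 on eth1, and a separate
# DMZ segment 192.168.2.0/24 on eth2 holding the chat host 192.168.2.10.
set -eu

WAN_IF="eth0"
LAN_IF="eth1"
DMZ_IF="eth2"
CHAT_HOST="192.168.2.10"
CHAT_PORT="443"

# Emit the ruleset. Forward policy is drop; only new TCP/443 from the WAN
# to the chat host is let in, LAN may reach WAN and DMZ, the DMZ may reach
# WAN (package updates) but never the LAN. That last rule logs, so a
# compromised chat box trying to pivot shows up in the router's log.
dmz_ruleset() {
  cat <<EOF
table inet dmz {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    iifname "$WAN_IF" tcp dport $CHAT_PORT dnat ip to $CHAT_HOST
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $CHAT_HOST tcp dport $CHAT_PORT ct state new accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    iifname "$LAN_IF" oifname "$DMZ_IF" accept
    iifname "$DMZ_IF" oifname "$WAN_IF" accept
    iifname "$DMZ_IF" oifname "$LAN_IF" log prefix "dmz-to-lan: " drop
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Plausibility check on whatever the "what is my IP" lookup returned, so an
# error page or captive-portal HTML is never pushed into the DNS record.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Returns 0 when the DDNS record ($1, last address we published) differs
# from the current WAN address ($2) and the new value looks like an IPv4
# address, i.e. when a DDNS update should actually be sent.
ddns_update_needed() {
  recorded="$1"
  current="$2"
  is_ipv4 "$current" && [ "$recorded" != "$current" ]
}

# Usage: ./dmz.sh apply   (loads the ruleset; run as root on the router)
if [ "${1:-}" = "apply" ]; then
  dmz_ruleset | nft -f -
fi
```

The dynamic-IP check is meant to run from cron: fetch the current address, compare it with the last one you published, and only then call your DNS provider's update command (provider-specific, so not shown). Keep the backups the poster mentions off the DMZ segment; the LAN can reach the chat box to pull them, but the chat box cannot reach the LAN to tamper with them.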
 