Axe [H]: Is there a way to properly expose residence-hosted services on the internet?

Discussion in 'Networking & Security' started by dgz, Apr 7, 2019.

  1. dgz

    dgz [H]ardness Supreme

    Messages:
    5,084
    Joined:
    Feb 15, 2010
    Having computers in a network is nice. Having useful apps running on top of it is even better. But we're living in the information age. A time when mega-corps and governments are racing to simultaneously gather our information and more or less curate what comes our way, too. Oppressive communist parties, bloodthirsty warlords, faceless socialist hellhole dictators, protectors of freedoms and democracy.

    Sounds somewhat political? Maybe it is. But I need a technical answer.

    I built my own web chat that's been serving me very well on a daily basis. It's stupid to send bits all the way to the US or some other place just so you can talk to my wife two rooms across our home. Easy, don't even need https. But what if at least one of us is somewhere else? What do we do then? We default to the usual suspects, of course. But I don't want to do that.

    So, should I even think about opening 443 to the outside world? The only alternative I could think of is to host a separate instance and DB somewhere in a datacenter and possibly sync them every now and then, but it all sounds bad.

    How does one roll their own thing and feel good about it?
     
  2. mashie

    mashie Mawd Gawd

    Messages:
    4,173
    Joined:
    Oct 25, 2000
    If you are away, get something like OpenVPN clients running on the remote systems connecting to a server on your home network. That way you will have a very secure entry point to your network. At that point your remote clients will act as if they were on the same LAN.
     
    Nicklebon likes this.
  3. alxlwson

    alxlwson You Know Where I Live

    Messages:
    5,782
    Joined:
    Aug 25, 2013
    Why is this in the News section?
     
    SticKx911 likes this.
  4. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,340
    Joined:
    Jul 6, 2013
    There's a secure messaging app called Signal. You should really look into it. Works on your phones, and your PCs. It's the most secure/private way to communicate. You can even place encrypted calls to each other over it.

    Otherwise, you might want to setup your own encrypted communication via an OpenVPN server running on your network, or something similar.
     
    IdiotInCharge likes this.
  5. tedych

    tedych Limp Gawd

    Messages:
    372
    Joined:
    Jan 18, 2013
    I feel here the issue is not that much the security of their comms, rather more likely the needless bits round tripping to the US and back if all they need is the local LAN they use. Opening the already established chat on his server to the internet is the logical way to do this stuff. I did the same back in the time when I was running a local Asterisk to connect my family through a (SIP) app on our phones.
    Now, I don't want all the burden surrounding all this stuff, messengers etc, and we just use what's available like Signal, Whatsapp, Viber, Messenger etc. Text chat bits are small enough :) . And I think there are CDNs and local servers spread around the world for most of those big services anyway.
     
  6. Nicklebon

    Nicklebon Gawd

    Messages:
    550
    Joined:
    May 22, 2006
    As has already been pointed out the remote user can VPN into the home network and connect as usual. You can use the same method even if both users are remote. This way you don't have to worry about building encryption into your chat system as the VPN will handle the encryption.
     
  7. dgz

    dgz [H]ardness Supreme

    Messages:
    5,084
    Joined:
    Feb 15, 2010
    Going the VPN route sounds even worse to me. I am not too worried about encryption. Really not sure if my raspberry pi will be able to handle the load when I add voice/video chat, even for a handful of users.

    I am not looking for someone else's secure chat app. Just wondering if it makes any sense to expose the home network to the outside world. I think it's not. I'd be better off having two discrete instances: public and private. One at cloudflare or whatever, and another one at home.
     
  8. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,401
    Joined:
    Mar 4, 2013
    The traditional answer for this type of stuff is a router/firewall gizmo that provides a DMZ port. Put your chat running device in the DMZ and create the appropriate rules in the firewall. Unless you have a fixed IP from your ISP, you will likely need to account for and handle the dynamic IP changes. Be realistic and assume the device will get compromised at some point and keep regular backups.
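    As an added example (not from the post above, and not from any router vendor), here is what "the appropriate rules" look like as an nftables ruleset for the DMZ layout Dead Parrot describes: the router has a WAN, a LAN and a DMZ interface, only tcp/443 from the internet is forwarded to the chat box, and because the chat box is assumed to get compromised at some point it is never allowed to open connections into the LAN. Interface names (eth0/eth1/eth2) and the DMZ address are assumptions; dynamic-DNS handling is left out.

```shell
#!/bin/sh
# Added example: nftables ruleset for a router with a dedicated DMZ segment.
# Interface names and the DMZ host address are assumptions (adjust for the real box).
#
# Threat model: the DMZ host is reachable from the internet on 443 only and is treated
# as already compromised, so it may not initiate anything towards the LAN. The LAN may
# talk to the DMZ host (that is the family's own chat traffic); return packets are
# covered by the established,related rule.

dmz_ruleset() {
    wan_if=$1    # e.g. eth0  (ISP side)
    lan_if=$2    # e.g. eth1  (trusted LAN)
    dmz_if=$3    # e.g. eth2  (DMZ segment; only the chat box lives here)
    dmz_host=$4  # e.g. 192.168.50.10
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Router admin only from the LAN; nothing from WAN or DMZ.
        iifname "$lan_if" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Internet -> DMZ host, HTTPS only (the DNAT below has already rewritten daddr).
        iifname "$wan_if" oifname "$dmz_if" ip daddr $dmz_host tcp dport 443 ct state new accept
        # LAN may reach the DMZ host.
        iifname "$lan_if" oifname "$dmz_if" accept
        # LAN and DMZ may reach the internet (updates, Let's Encrypt, etc.).
        iifname "$lan_if" oifname "$wan_if" accept
        iifname "$dmz_if" oifname "$wan_if" accept
        # Assume-compromised: the DMZ host never initiates into the LAN.
        # (Redundant with policy drop, but explicit so it shows up in audits.)
        iifname "$dmz_if" oifname "$lan_if" drop
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # The only port the internet ever sees.
        iifname "$wan_if" tcp dport 443 dnat to $dmz_host
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$wan_if" masquerade
    }
}
EOF
}

# Dry-run check and load, to be executed on the router:
#   dmz_ruleset eth0 eth1 eth2 192.168.50.10 | nft -c -f -   # syntax check only
#   dmz_ruleset eth0 eth1 eth2 192.168.50.10 | nft -f -      # load
apply_dmz_ruleset() {
    dmz_ruleset "$@" | nft -f -
}
```

    Two things worth checking after loading: from the LAN, `nft list ruleset` should show exactly one WAN-facing accept (dport 443), and from a shell on the DMZ host, a connection attempt to any LAN address should time out rather than connect.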
     
  9. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,684
    Joined:
    Feb 15, 2003
    To properly do this and host an application on the web you need a WAF (web application firewall). There are paid options from Barracuda and F5, but ModSec is free and works well. I run a set of Barracuda WAF 660s in Rev Proxy and they work really well.

    https://en.wikipedia.org/wiki/Web_application_firewall
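    As an added example (not from the post above, and not a Barracuda or F5 configuration), this is the free variant of what schizrade describes: nginx as a reverse proxy in front of the home-hosted chat app with the ModSecurity-nginx connector switched on. The hostname, certificate paths and backend address are assumptions; the rules themselves (for instance the OWASP Core Rule Set) have to be installed separately and referenced from the assumed `/etc/nginx/modsec/main.conf`. The "weak" vhost is the just-forward-443 setup for comparison, and `check_vhost` is a small lint that refuses any proxied vhost without TLS termination and the WAF engine on.

```shell
#!/bin/sh
# Added example: nginx reverse proxy with ModSecurity in front of a home-hosted web chat.
# Host, paths and backend address are assumptions.

# Before: port 443 forwarded straight to the app, no TLS at the proxy, no WAF.
# Kept only as the weak setting next to the corrected one.
weak_vhost() {
    host=$1; backend=$2
    cat <<EOF
server {
    listen 443;
    server_name $host;
    location / { proxy_pass http://$backend:8080; }
}
EOF
}

# After: TLS terminated here, ModSecurity engine on for every request, WebSocket
# upgrade passed through (web chats usually need it), request bodies capped.
hardened_vhost() {
    host=$1; backend=$2
    cat <<EOF
server {
    listen 443 ssl;
    server_name $host;
    ssl_certificate     /etc/letsencrypt/live/$host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    client_max_body_size 1m;

    location / {
        proxy_pass http://$backend:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
# Plain HTTP only redirects; nothing is proxied unencrypted.
server {
    listen 80;
    server_name $host;
    return 301 https://\$host\$request_uri;
}
EOF
}

# Lint a vhost read from stdin: anything that proxies must terminate TLS and have the
# WAF engine enabled. Returns 0 when the config passes, 1 otherwise.
check_vhost() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q 'proxy_pass'; then
        printf '%s\n' "$cfg" | grep -q 'listen 443 ssl' \
            || { echo "proxy without TLS termination" >&2; return 1; }
        printf '%s\n' "$cfg" | grep -q '^[[:space:]]*modsecurity on;' \
            || { echo "proxy without ModSecurity" >&2; return 1; }
    fi
    return 0
}

# Typical use on the proxy box:
#   hardened_vhost chat.example.com 192.168.50.10 | check_vhost \
#     && hardened_vhost chat.example.com 192.168.50.10 > /etc/nginx/conf.d/chat.conf \
#     && nginx -t && nginx -s reload
```

    Run `nginx -t` after writing the file; it fails loudly if the ModSecurity module is not loaded, which is the quickest way to find out the connector is missing. With ModSecurity, start in `DetectionOnly` mode in main.conf and read the audit log for a few days before switching to blocking, or the WebSocket chat traffic will trip rules and you will lock yourselves out.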