(Author here) I mostly worry about security for this. If you have nothing private on your network it's probably fine, but if you have, say, a NAS that isn't using proper authentication (pretty common), an OS/nginx vulnerability could end up exposing stuff.
Of course there are much simpler ways to lock things down also :)
Obviously your server would be on a DMZ vlan, probably on its own. Set it to automatically take security updates every night and aside from some zero days I'm not sure what security issues you'd have.
Then why are you intentionally adding another dozen attack surfaces and bleeding edge stuff constantly full of exploits? nginx remote exploits that matter are a once in a decade thing. Your setup is incomparably more insecure than nginx and a port forward.
I've been running a static webserver from my home for more than 20 years now. By avoiding dynamic languages, databases, and buzzwords, I've never been hacked. Never had any issue.
Thank you for a great article! I recently took the plunge of building-and-hosting a blog too - but, due to security concerns, I took the entirely opposite approach of making it fully cloud-based (Git repos for infra and for content -> AWS CodePipeline, Hugo during CodeBuild -> S3 and CloudFront). This was sadly ironic since I'd mostly wanted to blog about my experiences with homelabbing, but I didn't trust myself to open a port to the outside world. Thanks to your blog I might finally learn Kubernetes and use a Cloudflare tunnel to implement a similar truly-selfhosted blog!
I've done something similar to the author but with only ufw and port forwarding.
My closet server is set up with a cron job that runs daily and updates my domain's dns on Cloudflare to my currently allocated dynamic ip.
Port forwarding sends the 80/443 requests to my closet server.
Closet server only accepts 80/443 requests from Cloudflare's published ip addresses via ufw rules so that all traffic must pass through Cloudflare to be accepted.
Nginx on closet server routes it to the appropriate internal port for that service.
Maybe someone has broken into my home network, but I hope this solution works relatively well!
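The ufw part of the setup described above, as an added example that is not the commenter's own script: it takes the Cloudflare edge ranges (the live lists are published at the two URLs below; the three ranges embedded in the script are constructed sample values for running offline, not the current list), sanity-checks each entry so a bad download cannot inject junk into a ufw command, and emits one allow rule per range for TCP 80/443 on top of a default-deny inbound policy. The `apply` mode, the function names and the ufw defaults are assumptions about how one would wire this up.

```shell
#!/bin/sh
# Added example, not the commenter's script: only let Cloudflare's published
# edge ranges reach 80/443 on the closet server, so traffic that skips
# Cloudflare is dropped by ufw. Assumes ufw and curl are installed.
set -eu

# Cloudflare publishes its edge ranges at these URLs.
CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
CF_IPV6_URL="https://www.cloudflare.com/ips-v6"

# Constructed sample ranges for offline use (NOT the live list); a real run
# fetches the current list with fetch_ranges.
SAMPLE_RANGES="173.245.48.0/20
103.21.244.0/22
2400:cb00::/32"

# Loose CIDR sanity check: only hex digits, ':', '.' and '/' are allowed and a
# prefix length must be present, so shell metacharacters never reach ufw.
is_cidr() {
    case "$1" in
        ""|*[!0-9a-fA-F:./]*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit one ufw command per range for the given ports without executing them.
# Usage: rules_for_ranges "<newline-separated ranges>" [ports]
rules_for_ranges() {
    ranges="$1"; ports="${2:-80,443}"
    printf '%s\n' "$ranges" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        if ! is_cidr "$cidr"; then
            echo "skipping invalid range: $cidr" >&2
            continue
        fi
        echo "ufw allow proto tcp from $cidr to any port $ports"
    done
}

# Download the current IPv4 and IPv6 lists as one newline-separated string.
fetch_ranges() {
    curl -fsS "$CF_IPV4_URL"; echo
    curl -fsS "$CF_IPV6_URL"; echo
}

# Default-deny inbound, then allow only the Cloudflare ranges on 80/443.
apply_rules() {
    ranges="$1"
    ufw default deny incoming
    ufw default allow outgoing
    rules_for_ranges "$ranges" | sh -e
    ufw --force enable
}

# Invoked as "./cf-only.sh apply" this fetches the live list and applies it;
# sourced without arguments it only defines the functions above.
if [ "${1:-}" = "apply" ]; then
    apply_rules "$(fetch_ranges)"
fi
```

Re-running this from the same daily cron job that updates the DNS record keeps the allow list current when Cloudflare changes its ranges; note that the rules only cover ports 80/443, so any other port forwarded from the router still needs its own restriction.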
I would say you don't really need Kubernetes for this sort of setup (I already was running all the K8s stuff which is why I went with it, but docker compose or even just running things in systemd without containers would work too).
I think the main thing is to have some sort of network isolation (like a separate VLAN or a server that blocks outbound traffic) between stuff that's exposed to the internet and stuff that's private on the network.
I have one small VPS with access to wireguard network, wireguard rule to forward certain traffic to a virtual machine running on my desktop, fairly easy to set up tbh (and I add/remove devices constantly). I am not a networking person, my understanding of iptables is shaky, but I also ran a similar setup with Nginx. Could also use TailScale, but I found the wireguard CLI very easy. Straightforward to add more networks and isolate stuff from each other (tbh, I only run one network that doesn't isolate my web-facing stuff from other stuff I run privately... as I said, I am not a networking guy so have no idea how bad of an idea this is given that the only way in is traffic on certain ports being forwarded).
Huh - I'm using Wireguard as my VPN into my home network (the only port that I have opened to the outside world), but I didn't know that you could also use it to route incoming requests to a certain VM. There's always something else to learn! Thank you :)
Ah, I see - I misread and got the impression that `cloudflared` could only connect to Kubernetes pods, but I see from reading the docs[1] that it can connect to traditional apps-on-ports as well. I'll have a poke around - thanks again!