Traefik basically has certbot built in so when you configure a new hostname on a service it automatically handles requesting and refreshing the cert for you. It can either request individual certificates for each hostname or a wildcard certificate (*.yourdomain.com) that covers all subdomains.

The neat trick is that in Docker you configure Traefik by adding Docker tags to the other containers you want to proxy. When you start up a container, Traefik automatically reads the config from the tags, does any necessary setup, then viola it’s ready to go!

Basically the Cloudflare tunnel client connects from the computer running your services (or proxy) out to Cloudflare’s edge servers and your DNS hostname is set to the IP of one of Cloudflare’s edge servers. Cloudflare acts like a reverse proxy by sending incoming SSL requests for your hostname to your tunnel client through their own network. The DNS record doesn’t expose your public IP and the Cloudflare tunnel client easily works behind firewalls, NAT, and doesn’t need a static IP because it connects outbound to Cloudflare’s network.

The biggest limitation is that this only works for SSL traffic because it can be routed by hostname in the SNI without needing a client on the client side. They do offer tunnels for other connections, but that requires their client running on both sides so it’s more like a traditional VPN again.

I’d add that Traefik works even better with Docker because you tag your other containers that have web ports and Traefik picks that up from Docker and terminates the SSL connection for them. You don’t even have to worry about setting up SSL on every individual service, Traefik will take care of that even for services that don’t implement SSL.

It is possible to get wildcard certificates from LetsEnrcypt which doesn’t give anyone information on which subdomains are valid as your reverse proxy would handle that. Still arguably security through obscurity, but it does make it substantially harder for anyone who can’t intercept traffic between the client and server.

The biggest reason to use VPN is that some ISPs may take issue with you running a web server over a residential service when they see incoming HTTP requests to your IP. If you don’t want to require VPN, then Cloudflare tunnels are perfect for this and they also solve the need for dynamic DNS if you want to use static domain because your domain points to the Cloudflare edge servers and they route it to you wherever your tunnel endpoint is running.

Past that, Traefik is a great reverse proxy that can manage getting LetsEnrcypt SSL certificates for you even with wildcard domains and would still work fine with dynamic DNS.

I just wanted to mention the esoteric programming language INTERCAL, which was created with the idea to be unlike every other programming language as much as possible.

For example: The creators wanted to include GOTO because of how maligned it is with programmers, but since GOTO exists in many languages already they instead created the COME FROM statement which also makes the arbitrary jumps in execution even more confounding when trying to read the code.

Well from personal experience with a small website the biggest things you have to deal with are web crawlers trying to vacuum up every last ounce of data they can find and web crawlers trying to find obvious backdoors like trying default WordPress logins (even if you’re not running WordPress). Make sure your software is properly configured and up to date and you’re safe. Some isolation is still a good idea but don’t lose sleep on which one because they’re all still overkill in this case.

On the other hand if you’re running a service that would be actively targeted by a large government enforcement agency or some other very wealthy and highly motivated entity, then complete physical isolation would be the only acceptable answer but with even more protocols to prevent contamination or identification as there have been attacks demonstrated that could infiltrate even air-gapped environments and that’s assuming you could hide it well enough for them not to just come physically compromise it (without you even knowing).

Keep in mind if you want to use any of these technologies because you want to learn them or just think they’re neat, then please do! I suspect a lot of people with these types of home setups are doing it mostly for that reason and not because it is absolutely necessary for security purposes.

I just run Docker and my router maps ports to it. Container isolation and a basic firewall is more than enough for me.

Like are we talking what’s good enough security for hosting an anime waifu tier list blog or good enough security for a billion dollar corporation?

They only have to moderate content from users on their server, and the idea would be that only CBC employees (or programs) would be given accounts which also verifies they are legitimate. Readers subscribe to those accounts from their own instances.

It’s the eternal cycle:

• Small platform has quality experience because most users are genuine and engaged, and user base is too small to be “worth it” for corporations and trolls
• Platform grows slowly until it reaches tipping point of popularity and network effect
• The platform has explosive growth, drawing interest of corporations and trolls
• Corporations enshittify while trolls crank out misinformation and rage bait
• Users reach tipping point and leave large platform to smaller platforms that don’t have corporate interests and trolls
• Repeat due to network effect

When did people stop wanting to learn anything? Everything has to be dumbed down to the level of toddlers otherwise people can’t be bothered.

To me the fediverse is great because you need higher than a room temperature IQ to use it so the posts are already far greater quality and the interactions are more meaningful than any other social network. Meta can keep all the screaming adult children in their platform.

I’ve started using Obsidian with a kanban plugin, though any sufficient kanban style solution would work. I have a to-do column (aka backlog), an in-progress column, and a finished column. I add notes to the cards about what I did and I never delete stuff from the finished column so I can review if I need to re-open or re-do a task in the future.

Okay, well try this one:

Take any media publicly uploaded by a major artist on X and repost it to YouTube unaltered. You should be able to defend any copyright strikes because of your “publicly available” argument, right?

Allowing public broadcast once doesn’t void the rights of the creator to control when and where that content gets broadcast again.

Does that mean every TV show broadcast over the air, every song on the radio, and every book in a public library is now “free” to pirate on the Internet because they were made publicly available? There’s a reason that social media companies include clauses in their EULA that posting content gives them (and only them unless otherwise noted) the right to reproduce that content.