Switching to VPS
Saturday, May 30, 2026

If you’re reading this now, it’s been freshly served to you from my new VPS (virtual private server). Previously, this site was hosted on Cloudflare Pages, a generous free hosting option. You just point Pages at a hosted git repo and it will rebuild your site every time you push an update, up to 500 times per month.[1] It was super reliable (I wasn’t even affected by the recent outages), and pretty much effortless. So why did I just make life harder for myself?
- Greater flexibility. I know you can use Cloudflare Workers to do more fancy server-side stuff, but honestly I think I’d rather just play around on the actual (virtual) server.
- Opportunity to learn. I’ve been using the Linux desktop for over ten years now, and I’ve been learning a little about how this web malarkey works for around three years. It’s time to go to the next level by managing my own web server.
As for why I didn’t go “all the way” and host the site from some old hardware at home (I was tempted), there are a few reasons.
- Security. I’m a beginner at this and don’t know a whole lot about security, but I suspect inviting the whole internet to interact with a device on my home network presents a non-zero security risk to the other devices on the network.
- Energy efficiency. While an argument could be made that hosting at home prevents old hardware going to the landfill and reduces the local impact of data centres, running and cooling an old machine at home is almost certainly less energy efficient than the economy of scale offered by a data centre.
- Potential ISP issues. My ISP terms of service state I cannot use the service for anything beyond “ordinary residential use”. Is hosting a small website ordinary residential use? I don’t know, I have no idea what you perverts get up to in your homes. But I’d rather not risk it.
So far, I have taken some basic security measures such as configuring the firewall and disabling root access. Since I don’t handle sensitive data and have a very small audience, the risks are mostly vandalism, or having malicious content added to my site, both of which are unlikely for a site of my size, so I don’t think I need to go crazy. But if you have ideas for other things I should be doing to secure my site, please send them my way (with links to reputable sources, please).
Then I cloned my site to the VPS, configured the web server to serve HTTP and was delighted when it worked (after several headaches with the configuration).
Finally, I had to point my domain thetangent.space to the new host, and set up an SSL certificate. That’s the reason for the bit of downtime today while all that stuff propagated.
One thing that shocked me on reading the server logs for the first time was the sheer number of bots already making requests — even before the domain name was pointing toward my server. The requests were weird — strange long URLs made by concatenating bits of actual URLs on my site. Also some that were clearly malicious, requesting files that could reveal security vulnerabilities (if I were careless enough to leave such files lying around in the public folder).[2] I know this kind of thing is probably not new to anyone who has hosted a site before, but it was all pretty surprising to me. I know I have a small human readership; however, I seem to be serving hundreds of thousands of bots. For this reason, I decided to continue proxying through Cloudflare to hopefully provide an extra layer of defense against the relentless botspam.
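A small triage script for the two request patterns described above, as an added example rather than anything from this site's own setup. It assumes the web server writes the combined log format; the probe patterns, the `KNOWN_PATHS` list and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format as written by stock nginx/Apache configs (assumption).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Illustrative patterns (assumption, not from the post) for files that
# should never be reachable from a public web root.
PROBE_RE = re.compile(
    r'(^|/)\.(env|git|aws|ssh)(/|$)|\.(sql|bak)$|/wp-login\.php$', re.I
)
# Hypothetical pages the site really serves, each written as "/path/".
KNOWN_PATHS = {"/", "/about/", "/posts/switching-to-vps/", "/tags/linux/"}


def classify(path, known=KNOWN_PATHS):
    """Return 'probe', 'known', 'mangled' or 'other' for a request path."""
    path = path.split("?", 1)[0]
    if PROBE_RE.search(path):
        return "probe"
    if path in known:
        return "known"
    # Mangled: two or more real paths glued into a URL that does not exist.
    norm = path.rstrip("/") + "/"
    hits = sum(1 for k in known if k != "/" and k in norm)
    return "mangled" if hits >= 2 else "other"


def triage(lines):
    """Count request classes per client IP; return (counts, unparsed)."""
    per_ip, unparsed = {}, 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:  # e.g. a TLS handshake sent to the plain-HTTP port
            unparsed += 1
            continue
        per_ip.setdefault(m["ip"], Counter())[classify(m["path"])] += 1
    return per_ip, unparsed


# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [30/May/2026:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [30/May/2026:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.23 - - [30/May/2026:10:00:05 +0000] "GET /posts/switching-to-vps/about/tags/linux/ HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.10 - - [30/May/2026:10:00:07 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [30/May/2026:10:00:09 +0000] "\\x16\\x03\\x01" 400 157 "-" "-"',
]
```

Calling `triage()` on the lines of a real access log gives a per-IP tally that can feed a firewall deny list or a rate-limit rule.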
Still on my todo list is setting up a webhook so my site automatically rebuilds when I push to my git remote. And after that, I’ll enjoy tinkering and using it to add new features to the site. Maybe I’ll have comments online by Blaugust.
[2] Maybe I’ll start leaving rude messages in suspiciously named files.