[BBLISA] self-hosting

Tom Metro tmetro+bblisa at gmail.com
Tue May 27 21:59:18 EDT 2014


stephen g. wadlow wrote:
> I used to host a lot of stuff at home, but honestly...it wasn't worth it. 

"Worth it" as in offering cost savings, then yes, I believe that's
correct. The options for shared, virtual, and co-located hosting are
going to be highly competitive with the cost of maintaining your own
servers and sharing your home or small office bandwidth with the
servers. Especially if you opt for a net connection that provides good
upstream bandwidth.


> The important stuff I put someplace reliable, so that I don't have to
> worry about the last mile nearly as much.

I think it is wise to outsource or properly co-locate anything that is
customer-facing or accessible by the general public.

There are, however, other reasons to self-host.

We had a thread some months back here about self-hosting a mail server.
The upside there was getting increased flexibility. Configuration
options that a typical mail provider won't offer. Though if that's your
only concern, a VPS would still do the job.

Another consideration is privacy: what if you don't want private
personal or business records to reside in the cloud? For example, a few
decades of email archives, an internal web-based accounting application,
business dashboards, time tracking, or project management. These
services may need to be accessible off-LAN by yourself or a limited
audience, possibly via VPN, but are not public facing. They don't need
high bandwidth and can tolerate some down time.

Another consideration is legal: while hopefully this never becomes
relevant, it has been shown that there is a rather low barrier for 3rd
parties (notably the government) to obtain access to your data stored in
the cloud, and to do so without your knowledge.

Until homomorphic encryption[1] becomes a reality, these last two
considerations will be with us for certain types of data, and certain
types of people that have a high privacy threshold.

1.
http://en.wikipedia.org/wiki/Homomorphic_encryption#Toward_fully_secure_Internet_applications

Probably the biggest down side to self-hosting is that now it is your
responsibility to keep the server secure, fully patched, and monitored.


Rich Braun wrote:
> At $50/mo for a 55-megabit down/5 megabit-up connection that simply NEVER goes
> down, I don't see the point in "business"-class service.

Lack of blocked ports and bandwidth caps?
Potentially better support? Possibly an SLA?

Like you said, you might be lucky such that these limitations don't
apply to the consumer-grade service you can get, but they apply to the
consumer-grade services here.


> I don't get to control the PTR record but it really doesn't matter.

Only if you are self-hosting a public-facing mail server or outbound
mail relay.


> If I want a stable end-point, I'm going to use an encrypted VPN anyway.

That'll work, but that's another piece of infrastructure to
rent/operate/configure/troubleshoot.


> I'm not ever going to use a service that attempts to authenticate my
> origin based on a DNS entry...

No...


> ...and filtering by origin-IP is at best a secondary line of defense.

True, I wouldn't depend on it exclusively, though as I understand it,
there is a pretty high barrier for hijacking an IP for a TCP connection
(much more involved than spoofing an IP on a UDP packet).

I do take advantage of having a static IP to narrow the scope of
acceptable connection points on some off-site services I use.


> As for stability of "dynamic" IP addresses:  I've had the same IP for two
> years and counting with Astound, and with Comcast I recall one stretch of
> about 7 years without any change.

Another thing I use static IPs for is to run services, like a listening
VNC viewer, that I want colleagues and clients to be able to reach on a
known DNS address. With a rarely changing dynamic IP, dynamic DNS is
possible, but a static IP, if available, is better and simpler.


> My personal domains don't require more than 3-nines availability,
> which my current setup provides.

Right, and that's an appropriate fit for a self-hosting setup.


> I'm actually surprised the consumer-grade services provide a stable public IP
> address to each customer, in this era of NAT, at a time when 99.9% of
> customers wouldn't even notice the lack of inbound reachability.

The main reason why they wouldn't notice is that all the services, like
peer-to-peer file sharing, VoIP, and multi-player games, have already
been redesigned with NAT in mind due to home routers, and the
inconvenience of opening ports.


> I think even the cell-phone providers give you a public IP whenever
> you're connected.

I thought they were NATed. Probably varies by carrier.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
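The remark above about the PTR record only mattering for a self-hosted public-facing mail server or outbound relay refers to the forward-confirmed reverse DNS (FCrDNS) check that many receiving mail servers apply to a connecting SMTP client: the sender's IP must have a PTR record, and the name in that PTR must resolve forward to the same IP. Consumer connections usually have no PTR, or a generic ISP-generated one, which is why an outbound relay on such a line is often greylisted or rejected. The following is an added example, not part of the original post or of any list member's code; it implements that check in Python against constructed DNS records (203.0.113.0/24 is a documentation range, and the hostnames are made up) so it runs offline, with the real resolver calls replaced by injectable lookup functions.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an SMTP client IP.

Added example (not from the original mailing-list post). The resolver is
injected so the check can run offline against constructed records; a real
deployment would pass functions backed by socket.gethostbyaddr() and
socket.getaddrinfo() instead.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Constructed DNS data for the example; these are not real zones.
PTR_RECORDS: Dict[str, List[str]] = {
    "203.0.113.10": ["mail.example.net"],                 # PTR agrees with forward lookup
    "203.0.113.11": ["mail.example.net"],                 # PTR claims a name that points elsewhere
    "203.0.113.12": [],                                   # no PTR at all (ISP never delegated one)
    "203.0.113.13": ["c-203-0-113-13.res.isp.example"],   # generic ISP-generated PTR, but consistent
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["203.0.113.10"],
    "c-203-0-113-13.res.isp.example": ["203.0.113.13"],
}

Reverse = Callable[[str], List[str]]
Forward = Callable[[str], List[str]]


def reverse_lookup(ip: str) -> List[str]:
    """Stand-in for a PTR query; returns [] when no record exists."""
    return PTR_RECORDS.get(ip, [])


def forward_lookup(name: str) -> List[str]:
    """Stand-in for an A/AAAA query on a hostname."""
    return A_RECORDS.get(name.lower().rstrip("."), [])


def fcrdns(ip: str, reverse: Reverse, forward: Forward) -> Tuple[bool, str]:
    """Return (passed, reason). Passes only if some PTR name resolves back to ip."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on junk input
    names = reverse(str(addr))
    if not names:
        return False, "no PTR record"
    for name in names:
        # Compare as parsed addresses so textual variants (e.g. IPv6 zero
        # compression) cannot cause a false mismatch.
        if any(ipaddress.ip_address(a) == addr for a in forward(name)):
            return True, f"PTR {name} resolves back to {addr}"
    return False, f"PTR {names[0]} does not resolve back to {addr}"


def looks_generic(name: str, ip: str) -> bool:
    """Heuristic used by many filters: a PTR that embeds the address's own
    octets (c-203-0-113-13..., 203-0-113-13.dyn...) is an ISP-generated name,
    not something the operator chose, and suggests a residential line."""
    octets = ip.split(".")
    pattern = r"[-.]".join(re.escape(o) for o in octets)
    return re.search(pattern, name) is not None


def smtp_client_verdict(ip: str, reverse: Reverse = reverse_lookup,
                        forward: Forward = forward_lookup) -> str:
    """Policy a receiving MTA might apply before accepting MAIL FROM.

    'reject'   - FCrDNS fails outright (no PTR, or PTR does not round-trip)
    'greylist' - FCrDNS passes but the PTR looks ISP-generated
    'accept'   - FCrDNS passes with an operator-chosen hostname
    """
    ok, _reason = fcrdns(ip, reverse, forward)
    if not ok:
        return "reject"
    if any(looks_generic(n, ip) for n in reverse(ip)):
        return "greylist"
    return "accept"


if __name__ == "__main__":
    for client in PTR_RECORDS:
        print(client, smtp_client_verdict(client), fcrdns(client, reverse_lookup, forward_lookup)[1])
```

The point for a self-hoster is in the third and fourth records: an ISP that will not set or delegate the PTR leaves an outbound relay either rejected or, at best, treated like a residential sender, which is the practical difference between "can't control the PTR" on a consumer line and "doesn't matter" for everything that isn't outbound mail.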


