Webhosting sucks

This runs the gamut from using a webhosting service to self-hosting your web content. In tonight's blog post I will go over everything from using a third party to manage all the webserver, DNS, and database stuff, to running it on your own hardware in your own home.

Using a third party webhosting service (GoDaddy, for this example)

A buddy of mine (who will remain unnamed, but runs this site) has been having some trouble recently. Starting December 15th, he kept getting error reports about his site redirecting to porn. He posted about this on Twitter, and not much recourse was available to him. So he reached out to me; with my constant bickering about needing an RSS feed on his site, he reckoned I knew a thing or two about web hosting (in addition to the fact that I am a diehard supporter of running your own shit). Luckily for him, I am somewhat familiar with the scene.

The first thing that came to my attention was the odd way these malicious requests happened. Headers from the malicious hijacker were not the same as for legitimate requests: they removed the "Server" or "Software" header that is often included. GoDaddy, the third-party webhosting service my buddy used, handles the majority of their traffic through Apache webservers. From there, content is load balanced through several machines across the world. Now, this is a decent way of setting things up. While I might disagree with the webserver choice, having load balancers greatly decreases the amount of network traffic needed to host things with a wide audience (remember this for later, as we will get back to it).

So, GoDaddy takes my buddy's HTML and serves it to a wide audience. What's the big deal here? What's a few redirects to porn gonna do? Well, aside from the obvious, these porn sites that were being redirected to are particularly malicious. Nigh all of them were cam sites, which are not the greatest when it comes to ethics. Anyway, how was this traffic even started in the first place? It appears that some of GoDaddy's load balancers have been infected with malware to redirect to these sites. As I am not too privy to details, I'll spare them.
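A monitoring check built on the observation above, as an added example (not code from the original post or from GoDaddy): it flags responses that lack the "Server" header or that redirect off-site. The hostname `example.org`, the function names and the sample responses are constructed for illustration.

```python
from email.parser import Parser
from urllib.parse import urlsplit

SITE_HOST = "example.org"  # assumed hostname of the site being monitored

# Constructed sample response header blocks, not captured from the real site.
SAMPLES = [
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: http://cams.example.net/landing\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
    "Location: http://www.example.org/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
]

def parse_response(raw):
    """Split a raw header block into (status code, case-insensitive headers)."""
    status_line, _, header_text = raw.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_text, headersonly=True)
    return status, headers

def assess(raw, site_host=SITE_HOST):
    """Return the reasons a response looks unlike the site's normal server."""
    status, headers = parse_response(raw)
    reasons = []
    # Legitimate responses in the post carried a Server header; hijacked ones did not.
    if headers.get("Server") is None:
        reasons.append("missing Server header")
    location = headers.get("Location")
    if 300 <= status < 400 and location:
        target = urlsplit(location).hostname
        # Relative redirects have no hostname and therefore stay on the site.
        if target and target != site_host and not target.endswith("." + site_host):
            reasons.append(f"off-site redirect to {target}")
    return reasons

def suspicious(samples):
    """Return (index, reasons) for every sample with at least one finding."""
    return [(i, r) for i, raw in enumerate(samples) if (r := assess(raw))]

if __name__ == "__main__":
    for index, reasons in suspicious(SAMPLES):
        print(f"sample {index}: " + "; ".join(reasons))
```

Because the redirects only came from some load balancers, a check like this needs to sample the site repeatedly over time rather than once.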

This, of course, would be solved if my buddy had HTTPS through GoDaddy, but this is where things get annoying. GoDaddy *CHARGES* for HTTPS. That's right, to have the privilege of something that takes maybe 30 seconds to set up on a decent Debian VPS with NGINX and Certbot, you must pay a ridiculous price. Fuck right off, GoDaddy.

Using a VPS (partially self-hosting)

My buddy is now hopping on my bandwidth (soon to change, the wiki for the site is already hosted on a VPS he owns). Setting up a VPS is not for the faint of heart, but realistically a noob can have one up and running within a weekend. Luke Smith, an interesting character to say the least, hosts a great website that is a one-stop shop for self-hosting (usually through a VPS) webservers, gopher, gemini, email, you name it. If you need a place to start, start there.

VPS hosting is not exactly hard, but it does take some getting used to. Like starting a job in a new field, you are not going to be great at it on day 1. Have fun if you try it; it is very rewarding.

Fully self-hosted (minus DNS)

This involves running your website on hardware you own, in your own home. There are challenges to this, but beyond the setup you'd get on any self-hosted option, mostly the only thing you'll be concerned about is uptime. Many issues can cause downtime: what if the power goes out? Even if you get a UPS for your website's machine, what if your connection to the Internet goes out? Even if you get a business line, there are times where your ISP will have to do maintenance on that circuit.

Renting out Datacenter Space

This is a slightly better option than running a machine in your own home. Here, you get guaranteed power and guaranteed Internet access, but you lose constant physical access to the machine. If you do not trust the people who run the datacenter you rent from, one option is implementing some sort of physical security (a killswitch for when the lid is opened, port security, hard drive encryption), but any mitigation can be exploited.

Conclusion

There is no perfect answer. But fuck GoDaddy.