💾 Archived View for dfdn.info › dfdn › selfhost.gmi captured on 2024-06-16 at 12:30:49. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2024-05-10)

-=-=-=-=-=-=-

Why self host? Why not use Wordpress, or "The Cloud"?

Self hosting is like owning your home instead of renting it (and putting up with a restrictive landlord!). I have full control over my own server, have my own policies, and ethos too.

The Self-Hoster's Worst Nightmare. This is not my tale - but the points raised apply equally to me too! It puts my ethos in sharp focus

For someone running a server in his physical possession, his worst nightmare is the server going off line while he is traveling for an extended period of time. When this happens, he likely has only one recourse, temporarily re-hosting with a web hosting service--and fast!

After nearly five years of hosting my websites on a Raspberry Pi 3B in my home--during which I have made several out-of-town trips that lasted for weeks at a time--the nightmare scenario finally materialized. The United States experienced a record heatwave over the Summer with power outages predicted even before the hot weather arrived. I did my best to prepare by making sure that my UPS worked correctly and had a good battery. I even tried using a LiFePO4 battery that should have powered my routers and server for about 9 hours. Unfortunately that battery did not work as advertised, so I had to resort to a lead-acid battery that would power everything for no longer than two or three hours. Well, the power went out. I don't know for how long, but apparently it was for longer than the lead-acid battery could handle. After a loss of power, my routers and web server must be restarted in a specific sequence for my home network to function properly. Obviously, that did not happen.

When my server and the rest of my home network went down, I did not have a commercial hosting service in mind, so I had to find one in a hurry. What followed was a 14-hour ... process. I would say that finding a hosting service, creating an account, configuring a shared server with my website files, and editing my DNS records was an ordeal, but actually, it went more smoothly in some ways than I had expected. Although this experience was in some ways mildly traumatic, it taught me a few things.

(My own note: Remamber, hosting providers are obcessed with the web. I am - for various reasons, interested in using other services, Gopher and Gemini which comprise parts of the so-called 'small internet', which are high performance, low bandwith, high reliability services - and free of the tracking, security and privacy threats, and wasteful resource consumption of the web. I am unaware of providers which support the small internet.).

Wasting resources that other people are paying for is part of the problem with the current Internet. Once JavaScript allowed website creators to pass much of the computational costs of their websites to users, creators were freed of the burdens of running their bloated inefficient code. This meant they could put much more of it on their websites. Of course, those who understand the history of communism could have predicted the effects of JavaScript on the Internet. Thanks to human beings' unwillingness to work without being compensated in proportion to their labour, communism often ends in near starvation. Those who are capable of leaving, do. Unfortunately, the engineers and computer scientists who write the software that runs the Internet are not known for their prescient predictions of economic outcomes based on their keen understanding of historical principles and human nature. As an engineer who has worked shoulder-to-shoulder with computer scientists and engineers for decades, I am qualified to make that criticism. Efficient use of the end user's bandwidth, power and hence money is one of many reasons I have to use networks such as Gemini and Gopher.

The Costs Associated with a Web-Hosting Service

Having only tried one web-hosting company before this year, I consider myself a newbie in this area. Out of pure curiosity, I have window shopped for hosting services in the past, but I have never actually needed one. Unfortunately, with my server out, I had no time to engage in an in-depth comparison between different services. Knowing what I know now, that probably would not have made much of a difference anyway. Better web-hosting deals likely exist, but I can only write about what I know--in this case, my experience with one web-hosting service this Summer.

My experience re-emphasised to me that most web-hosting services charge significantly more than the widely-cited $3 a month. Try $15.99 per month for a month-to-month plan for multiple websites and SSH access. That was for Hostinger, the hosting service I chose. For $3 a month you probably get locked into a one or two-year plan, hosting for only one website, maybe no SSH access, less storage, fewer other features, and most importantly, after the teaser period ends, your monthly cost will likely more than double. If I had chosen a two-year plan, my $15.99 per month cost would have been reduced to $9.99 per month after the 2-year teaser term expired. For that price, one can normally buy a fully-equipped Raspberry Pi every year, pay for the electricity to run it, and have a significant amount of money left over. By my calculations, Hostinger's two-year plan costs more than four times what I pay for equipment and electricity to self-host my websites from home. Note that Hostinger changed its prices and the details of its plans a short time after I opened my account. If I had continued relying on Hostinger for a number of years, I definitely would have been annoyed at being forced to periodically determine which new plan met my needs, especially if I had made the mistake of choosing the wrong one.

Customer Service

Another thing I learned was that when it comes to getting a website up and running on Hostinger, customers on the lower-cost plans are completely on their own. I guess this is what Hostinger means by the red "X" next to "Priority Support" on the web page where it lists the details of the web-hosting plan I chose. Although Hostinger says it has 24/7 support via live chat, I was unable to connect to it. In order to get priority support, customers apparently have to pay $19.99 per month (after teaser rate ends). Fortunately, Hostinger has excellent documentation, but customers who run into problems have no one to call, not even the Ghost Busters. Let me repeat that. Hostinger appears to have zero customer service on its lower-cost "single, "premium", and "business" web-hosting plans. Although I do not know for a fact, from what I have read, I suspect this is now typical of web hosting companies. I wanted to add a link to a 12bytes.org article that touches on this issue, but as luck would have it, the site is largely off line due to problems with its hosting service!

Backups

After setting up an account with Hostinger, the next challenge was backups. The latest backup that I had was from 5 days before the server went off line. That meant DFDN would be missing 5 days of users' posts and comments until I could return home and access them on my Raspberry Pi server. Surprisingly, no one on DFDN complained. Fortunately, I had everything I needed to fully restore the content.

Making backups of everything I put on Hostinger's server was no problem. Since I had SSH access, I could use my normal Linux tar-and-scp method. This was in stark contrast to the experience I had about three years ago with the free hosting service, Byet, which would only let me copy one file at a time off of its server.

Security and DDoS Protection

When it comes to security and DDoS protection, I am not clear on exactly what Hostinger provides. On my home server, I am completely responsible for blocking robots and spammers, so I know exactly what I am blocking and what I am letting through. On Hostinger's server, its sysadmins supposedly do that. Actually, they let many of the robots through that I normally block, especially those coming from other hosting services like Linode, Ponynet, and Hetzner. I was surprised by just how much they let through. This is despite the green check mark next to "Enhanced DDoS Protection" on the details of my plan. I guess technically if a robot is hitting a website thousands of times over a few hours from multiple IP addresses, it may not be considered a DDoS attack if the robot is not trying to deny other people access. But for a slow server with very limited bandwidth, the intention of the robot may not matter. This behaviouwr may affect the performance of the server. Are you getting the impression that the support you actually receive from a web-hosting service depends on the definitions of the vague terms they use, and that you may not understand what they mean until you have perhaps made the mistake of locking yourself into a 2-year plan?

Hostinger's web-hosting service blocks some IP addresses regardless of your wishes. I saw at least one Tor exit node access my Hostinger server, so I assumed Hostinger was not blocking Tor, which is my preference most of the time. Then, one of DFDN's users contacted me to tell me he was unable to access the site via Tor. As far as I could see, Hostinger had no setting for blocking or unblocking Tor, and I had no customer service support to ask about possibly making a change, so I had to tell the user to wait until I brought the Raspberry Pi server back on line. In addition, I had to cross my fingers and hope that the long-term "spammer" who had been periodically "DDoSing" some of my websites with "spam" from over 2000 IP addresses since November did not decide to strike again while I was using Hostinger. I might have had a harder time blocking her, and that was kind of scary. It meant that if I had planned to use Hostinger for more than a few weeks, I might not have been able to let visitors use the wide-open forum on the DFDN or even comment on articles.

To clarify for some who may be offended by my use of the word "DDoSing" in the above paragraph. What do you call an attack that is effectively making a website unusable by flooding it with posts consisting entirely of random words and the attack is coming from over 2000 IP addresses? I don't know of a better way of describing that than as an application layer DDoS attack. But if you would prefer to call it "spam", go ahead.

A few days after moving my websites to Hostinger, a robot originating from a handful of Google LLC IP addresses began reading my latest DFDN article thousands of times over a period of hours. On my home server, that would probably have been blocked automatically. If not, I would simply have added the offending IP addresses to my spam list, and the problem would have been solved. On Hostinger's server, I had to block these IP addresses via the ".htaccess" file, which is not used by either of the web servers with which I had experience. A few days later, I learned to use the same file to block unwanted web-crawling robots by browser user agent.

I am perhaps overly sensitive about robot traffic for a few reasons. First, I self-host from home using a very small upload bandwidth, so robot traffic can delay page loads for human readers. I also try to get as accurate a count as possible of how many human beings are reading articles on the DFDN, and some robots interfere with that. And finally, I do not want to give my ISP any excuse to stop providing me with Internet service or to force me to switch to a higher-priced commercial Internet plan. My guess is that a large amount of robot traffic to my website might be enough to convince my ISP to act if they are already predisposed to be against me. On the other hand, my assumption is that few website owners care about robot traffic on servers that they rent from web-hosting companies because they don't directly see the effect of that traffic on their monthly bills.

Excessive robot traffic is partly a symptom of a larger problem associated with relying on a web-hosting company, which is access to configuration files and the ability to run security software. I had no access to the server configuration files on my Hostinger server. Nor, could I apparently run software that automatically blocked unwanted traffic based on predefined characteristics. In order to access the files that I needed to do a better job of blocking, I assumed (at the time) that I would have had to pay for a more expensive plan. Thanks again to Hostinger's vague terms, I did not know how much I would have had to pay.

A knowledgeable DFDN user pointed out to me that I could have had access to the web server configuration files and run any software I wanted by choosing one of Hostinger's VPS plans. After the end of the teaser period, the rates for these plans run between $7.99 and $49.99 per month with a one year commitment. A VPS is a "virtual machine" and its capabilities are specified more like a piece of hardware--in CPU cores, RAM, and bandwidth. So, why wouldn't someone choose a VPS over one of the other "web-hosting" plans? Perhaps because running a VPS requires more knowledge and administrative work. It is nearly the same as running a home web server, except of course that a VPS costs more than running a Raspberry Pi home server. Given my time constraints, I am not certain I would have chosen a VPS, because it would have taken longer to bring on line. If I had chosen to continue relying on Hostinger's service for several months or even years, I am fairly confident that I would have switched to a VPS.

After my experience with Hostinger, I think I better understand why so many who call themselves self hosters may be resorting to Cloudflare to protect their websites from spammers, hackers, DDOS attacks, and unwanted traffic in general. They lack the control over the web server (and in some cases the knowledge) required to deflect the easier-to-deal-with attacks. This may be part of the reason that when notabug.io was hit by what appeared to be the same spammer using the same robot, notabug.io went down forever, while DFDN merely suffered some minor temporary inconvenience.

A Variety of Lesser Issues

I also discovered that I could no longer reach DFDN via HTTP. I am not certain that Hostinger was at fault, because this could have been caused by my Firefox web browser. If Hostinger was to blame, this meant users with old browsers that do not support modern SSL certificates and encryption suites could not access DFDN while it was hosted on Hostinger. Obviously, this would have been significant for a website that is designed to be accessible from old computers! One possible way of solving this might have been to make DFDN an HTTP-only website by removing its TLS certificate, but that would have meant users with modern browsers would not have had the protection of the HTTPS log-on page. Whether the problem lay with Hostinger or Firefox, I guess this is just one more example of the people who run the Internet being out of touch with the way some of us prefer to use it.

I also realized that visitors to my websites would no longer have the same level of privacy that they enjoyed on my home web server. Hostinger runs its own analytics, which I could not shut off. I have no idea where else that data goes, but I would not be surprised if it is sold to whoever is willing to pay for it. The customers of hosting services really have no way of knowing what happens to any data that may be collected from the traffic to their websites. To what extent HTTPS mitigates this concern is still an open issue in my mind.

A couple of other problems manifested that I had never experienced on my home server. Some visitors' browsers began to complain that my server was not sending the "intermediate" SSL certificate. To my recollection, neither Lighttpd nor Nginx on my home server has ever raised these issues before. I tried entering Let's Encrypt's full chain certificate into Hostinger's user interface, but that did not solve the problem. I had no idea how to proceed, so I decided to ignore the issue until I no longer needed Hostinger's service. But, DFDN users complained, so I tried a second time, and somehow using the full chain certificate worked this time. The other issue on Hostinger's server was that I had no idea how to renew my Let's Encrypt TLS certificates when they expired. I have always done that with software that resides on my home server, and I did not have the permissions required to run it on Hostinger's server. Perhaps I would have figured this out too. Perhaps it would have been easy, but fortunately I was able get my home web server back on line before I had to deal with it.

The next problem occurred three weeks after creating my Hostinger account when I tried to renew it with a second credit card payment. Hostinger told me that it would not accept my payment because it suspected that I was committing fraud. This turned out to be my bank's fault. It is so over-protective that in its infinite wisdom it sometimes refuses to let me buy things on the Internet. I was really annoyed by the fact I had to waste more of my time on the telephone to resolve this. I have no idea how often I would have had to deal with this if I had continued using Hostinger, but I have reached the point of frustration with orgasizations that are apparently not competent enough to accept valid cheques and debit card payments and with banks that feel the need to block perfectly legitimate transactions, especially ones for so little money. The United States (and United Kindom) are not lesser-developed countries, but sometimes US/UK companies and government agencies act like they are. I can image having set up automatic payments to Hostinger and only realising my bank had decided to block one after my website went off line. That will never happen with my home server!

Final Words

After five or six weeks on Hostinger, I was eager to get my Raspberry Pi home server back on line. Renting a web server reminded me of renting an apartment--a nice alternative to owning a home when it's convenient, but you also have the anxiety of dealing with the unpredictable whims of a landlord. I appreciate that Hostinger was there when I needed it, but I would definitely not want to have to rely on it permanently. My own web server is much cheaper to operate, gives me a greater ability to detect and block unwanted robots and spammers than one of Hostinger's non-VPS plans, and ensures more privacy for my websites' visitors. And, I do not have to rely on a service that will not allow me to talk to a human being when a problem arises. On my home server, I am that human being.

At least, I claim to be human. The way freedom on the Internet is deteriorating, I may some day have to prove my humanity to some TLS-certificate-issuing authority. At that point, I may decide instead to move DFDN of the Web and ecluivelyonto some other networks - I already offer Gopher and Gemini after all.. I think the vast majority of more knowledgeable users would likely not have a problem with that decision. Let me take this oportunity to promote these services which, by their nature are inherrently private (they do not even support any tracking technologies!) and are inherrently bandwidth efficient. Which of course brings me to the whole point in running them! Note: Gopher, an old protocol, does not support transport layer security - but the modern Gemini does - in fact, it is an integral part of te Gemini standard.

I have one more piece of advice to offer any readers who may be considering a web-hosting service for their websites. Be sure you do not lock yourself into a one or two year plan until you understand what you are buying. Instead, pay for a month-to-month plan while you test it thoroughly. Then, if meets your needs, switch to a one or two year plan. Also, be sure you understand the differences between a VPS plan and a "web-hosting" plan.

If you have found this article worthwhile, please share it on your favorite social media.

You can find me on Gopher here.

And if you are reading this you are on gemini already (or usng a Gemini-HTTP gateway) - I personally endorse the Lagrange Gemini client - which in addition, supports Gopher and Finger) from the link below - and other goodies- including other clients, free software and beta apps for Android, too.

David

https://dfdn.info/downloads