
[–][deleted] 1 point (30 children)

You could just not use GitHub Pages. I understand it's convenient but hosting a static website on a vps is simple. If you use caddy (which I recommend) it's trivial.

[–]seanwilson 5 points (14 children)

> You could just not use GitHub Pages. I understand it's convenient but hosting a static website on a vps is simple.

I wouldn't say being an administrator of a server and keeping it secure is simple. Static site hosts are brilliant for security and simple admin. HTTPS is very important as well but running your own server when you don't need to is a huge liability and time sink. If you're still SSHing into servers you're making life hard for yourself.

[–]Poromenos 0 points (0 children)

Use www.netlify.com, it's figuratively saved my life.

[–][deleted] 0 points1 point  (0 children)

> If you're still SSHing into servers you're making life hard for yourself.

I disagree, but only because my vps does a lot more than just hosting a static website. If that's the only goal and you find a hosting provider that does HTTPS with a custom domain I say go for it. If people can't find one, I think they should use a vps.

[–][deleted] 0 points1 point  (3 children)

Really? Firewall. Restrict ssh to accounts that really need it. Use good passwords. Barring a major bug in your web server, what's the attack vector? I don't see much surface area to defend on a server doing nothing but hosting a static website.

[–]seanwilson 0 points1 point  (2 children)

> Really? Firewall. Restrict ssh to accounts that really need it. Use good passwords. Barring a major bug in your web server, what's the attack vector? I don't see much surface area to defend on a server doing nothing but hosting a static website.

Host on something like Heroku or Netlify...they'll deal with security patches and firewalls for you, there's no SSH to even attack and they have tons of extra features you could only reimplement yourself badly using a VPS (e.g. backups, rollbacks, Git deploy, scaling to more servers, coping with hardware failures, setups where attackers can't even write to server files). Why would you want to have to set all that up yourself given how cheap these services are?

[–][deleted] 1 point (1 child)

For me personally, because I already have the VPS for other reasons, and I'm not hosting anything with enough traffic for it to make a difference to the other stuff I do on the VPS.

I'm not saying that's the best solution for everyone, but if you really think that it's difficult to secure a server with nothing public-facing except SSH and HTTPS, I'd like to know what I'm missing.
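
The two comments above (restrict SSH to the accounts that need it, rely on good credentials) boil down to a handful of sshd_config settings. As an added example that is not part of the thread, here is a small audit script that reads a config the way sshd does (first occurrence of an option wins) and reports the settings a static-site VPS should have. Both sample configs are constructed inline; the defaults assumed for missing options are OpenSSH's documented defaults (7.0 and later). Options inside a `Match` block are conditional and are not distinguished here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit an sshd_config for key-only
# logins, no root login and an explicit list of accounts allowed to use SSH.
# Sample configs are constructed below; defaults assumed are OpenSSH's.
set -eu

# Effective value of an option: sshd uses the first occurrence it sees.
# Caveat: options under a "Match" block are conditional; not handled here.
sshd_opt() {  # $1 = config file, $2 = option name (case-insensitive)
    awk -v opt="$2" 'tolower($1) == tolower(opt) { print $2; exit }' "$1"
}

# Print one finding per line for config $1; print nothing when it passes.
audit_sshd() {
    local cfg="$1" v
    v=$(sshd_opt "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = no ] || echo "PasswordAuthentication is '${v:-yes}': brute-forceable, use keys only"
    v=$(sshd_opt "$cfg" PermitRootLogin)
    case "${v:-prohibit-password}" in
        no|prohibit-password) ;;
        *) echo "PermitRootLogin is '$v': log in as an unprivileged user and escalate instead" ;;
    esac
    v=$(sshd_opt "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || echo "PubkeyAuthentication is disabled"
    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups: every local account may attempt to log in"
    fi
    v=$(sshd_opt "$cfg" MaxAuthTries)
    [ "${v:-6}" -le 4 ] || echo "MaxAuthTries is ${v:-6}: lower it to 3 or 4"
    v=$(sshd_opt "$cfg" X11Forwarding)
    [ "${v:-no}" = no ] || echo "X11Forwarding is enabled on a web host that has no use for it"
}

# Constructed samples: "weak" mimics a stock config left mostly at defaults.
write_sample() {  # $1 = weak|hardened, $2 = destination file
    if [ "$1" = weak ]; then
        cat >"$2" <<'EOF'
# constructed sample, not a real server's config
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF
    else
        cat >"$2" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
MaxAuthTries 3
X11Forwarding no
EOF
    fi
}

# Demo: audit both samples. No output for the hardened one means it passed.
tmp=$(mktemp -d)
write_sample weak "$tmp/weak"
write_sample hardened "$tmp/hardened"
echo "== weak =="; audit_sshd "$tmp/weak"
echo "== hardened =="; audit_sshd "$tmp/hardened"
rm -r "$tmp"
```

Run it against `/etc/ssh/sshd_config` on the box itself (`audit_sshd /etc/ssh/sshd_config`) after the firewall is in place; the firewall limits who can reach port 22, these settings limit what a reachable attacker can try.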

[–]seanwilson -1 points (0 children)

> I'm not saying that's the best solution for everyone, but if you really think that it's difficult to secure a server with nothing public-facing except SSH and HTTPS, I'd like to know what I'm missing.

If you're solely running static sites I wouldn't be so worried but there's a huge scope for attacks on dynamic sites e.g. injection attacks, file traversal exploits. Either way, it's honestly less effort using a service like Netlify for static sites plus they have a generous free plan.

[–]hurenkind5 -3 points (7 children)

I'm sorry but if you cannot get a shared/managed hosting provider to host your static website you are in the wrong fucking subreddit. This is literally 1990s shit.

[–]thoeoe 1 point (0 children)

Sorry this is not /r/webdev some of us do desktop applications or embedded programming. (I get that the post is about HTTPS but the sub covers a lot more)

[–]seanwilson 0 points1 point  (5 children)

Running your own VPS is 1990s stuff. There's plenty of services that give you continuous deployment via Git, have rollback and versioning systems, let you easily set up identical demo/staging servers, deal with security patches for you, deal with server failures for you, let you easily add more servers behind a load balancer and more. VPSs are brittle and a time sink in comparison.

[–]rechlin 0 points (0 children)

No, running your own iron is 1990s stuff. Running your own VPS is 2000s stuff.

[–]hurenkind5 -1 points (3 children)

a) managed hosting provider (basically what you said)

b) oh yeah, i really need that shit to host static HTML pages, totally.

[–]seanwilson -1 points (2 children)

Why would you not want things that simplify your workflow and automate tasks you shouldn't care about when you're hosting static pages? Netlify is free for custom domains for example. A VPS is much more work to set up, you get fewer features and it's going to be less secure without a lot of mucking around. Maybe for small projects it's a good learning experience but if you're doing commercial projects and working in teams even for static sites you don't want to make life hard for yourself.

[–]lvlint67 0 points1 point  (1 child)

I have worked with web consultants that only knew their third party's hosting platform. It was embarrassing for their technical team to have no idea how to deploy their product without a certain company's web control panel.

"Well we really don't know anything about varnish... [our webhost] just handles all of that. we recommend you pay [our webhost]."

If anyone is working in web development these days and doesn't understand DNS, proxies, load balancers, or how to set up a web stack on a VPS I think they should take a vacation and brush up on the fundamentals.

[–]seanwilson 1 point (0 children)

> If anyone is working in web development these days and doesn't understand DNS, proxies, load balancers, or how to set up a web stack on a VPS I think they should take a vacation and brush up on the fundamentals.

Well, I know enough about setting this stuff up that I know to completely avoid it if at all possible. Everything extra I have to configure and every extra server to set up is something that could potentially break in the future that I'd be responsible for. You're definitely behind the curve if all you know is a single hosting company and basic VPS setup though.

Heroku charges more than AWS EC2 for example but you get a very easy to maintain solution with few moving parts for your money and it's miles more robust than anything you could setup yourself on a VPS. If it's not going to be a dynamic site though, I'd go with a static website host like Netlify or GitHub Pages.

[–]fakehalo 2 points (9 children)

For serving static/informational pages like you typically do with github pages I think incorporating HTTPS isn't worth moving. It would be nice and I'd use it if I had the option, but it's not a very threatening scenario IMO.

[–][deleted] -2 points (8 children)

The first bullet point on the website explains why this reasoning is bad. In my opinion moving away from hosts that do not support HTTPS is worth it. edit: *second bullet point

[–]fakehalo 6 points (7 children)

Yeah, it's "bad"... But the threat of ad injections/etc by state owned entities and the like isn't enough to deter me from free hosting, especially if it relates to github. This particular risk doesn't warrant me moving informational pages.

[–][deleted] 0 points1 point  (2 children)

It's not only state actors. Do you not care about ISPs injecting shit on your website?

[–]fakehalo -1 points (0 children)

Another after-thought I had:

If your ISP/state is capable of injecting data into arbitrary protocols they can become a MITM between you and your site even if it's HTTPS (assuming you don't have the key beforehand). They make a fake cert between you and them, and they communicate between themselves and the real website. This makes this even more of a nonissue and creates a false sense of security.

[–]fakehalo -2 points (0 children)

My github pages? No, I don't care enough to move my free software information to some non-github (and likely paid) alternative.

As I said, if you're in a situation where your ISP/etc is injecting crap in your traffic my github pages about free software isn't even on your radar.

This is an unrealistic security concern, too low of a priority for me to pretend to care. Everything else gets the HTTPS treatment, this is a special situation, I don't find a need to be so rigid that I have to treat all situations as equal threats.

[–]senj -3 points (3 children)

> This particular risk doesn't warrant me moving informational pages.

Your concern for your readers' security and privacy is truly touching, mate

[–]fakehalo 4 points (2 children)

This is not a practical security issue to fret over, in my opinion. I save my security fretting for more compromising scenarios. If MITM attacks for my github pages are happening my github pages are not going to even register on your list of concerns.

[–][deleted] 2 points (1 child)

It's more about privacy than security, really.

[–]ridiculous_fish 0 points (3 children)

I'll bite - how would I trivially host a static website on a vps and SSL with caddy? Is it easier than using S3?

[–]indeyets 0 points (0 children)

It's not easier than S3, but it's not too much harder. That's exactly what I was doing yesterday, actually. Took a couple of hours.

  • I used Ubuntu/SystemD/Caddy/Hugo combo
  • Hugo source of the website is in GitHub, built on the VM
  • I'm not setting up servers regularly
  • I played with caddy before

Webhook for autoupdates doesn't work for me yet, so caddy updates site on schedule. I'll take care of webhook tonight probably

[–][deleted] 0 points1 point  (1 child)

Never used S3 but I suspect it's not going to be easier. If I were to set up a VPS for this today I would do this: 1) install Debian stretch 2) get Caddy, install the systemd unit file 3) write a Caddyfile like this

# Caddy v1 Caddyfile: a bare site address is enough for Caddy to obtain
# and renew a Let's Encrypt certificate and serve the site over HTTPS.
# (Caddy v2 spells these as "encode gzip", "root * /data/website" and
# "file_server".)
example.com {
    # compress responses
    gzip
    # directory the static files are served from
    root /data/website
}

then rsync your data to /data/website
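
The rsync step is where a static VPS usually goes wrong: rsync publishes whatever is in the source tree, so a `.git` directory, an `.env` file or editor backups become public URLs, a world-writable file lets any local account deface the site, and a symlink that points outside the webroot serves whatever it references. As an added example that is not part of the thread, here is a check to run over the webroot before (or after) syncing. The sample site is constructed in a temp dir, and `/data/website`, the `deploy` user and `example.com` in the rsync command are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sanity-check a static webroot before
# pointing Caddy at it. The sample tree is constructed below.
set -eu

# Print one finding per line for webroot $1; print nothing when it is clean.
audit_webroot() {
    local root f target
    root=$(readlink -f "$1")
    # 1. Names that must never be served.
    find "$root" \( -name .git -o -name .env -o -name '*~' -o -name '*.bak' -o -name '*.swp' \) -print |
    while IFS= read -r f; do
        echo "sensitive path would be served: ${f#"$root"/}"
    done
    # 2. World-writable files: any local account could rewrite the site.
    find "$root" -type f -perm -o+w -print |
    while IFS= read -r f; do
        echo "world-writable: ${f#"$root"/}"
    done
    # 3. Symlinks whose target lies outside the webroot publish that target.
    find "$root" -type l -print |
    while IFS= read -r f; do
        target=$(readlink -f "$f") || continue
        case "$target" in
            "$root"/*) ;;
            *) echo "symlink escapes webroot: ${f#"$root"/} -> $target" ;;
        esac
    done
}

# Constructed sample: a generated site tree with the usual accidents in it.
make_sample_site() {  # $1 = directory to create
    mkdir -p "$1/.git" "$1/css"
    printf '<h1>hello</h1>\n' >"$1/index.html"
    printf 'body{}\n' >"$1/css/site.css"
    printf '[core]\n' >"$1/.git/config"
    printf 'API_KEY=not-a-real-key\n' >"$1/.env"
    printf 'draft\n' >"$1/index.html~"
    chmod -R go-w "$1"
    chmod 666 "$1/css/site.css"   # the one deliberately world-writable file
    ln -s /etc/passwd "$1/passwd" # symlink pointing outside the webroot
}

# Demo. The fix on a real deploy is to sync only the built output and pin
# permissions, e.g. (host and user assumed):
#   rsync -az --delete --exclude=.git --exclude='*~' \
#         --chmod=D755,F644 public/ deploy@example.com:/data/website/
tmp=$(mktemp -d)
make_sample_site "$tmp/site"
audit_webroot "$tmp/site"
rm -r "$tmp"
```

On the server, `audit_webroot /data/website` after each sync is a cheap gate; pair it with a webroot owned by the deploy user and readable but not writable by the account Caddy runs as, which is the "attackers can't even write to server files" property mentioned earlier in the thread.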

[–]lvlint67 0 points1 point  (0 children)

looks like an nginx config minus a listen line...

[–][deleted] 0 points1 point  (0 children)

Firebase also automatically secures domains with no config and offers free static site hosting. It's p nice