A howto guide on setting up a simple and secure blog server using haproxy to serve https, hugo to serve the website, cerbot to generate the tls certificate, and crowdsec for defense
This is my first post on my new site, I hope someone finds it helpful!
Another thing you could check out is Caddy, comes with a lot of stuff onboard and has an optional crowdsec module (though I should point out that I never used that module myself so I can’t make guarantees how well it works) https://caddyserver.com/
Awesome it is good to see the bearblog getting some love. Just to keep it short mostly. I was debating adding another article continuing this one using nginx for that part. I could add a section to this one though. Or would you use something other than nginx, I'm open to suggestions. I checked yours out, it's a bit snappier than mine :) . What are you running?
I'd love to see more on something like Envoy as the reverse proxy. I tend to think of reverse proxies in "generations":
Apache and Friends
Nginx and Buddies
HAProxy and Pals
Envoy and Associates
I'm rather familiar with 0-2 from my previous work. It's really a pity, to me, that nginx is favored so heavily over HAProxy as in all perf and HA testing that I've done has resulted in nginx being left in the dust. The benchmarks that I've seen for Envoy show similar standings. I just haven't spent the time yet to get familiar with it.
I use CI to compile the page and add it to nginx, which I then build into a docker container. Once it's finished, I deploy it to my server and it gets served by traefik.
That's another thing I was curious about. Is there a reason why you didn't use docker?
You mentioned in another comment, that you used snap, because it is used in the official certbot instructions. Did you intend this to be 100% faithful to official docs?
My site is on a rented server at digital ocean. Some providers do more or less to protect you themselves though. I don't think digital ocean does much monitoring or protecting, I've had servers on there compromised in the past that would have been caught by my current setup. It can't hurt in any case.
I also run crowdsec on my home setup but I don't have any open ports at home and never get alerts. I had suricata running and plugged into crowdsec as well so it would handle blocking for both, but suricata never got to get any action with crowdsec blocking malicious activity, so I disabled it to save resources.
I don't mean about relying on the protection from these providers. I am talking about the inherent increased security of hosting on a server that's on a different network than your local network.