Best way to deploy HTTPS and FTP servers

lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1653
Location: WV, USA

Posted: Tue Jul 16, 2024 4:57    Post subject: Best way to deploy HTTPS and FTP servers
I have so many spare dd-wrt routers and Lenovo servers. I want to make one of these into an HTTP and FTP server (but not today). Maybe even with video streaming too. I have a static IP but no actual domain right now, but would get one if I deem there is a secure way to do this.

I absolutely hate the idea of putting any part of my LAN on the world wide web. There is simply no way to keep it 100% safe, I know that.

Is putting it on a DMZ the best option and let it fight for itself? Maybe doing a VLAN with proper iptables rules? I just am not sure which is best and most secure as there are a plethora of options I think (including Cloudflare).

Opinions?

_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: WDS-AP, VLANs, Samba, WG, Entware - r58662
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk - r58662
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r58662
- Linksys MX4300 (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r58662
- Linksys MR7350: Testing r58662
- Linksys Velop WHW03v1 x2: OpenWRT w/GRETAP tunnel for VLANs on VAPs
- OSes: Fedora 39, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.

- Forum member #248
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9354

Posted: Tue Jul 16, 2024 14:48
Depends on your audience.

If it's just for YOU and your trusted family and friends, then establish your own VPN server on the LAN. Cloudflare will work too, but it's probably overkill, and unnecessarily introduces a third-party. You might also limit access by VPN clients to specific LAN ips and ports via the firewall just as a precaution.

OTOH, if it's for the wider public at large, then use Cloudflare. Now your public IP remains hidden (static or dynamic, doesn't matter). You're protected against DDOS attacks. You can add additional layers of authentication and geo blocking w/ little effort.

Of course, if you're behind CGNAT, then Cloudflare becomes a necessity, regardless of the above two scenarios. Not unless you're prepared to roll your own VPS solution.

BTW, if you do expose the router's http/s and ftp services for the wider public, I'm not so sure it's a good idea given the questionable quality of their respective implementations. Like most services on the router, they've been hacked, modified, and crippled to make them just barely suitable for LAN side access (where trust is assumed), NOT the internet at large.

_________________
ddwrt-bind-static-routes-to-wan.sh (UPDATED! 11/12/24) * ddwrt-blacklist-domains.sh * ddwrt-dns-monitor.sh * ddwrt-ovpn-client-backup.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-server-watchdog.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-split-basic.sh * ddwrt-mount-usb-drives.sh * ddwrt-wol-port-forward.sh
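
The firewall precaution suggested in the reply above (limiting VPN clients to specific LAN IPs and ports), sketched as an added example that is not part of the thread or of anyone's posted scripts. The interface names `tun2` and `br0`, the chain name `VPN_LAN`, the server address and the passive FTP port range are all assumptions.

```shell
#!/bin/sh
# Added example: print iptables rules that let VPN clients reach only an
# allow-list of LAN services. Interface names, chain name, addresses and
# ports are assumptions; adjust them to your own setup.
VPN_IF="${VPN_IF:-tun2}"   # assumed VPN server interface
LAN_IF="${LAN_IF:-br0}"    # assumed LAN bridge
CHAIN="VPN_LAN"            # hypothetical chain name

# valid_entry "ip,proto,port[:port]" -> 0 if well-formed, 1 otherwise
valid_entry() {
    case "$1" in *,*,*) ;; *) return 1 ;; esac
    ip=${1%%,*}; rest=${1#*,}; proto=${rest%%,*}; port=${rest#*,}
    case "$ip" in *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;; esac
    case "$ip" in *.*.*.*) ;; *) return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ""|*[!0-9:]*|:*|*:|*:*:*) return 1 ;; esac
    return 0
}

# gen_rules ENTRY... -> prints the rule set. Returns 1 and prints nothing
# if any entry is malformed, so a typo never yields a half-open policy.
gen_rules() {
    for e in "$@"; do
        valid_entry "$e" || { echo "bad entry: $e" >&2; return 1; }
    done
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # Replies to connections the LAN side opened towards a VPN client
    echo "iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for e in "$@"; do
        ip=${e%%,*}; rest=${e#*,}; proto=${rest%%,*}; port=${rest#*,}
        echo "iptables -A $CHAIN -d $ip -p $proto --dport $port -j ACCEPT"
    done
    # Everything else from the VPN towards the LAN is dropped
    echo "iptables -A $CHAIN -j DROP"
    # Remove any old jump, then put the jump at the top of FORWARD
    echo "iptables -D FORWARD -i $VPN_IF -o $LAN_IF -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD -i $VPN_IF -o $LAN_IF -j $CHAIN"
}

# Constructed sample: HTTPS, FTP control, and an assumed passive FTP range
gen_rules "192.168.1.50,tcp,443" "192.168.1.50,tcp,21" \
          "192.168.1.50,tcp,50000:50100"
```

The script only prints the rules; review the output before placing it in the router's firewall script.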
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1653
Location: WV, USA

Posted: Tue Jul 16, 2024 15:31
First, thank you for your reply and advice.

This would not be for wide public access. Mostly just family/friends. I am not behind a CGNAT and presently subscribe to a ddns service even though I have a static IP. My ISP switched everyone over to static IPs around 3 mos ago.

If I were to do this on an old router, I would use Entware for both the https and ftp servers. I would not use the built in ones for sure but I will probably just use one of my many Lenovo servers running Fedora or some RHEL spinoff such as Oracle.

I am not planning to do this real soon, probably this Fall/Winter. Just wanting some advance preparation for it. Presently I am concentrating on a full rebuild of my 45 year old Pioneer SX-780 receiver which died this past weekend. Ugh!

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15205
Location: Texas, USA

Posted: Tue Jul 16, 2024 16:29
I am currently looking into this myself. Simply to provide an un-censored resource. Seems that gmail, gsuite, et al are not too keen on certain content or email addresses.
<off-topic>
lexridge wrote:
Presently I am concentrating on a full rebuild of my 45 year old Pioneer SX-780 receiver which died this past weekend. Ugh!

Radio Shack / Realistic had a similar unit way back when. Love old stereo hardware, but if I had any, my neighbors wouldn't love it as much as I do.
</off-topic>

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 1653
Location: WV, USA

Posted: Tue Jul 16, 2024 17:30
Oh yeah, an email server would also be a huge plus! I have been trying like hell to de-Google myself as best as possible, even 100% switching to duckduckgo nearly a year ago on all my computers and phone. Google still mostly controls the phone however, no way around that really without flashing a de-googled ROM to it. I don't do Apple either!

<off-topic>
Re: Old stereo equipment. Hoping to fix this SX-780 sooner than later. I have had the rebuild kit for it for nearly 18 months because I KNEW it would fail sooner or later, just because of the age and capacitors just don't have the best of life. I am also going to replace the Darlington power packs with modern replacements which are cleaner and slightly higher output (50 watts vs 45 watts p/c). I don't have to worry about neighbors. This amp is both louder and cleaner than my modern Onkyo which is rated at 120watts p/c. The difference between Class A and Class D amps I guess....and beautiful old build quality.

I believe many of the late 70s Radio Shack receivers were built by either Technics or NEC, depending on the model. Good stuff too, as was the JCP MCS series.
