The infrastructure behind this blog, aka my sysadmin playground

Quick note: As a pentester, I know it is considered bad practice to give out information about the software and hardware stack of your applications. This is precisely what I am doing here :D I am quite confident in the security of my setup, which is why I feel comfortable sharing it here. Also, I think it can be interesting to see how I went from 0 to self-hosting my website and other applications.

Motivation

This project was driven by multiple aspects:

  1. I am really bad at system administration. But before this project started, I was even worse! I wanted to learn more about system administration, and be able to host my website. I thought it would be a fun way to improve, and it turned out I was right :) This is also why I chose to buy a Raspberry Pi, instead of using a VPS.
  2. Many times in CTF challenges, you have to host something on your machine, or get the server to connect to you. This can of course be done with tools like RequestBin and ngrok, but I wanted to have my own infrastructure to be more flexible (for instance, with the ngrok free plan, you can only have one connection open at a time).

The hardware setup

The hardware setup is pretty simple: my ISP router is connected to fiber optics. My Raspberry Pi is connected to the router via an Ethernet cable, and two 5TB hard disks are plugged into my Raspberry Pi for storage redundancy.

The software setup

The domain

I have to admit that I went for the easy choice here: I was familiar with Google Domains from a school project, so I bought bluesheet.fr there for $10 a year. I then proceeded to set up multiple subdomains for the applications I was planning to host.

The applications: Docker and docker-compose

This website

I developed this website from scratch, using Flask. The back-end development was quick as this website does not offer very advanced features. However, the front-end development was a bit of a pain for me, as I am far from a web designer! Also, I had to learn how to render and style markdown documents into web pages. Finally, I made sure to Dockerize the application following Docker best practices in terms of security (do not run as the root user, ...) as well as web security best practices (disable debug mode in the web server, do not leak information in HTTP headers, ...). This was a cool project, as it taught me a lot about web and infrastructure security, from a developer's point of view.

The other applications I host

The other applications I host (mainly a Visual Studio web interface) are simply Docker images that I pull from the Docker Hub. I always write a docker-compose file on top of them (to add Traefik labels, see below), as well as a Makefile to quickly start, stop and update the Docker images.

The network

This is where the magic happens: I use Traefik, a reverse proxy that integrates natively with Docker. When instantiating a Docker container, I add labels to the instance, describing the hostname of the container, the port it listens on, the protocol, etc. Traefik detects these labels, and sets up the routing accordingly. For instance, the Docker container for this website accepts traffic coming from port 443, with the Host header matching bluesheet.fr or www.bluesheet.fr. It then redirects the www.bluesheet.fr traffic to bluesheet.fr, for SEO purposes, and makes sure that classic security headers are added to each response. All of that is handled by Traefik, and ruled by Traefik labels!
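To make the label-driven setup concrete, here is a docker-compose file written for this post as an added example; it is not the blog's own configuration. It puts together the three things described above: a Traefik service that only publishes containers carrying labels, the website container hardened the way the Dockerize paragraph describes (non-root user, read-only filesystem, dropped capabilities, debug mode off), and the Traefik labels that route `bluesheet.fr` / `www.bluesheet.fr` over port 443, redirect www to the apex, and add security headers. The Traefik v2 option names are real; the website listening on port 8000, the UID 1000, the `website` build directory, the Let's Encrypt resolver and the `admin@example.com` address are assumptions for the example.

```yaml
# Added example, not the blog's own config. Assumes Traefik v2, a Flask image
# built from ./website that listens on 8000 and runs fine as UID 1000.
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      # Only containers that opt in with traefik.enable=true get published.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Everything on :80 is bounced to HTTPS.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Assumed: certificates from Let's Encrypt via the TLS-ALPN challenge.
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only socket: Traefik only needs to watch container events.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks:
      - proxy

  website:
    build: ./website            # assumed Flask image, gunicorn on :8000
    user: "1000:1000"           # do not run as root (assumed UID)
    read_only: true             # immutable root filesystem
    tmpfs:
      - /tmp                    # scratch space Flask/gunicorn may need
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    environment:
      FLASK_DEBUG: "0"          # debug mode off in production
    networks:
      - proxy
    labels:
      - 'traefik.enable=true'
      # Router: HTTPS only, both hostnames, cert from the resolver above.
      - 'traefik.http.routers.website.rule=Host(`bluesheet.fr`) || Host(`www.bluesheet.fr`)'
      - 'traefik.http.routers.website.entrypoints=websecure'
      - 'traefik.http.routers.website.tls.certresolver=le'
      - 'traefik.http.services.website.loadbalancer.server.port=8000'
      # Middleware 1: permanent redirect www -> apex ($$ escapes $ for compose).
      - 'traefik.http.middlewares.www-to-apex.redirectregex.regex=^https://www\.bluesheet\.fr/(.*)'
      - 'traefik.http.middlewares.www-to-apex.redirectregex.replacement=https://bluesheet.fr/$${1}'
      - 'traefik.http.middlewares.www-to-apex.redirectregex.permanent=true'
      # Middleware 2: classic security headers on every response.
      - 'traefik.http.middlewares.sec-headers.headers.stsSeconds=31536000'
      - 'traefik.http.middlewares.sec-headers.headers.stsIncludeSubdomains=true'
      - 'traefik.http.middlewares.sec-headers.headers.contentTypeNosniff=true'
      - 'traefik.http.middlewares.sec-headers.headers.frameDeny=true'
      - 'traefik.http.middlewares.sec-headers.headers.referrerPolicy=strict-origin-when-cross-origin'
      # Attach both middlewares to the router, in order.
      - 'traefik.http.routers.website.middlewares=www-to-apex,sec-headers'

networks:
  proxy:
```

Two details worth checking on your own setup: `exposedbydefault=false` means a container you forget to label simply stays unreachable from outside, which is the safe failure mode; and mounting the Docker socket, even read-only, still gives Traefik visibility into every container on the host, so it is the one service in this file that deserves to be kept on a pinned image and updated promptly.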

The future?

I really want to learn about Kubernetes and load-balancing. This is probably the next thing I will try to incorporate in my small infrastructure, making it a cluster.