Hosting your own web server at home isn’t for everyone, but I’ve been doing it for the better part of two decades now. I think it’s good operational experience. My stories of running my own web server get mixed reactions at work, but some people certainly take interest in my experience dealing with it, especially since such stories tend to be rare from a security professional. I think hosting my own web server helps me stay in touch with the rest of the IT world.
The upside of hosting your own web server at home is that you can throw more disk space and RAM at your system than you could if you were buying a virtual host. Do I need 128 GB of SSD space, four cores, and 16 GB of RAM? Not at the moment. But every server I’ve built was overkill for its day, and I outgrew three generations of servers. I like to overbuild them a bit to extend their useful lifespan.
There are some caveats to running your own server vs web hosting via a VPS or some other datacenter-based option owned by someone else. If your ISP doesn’t allow it, your Internet connection is slow or unreliable, or your electric power is unreliable, you’ll have downtime. You’re also mostly on your own for tech support.
But if you’re an IT professional and you like to learn, hosting your own web server at home is a fantastic learning experience.
The first really big caveat is to make sure your ISP allows you to run a server. AT&T doesn’t care what you do with your DSL, U-Verse, or Fiber line, except they block port 25 so you can’t spam. They were fine with me running webservers on ports 443 and 80. The workaround for e-mail alerts was to install a plugin that allowed WordPress to use my Gmail account.
Charter Spectrum doesn’t allow servers on residential lines, period. They do allow it on a business subscription. With a business subscription, I haven’t run up against any port limitations. I need port 80, port 443, port 25, and sometimes port 22. All of those are open.
You also want a fast-enough upstream connection. The faster your connection, the better search rankings you get. The upstream speeds on non-fiber options in my neighborhood are pretty anemic. I’ve noticed a bump in my traffic after upgrading to higher speeds. Hosting your own server is one possible justification for splurging on gigabit Internet.
The other big caveat with hosting yourself is downtime. An hourlong outage at 2am doesn’t affect much, at least not for me. A four-hour outage on a weekday afternoon is devastating.
I don’t get as many power outages as I used to get, but brief outages or brownouts are definitely a normal part of life in St. Louis in the summertime. Having a UPS on your web server is a must. Get one that has a replaceable battery to control your costs in the long run.
The other thing to look out for is your upload speed. Typically your download speed will be much faster than your upload speed. Upload speed is what your web server needs. So, assuming you have a choice of ISPs, pick the one with the faster upload speed, even if it means getting a slower download speed.
If you don’t have a static IP address, you can use a dynamic DNS provider. These used to be free but usually cost money these days. I’ve been using Dyn.com for years. If you have or prefer to get a static IP address, expect your monthly fee to increase a bit, but then you can register a domain name against that address and have a more conventional something-dot-com or something-dot-net address.
I run Linux, for several reasons. First, having operational Linux experience is good for your career. Even places that officially are Microsoft shops can’t escape having some Linux or Unix in their environment. Second, Linux is free. I know Windows better than Linux, but a Windows Server license costs $1,000 and is good for about 10 years. When you’re running a personal blog, that thousand bucks is a significant expense. Third, WordPress runs better on Apache and PHP, and while Apache and PHP run on Windows, why not run them on their native platform?
All of this runs just fine on a Mac, of course, but I don’t see much reason to tie up an expensive piece of hardware. Linux will run happily on very inexpensive and very efficient PC hardware, so it makes sense to take advantage of it.
Besides, you can just download a free server appliance from Turnkey Linux and be up and running in minutes just by answering a few questions. Turnkey Linux makes it easy to set up your own web hosting server. If WordPress isn’t what you’re after, look at the dozens of other appliances they have. They may have a ready-to-go solution for whatever you want to run. If not, just download one of their more generic setups and build from there.
I do think it’s good practice to install Apache, PHP and MySQL and set them up and get them talking to each other. It’s a good skill to have. Do it at least once. But when you don’t have the luxury of time, using an appliance is nice.
When you have a computer running 24×7 with little idle time, you’ll notice it on your electric bill. My current iteration runs on an Asrock Q1900M motherboard, which has a 4-core low-power Intel J1900 CPU. It handles my traffic well, much better than I expected. I’d rather have something based on an Intel J4205 CPU, such as an Asrock J4205-ITX. But the Asrock Q1900M is quite a bit less expensive and has expansion slots, so I can plug server-grade network cards into it rather than living with the cheap built-in RTL8168. Secondhand Intel or Broadcom PCIe NICs often cost less than $10. There are some advantages to an Intel card over a Realtek.
Use an SSD, of course, for better speed, reliability and life expectancy. Also use high quality memory, for stability.
You can get actual server hardware fairly cheaply. By that I mean you can get an off-lease rackmount server intended for a datacenter. But they’re loud and take up a lot of space. You can get an off-lease business-class desktop pretty cheaply too and slap an SSD in it. But if you’re comfortable with building your own PC, I think using a recent motherboard based on an Intel J-series CPU ends up being cheaper in the long run due to lower power usage. And it’s not very hard to slap a Q1900M into a chassis, plug in the power, plug in memory, a NIC, and an SSD, and close the lid. I built hundreds of PCs in my 20s, so I can do it in my sleep. Even if you haven’t, the project should take less than 30 minutes.
The other upside to going the Intel J-series route is that 1-2 fans are more than adequate to keep the system cool, so your basement doesn’t sound like an airport.
Of course, going virtual is an option. Any desktop computer worth having can handle the requirements of a personal blog without really feeling much impact. The downside of going virtual is that you have to keep both the host OS and the guest OS up to date, so that’s two series of downtime every month. If the host OS is Linux that’s not so bad since Linux tends to update and reboot pretty fast and you may only have to reboot a few times a year, but if the host OS is Windows, your system will have a few minutes of downtime every month. Major updates can take longer than that.
For these reasons, I haven’t been able to talk myself into going virtual yet. I could update one machine in the house, move the webserver to it, then update the other one, then move the server back. But it’s less work to just dedicate some hardware to it.
The next step is opening up your web server to the Internet. Configure your router to forward port 80 and port 443 to your web server’s IP address, which you can find with the command ifconfig eth0 from your web server.
Of course, you also need to work with your domain registrar to move your DNS record to your new static address, or point your dynamic DNS at your home address if it’s not static. Most routers have a client built in, or you can run a dynamic DNS client from any of the computers on your home network.
I only open port 22 from the outside if I’m traveling and need to get in, which is very rare. Don’t connect to your admin pages from outside home unless you have HTTPS enabled.
I also enable automatic upgrades on my Turnkey Linux machine at the OS level, and automatic updates on WordPress.
I also recommend you get an SSL certificate. It’s free now, you know, and not difficult. And here’s why serving up HTTPS web pages matters. Setting up SSL is another good skill to have.
I don’t recommend putting the server in your router’s DMZ, as that exposes it to everything. If you want to section it off from your home network, use a VLAN, or put your home network behind a second router plugged into your main router and plug the server into the main router.
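The exposure rules in the paragraphs above (forward only ports 80 and 443, keep 22 closed unless traveling, stay out of the DMZ) can be checked from the server itself. This is an added example, not part of the original post: it parses `ss -H -tln` output and reports every TCP listener that is reachable from the network on a port outside an allow-list. The function names, the ALLOWED_PORTS variable and the sample listener table are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# ALLOWED_PORTS is an assumption: the two ports the post forwards at the router.
ALLOWED_PORTS="${ALLOWED_PORTS:-80 443}"

# Reads `ss -H -tln` style lines on stdin and prints "port address" for each
# listener that is bound to a non-loopback address and not in ALLOWED_PORTS.
unexpected_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/^.*:/, "", port)      # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
      # Loopback-only services (for example a local MySQL) are not exposed.
      if (addr ~ /^127\./ || addr == "[::1]") next
      if (!(port in ok)) print port, addr
    }' | sort -u
}

# Constructed sample of `ss -H -tln` output (not captured from a real host):
# SSH and SMTP listen on every interface, MySQL only on loopback.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128   0.0.0.0:22    0.0.0.0:*
LISTEN 0 511         *:80          *:*
LISTEN 0 511         *:443         *:*
LISTEN 0 80  127.0.0.1:3306  0.0.0.0:*
LISTEN 0 128      [::]:22       [::]:*
LISTEN 0 100   0.0.0.0:25    0.0.0.0:*
EOF
}

# With --live, audit this host; otherwise run on the constructed sample.
if [ "${1:-}" = "--live" ]; then
  ss -H -tln | unexpected_listeners
else
  sample_ss_output | unexpected_listeners
fi
```

Anything it prints with `--live` is a service that would become reachable if the router forwarded that port or the machine sat in the DMZ, so each line is either a port to add to the allow-list on purpose or a service to rebind to loopback.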
WordPress needs a lot of memory. Apache and MySQL need a lot of memory when hosting a busy WordPress site. I can give Apache, PHP, and MySQL a couple of gigs of RAM apiece if I ever need to. Right now I don’t, but I don’t know about two years from now.
And if some other blogger with a VPS on the same hardware as me writes the next viral sensation, I don’t have to worry about it. I’m not sharing resources with anyone else. That’s the biggest advantage to hosting your own web server.
Hosting your own web server requires more upfront cost and the ongoing monthly cost isn’t zero. But it might be cheaper.
You can get a VPS for as little as $5 per month, which works out to $60 a year. I can get 4-5 years out of $200 worth of computer hardware. With low-power hardware, I spend around $20 a year on electricity. I could see you using quite a bit more if you use less efficient hardware. I have to use a costlier Internet connection to use a server, but I would probably have one anyway because of how much I work from home.
In theory I may not be saving much money by hosting my own web server, but I do get a more powerful machine and I don’t have to share it. My gigabit Internet connection is probably as fast as a VPS would give me, and the computer itself is faster. Given the way WordPress works, I think I’m better off with the more powerful machine. If I were in an area where Internet speeds top out at 25 megabits, I might be less bullish on hosting my own web server at home.
There are ups and downs with each approach, but every time I consider changing things, I come back to hosting my own web server.
Finally, I think hosting your own web server provides valuable professional experience. As a security professional, I have a lot more credibility when I speak from my own operational experience. Yes, I have my own WordPress blog running on PHP, Apache, and MySQL. Yes, I update them regularly. Bad things happen when I don’t. What kind of bad things? Getting hacked, that’s what.
The myth of patching is that it breaks stuff all the time, which is why Equifax got hacked. They didn’t update Apache Struts, and put their entire business in jeopardy as a result. I have experience patching the things nobody wants to update for fear of breaking something, and it’s something that supports a nontrivial revenue stream for me. Worse things happen from not patching than from patching, in my own personal experience.
Stories about that resonate with the IT directors I have to talk to on a regular basis.
In addition, being able to talk about handling things at the hardware and operating system layers resonates with system administrators. As a sysadmin, I dealt with clueless security analysts for half a decade. When sysadmins see me as a helpful resource, a guy who’s really seen this stuff somewhere other than on a test, and not that bureaucratic security dude, they’re much more willing to work with me.
Granted, running a Linux server out of your basement isn’t exactly the same as running a datacenter. But much of the experience does translate, and you’ll be better for having it.