I'm putting this under security because i'd like to keep this a private server for family:
that said, I'm wondering if you fine people can help me with the best way to set up a web server in my house to host the files on my external hard drives for family members in other cities/countries while, again, keeping it private and secure over the internet.
I'm looking into ngrok for url handling, but am not sure exactly if this is the best way to go.
Can anyone save me time and possible heartache and failure and provide me (and possibly others) with a walk-through of which software to use. Would love to do something like free, but may have to get a paid unique domain from, say, ngrok, to make it easier for family members to connect up.
Help me, Obi Wan Kenobi... you're my only hope!
(Score: 3, Informative) by urza9814 on Saturday January 20 2018, @02:11AM
This is how I'd do it...although I tend to always have a couple Apache instances running anyway, so that's just easiest for me. If you don't need it to look fancy, you can potentially use the index pages Apache generates...or for images you can easily put together a very simple gallery page with about a dozen lines of PHP. For file uploads I just use sshfs to mount the web server's filesystem to my local machine and copy/edit files from there, but that won't work as well if the remote users also need to be able to upload. You *could* code a file upload in a couple lines of PHP too, but I wouldn't recommend it. If that's what you're trying to do -- or if you just want something a little nicer than a raw list of HTML links -- use existing cloud software like NextCloud or Sandstorm.
One additional detail to consider though is that .htpasswd isn't particularly secure on its own (*especially* if your site accepts any actual user input, but it's not great regardless). Depending on the configuration it may be sending the passwords in plaintext and even the hashed version can be vulnerable to certain kinds of replay attacks. So I'd suggest grabbing some certs from LetsEncrypt, and either blocking port 80 entirely or setting up an .htaccess file to forcibly redirect to HTTPS.
Then either put the web server in the DMZ or forward the appropriate ports...and make sure you've got everything else firewalled off too. You could also consider configuring Apache's mod_security to better secure the web server (can help against brute force attacks for example.)
And for a domain name...there's a lot of dynamic domain services that others have already posted, and those should work well enough. Depends how often your IP changes and how memorable you need that domain to be though. My IP is mostly static unless there's a power outage, so I purchased a full domain from Gandi.net and just have a small cron script that uses their API to check and update my IP when needed. That does mean that if my IP changes, there's two or three hours of downtime while the change is detected, updated, and propagated through the nameservers...but in my case that happens at most once a year so it's not really an issue, and it gives me a domain that's marginally easier to remember or to read off to someone over the phone or in person.
I'm not sure if that's really a GOOD way of doing it...but it's what I would do :)