November 4th 19, 12:44 AM, posted to microsoft.public.windowsxp.general
Paul
Subject: My Own Personal Website

FreeBurn wrote:
I need to update my website easily with my personal information that I
do not want out on some freebie provider.


Static address 12.34.56.78

Purchase a domain name: mynewhomesetup.com
which will map to 12.34.56.78. There will
be a recurring renewal fee every few years.

(The domain purchase leaves some of your personal
information on the domain registrar site. I believe there
are shielding options, for removing part of that. In
particular, if you leave a contact email address for
the domain in plain sight, you will start receiving phishing
mails "to renew your domain registration". These are attempts
to get you to double click the "invoice" which is attached
to the email (which contains ransomware). They try to use
your personal information, to craft a credible phishing story,
to suck you in.)

Next, find LetsEncrypt on the web and apply for a free certificate.
The certificate helps make "https" work. The certificate file
will be installed inside your web server. Part of its function
is to make the crypto work for the encrypted https pipe.

The domain name is necessary, as the certificate only works
with a domain you define when you apply for the certificate.
I don't think you can get a certificate for 12.34.56.78,
and the certificate is against mynewhomesetup.com .

You need to do Port Forwarding on the router. Attempts to
reach 12.34.56.78:443 will be redirected to 192.168.1.3:443,
where your web server lives on the LAN. The router should
have a page for defining Port Forwards (as long as it isn't
an ISP rental, it will have such a thing visible).

Some ISPs have rules about what a "home account" may run
on the address provided. For example, no ISP will allow
a home account to do "mail forwarding". If you attempt to port
forward SMTP to a LAN machine, the Deep Packet Inspection
(DPI) box at the ISP can "sniff" and detect the email forwarding
attempt, and the machine will automatically close the port
and cause the protocol to drop dead on the spot. If they
want to, if they "sniff" HTTP protocols inbound towards
your home account, they could in theory stop those too.

Now that your port forward is set up, you can install a
web server.

WinXP Pro probably has "IIS" in Add/Remove Programs and
Add/Remove Windows Features. The only problem with this,
is patches for IIS would have stopped in 2014, and there
could be any number of exploits for IIS in WinXP since then.

https://en.wikipedia.org/wiki/Apache_HTTP_Server

"As of August 2019, it was estimated to serve 29% of all
active websites, ranked 2nd after nginx at 32%, and 32%
of the top million websites, ranked 2nd after "Other" with 33%."

https://en.wikipedia.org/wiki/Nginx

# Does this sound encouraging ?

http://nginx.org/en/docs/windows.html

https://en.wikipedia.org/wiki/Compar...erver_software

Anyway, set up your chosen free server for https and port 443.

https://en.wikipedia.org/wiki/List_o...ll-known_ports

Apache is turnkey, in the sense that if you do this from
a second machine after the install is done:

http://192.168.1.3

it should respond with a web page with an "indian feather in color" on it.

You need to make sure you've modified any insecure stuff,
before you allow that default install to be accessed
from the Internet. Script kiddies love it, if they can see that
feather, because they'll assume the install is insecure,
and they'll pound on it to find holes.

Now, you install the LetsEncrypt certificate, and set the
server to respond to HTTPS only. Leaving the page with the
feather there is just fine for the moment.

Next, when you finally hook up the server to the Port Forwarding
router, run this on a web browser (on some other machine if
you want).

https://www.ssllabs.com/ssltest/analyze.html

ask it to analyze "mynewhomesetup.com"

It will tell you things like, what version of
TLS the server supports (SSL should be disabled).
TLS 1.2 is a good choice, as TLS 1.3 may not be
stable enough yet.

It will also tell you which exploits your server hasn't
been patched for, such as HeartBleed or the like. That page
is really handy for uncovering issues with your setup.
(Including perhaps, DNS mistakes by your domain
registrar).

On the browser you intend to run from the Starbucks parking
lot, run this test. This too will indicate which version
of TLS it supports. You want your server and your
browser to both support a common "good" choice like
TLS 1.2.

https://www.ssllabs.com/ssltest/viewMyClient.html

Once the standard is selected, there is also a subsection of
that, with the crypto underneath, such as CHACHA20. On your
web server, you want to disable any crypto options with
40 bit or perhaps 128 bit crypto, and only use the
more modern options. The SSLLabs scan will highlight
in red, the crypto suite items that should be disabled.

That's a start at setting up a website. Now you can test
from a relatively trustworthy external location first, and make sure
everything looks good. Don't do the Starbucks test case,
until all the bugs are ironed out.

I'm not "encouraging" this project, because running
web servers from your home is an "attack surface". When
you examine the Apache log file, you're going to find a
ton of probes against your server. The LED will be flashing
non-stop once they find out there is a web site there. Google
is just one of the miscreants. The others will be there
to try to break, deface or exploit your site.

It's about as wise as running vanilla FTP from your home.
Don't do that! Use SFTP at least, something with SSL or
TLS to protect the password.

How the HTTPS works, is sorta like an encrypted pipe.
First the pipe goes up, then the comms inside the pipe
are protected from prying eyes. If you want to use a
username/password on the entry web page to your site,
you can, because the HTTPS is going to encrypt the
comms for you. The crypto standard used (it's a suite
with multiple choices), should be much better
than 40 bit.

When you run the ssllabs evaluation of your web browser,
it will list 30 or 40 different crypto items in the suite,
and some will be marked in red as "do not use". Using
those examples, you can see which ones should be
disabled on your web server, so they're not used by
accident (with an older browser). A good one, might be a
polynomial with a "five digit name" X12345 or similar,
which is supposed to be pretty good. And the other one
is CHACHA20. And there is a bunch of older rubbish in
the "do not use" category, which is there so decrepit
browsers can work (IE5?).

Have fun (and be careful!),

Paul
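The post's advice about the SSL Labs report (turn off SSL, keep a modern TLS version, disable the 40-bit and other "do not use" suites) can be checked offline before the server is ever exposed. The script below is an added example and not code from Paul's post or from SSL Labs: it classifies cipher suites in the shape Python's `ssl.SSLContext.get_ciphers()` returns and emits the Apache mod_ssl directives (`SSLProtocol`, `SSLHonorCipherOrder`, `SSLCipherSuite`) that keep only the suites that pass. `SAMPLE_CIPHERS` is a constructed list using OpenSSL-style names, the rejection criteria (128-bit minimum, no SSL-era suites, forward secrecy, AEAD only) are this example's own choices, and it admits TLS 1.3 alongside TLS 1.2, which goes one step beyond the post's TLS 1.2 recommendation.

```python
"""Cipher-suite audit for a home HTTPS server (added example).

Classifies the cipher suites a TLS stack offers, in the spirit of the
red "do not use" rows on the SSL Labs report, and emits the Apache
mod_ssl directives that keep only the strong ones.  Entries are dicts
shaped like ssl.SSLContext.get_ciphers() output.
"""
import ssl

# Substrings that mark legacy or broken primitives in OpenSSL suite names.
WEAK_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5", "PSK", "SRP", "ADH", "AECDH", "anon")

# Constructed sample list with OpenSSL-style names; not taken from a real scan.
SAMPLE_CIPHERS = [
    {"name": "TLS_CHACHA20_POLY1305_SHA256", "protocol": "TLSv1.3", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "ECDHE-RSA-CHACHA20-POLY1305", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-SHA", "protocol": "TLSv1.0", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
]


def has_forward_secrecy(name, protocol):
    """Every TLS 1.3 suite uses an ephemeral key exchange; for TLS 1.2 and
    earlier, OpenSSL names that start with ECDHE- or DHE- do."""
    return protocol == "TLSv1.3" or name.startswith(("ECDHE-", "DHE-"))


def is_aead(name):
    """GCM, CCM and ChaCha20-Poly1305 are AEAD modes; anything else in an
    OpenSSL name is a CBC/MAC suite."""
    return any(tag in name for tag in ("GCM", "CCM", "CHACHA20"))


def classify_cipher(cipher):
    """Return None if the suite is acceptable, else a short reason to disable it."""
    name = cipher["name"]
    protocol = cipher.get("protocol", "")
    bits = cipher.get("strength_bits", 0)
    if bits < 128:
        return f"{bits}-bit key"  # 40/56-bit export grade and 112-bit 3DES
    if protocol.startswith("SSL"):
        return "SSL-era suite"
    for marker in WEAK_MARKERS:
        if marker in name:
            return f"weak primitive ({marker})"
    if not has_forward_secrecy(name, protocol):
        return "no forward secrecy"
    if not is_aead(name):
        return "not AEAD (CBC suite)"
    return None


def audit(ciphers):
    """Map each suite name to its reason for rejection (None = keep)."""
    return {c["name"]: classify_cipher(c) for c in ciphers}


def build_apache_directives(ciphers):
    """Emit mod_ssl lines for an https vhost: TLS 1.2/1.3 only, server-chosen
    order, and only the suites that passed classify_cipher()."""
    keep12 = [c["name"] for c in ciphers
              if classify_cipher(c) is None and c["protocol"] != "TLSv1.3"]
    keep13 = [c["name"] for c in ciphers
              if classify_cipher(c) is None and c["protocol"] == "TLSv1.3"]
    lines = [
        "SSLProtocol -all +TLSv1.2 +TLSv1.3",  # SSLv3, TLS 1.0 and 1.1 stay off
        "SSLHonorCipherOrder on",
        "SSLCipherSuite " + ":".join(keep12),
    ]
    if keep13:
        # Apache 2.4.36+ takes the TLS 1.3 list as a separate directive.
        lines.append("SSLCipherSuite TLSv1.3 " + ":".join(keep13))
    return lines


def audit_local_stack():
    """Classify every suite the local OpenSSL build can offer (the list may be
    short on builds whose security level refuses the permissive cipher string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    except ssl.SSLError:
        pass
    return audit(ctx.get_ciphers())


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_CIPHERS).items():
        verdict = "KEEP" if reason is None else "DROP"
        print(f"{verdict} {name:32} {reason or ''}")
    print("\n".join(build_apache_directives(SAMPLE_CIPHERS)))
```

Run it as-is to see the constructed list graded and the resulting directives; call `audit_local_stack()` instead to grade what your own OpenSSL build offers. Paste the emitted lines into the `<VirtualHost *:443>` block, restart Apache, and then confirm the result with the SSL Labs server test the post links to.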