I'm now VPS red pilled (and protecting with CloudFlare)
Вставка
- Опубліковано 5 чер 2024
- link to code:
github.com/webdevcody/single-... (docker-compose & caddy)
github.com/webdevcody/webdevc... (nextjs14 & dockerfile)
My Products
📖 ProjectPlannerAI: projectplannerai.com
🤖 IconGeneratorAI: icongeneratorai.com
📝 ThumbnailCritique: thumbnailcritique.com
Useful Links
💬 Discord: / discord
🔔 Newsletter: newsletter.webdevcody.com/
📁 GitHub: github.com/webdevcody
📺 Twitch: / webdevcody
🤖 Website: webdevcody.com
🐦 Twitter: / webdevcody
Next step: hosting everything on Raspberry PI 5 in your room.
Let’s go!
unironically yeah
Babe wake up the daily Web Dev Cody DDOS video just dropped
😂😅
Oh god I hope this doesn’t become a daily thing, I will have to start up an onlyfans 😅
Digital ocean DDOSed you because of your "Why I'd never host my apps on a VPS" video.
probably 🤣
isnt aws vps stuf
Makes sense it's their style
Just get a ddos protected VPS from OVH, Path you can find providers easily. (Ex. Vibegames path) Which will basically make the server not be able to be hit on L4 and also better specs then Digital Ocean.
@@AndrieMC if you use AWS for VPS (ec2 as they call it) alone, you probably shouldn't be using AWS.
Switching to a VPS with Cloudflare for DOS protection sounds like a smart move to avoid hefty charges. Your step-by-step guide makes it much easier for others to follow suit. Appreciate the insights!
Chatgpt ahh comment
This is wild, thank you for sharing these videos with us. Happy to see you got things resolved!
If its just for side projects, its a lot easier having your service go down and just rebooting it all back up rather than paying a hefty bill. Cloud is strictly for high traffic businesses in my opinion. Plus you learn so much more setting up your own VPS and securing it yourself.
True. I think it's great knowing how to run a node/go/whatever app and setup nginx or caddy to proxy to it. You realize how much you can do and what problems those managed services actually solve for you.
Also in some enterprise cases you cannot just deploy to whatever cloud service and must deploy on premises or are potentially only allowed into VMs so having this knowledge is beneficial.
I don't know why anyone would waste time DDOSing your system. You're just a nice guy posting fun educational videos. I am probably to lazy to come up with a reason.
sometimes a DDoS attack is just random; someone finds an open machine after scanning ip addresses and attacks it; but yes this seems targeted 🤣
@@WebDevCodyye maybe it's just random but it feels targeted from your point of view. It does increase the potential revenue of amazon or cloudflare which might benefit the attacker. Don't know if you can just change the IP..
Dude I feel the attacker wants to DDos protect their app, so wants a tutorial from Cody for it 😂
@@rahultech77 that’s probably it 😆
Hackers and script kiddes (especially) loves attention
Thank you for sharing this! These couple of videos have been really useful. Great content
This is starting to be a series, But this content is very real and educational
Thank you for sharing all these videos, been insightful especially as I am looking to move from Vercel to AWS and some of these issues I never thought of.
Thanks for sharing how you are working through this situation. I'm though really sorry about the AWS charges. That just sucks. I'm hoping their understanding and helpful about a credit or refund.
Nice to follow your journey. Thanks for sharing.
Thanks for sharing these situations with the rest of us. Helps everyone!
Great content, your DDOS protection series are basically showing a process how human being is learning from it's own mistakes :D Hopefully it will save some money for others too!
One tip from me, you can move this push-image script to a github action, that will build and push image to ECR automatically on every push to master(or only when you manually trigger it). This way you will have kind of automated CD pipeline for your project. GH actions are also free up to 2k run minutes per month making it a decent solution for hobby projects
Great vid!! I wonder if this would help too: SST is moving to Ion apparently next week and making it so you can setup cloudflare as well as AWS resources, so you can mix and match cloud providers in your infrastructure as code. Would love to see you do the move to Ion and deploy your next.js site to cloudflare
If you are using a VPS you should set it up to reject all connections except HTTPS coming specifically from Cloudflare's IP ranges (and ssh traffic if you don't have another console available).
thanks for the suggestion, I ended up adding that today as well
Love ya! ❤ you’re doing a great job
thanks sexy!
Thanks for sharing your experience!
Hi, thanks for what u've done so far. Yours is probably top youtube channel out there.
I have some questions if u don't mind:
- Take example you are using docker-compose to serve traffic & app. What if u need to horizontal scale. What kind of infra u'll choose in this case? K8s or sth?, or maybe docker-swarm I guess?
- What is different between nginx and caddle u r using, what is the pros/cons of it
Idk I plan to just scale up vertically as much as possible and see how far it’ll take me. Caddy seems simplier, nginx is probably feature rich
Can't wait for SST ion to have all of this ready :) I don't want to use docker stuff, that hustle annoys me a lot. Way to much effort.
Preferably with SolidStart (and Protection enabled)
GREAT technical video, looking to see more content in your channel on Deployment solutions and options. Great work man
These videos are so helpful. Thanks so much man
VPS, Caddy, Digital Ocean, docker-compose...
Let's go, Cody! This is the way!
Thank you for sharing rare experience to the public.
Thank you for the great content as always. One question @WebDevCody. Deploying on vercel also doesn't save you from ddos?
They can be nice and forgive you the charge, but it will definitely break your free tier and scale your charges like crazy, a lot more expensive than AWS for sure
Thanks for sharing this with us!
Hey, great videos! Learned a lot. I have a question: if you host it on the VPS, would you still get a higher bill if you get DDoSed without Cloudflare? Or do you only pay for the instance and it would just get laggy or go down?
your instance would crash; therefore, there is no extra bandwidth you'd get charged for. It's just a trade off, would you rather have 100% uptime (you probably want serverless), or reduce your chance of getting a $600 in one hour.
I had some hobby projects on AWS, and is scary that any error or DDOS can give you a 2000$ bill.
Paying 5$ dollar a month for a VPS for projects that make no money is better than being worry about that.
Thanks for the video, that was very helpful, but I have a few questions, first is why are you using AWS for docker containers?
Can I just put my container straight to the DigitalOcean?
Second, is there some throwbacks for deploying nextjs to somewhere else instead of Vercel? And maybe there is some frameworks, that are more "deploy where you want" friendly? And I'm mostly talking about Nextjs as full-stack? Or do I need to split my backend and front end as different applications?
P.S. I'm just starting to learn more about other frameworks and I'm considering switching from Nextjs (cause I'm stuck at Vercel)
You can deploy next anywhere. It should have the same feature except edge computing. I was nit deploying containers on aws; I was using serverless
Nice walkthrough. If you still get into the same issue, perform those extra dance I posted in your last video. Good luck!
could you explain why AAAA would help out? if it's behind cloudflare, why would it make any difference?
@@WebDevCody Most of the internet still use IPv4 so most of the devices participating in a DDoS attack are presssmably using IPv4. If your VPS blocks IPv4 altogether, there will be one way to ping your server - that is through Cloudflare. Now someone can scan the ports of AWS to find the servers that have port 80/433 open and send an HTTP request to your server. However, if you don't use catch all block in Caddyfile: it sends something like 422 to deny requests. That's good but still it receives the HTTP request. Setting up IPv6 with AAAA record will future-proof your server as well. Also, users with IPv6 enjoy faster performance.
@@WebDevCody I wrote a long reply but it's not showing up here. Joining your Discord if we can have chat there.
Cheers for the insight my duuuude
Love how he learned and changed totally the argue that we should host everything on managed services like cloudfront, vercel, netlify etc instead of doing custom VPS setups. :)
😆 a $1,500 bill created in a few hours will do that to a dev
Nice. I remember commenting on last video asking why you didn't use CF. I mean you could use CF with EC2 if you want.
Great video, i will try to replicate this setup. I dont want to go homeless
You definitely want to make sure to block all incoming traffic on port 443 and 80 except for cloudflare ips in a firewall like ufw on the backend server. If you dont do that, crawlers will be able to resolve your domain to your backend ip, leaking the ip, bypassing any cloudflare protection.
If you proxy to your website using CloudFlare DNS, how do you know those IPs? Are they listed somewhere, is there documentation that lists all those IPs?
@@groff8657 There are websites & tools to scan pretty much the entire web, if you render your pages on ips too, or have any correlations to your domain, they will be able to link the ip back to the domain
@@groff8657there are 255^4 ips in the world. Its not so hard to crawl all of em
@@groff8657 Yes there is, just type cloudflare ips in any search engine
@@groff8657 It's in cloudflare docs. You can google and you'll find it.
Extremely useful video, cheers
There we go!
Lol I remember you yelling us to 'watch our dev ops privilege' or something like that when we called these cloud services out. You were junior and a cloud fanboy, I think this was last year 😂
It's really interesting to watch you grow man
lol you’re probably part of the crew doing it huh?
Next video "Why should you should host simple projects on a VPS instead of AWS" ...............
@@lukasberk9303 at least you’re all learning together? 🥴 lol unless yall are just here to stare at his face for minutes on end which I guess is cool too 🫠
all it took was a DDoS attack and an AWS linked to my credit card to change my thought process 🫠
@@WebDevCodyto be fair you could have (and still can) contact aws support. They would give credit to cover the full cost and help you protect in the future most likely. You also can get $1000-100000 based on being a startup, that could also help. It’s a shame you decided to fully make up your mind so soon.
Such good content. this could be a 5 hour paid tutorial with a next.js/VPS hosting stack. sst, docker compose, caddy, TLS, cloudflare etc.
would love to know the performance loss with cloudflare in front.
I hope you make a detailed video on how to deploy next.js on VPS windows server .
But why would someone DDOS you ?? You're the chillest dude on web dev yt
Because there is a lot of room in hell and someone is reserving their slot
@@WebDevCodyI’m stealing this answer 😂
THANKS CODY I LOVE YOU. I'm actually dogshit at Docker. Always have setup my garbage apps just manually. Always have just used Docker for spinning up DBs, not for containerizing the whole deployment. This was interesting. More Docker vids would be cool!
Can you also do a vid setting up coolify on a VPS next? Everyone's been going wild with it.
Really awesome to see how youve done it.
Interested to know why you didnt go down the using of apps in digitalocean, you can literally just throw a docker container into it so you never need to ssh in etc.
Though i definitely see some pros and cons to both approaches
Because I like wasting time 😂
I never search for cyber security so much like in the last night haha, I guess I learned your lesson too
Hey one question, why did you choose to move to digital ocean, was it an option to just add cloudflare in front of aws setup? Tnx, great video like always! 😊
Since this video I’m actually using railway now. Honestly I just wanted a service that has automatic billing limits which will kill my services if I spend too much money. Not many services provide this. Some have primitives I could use to build a kill switch from scratch, but I don’t have time to waste on that
Tnx for the answer, yeah I guess kill switch is a great feature! Didn't use railway will look into it 😊
You can configure a cloudflare tunnel which runs on your droplet, and avoid configuring ssl in both places but also you can avoid exposing your droplet
I’ll check that out, sounds easier
I am a bit new to tgese concepts. Can you explain why you shifted to a vps? Couldn't you have connected cloudflare to your cloud formation distribution?
Do you have to scp the certs to your vps everytime they expire or is there a way to automate that?
While I have some hands on experience with dockerizing our apps, I’m new to other stuffs discussed. Can you please make a short video on how to have this set up from scratch to deployment ❤
Can't wait for the attacker to ddos test the new setup :D
if he does I'm quitting
@@WebDevCodyNo need to worry you are fine now unless you are charged for your AWS servers running in the backend per request you're fine. I would recommend not using AWS at all it's overpriced and trash IMO.
You could also integrate cloudflare with aws loadbalancer, unless they attack you with cloudflare bypass; then maybe you still get charged.
Not sure if this is a stupid question, the bulk of the AWS bill comes from Cloudfront HTTP requests.
Can you just change from using cloudfront as CDN to cloudflare? Instead of moving out of AWS completely?
cloudfront has a bunch of path rules that know how to invoke lambdas on requests. It wouldn't be an easy refactor
You don't need to use Cloudflare's origin cert if you already have a valid cert. I also use Caddy and just let it do its default Let's Encrypt or ZeroSSL behind Cloudflare, reducing the amount of manual setup and configuration needed. The origin cert or another trusted cert is what you need for the "Full (strict)" option instead of just "Full".
Ahh ok good info!
"if not good luck" says a whole lot LOL. but thanks this is valuable.
Sorry to hear about AWS bill. But did you not have cloudflare setup already in front of AWS? Because you mention WAF. Did it not work properly?
He had cloudfront, which is AWS's CDN
I thought you said we should avoid hosting on raw servers as much as possible. What makes this project a plausible use case for VPS hosting?
This is quality content
Brother, it's amazing and I am thankful to you for sharing such helpful videos. I have one wish: can you create a full-stack college website?
It would be fun if you could got a AWS engineer who helps you to secure you instances and let you make an interview about it to educate people who like us who are watching your channel. I mean it would also benefit them because your and other people with small side projects are more onto their products.
Might also make sense to look at dokku
Much appreciated!!
Cody at 6:28 if you're using Cloudflare generated cert then you can safely turn on the full (strict) option in SSL
awesome, I'll turn that on
Are the certs free to generate? I'm currently using Let's Encrypt cert on my VPS and thinking of adding cloudflare for extra protection.
yes those are absolutely free and even you can select the term like 3months, 1years or even 15 years@@kamehameha38
DigitalOcean also has a container repository service, any particular reason to keep it on AWS ?
I've always used a VPS for personal projects for this very reason! Companies I worked for all use AWS and the bills in dev environments alone put me off of using it...
Ah that would definitely hurt my wallet too. I was planning to use vercel and use cloudflare over it. Any chance you can make a tutorial for this?
Doesn’t DO offer DDOS protection, or is that not available for their droplets/whatever you used for the VPS? Naturally any and all protection sounds good lol
I don't remember the steps, but you can set your VPS to not accept connections that are not on the internal network and not from Cloudflare. Just remember to allow ssh over a custom port.
I did that today, I setup a DO firewall rule and only allow inbound requests from cloudflare specific IP addresses.
Why did you use a custom TLS cert with caddy when configured caddy to do it automatically?
You have to use the cloudflare cert or else you have to do a bunch of extra work
yesterday we were talking in your discord about this issue, it's good you bring this type of content but at the same time is bad, there's a lot of people looking for "targets" and this type of videos bring a lot of attention.
Am a frontend developer and would love to transition to fullstack and master these deploment stuff, do you have a course on this or one you recommend ?
Maybe I'm just too new to the web dev world but this seems entirely convoluted! Just to stop a DDOS you have to apparently run and use like 8 build tools and different services and providers?!? What the hell has the Internet become?
I always knew vps hosting was the right way 😎
what people gain from making this type of attacks? also if you use vercel the price will be i think 10 times how do you protect if you use vercel. thanks in advance😊😊
Could also host your own docker registry on the vps to store image?
I’ve never done that actually; but I’m sure it’s possible
next: setup traefik on the VPS instead of caddy (Labels in composefile set up the config for Reverse Proxy)
Great explanation.
can we use github repository to store docker image
Does cloudflare also have free DDoS protection for static websites and serverless functions that they host?
6:06 CloudFlare can inspect all of your traffic in plain text.
(This might be obvious, but I think it's always good to at least point out.)
right, I guess you have to trust cloudflare doesn't sell your data or forward it to the NSA 🤣
@@WebDevCody I feel like they definitely do forward it to the NSA. We need end to end encryption on our applications starting on the client
How are you able to be consistent with learning and spending good amount of time in front of the screen learning new technology and basically working all the time with producing technical content as well, I have many things on the to do list and I've been getting burnt out a lot lately to the point where sometimes I don't wanna do anything or that I can get high motivation for a day then it goes down drastically, how can I improve this situation from your experience? Thank you
I find learning new things fun. When I start to get bored of doing the same thing every day at work, I reach for making UA-cam videos or learning new stuff
does it not make sense to just use cloudflare with your aws project. Or is it necessary to use a vps to prevent the DOS attack?
I'm sure it's possible, but I'm a bit tired of serverless
when to use next js instead of react?
Weren't you using Amazon Shield Standard with Cloudfront? It appears to be free and protect against DDOS.
yeah, but it obviously isn't blocking all the DDOS traffic
me looking at your bill: I'd be back to eating instant ramen for meals if that happens to me
good to see people moving back to non-serverless stuff
Why don't you use cloudflare + aws (sst)? Is there a way for it? I really like sst and aws deployment and would like to use cloudflare in front.. What made you go vps instead of this setup (if exists)
Honestly, I’m kind of just tired of serverless and lambda at work we use lambda and I can’t even count how many hours I’ve wasted trying to get binaries to run on lambda ran into lambda size limits, run into API Gateway timeout issues run into having debug permissions over and over again Execution roles having to deal with cold starts that make the application. Just feel slow when you don’t already have a ton of users. Honestly, I think just hosting a single node executable on a VPS or a container runner is extremely low maintenance compared to anything you can hack together in the AWS ecosystem.
damn feel bad for u
🤷♂️ you live and you learn
Is that tls stuff necessary? I thought caddy did that automatically
if you use caddy self signing certs, it's a bit more complicated; you'll have to build caddy using xcaddy with a cloudflare plugin so it can know how to validate your self signed certs against cloudflare using your cloudflare api key. I started looking into all of that and said screw that noise
how do you handle ci/cd when you push to one of those repo's?
I’d probably build the image in GitHub actions, publish it to a container registry, then ssh into the machine and rerun docker compose up
You got ops for real 😂 Would be interesting to know what other options are available within AWS without having to pay 3k per month 😢
Also, how much are you paying for Cloudflare? I see that they have a higher level of protection provided apart from the one in the free tier. Keep us updated if you get ddos again. Not bad for content right? 😂
nice stuff, why not use aws vps with cloudflare?
Because if I want a vps, DO or railway has a much better ui for cheapee
waiting for a DDOS hat-trick, 3 consecutive days damn
Out of curiosity, can’t you achieve the same thing with aws api gateway and EC2?
Same thing, meaning ddos protection or hosting your api?
@@WebDevCody Actually I just thought about it, api gateway, EC2 wouldn’t work against ddos protection but will work with API hosting.
I feel bad for you that somebody out there is eager enough to DDOS you. But this video was very helpful, thanks!
so does cloudflare not work with lambdas?
Well well well
With caddy you don't need to specify the `tls` field for having https working, by default caddy will create a tls certificate for you.
Right but for some reason I can’t get it working with cloudflare full mode. Maybe I’m doing something wrong
@@WebDevCodyAll of my websites use cloudflare full mode and caddy haven't had an issue yet... so idk
@@fredheladrienkissie1404 hmm I’ll look into this more soon
Just curious, why didn’t you deploy this NextJS app on Vercel’s free tier?
that is the same issue as AWS, just at least 5 times more expensive (free tier is a auto-upgrade if you hit the limits, you still owe money even if no card is linked)
Vercel free tier license states it can’t be used for commercial apps; my app getting ddos is making money
Good for you :D You could simplify the setup with cloudflare tunnels instead of having caddy + managing certificates, but still, congrats, you have escaped paying for shit that is not your fault :)
are tunnels a paid plan feature?
@@WebDevCodyno. There might be a limit to a number of them, but you could think about hosting all your projects on a single instance and have a wildcard dns record that would point to it. Then the cloudflare agent would act as a "reverse proxy" to your local ports :)
my g
I don't see it in the video, so I would assume that you don't apply that. I would recommend you set up your firewall to only accept connections from Cloudflare. In case someone gets the IP address, Cloudflare sometimes leaks the host address...