Add a cache, remove an attack vector, learn about the Cloud

By | May 31, 2011

So, you run a small webserver, maybe even on your home DSL? Yes, I do too.

A couple of years ago I was toying around with some ideas and almost created an Amazon EC2 account, but didn’t at the last moment. I’m glad I didn’t.

I went to check something out at Amazon’s EC2 site, and found their free introductory pricing. With the signing of a new account, as an incentive to dive in and try out their services, they are offering the AWS Free Usage Tier.

What good is this? Well, for a year you can run a “micro” Linux instance, and as long as you don’t drive a lot of traffic, it’s free.

So I installed a minimalist Linux instance (choosing Amazon’s own AMI). After logging into my new instance, I installed Varnish caching software, changed the default setting to use a 300MB memory (malloc) cache, pointed it at my home server (which serves up this blog and a few other meaningless sites), and changes all the DNS pointers to my Amazon instance.

What does this do for me? Well, a few things:

  1. Amazon instances have an external firewall configured at instance creation. I chose to expose only SSH and HTTP (I could even turn off SSH later). This firewall is independent of iptables or other local software firewalls.  This reduces any attack vector on the cache.
  2. My home web server can now operate on an alternate port, to avoid all but the most thorough port scans.
  3. I can use my home router to only allow access on that alternate port from the static IP address of my Varnish cache
  4. If for some reason someone DOES break into my Varnish cache, there is no security information stored in that instance that can help them attack the server at my house.
  5. By moving the public IP address of my website to the Amazon cloud, I “hide” my home IP address from all but the most prying eyes. This makes the remaining attack vectors at my home slightly more obscure.
  6. Potentially I am making the site slightly more responsive by putting it in a cache in the cloud.
  7. I get to learn more about Amazon EC2

Downsides? Someone could hammer the cloud instance and I could ring up a bill at the end of the month. I will have to keep an eye on this and determine if I can set up a tripwire to avoid this scenario.

[edited later: I’m also finding out that WordPress doesn’t cache well with Varnish due to the cookies… ugh]

What else could one do with a free micro Linux EC2 instance? Let me know what you think!

Category: How-To Tags: , ,

About Bill Plein

I've been in the data storage industry since the 1990's, most recently with 3PAR, Fusion-io, and Pure Storage. I'm now with Diamanti, where we make Kubernetes easy and fast. I'm attracted to bright, shiny new objects.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.