I was scared to move the cloud for this reason. I was used to running to the server room and the KVM if things went south. If that was frozen, usually unplugging the server physically from the switch would get it calm down.

Now Amazon supports a direct console interface like KVM and you can virtually unplug virtual servers from their virtual servers too.

I started to DBAN (wipe) my internal drive once instead of an attached drive. That was the last time I ran DBAN on a machine with any drives of value plugged in.

Yes. I used to use Knoppix. It was cutting edge for the time. Similar in concept to immutable distros today that allow you have some mutable data storage.

The requirements asked for a web UI. You are right though, except for that, other kind of shared folder solutions might work.

Wordpress has become an all-purpose CMS known security vulnerabilities via unsafe plugins.

Ghost has APIs instead of plugins for nearly everything, so it eliminated a lot of security and maintenance headache that way.

Ghost focuses on just a few features centered around independent content creators: blogging, email newsletters and subscriptions.

So features for sending bulk emails and accepting payments are built in, but you won’t find native support for other things like podcasts or recipe markup.

Ghost meets my need, and I love not dealing with 30 plugins at risk of being exploited if I don’t upgrade them promptly.

Exactly. It’s not just downtime to worry about, either. It’s disks filling up. It’s hardware failure. It’s DNS outages. It’s random DDoS attacks. It’s automated scans of the internet targeting WordPress. It’s OS, php and database upgrades. It’s setting up graphing, monitoring, alerting and being on-call 24/7 to deal with the issues that come up.

If these businesses are at all serious, pay for professional hosting and spend your time running the business.

Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they went to be private:

https://github.com/immich-app/immich/tree/main/e2e/src/api/specs

As a popular open source project, that would be e glaring security hole.

Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s Github account is hacked or there’s vulnerability in he supply chain of this docker container.

It’s also not true that you “never need to touch it again” . It’s based on Node whose security update expire every two years. New image should be built at least every two years to keep to update with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.

A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.

It’s extremely difficult to attack a service with only GET requests.

The security of which URLS are accessible without authentication would be up to immich.

The whole spectrum: First a bought a pre-built board, then had a friend build one for me. Finally, I got over my fear of solder, bought the inexpensive equipment and gave it a tried. Made one $10 mistake on the first try and did a good-enough job on the second try.

I look forward to fixing more things now that I have this skill. I already used it to help repair an e-bike connector that came loose.