by treesknees 1280 days ago
Another option is to use a VPS + nginx + a wireguard VPN.

Your home web server can establish a VPN connection to the public IP of your VPS, meaning you still don't need to worry about dynamic addresses changing or opening ports on your router. This is essentially what a Cloudflare tunnel is.

Granted, a VPS isn't usually free. But some places like Oracle Cloud do offer free-tier compute, as well as fly.io.

2 comments

That's what I do, but without a real VPN (I don't want secrets on the VPS).

http://dusted.dk/pages/aWayOut/

Oh interesting, so you only drop a public key onto the VPS, and you forward TLS to the VM at home instead of terminating on the VPS. That's a neat idea.

So with your statement, "I still don't want to trust a VPS provider", is this more about having your secrets or file contents leaked? Because even in your design, if the VM is compromised, then so are your users. At some level you still have to trust that the provider isn't malicious or vulnerable.

Yes, you are right.

If my VPS is broken, I don't lose any secrets, and it does not permit any additional access into my LAN or VPN.

For plain HTTP, of course all traffic would be easily intercepted and readable. For HTTPS, I guess an attacker might compromise the software and iptables configuration on the VPS and run a MITM attack to decrypt it.

So yes, I am putting a bit of trust in the VPS. For my specific use case, the most sensitive information they'd be able to access, if they went through the trouble of decrypting HTTPS, would be access to my music player :)

I am thinking, though, that at that point... well, even if I hosted at home on my own ISP directly, I would still need to put that same amount of trust in my ISP, since they could MITM me as well, I think.
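
The difference discussed in the exchange above (terminating TLS on the VPS versus forwarding it to the home machine), written as an nginx configuration for the VPS. This is an added example, not part of the thread and not the configuration from the linked page; the tunnel addresses `10.8.0.2` and `10.8.0.3`, the `example.org` names and the file paths are assumptions.

```nginx
# Added example for the VPS side. Assumed values: 10.8.0.2 and 10.8.0.3 are
# home machines reachable over the tunnel, example.org is the site name.
# Needs nginx with the stream module (on some distros it is loaded with
# load_module modules/ngx_stream_module.so;).

events {}

# Variant A (for contrast, left commented out): TLS terminates on the VPS.
# The certificate's private key is stored on the VPS, and the VPS handles
# every request in plaintext before relaying it home.
#
# http {
#     server {
#         listen 443 ssl;
#         server_name example.org;
#         ssl_certificate     /etc/nginx/tls/example.org.crt;
#         ssl_certificate_key /etc/nginx/tls/example.org.key;  # secret on the VPS
#         location / { proxy_pass http://10.8.0.2:80; }
#     }
# }

# Variant B: TLS passthrough. The VPS relays the encrypted byte stream and
# holds no certificate or key; the TLS handshake completes on the home machine.
stream {
    # Pick the backend from the SNI in the ClientHello, without decrypting.
    map $ssl_preread_server_name $home_backend {
        git.example.org  10.8.0.3:443;   # second service at home (assumed)
        default          10.8.0.2:443;   # everything else
    }

    server {
        listen 443;
        ssl_preread on;            # parse the ClientHello only
        proxy_pass $home_backend;  # raw TCP relay through the tunnel
        proxy_connect_timeout 5s;
    }
}
```

With variant B the home web server sees every connection as coming from the VPS's tunnel address, so per-client logging or rate limiting at home needs the PROXY protocol (`proxy_protocol on;` on the VPS and a matching `listen ... proxy_protocol` at home).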

This is a great option IMO; I use it myself to host multiple services. A VPS can be had for $5 per month or less.