Switching to a VPS with Cloudflare for DOS protection sounds like a smart move to avoid hefty charges. Your step-by-step guide makes it much easier for others to follow suit. Appreciate the insights!
Just get a ddos protected VPS from OVH, Path you can find providers easily. (Ex. Vibegames path) Which will basically make the server not be able to be hit on L4 and also better specs then Digital Ocean.
I don't know why anyone would waste time DDOSing your system. You're just a nice guy posting fun educational videos. I am probably to lazy to come up with a reason.
@@WebDevCodyye maybe it's just random but it feels targeted from your point of view. It does increase the potential revenue of amazon or cloudflare which might benefit the attacker. Don't know if you can just change the IP..
If its just for side projects, its a lot easier having your service go down and just rebooting it all back up rather than paying a hefty bill. Cloud is strictly for high traffic businesses in my opinion. Plus you learn so much more setting up your own VPS and securing it yourself.
True. I think it's great knowing how to run a node/go/whatever app and setup nginx or caddy to proxy to it. You realize how much you can do and what problems those managed services actually solve for you. Also in some enterprise cases you cannot just deploy to whatever cloud service and must deploy on premises or are potentially only allowed into VMs so having this knowledge is beneficial.
If you are using a VPS you should set it up to reject all connections except HTTPS coming specifically from Cloudflare's IP ranges (and ssh traffic if you don't have another console available).
Great content, your DDOS protection series are basically showing a process how human being is learning from it's own mistakes :D Hopefully it will save some money for others too! One tip from me, you can move this push-image script to a github action, that will build and push image to ECR automatically on every push to master(or only when you manually trigger it). This way you will have kind of automated CD pipeline for your project. GH actions are also free up to 2k run minutes per month making it a decent solution for hobby projects
I had some hobby projects on AWS, and is scary that any error or DDOS can give you a 2000$ bill. Paying 5$ dollar a month for a VPS for projects that make no money is better than being worry about that.
Love how he learned and changed totally the argue that we should host everything on managed services like cloudfront, vercel, netlify etc instead of doing custom VPS setups. :)
Thanks for sharing how you are working through this situation. I'm though really sorry about the AWS charges. That just sucks. I'm hoping their understanding and helpful about a credit or refund.
You definitely want to make sure to block all incoming traffic on port 443 and 80 except for cloudflare ips in a firewall like ufw on the backend server. If you dont do that, crawlers will be able to resolve your domain to your backend ip, leaking the ip, bypassing any cloudflare protection.
If you proxy to your website using CloudFlare DNS, how do you know those IPs? Are they listed somewhere, is there documentation that lists all those IPs?
@@groff8657 There are websites & tools to scan pretty much the entire web, if you render your pages on ips too, or have any correlations to your domain, they will be able to link the ip back to the domain
Can't wait for SST ion to have all of this ready :) I don't want to use docker stuff, that hustle annoys me a lot. Way to much effort. Preferably with SolidStart (and Protection enabled)
Thank you for sharing all these videos, been insightful especially as I am looking to move from Vercel to AWS and some of these issues I never thought of.
Hi, thanks for what u've done so far. Yours is probably top youtube channel out there. I have some questions if u don't mind: - Take example you are using docker-compose to serve traffic & app. What if u need to horizontal scale. What kind of infra u'll choose in this case? K8s or sth?, or maybe docker-swarm I guess? - What is different between nginx and caddle u r using, what is the pros/cons of it
As bad as it may sound now, I think it's good that you got ddos'd. That's how you and we learn. Thank you for your amazing content. And too bad for the 700$.
Maybe I'm just too new to the web dev world but this seems entirely convoluted! Just to stop a DDOS you have to apparently run and use like 8 build tools and different services and providers?!? What the hell has the Internet become?
Great vid!! I wonder if this would help too: SST is moving to Ion apparently next week and making it so you can setup cloudflare as well as AWS resources, so you can mix and match cloud providers in your infrastructure as code. Would love to see you do the move to Ion and deploy your next.js site to cloudflare
You can configure a cloudflare tunnel which runs on your droplet, and avoid configuring ssl in both places but also you can avoid exposing your droplet
There we go! Lol I remember you yelling us to 'watch our dev ops privilege' or something like that when we called these cloud services out. You were junior and a cloud fanboy, I think this was last year 😂 It's really interesting to watch you grow man
@@lukasberk9303 at least you’re all learning together? 🥴 lol unless yall are just here to stare at his face for minutes on end which I guess is cool too 🫠
@@WebDevCodyto be fair you could have (and still can) contact aws support. They would give credit to cover the full cost and help you protect in the future most likely. You also can get $1000-100000 based on being a startup, that could also help. It’s a shame you decided to fully make up your mind so soon.
Such good content. this could be a 5 hour paid tutorial with a next.js/VPS hosting stack. sst, docker compose, caddy, TLS, cloudflare etc. would love to know the performance loss with cloudflare in front.
THANKS CODY I LOVE YOU. I'm actually dogshit at Docker. Always have setup my garbage apps just manually. Always have just used Docker for spinning up DBs, not for containerizing the whole deployment. This was interesting. More Docker vids would be cool!
I've always used a VPS for personal projects for this very reason! Companies I worked for all use AWS and the bills in dev environments alone put me off of using it...
Thanks for the video, that was very helpful, but I have a few questions, first is why are you using AWS for docker containers? Can I just put my container straight to the DigitalOcean? Second, is there some throwbacks for deploying nextjs to somewhere else instead of Vercel? And maybe there is some frameworks, that are more "deploy where you want" friendly? And I'm mostly talking about Nextjs as full-stack? Or do I need to split my backend and front end as different applications? P.S. I'm just starting to learn more about other frameworks and I'm considering switching from Nextjs (cause I'm stuck at Vercel)
@@WebDevCody Most of the internet still use IPv4 so most of the devices participating in a DDoS attack are presssmably using IPv4. If your VPS blocks IPv4 altogether, there will be one way to ping your server - that is through Cloudflare. Now someone can scan the ports of AWS to find the servers that have port 80/433 open and send an HTTP request to your server. However, if you don't use catch all block in Caddyfile: it sends something like 422 to deny requests. That's good but still it receives the HTTP request. Setting up IPv6 with AAAA record will future-proof your server as well. Also, users with IPv6 enjoy faster performance.
You don't need to use Cloudflare's origin cert if you already have a valid cert. I also use Caddy and just let it do its default Let's Encrypt or ZeroSSL behind Cloudflare, reducing the amount of manual setup and configuration needed. The origin cert or another trusted cert is what you need for the "Full (strict)" option instead of just "Full".
A much easier way is to use Digital Ocean Apps pull your Docker Image from AWS ECR - it's web UI is very easy to setup, and the HTTPS certs are all automatically done for you (no need for Caddy and custom CF Origin TLS certs).
Not sure if this is a stupid question, the bulk of the AWS bill comes from Cloudfront HTTP requests. Can you just change from using cloudfront as CDN to cloudflare? Instead of moving out of AWS completely?
yesterday we were talking in your discord about this issue, it's good you bring this type of content but at the same time is bad, there's a lot of people looking for "targets" and this type of videos bring a lot of attention.
Really awesome to see how youve done it. Interested to know why you didnt go down the using of apps in digitalocean, you can literally just throw a docker container into it so you never need to ssh in etc. Though i definitely see some pros and cons to both approaches
They can be nice and forgive you the charge, but it will definitely break your free tier and scale your charges like crazy, a lot more expensive than AWS for sure
I am a bit new to tgese concepts. Can you explain why you shifted to a vps? Couldn't you have connected cloudflare to your cloud formation distribution?
It would be fun if you could got a AWS engineer who helps you to secure you instances and let you make an interview about it to educate people who like us who are watching your channel. I mean it would also benefit them because your and other people with small side projects are more onto their products.
Hey, great videos! Learned a lot. I have a question: if you host it on the VPS, would you still get a higher bill if you get DDoSed without Cloudflare? Or do you only pay for the instance and it would just get laggy or go down?
your instance would crash; therefore, there is no extra bandwidth you'd get charged for. It's just a trade off, would you rather have 100% uptime (you probably want serverless), or reduce your chance of getting a $600 in one hour.
Hey one question, why did you choose to move to digital ocean, was it an option to just add cloudflare in front of aws setup? Tnx, great video like always! 😊
Since this video I’m actually using railway now. Honestly I just wanted a service that has automatic billing limits which will kill my services if I spend too much money. Not many services provide this. Some have primitives I could use to build a kill switch from scratch, but I don’t have time to waste on that
While I have some hands on experience with dockerizing our apps, I’m new to other stuffs discussed. Can you please make a short video on how to have this set up from scratch to deployment ❤
Am a frontend developer and would love to transition to fullstack and master these deploment stuff, do you have a course on this or one you recommend ?
@@WebDevCodyNo need to worry you are fine now unless you are charged for your AWS servers running in the backend per request you're fine. I would recommend not using AWS at all it's overpriced and trash IMO.
what people gain from making this type of attacks? also if you use vercel the price will be i think 10 times how do you protect if you use vercel. thanks in advance😊😊
I don't remember the steps, but you can set your VPS to not accept connections that are not on the internal network and not from Cloudflare. Just remember to allow ssh over a custom port.
Why don't you use cloudflare + aws (sst)? Is there a way for it? I really like sst and aws deployment and would like to use cloudflare in front.. What made you go vps instead of this setup (if exists)
Honestly, I’m kind of just tired of serverless and lambda at work we use lambda and I can’t even count how many hours I’ve wasted trying to get binaries to run on lambda ran into lambda size limits, run into API Gateway timeout issues run into having debug permissions over and over again Execution roles having to deal with cold starts that make the application. Just feel slow when you don’t already have a ton of users. Honestly, I think just hosting a single node executable on a VPS or a container runner is extremely low maintenance compared to anything you can hack together in the AWS ecosystem.
Doesn’t DO offer DDOS protection, or is that not available for their droplets/whatever you used for the VPS? Naturally any and all protection sounds good lol
Honestly, for side projects, you can have the 2 CPU 2 GB of RAM and never worry again about DOS, just put a firewall on the OS. Now DDoS is a different story, and i honestly don't think the attacker will continue for much longer. Just services will be offline for a little while, but since they are side projects shouldn't matter much. I can hardly phantom how you have Node and potentially other things running with 1 GB of RAM and not run out of memory.
Dude, in an interview for a SWE the guy asked me if i'd use aws in my starup that im running. I said no cuz its too expensive. He looked at me like im crazy. Then he asked me if i had a lot of users would i switch to aws? I said it depends: users dont mean customers. A lot of users means a lot of requests means a lot of cost. As a founder you have to manage your finances and these interviewers dismissed me for saying what i said. I did work with aws in the past, but the organization was huge with many millions in revenue, not a startup 😅
that is the same issue as AWS, just at least 5 times more expensive (free tier is a auto-upgrade if you hit the limits, you still owe money even if no card is linked)
Babe wake up the daily Web Dev Cody DDOS video just dropped
😂😅
Oh god I hope this doesn’t become a daily thing, I will have to start up an onlyfans 😅
Switching to a VPS with Cloudflare for DOS protection sounds like a smart move to avoid hefty charges. Your step-by-step guide makes it much easier for others to follow suit. Appreciate the insights!
Chatgpt ahh comment
Next step: hosting everything on Raspberry PI 5 in your room.
Let’s go!
unironically yeah
you really only need to pay for a domain name.
@@tanko.reactions176 And static IP address.
Self hosting is the way
Digital ocean DDOSed you because of your "Why I'd never host my apps on a VPS" video.
probably 🤣
isnt aws vps stuf
Makes sense it's their style
Just get a ddos protected VPS from OVH, Path you can find providers easily. (Ex. Vibegames path) Which will basically make the server not be able to be hit on L4 and also better specs then Digital Ocean.
@@AndrieMC if you use AWS for VPS (ec2 as they call it) alone, you probably shouldn't be using AWS.
I don't know why anyone would waste time DDOSing your system. You're just a nice guy posting fun educational videos. I am probably to lazy to come up with a reason.
sometimes a DDoS attack is just random; someone finds an open machine after scanning ip addresses and attacks it; but yes this seems targeted 🤣
@@WebDevCodyye maybe it's just random but it feels targeted from your point of view. It does increase the potential revenue of amazon or cloudflare which might benefit the attacker. Don't know if you can just change the IP..
Dude I feel the attacker wants to DDos protect their app, so wants a tutorial from Cody for it 😂
@@rahultech77 that’s probably it 😆
Hackers and script kiddes (especially) loves attention
If its just for side projects, its a lot easier having your service go down and just rebooting it all back up rather than paying a hefty bill. Cloud is strictly for high traffic businesses in my opinion. Plus you learn so much more setting up your own VPS and securing it yourself.
True. I think it's great knowing how to run a node/go/whatever app and setup nginx or caddy to proxy to it. You realize how much you can do and what problems those managed services actually solve for you.
Also in some enterprise cases you cannot just deploy to whatever cloud service and must deploy on premises or are potentially only allowed into VMs so having this knowledge is beneficial.
If you are using a VPS you should set it up to reject all connections except HTTPS coming specifically from Cloudflare's IP ranges (and ssh traffic if you don't have another console available).
thanks for the suggestion, I ended up adding that today as well
This is starting to be a series, But this content is very real and educational
This is wild, thank you for sharing these videos with us. Happy to see you got things resolved!
Great content, your DDOS protection series are basically showing a process how human being is learning from it's own mistakes :D Hopefully it will save some money for others too!
One tip from me, you can move this push-image script to a github action, that will build and push image to ECR automatically on every push to master(or only when you manually trigger it). This way you will have kind of automated CD pipeline for your project. GH actions are also free up to 2k run minutes per month making it a decent solution for hobby projects
I had some hobby projects on AWS, and is scary that any error or DDOS can give you a 2000$ bill.
Paying 5$ dollar a month for a VPS for projects that make no money is better than being worry about that.
Love how he learned and changed totally the argue that we should host everything on managed services like cloudfront, vercel, netlify etc instead of doing custom VPS setups. :)
😆 a $1,500 bill created in a few hours will do that to a dev
Thank you for sharing this! These couple of videos have been really useful. Great content
Thanks for sharing how you are working through this situation. I'm though really sorry about the AWS charges. That just sucks. I'm hoping their understanding and helpful about a credit or refund.
You definitely want to make sure to block all incoming traffic on port 443 and 80 except for cloudflare ips in a firewall like ufw on the backend server. If you dont do that, crawlers will be able to resolve your domain to your backend ip, leaking the ip, bypassing any cloudflare protection.
If you proxy to your website using CloudFlare DNS, how do you know those IPs? Are they listed somewhere, is there documentation that lists all those IPs?
@@groff8657 There are websites & tools to scan pretty much the entire web, if you render your pages on ips too, or have any correlations to your domain, they will be able to link the ip back to the domain
@@groff8657there are 255^4 ips in the world. Its not so hard to crawl all of em
@@groff8657 Yes there is, just type cloudflare ips in any search engine
@@groff8657 It's in cloudflare docs. You can google and you'll find it.
VPS, Caddy, Digital Ocean, docker-compose...
Let's go, Cody! This is the way!
Can't wait for SST ion to have all of this ready :) I don't want to use docker stuff, that hustle annoys me a lot. Way to much effort.
Preferably with SolidStart (and Protection enabled)
But why would someone DDOS you ?? You're the chillest dude on web dev yt
Because there is a lot of room in hell and someone is reserving their slot
@@WebDevCodyI’m stealing this answer 😂
Thank you for sharing all these videos, been insightful especially as I am looking to move from Vercel to AWS and some of these issues I never thought of.
This is a great video - got VPS red pilled by Levels' on the Lex show. Thanks for uploading!
Hi, thanks for what u've done so far. Yours is probably top youtube channel out there.
I have some questions if u don't mind:
- Take example you are using docker-compose to serve traffic & app. What if u need to horizontal scale. What kind of infra u'll choose in this case? K8s or sth?, or maybe docker-swarm I guess?
- What is different between nginx and caddle u r using, what is the pros/cons of it
Idk I plan to just scale up vertically as much as possible and see how far it’ll take me. Caddy seems simplier, nginx is probably feature rich
As bad as it may sound now, I think it's good that you got ddos'd. That's how you and we learn. Thank you for your amazing content. And too bad for the 700$.
Maybe I'm just too new to the web dev world but this seems entirely convoluted! Just to stop a DDOS you have to apparently run and use like 8 build tools and different services and providers?!? What the hell has the Internet become?
Love ya! ❤ you’re doing a great job
thanks sexy!
Great vid!! I wonder if this would help too: SST is moving to Ion apparently next week and making it so you can setup cloudflare as well as AWS resources, so you can mix and match cloud providers in your infrastructure as code. Would love to see you do the move to Ion and deploy your next.js site to cloudflare
GREAT technical video, looking to see more content in your channel on Deployment solutions and options. Great work man
Is if feasible to set up cloudflare ddos protection in front of an aws app to combine the serverless benefits with the protection?
You can configure a cloudflare tunnel which runs on your droplet, and avoid configuring ssl in both places but also you can avoid exposing your droplet
I’ll check that out, sounds easier
There we go!
Lol I remember you yelling us to 'watch our dev ops privilege' or something like that when we called these cloud services out. You were junior and a cloud fanboy, I think this was last year 😂
It's really interesting to watch you grow man
lol you’re probably part of the crew doing it huh?
Next video "Why should you should host simple projects on a VPS instead of AWS" ...............
@@lukasberk9303 at least you’re all learning together? 🥴 lol unless yall are just here to stare at his face for minutes on end which I guess is cool too 🫠
all it took was a DDoS attack and an AWS linked to my credit card to change my thought process 🫠
@@WebDevCodyto be fair you could have (and still can) contact aws support. They would give credit to cover the full cost and help you protect in the future most likely. You also can get $1000-100000 based on being a startup, that could also help. It’s a shame you decided to fully make up your mind so soon.
Such good content. this could be a 5 hour paid tutorial with a next.js/VPS hosting stack. sst, docker compose, caddy, TLS, cloudflare etc.
would love to know the performance loss with cloudflare in front.
THANKS CODY I LOVE YOU. I'm actually dogshit at Docker. Always have setup my garbage apps just manually. Always have just used Docker for spinning up DBs, not for containerizing the whole deployment. This was interesting. More Docker vids would be cool!
Can you also do a vid setting up coolify on a VPS next? Everyone's been going wild with it.
Nice to follow your journey. Thanks for sharing.
I watched your video about why you shouldn’t use a VPS from a year ago. I’m glad you came around 😂
You could also integrate cloudflare with aws loadbalancer, unless they attack you with cloudflare bypass; then maybe you still get charged.
Thankyou for giving us this precious information
I've always used a VPS for personal projects for this very reason! Companies I worked for all use AWS and the bills in dev environments alone put me off of using it...
Thanks for the video, that was very helpful, but I have a few questions, first is why are you using AWS for docker containers?
Can I just put my container straight to the DigitalOcean?
Second, is there some throwbacks for deploying nextjs to somewhere else instead of Vercel? And maybe there is some frameworks, that are more "deploy where you want" friendly? And I'm mostly talking about Nextjs as full-stack? Or do I need to split my backend and front end as different applications?
P.S. I'm just starting to learn more about other frameworks and I'm considering switching from Nextjs (cause I'm stuck at Vercel)
You can deploy next anywhere. It should have the same feature except edge computing. I was nit deploying containers on aws; I was using serverless
Coolify or dokploy seem viable alternatives to deploying on vps?
yeah both of those are good
You've came a long way from 9 month ago, was mad at you at the time but i see you have found the way my child.
Great video, i will try to replicate this setup. I dont want to go homeless
Nice walkthrough. If you still get into the same issue, perform those extra dance I posted in your last video. Good luck!
could you explain why AAAA would help out? if it's behind cloudflare, why would it make any difference?
@@WebDevCody Most of the internet still use IPv4 so most of the devices participating in a DDoS attack are presssmably using IPv4. If your VPS blocks IPv4 altogether, there will be one way to ping your server - that is through Cloudflare. Now someone can scan the ports of AWS to find the servers that have port 80/433 open and send an HTTP request to your server. However, if you don't use catch all block in Caddyfile: it sends something like 422 to deny requests. That's good but still it receives the HTTP request. Setting up IPv6 with AAAA record will future-proof your server as well. Also, users with IPv6 enjoy faster performance.
@@WebDevCody I wrote a long reply but it's not showing up here. Joining your Discord if we can have chat there.
Thanks for sharing these situations with the rest of us. Helps everyone!
I never search for cyber security so much like in the last night haha, I guess I learned your lesson too
You don't need to use Cloudflare's origin cert if you already have a valid cert. I also use Caddy and just let it do its default Let's Encrypt or ZeroSSL behind Cloudflare, reducing the amount of manual setup and configuration needed. The origin cert or another trusted cert is what you need for the "Full (strict)" option instead of just "Full".
Ahh ok good info!
A much easier way is to use Digital Ocean Apps pull your Docker Image from AWS ECR - it's web UI is very easy to setup, and the HTTPS certs are all automatically done for you (no need for Caddy and custom CF Origin TLS certs).
me looking at your bill: I'd be back to eating instant ramen for meals if that happens to me
I hope you make a detailed video on how to deploy next.js on VPS windows server .
Not sure if this is a stupid question, the bulk of the AWS bill comes from Cloudfront HTTP requests.
Can you just change from using cloudfront as CDN to cloudflare? Instead of moving out of AWS completely?
cloudfront has a bunch of path rules that know how to invoke lambdas on requests. It wouldn't be an easy refactor
can we use github repository to store docker image
yesterday we were talking in your discord about this issue, it's good you bring this type of content but at the same time is bad, there's a lot of people looking for "targets" and this type of videos bring a lot of attention.
DigitalOcean also has a container repository service, any particular reason to keep it on AWS ?
Really awesome to see how youve done it.
Interested to know why you didnt go down the using of apps in digitalocean, you can literally just throw a docker container into it so you never need to ssh in etc.
Though i definitely see some pros and cons to both approaches
Because I like wasting time 😂
Cody at 6:28 if you're using Cloudflare generated cert then you can safely turn on the full (strict) option in SSL
awesome, I'll turn that on
Are the certs free to generate? I'm currently using Let's Encrypt cert on my VPS and thinking of adding cloudflare for extra protection.
yes those are absolutely free and even you can select the term like 3months, 1years or even 15 years@@EIsenah
These videos are so helpful. Thanks so much man
Thank you for the great content as always. One question @WebDevCody. Deploying on vercel also doesn't save you from ddos?
They can be nice and forgive you the charge, but it will definitely break your free tier and scale your charges like crazy, a lot more expensive than AWS for sure
I am a bit new to tgese concepts. Can you explain why you shifted to a vps? Couldn't you have connected cloudflare to your cloud formation distribution?
"if not good luck" says a whole lot LOL. but thanks this is valuable.
6:06 CloudFlare can inspect all of your traffic in plain text.
(This might be obvious, but I think it's always good to at least point out.)
right, I guess you have to trust cloudflare doesn't sell your data or forward it to the NSA 🤣
@@WebDevCody I feel like they definitely do forward it to the NSA. We need end to end encryption on our applications starting on the client
It would be fun if you could got a AWS engineer who helps you to secure you instances and let you make an interview about it to educate people who like us who are watching your channel. I mean it would also benefit them because your and other people with small side projects are more onto their products.
Is bad solution to just use cheap vps with some proxy server like nginx and setup nginx for ddos protection?
Do you have to scp the certs to your vps everytime they expire or is there a way to automate that?
Could also host your own docker registry on the vps to store image?
I’ve never done that actually; but I’m sure it’s possible
Does cloudflare also have free DDoS protection for static websites and serverless functions that they host?
good to see people moving back to non-serverless stuff
when to use next js instead of react?
Hey, great videos! Learned a lot. I have a question: if you host it on the VPS, would you still get a higher bill if you get DDoSed without Cloudflare? Or do you only pay for the instance and it would just get laggy or go down?
your instance would crash; therefore, there is no extra bandwidth you'd get charged for. It's just a trade off, would you rather have 100% uptime (you probably want serverless), or reduce your chance of getting a $600 in one hour.
I thought you said we should avoid hosting on raw servers as much as possible. What makes this project a plausible use case for VPS hosting?
Hey one question, why did you choose to move to digital ocean, was it an option to just add cloudflare in front of aws setup? Tnx, great video like always! 😊
Since this video I’m actually using railway now. Honestly I just wanted a service that has automatic billing limits which will kill my services if I spend too much money. Not many services provide this. Some have primitives I could use to build a kill switch from scratch, but I don’t have time to waste on that
Tnx for the answer, yeah I guess kill switch is a great feature! Didn't use railway will look into it 😊
While I have some hands on experience with dockerizing our apps, I’m new to other stuffs discussed. Can you please make a short video on how to have this set up from scratch to deployment ❤
Thank you for sharing rare experience to the public.
so does cloudflare not work with lambdas?
Extremely useful video, cheers
I always knew vps hosting was the right way 😎
the complexity 🤯
how do you handle ci/cd when you push to one of those repo's?
I’d probably build the image in GitHub actions, publish it to a container registry, then ssh into the machine and rerun docker compose up
Am a frontend developer and would love to transition to fullstack and master these deploment stuff, do you have a course on this or one you recommend ?
Can't wait for the attacker to ddos test the new setup :D
if he does I'm quitting
@@WebDevCodyNo need to worry you are fine now unless you are charged for your AWS servers running in the backend per request you're fine. I would recommend not using AWS at all it's overpriced and trash IMO.
damn feel bad for u
🤷♂️ you live and you learn
Nice. I remember commenting on last video asking why you didn't use CF. I mean you could use CF with EC2 if you want.
Sorry to hear about AWS bill. But did you not have cloudflare setup already in front of AWS? Because you mention WAF. Did it not work properly?
He had cloudfront, which is AWS's CDN
what people gain from making this type of attacks? also if you use vercel the price will be i think 10 times how do you protect if you use vercel. thanks in advance😊😊
Thanks for sharing this with us!
I don't remember the steps, but you can set your VPS to not accept connections that are not on the internal network and not from Cloudflare. Just remember to allow ssh over a custom port.
I did that today, I setup a DO firewall rule and only allow inbound requests from cloudflare specific IP addresses.
Cheers for the insight my duuuude
Why don't you use cloudflare + aws (sst)? Is there a way for it? I really like sst and aws deployment and would like to use cloudflare in front.. What made you go vps instead of this setup (if exists)
Honestly, I’m kind of just tired of serverless and lambda at work we use lambda and I can’t even count how many hours I’ve wasted trying to get binaries to run on lambda ran into lambda size limits, run into API Gateway timeout issues run into having debug permissions over and over again Execution roles having to deal with cold starts that make the application. Just feel slow when you don’t already have a ton of users. Honestly, I think just hosting a single node executable on a VPS or a container runner is extremely low maintenance compared to anything you can hack together in the AWS ecosystem.
That's cool, but it doesn't have ci/cd, correct?
Correct, not yet. It’s not hard to ssh into a machine and run a single command to deploy new versions
digitalocean does seem to have CLI tools, with that and some other stuff like Ansible you might be able to get a CI/CD going.
Might be overkill but I'm using Gitlab with docker in the same server to build and deploy docker projects.
Why did you use a custom TLS cert with caddy when configured caddy to do it automatically?
You have to use the cloudflare cert or else you have to do a bunch of extra work
next: setup traefik on the VPS instead of caddy (Labels in composefile set up the config for Reverse Proxy)
Weren't you using Amazon Shield Standard with Cloudfront? It appears to be free and protect against DDOS.
yeah, but it obviously isn't blocking all the DDOS traffic
I feel bad for you that somebody out there is eager enough to DDOS you. But this video was very helpful, thanks!
How can you know that thing. How can you understand that what should i need to know so i can get it. Read the docs?
I have no clue what you just asked
@@WebDevCody I'm just amaze how can you learned that. Like choosing where to host and use other tech to secure your application
Out of curiosity, can’t you achieve the same thing with aws api gateway and EC2?
Same thing, meaning ddos protection or hosting your api?
@@WebDevCody Actually I just thought about it, api gateway, EC2 wouldn’t work against ddos protection but will work with API hosting.
Ah that would definitely hurt my wallet too. I was planning to use vercel and use cloudflare over it. Any chance you can make a tutorial for this?
Doesn’t DO offer DDOS protection, or is that not available for their droplets/whatever you used for the VPS? Naturally any and all protection sounds good lol
Honestly, for side projects, you can have the 2 CPU 2 GB of RAM and never worry again about DOS, just put a firewall on the OS. Now DDoS is a different story, and i honestly don't think the attacker will continue for much longer. Just services will be offline for a little while, but since they are side projects shouldn't matter much. I can hardly phantom how you have Node and potentially other things running with 1 GB of RAM and not run out of memory.
node can easily run without needing 1gb of memory; it isn't java, give node some credit
nice stuff, why not use aws vps with cloudflare?
Because if I want a vps, DO or railway has a much better ui for cheapee
Dude, in an interview for a SWE the guy asked me if i'd use aws in my starup that im running. I said no cuz its too expensive. He looked at me like im crazy.
Then he asked me if i had a lot of users would i switch to aws?
I said it depends: users dont mean customers. A lot of users means a lot of requests means a lot of cost.
As a founder you have to manage your finances and these interviewers dismissed me for saying what i said.
I did work with aws in the past, but the organization was huge with many millions in revenue, not a startup 😅
does it not make sense to just use cloudflare with your aws project. Or is it necessary to use a vps to prevent the DOS attack?
I'm sure it's possible, but I'm a bit tired of serverless
Digitalocean + Caprover
Just curious, why didn’t you deploy this NextJS app on Vercel’s free tier?
that is the same issue as AWS, just at least 5 times more expensive (free tier is a auto-upgrade if you hit the limits, you still owe money even if no card is linked)
Vercel free tier license states it can’t be used for commercial apps; my app getting ddos is making money