Just get a ddos protected VPS from OVH, Path you can find providers easily. (Ex. Vibegames path) Which will basically make the server not be able to be hit on L4 and also better specs then Digital Ocean.
Switching to a VPS with Cloudflare for DOS protection sounds like a smart move to avoid hefty charges. Your step-by-step guide makes it much easier for others to follow suit. Appreciate the insights!
I don't know why anyone would waste time DDOSing your system. You're just a nice guy posting fun educational videos. I am probably to lazy to come up with a reason.
@@WebDevCodyye maybe it's just random but it feels targeted from your point of view. It does increase the potential revenue of amazon or cloudflare which might benefit the attacker. Don't know if you can just change the IP..
If you are using a VPS you should set it up to reject all connections except HTTPS coming specifically from Cloudflare's IP ranges (and ssh traffic if you don't have another console available).
If its just for side projects, its a lot easier having your service go down and just rebooting it all back up rather than paying a hefty bill. Cloud is strictly for high traffic businesses in my opinion. Plus you learn so much more setting up your own VPS and securing it yourself.
True. I think it's great knowing how to run a node/go/whatever app and setup nginx or caddy to proxy to it. You realize how much you can do and what problems those managed services actually solve for you. Also in some enterprise cases you cannot just deploy to whatever cloud service and must deploy on premises or are potentially only allowed into VMs so having this knowledge is beneficial.
Love how he learned and changed totally the argue that we should host everything on managed services like cloudfront, vercel, netlify etc instead of doing custom VPS setups. :)
I had some hobby projects on AWS, and is scary that any error or DDOS can give you a 2000$ bill. Paying 5$ dollar a month for a VPS for projects that make no money is better than being worry about that.
You definitely want to make sure to block all incoming traffic on port 443 and 80 except for cloudflare ips in a firewall like ufw on the backend server. If you dont do that, crawlers will be able to resolve your domain to your backend ip, leaking the ip, bypassing any cloudflare protection.
If you proxy to your website using CloudFlare DNS, how do you know those IPs? Are they listed somewhere, is there documentation that lists all those IPs?
@@groff8657 There are websites & tools to scan pretty much the entire web, if you render your pages on ips too, or have any correlations to your domain, they will be able to link the ip back to the domain
Great content, your DDOS protection series are basically showing a process how human being is learning from it's own mistakes :D Hopefully it will save some money for others too! One tip from me, you can move this push-image script to a github action, that will build and push image to ECR automatically on every push to master(or only when you manually trigger it). This way you will have kind of automated CD pipeline for your project. GH actions are also free up to 2k run minutes per month making it a decent solution for hobby projects
Thanks for sharing how you are working through this situation. I'm though really sorry about the AWS charges. That just sucks. I'm hoping their understanding and helpful about a credit or refund.
Maybe I'm just too new to the web dev world but this seems entirely convoluted! Just to stop a DDOS you have to apparently run and use like 8 build tools and different services and providers?!? What the hell has the Internet become?
Thank you for sharing all these videos, been insightful especially as I am looking to move from Vercel to AWS and some of these issues I never thought of.
Great vid!! I wonder if this would help too: SST is moving to Ion apparently next week and making it so you can setup cloudflare as well as AWS resources, so you can mix and match cloud providers in your infrastructure as code. Would love to see you do the move to Ion and deploy your next.js site to cloudflare
Hi, thanks for what u've done so far. Yours is probably top youtube channel out there. I have some questions if u don't mind: - Take example you are using docker-compose to serve traffic & app. What if u need to horizontal scale. What kind of infra u'll choose in this case? K8s or sth?, or maybe docker-swarm I guess? - What is different between nginx and caddle u r using, what is the pros/cons of it
Can't wait for SST ion to have all of this ready :) I don't want to use docker stuff, that hustle annoys me a lot. Way to much effort. Preferably with SolidStart (and Protection enabled)
Such good content. this could be a 5 hour paid tutorial with a next.js/VPS hosting stack. sst, docker compose, caddy, TLS, cloudflare etc. would love to know the performance loss with cloudflare in front.
You can configure a cloudflare tunnel which runs on your droplet, and avoid configuring ssl in both places but also you can avoid exposing your droplet
Thanks for the video, that was very helpful, but I have a few questions, first is why are you using AWS for docker containers? Can I just put my container straight to the DigitalOcean? Second, is there some throwbacks for deploying nextjs to somewhere else instead of Vercel? And maybe there is some frameworks, that are more "deploy where you want" friendly? And I'm mostly talking about Nextjs as full-stack? Or do I need to split my backend and front end as different applications? P.S. I'm just starting to learn more about other frameworks and I'm considering switching from Nextjs (cause I'm stuck at Vercel)
Is the cloudflare's origin cert files will be place at ur docker private folder permanently? Or i have to like regenerate and replace those files every 90days?
Not sure if this is a stupid question, the bulk of the AWS bill comes from Cloudfront HTTP requests. Can you just change from using cloudfront as CDN to cloudflare? Instead of moving out of AWS completely?
You don't need to use Cloudflare's origin cert if you already have a valid cert. I also use Caddy and just let it do its default Let's Encrypt or ZeroSSL behind Cloudflare, reducing the amount of manual setup and configuration needed. The origin cert or another trusted cert is what you need for the "Full (strict)" option instead of just "Full".
There we go! Lol I remember you yelling us to 'watch our dev ops privilege' or something like that when we called these cloud services out. You were junior and a cloud fanboy, I think this was last year 😂 It's really interesting to watch you grow man
@@lukasberk9303 at least you’re all learning together? 🥴 lol unless yall are just here to stare at his face for minutes on end which I guess is cool too 🫠
@@WebDevCodyto be fair you could have (and still can) contact aws support. They would give credit to cover the full cost and help you protect in the future most likely. You also can get $1000-100000 based on being a startup, that could also help. It’s a shame you decided to fully make up your mind so soon.
what people gain from making this type of attacks? also if you use vercel the price will be i think 10 times how do you protect if you use vercel. thanks in advance😊😊
As bad as it may sound now, I think it's good that you got ddos'd. That's how you and we learn. Thank you for your amazing content. And too bad for the 700$.
Really awesome to see how youve done it. Interested to know why you didnt go down the using of apps in digitalocean, you can literally just throw a docker container into it so you never need to ssh in etc. Though i definitely see some pros and cons to both approaches
THANKS CODY I LOVE YOU. I'm actually dogshit at Docker. Always have setup my garbage apps just manually. Always have just used Docker for spinning up DBs, not for containerizing the whole deployment. This was interesting. More Docker vids would be cool!
I am a bit new to tgese concepts. Can you explain why you shifted to a vps? Couldn't you have connected cloudflare to your cloud formation distribution?
They can be nice and forgive you the charge, but it will definitely break your free tier and scale your charges like crazy, a lot more expensive than AWS for sure
Hey one question, why did you choose to move to digital ocean, was it an option to just add cloudflare in front of aws setup? Tnx, great video like always! 😊
Since this video I’m actually using railway now. Honestly I just wanted a service that has automatic billing limits which will kill my services if I spend too much money. Not many services provide this. Some have primitives I could use to build a kill switch from scratch, but I don’t have time to waste on that
While I have some hands on experience with dockerizing our apps, I’m new to other stuffs discussed. Can you please make a short video on how to have this set up from scratch to deployment ❤
Doesn’t DO offer DDOS protection, or is that not available for their droplets/whatever you used for the VPS? Naturally any and all protection sounds good lol
I don't remember the steps, but you can set your VPS to not accept connections that are not on the internal network and not from Cloudflare. Just remember to allow ssh over a custom port.
I've always used a VPS for personal projects for this very reason! Companies I worked for all use AWS and the bills in dev environments alone put me off of using it...
Am a frontend developer and would love to transition to fullstack and master these deploment stuff, do you have a course on this or one you recommend ?
@@WebDevCody Most of the internet still use IPv4 so most of the devices participating in a DDoS attack are presssmably using IPv4. If your VPS blocks IPv4 altogether, there will be one way to ping your server - that is through Cloudflare. Now someone can scan the ports of AWS to find the servers that have port 80/433 open and send an HTTP request to your server. However, if you don't use catch all block in Caddyfile: it sends something like 422 to deny requests. That's good but still it receives the HTTP request. Setting up IPv6 with AAAA record will future-proof your server as well. Also, users with IPv6 enjoy faster performance.
A much easier way is to use Digital Ocean Apps pull your Docker Image from AWS ECR - it's web UI is very easy to setup, and the HTTPS certs are all automatically done for you (no need for Caddy and custom CF Origin TLS certs).
Why don't you use cloudflare + aws (sst)? Is there a way for it? I really like sst and aws deployment and would like to use cloudflare in front.. What made you go vps instead of this setup (if exists)
Honestly, I’m kind of just tired of serverless and lambda at work we use lambda and I can’t even count how many hours I’ve wasted trying to get binaries to run on lambda ran into lambda size limits, run into API Gateway timeout issues run into having debug permissions over and over again Execution roles having to deal with cold starts that make the application. Just feel slow when you don’t already have a ton of users. Honestly, I think just hosting a single node executable on a VPS or a container runner is extremely low maintenance compared to anything you can hack together in the AWS ecosystem.
I don't see it in the video, so I would assume that you don't apply that. I would recommend you set up your firewall to only accept connections from Cloudflare. In case someone gets the IP address, Cloudflare sometimes leaks the host address...
Hey, great videos! Learned a lot. I have a question: if you host it on the VPS, would you still get a higher bill if you get DDoSed without Cloudflare? Or do you only pay for the instance and it would just get laggy or go down?
your instance would crash; therefore, there is no extra bandwidth you'd get charged for. It's just a trade off, would you rather have 100% uptime (you probably want serverless), or reduce your chance of getting a $600 in one hour.
It would be fun if you could got a AWS engineer who helps you to secure you instances and let you make an interview about it to educate people who like us who are watching your channel. I mean it would also benefit them because your and other people with small side projects are more onto their products.
Wouldn't Cloudflare block these requests too before they reach your cloudfront instance? I wanna keep using SST but if cloudflare or AWS doesn't stop these attacks i may have to follow in the VPS ways 😩
I hope he do a video about it, but sadly mix resources isn't available on SST yet, what you can do is fully deploy on Cloudflare or AWS, but use Cloudflare CDN with AWS resources isn't available with SST Ion @@teamvashmmo3218
How are you able to be consistent with learning and spending good amount of time in front of the screen learning new technology and basically working all the time with producing technical content as well, I have many things on the to do list and I've been getting burnt out a lot lately to the point where sometimes I don't wanna do anything or that I can get high motivation for a day then it goes down drastically, how can I improve this situation from your experience? Thank you
I find learning new things fun. When I start to get bored of doing the same thing every day at work, I reach for making RUclips videos or learning new stuff
yesterday we were talking in your discord about this issue, it's good you bring this type of content but at the same time is bad, there's a lot of people looking for "targets" and this type of videos bring a lot of attention.
that is the same issue as AWS, just at least 5 times more expensive (free tier is a auto-upgrade if you hit the limits, you still owe money even if no card is linked)
@@WebDevCodyNo need to worry you are fine now unless you are charged for your AWS servers running in the backend per request you're fine. I would recommend not using AWS at all it's overpriced and trash IMO.
The only downside with cloudflare is that it cant cache dynamic content, and with a big enough attack they can still overwhelm the backend server. Ive also had to configure some additional firewall rules on cloudflare to stop an attack because people will use thousands of cloud servers to attack, forcing me to block entire ASNs.
What’s an example of this? Why would you cache dynamic content if it’s dynamic? I’m guessing you’d still need rate limiting rules for dynamic content or api endpoints
![I.N "HALLUCINATION" | [Stray Kids : SKZ-PLAYER]](http://i.ytimg.com/vi/n5B5q1Hwt_U/mqdefault.jpg)
Digital ocean DDOSed you because of your "Why I'd never host my apps on a VPS" video.
probably 🤣
isnt aws vps stuf
Makes sense it's their style
Just get a ddos protected VPS from OVH, Path you can find providers easily. (Ex. Vibegames path) Which will basically make the server not be able to be hit on L4 and also better specs then Digital Ocean.
@@AndrieMC if you use AWS for VPS (ec2 as they call it) alone, you probably shouldn't be using AWS.
Switching to a VPS with Cloudflare for DOS protection sounds like a smart move to avoid hefty charges. Your step-by-step guide makes it much easier for others to follow suit. Appreciate the insights!
Chatgpt ahh comment
Babe wake up the daily Web Dev Cody DDOS video just dropped
😂😅
Oh god I hope this doesn’t become a daily thing, I will have to start up an onlyfans 😅
Next step: hosting everything on Raspberry PI 5 in your room.
Let’s go!
unironically yeah
you really only need to pay for a domain name.
@@tanko.reactions176 And static IP address.
Self hosting is the way
I don't know why anyone would waste time DDOSing your system. You're just a nice guy posting fun educational videos. I am probably to lazy to come up with a reason.
sometimes a DDoS attack is just random; someone finds an open machine after scanning ip addresses and attacks it; but yes this seems targeted 🤣
@@WebDevCodyye maybe it's just random but it feels targeted from your point of view. It does increase the potential revenue of amazon or cloudflare which might benefit the attacker. Don't know if you can just change the IP..
Dude I feel the attacker wants to DDos protect their app, so wants a tutorial from Cody for it 😂
@@rahultech77 that’s probably it 😆
Hackers and script kiddes (especially) loves attention
If you are using a VPS you should set it up to reject all connections except HTTPS coming specifically from Cloudflare's IP ranges (and ssh traffic if you don't have another console available).
thanks for the suggestion, I ended up adding that today as well
This is starting to be a series, But this content is very real and educational
This is wild, thank you for sharing these videos with us. Happy to see you got things resolved!
If its just for side projects, its a lot easier having your service go down and just rebooting it all back up rather than paying a hefty bill. Cloud is strictly for high traffic businesses in my opinion. Plus you learn so much more setting up your own VPS and securing it yourself.
True. I think it's great knowing how to run a node/go/whatever app and setup nginx or caddy to proxy to it. You realize how much you can do and what problems those managed services actually solve for you.
Also in some enterprise cases you cannot just deploy to whatever cloud service and must deploy on premises or are potentially only allowed into VMs so having this knowledge is beneficial.
Love how he learned and changed totally the argue that we should host everything on managed services like cloudfront, vercel, netlify etc instead of doing custom VPS setups. :)
😆 a $1,500 bill created in a few hours will do that to a dev
Thank you for sharing this! These couple of videos have been really useful. Great content
I had some hobby projects on AWS, and is scary that any error or DDOS can give you a 2000$ bill.
Paying 5$ dollar a month for a VPS for projects that make no money is better than being worry about that.
You definitely want to make sure to block all incoming traffic on port 443 and 80 except for cloudflare ips in a firewall like ufw on the backend server. If you dont do that, crawlers will be able to resolve your domain to your backend ip, leaking the ip, bypassing any cloudflare protection.
If you proxy to your website using CloudFlare DNS, how do you know those IPs? Are they listed somewhere, is there documentation that lists all those IPs?
@@groff8657 There are websites & tools to scan pretty much the entire web, if you render your pages on ips too, or have any correlations to your domain, they will be able to link the ip back to the domain
@@groff8657there are 255^4 ips in the world. Its not so hard to crawl all of em
@@groff8657 Yes there is, just type cloudflare ips in any search engine
@@groff8657 It's in cloudflare docs. You can google and you'll find it.
Great content, your DDOS protection series are basically showing a process how human being is learning from it's own mistakes :D Hopefully it will save some money for others too!
One tip from me, you can move this push-image script to a github action, that will build and push image to ECR automatically on every push to master(or only when you manually trigger it). This way you will have kind of automated CD pipeline for your project. GH actions are also free up to 2k run minutes per month making it a decent solution for hobby projects
Thanks for sharing how you are working through this situation. I'm though really sorry about the AWS charges. That just sucks. I'm hoping their understanding and helpful about a credit or refund.
VPS, Caddy, Digital Ocean, docker-compose...
Let's go, Cody! This is the way!
Love ya! ❤ you’re doing a great job
thanks sexy!
Maybe I'm just too new to the web dev world but this seems entirely convoluted! Just to stop a DDOS you have to apparently run and use like 8 build tools and different services and providers?!? What the hell has the Internet become?
This is a great video - got VPS red pilled by Levels' on the Lex show. Thanks for uploading!
Thank you for sharing all these videos, been insightful especially as I am looking to move from Vercel to AWS and some of these issues I never thought of.
Is if feasible to set up cloudflare ddos protection in front of an aws app to combine the serverless benefits with the protection?
Nice to follow your journey. Thanks for sharing.
Great vid!! I wonder if this would help too: SST is moving to Ion apparently next week and making it so you can setup cloudflare as well as AWS resources, so you can mix and match cloud providers in your infrastructure as code. Would love to see you do the move to Ion and deploy your next.js site to cloudflare
Hi, thanks for what u've done so far. Yours is probably top youtube channel out there.
I have some questions if u don't mind:
- Take example you are using docker-compose to serve traffic & app. What if u need to horizontal scale. What kind of infra u'll choose in this case? K8s or sth?, or maybe docker-swarm I guess?
- What is different between nginx and caddle u r using, what is the pros/cons of it
Idk I plan to just scale up vertically as much as possible and see how far it’ll take me. Caddy seems simplier, nginx is probably feature rich
Can't wait for SST ion to have all of this ready :) I don't want to use docker stuff, that hustle annoys me a lot. Way to much effort.
Preferably with SolidStart (and Protection enabled)
GREAT technical video, looking to see more content in your channel on Deployment solutions and options. Great work man
Such good content. this could be a 5 hour paid tutorial with a next.js/VPS hosting stack. sst, docker compose, caddy, TLS, cloudflare etc.
would love to know the performance loss with cloudflare in front.
You can configure a cloudflare tunnel which runs on your droplet, and avoid configuring ssl in both places but also you can avoid exposing your droplet
I’ll check that out, sounds easier
But why would someone DDOS you ?? You're the chillest dude on web dev yt
Because there is a lot of room in hell and someone is reserving their slot
@@WebDevCodyI’m stealing this answer 😂
Thanks for sharing these situations with the rest of us. Helps everyone!
Thankyou for giving us this precious information
Coolify or dokploy seem viable alternatives to deploying on vps?
yeah both of those are good
You could also integrate cloudflare with aws loadbalancer, unless they attack you with cloudflare bypass; then maybe you still get charged.
Thanks for the video, that was very helpful, but I have a few questions, first is why are you using AWS for docker containers?
Can I just put my container straight to the DigitalOcean?
Second, is there some throwbacks for deploying nextjs to somewhere else instead of Vercel? And maybe there is some frameworks, that are more "deploy where you want" friendly? And I'm mostly talking about Nextjs as full-stack? Or do I need to split my backend and front end as different applications?
P.S. I'm just starting to learn more about other frameworks and I'm considering switching from Nextjs (cause I'm stuck at Vercel)
You can deploy next anywhere. It should have the same feature except edge computing. I was nit deploying containers on aws; I was using serverless
You've came a long way from 9 month ago, was mad at you at the time but i see you have found the way my child.
Is the cloudflare's origin cert files will be place at ur docker private folder permanently? Or i have to like regenerate and replace those files every 90days?
Not sure if this is a stupid question, the bulk of the AWS bill comes from Cloudfront HTTP requests.
Can you just change from using cloudfront as CDN to cloudflare? Instead of moving out of AWS completely?
cloudfront has a bunch of path rules that know how to invoke lambdas on requests. It wouldn't be an easy refactor
I hope you make a detailed video on how to deploy next.js on VPS windows server .
You don't need to use Cloudflare's origin cert if you already have a valid cert. I also use Caddy and just let it do its default Let's Encrypt or ZeroSSL behind Cloudflare, reducing the amount of manual setup and configuration needed. The origin cert or another trusted cert is what you need for the "Full (strict)" option instead of just "Full".
Ahh ok good info!
Cody at 6:28 if you're using Cloudflare generated cert then you can safely turn on the full (strict) option in SSL
awesome, I'll turn that on
Are the certs free to generate? I'm currently using Let's Encrypt cert on my VPS and thinking of adding cloudflare for extra protection.
yes those are absolutely free and even you can select the term like 3months, 1years or even 15 years@@EIsenah
There we go!
Lol I remember you yelling us to 'watch our dev ops privilege' or something like that when we called these cloud services out. You were junior and a cloud fanboy, I think this was last year 😂
It's really interesting to watch you grow man
lol you’re probably part of the crew doing it huh?
Next video "Why should you should host simple projects on a VPS instead of AWS" ...............
@@lukasberk9303 at least you’re all learning together? 🥴 lol unless yall are just here to stare at his face for minutes on end which I guess is cool too 🫠
all it took was a DDoS attack and an AWS linked to my credit card to change my thought process 🫠
@@WebDevCodyto be fair you could have (and still can) contact aws support. They would give credit to cover the full cost and help you protect in the future most likely. You also can get $1000-100000 based on being a startup, that could also help. It’s a shame you decided to fully make up your mind so soon.
what people gain from making this type of attacks? also if you use vercel the price will be i think 10 times how do you protect if you use vercel. thanks in advance😊😊
As bad as it may sound now, I think it's good that you got ddos'd. That's how you and we learn. Thank you for your amazing content. And too bad for the 700$.
Really awesome to see how youve done it.
Interested to know why you didnt go down the using of apps in digitalocean, you can literally just throw a docker container into it so you never need to ssh in etc.
Though i definitely see some pros and cons to both approaches
Because I like wasting time 😂
Is bad solution to just use cheap vps with some proxy server like nginx and setup nginx for ddos protection?
THANKS CODY I LOVE YOU. I'm actually dogshit at Docker. Always have setup my garbage apps just manually. Always have just used Docker for spinning up DBs, not for containerizing the whole deployment. This was interesting. More Docker vids would be cool!
Can you also do a vid setting up coolify on a VPS next? Everyone's been going wild with it.
I watched your video about why you shouldn’t use a VPS from a year ago. I’m glad you came around 😂
the complexity 🤯
These videos are so helpful. Thanks so much man
I am a bit new to tgese concepts. Can you explain why you shifted to a vps? Couldn't you have connected cloudflare to your cloud formation distribution?
Thank you for the great content as always. One question @WebDevCody. Deploying on vercel also doesn't save you from ddos?
They can be nice and forgive you the charge, but it will definitely break your free tier and scale your charges like crazy, a lot more expensive than AWS for sure
DigitalOcean also has a container repository service, any particular reason to keep it on AWS ?
Hey one question, why did you choose to move to digital ocean, was it an option to just add cloudflare in front of aws setup? Tnx, great video like always! 😊
Since this video I’m actually using railway now. Honestly I just wanted a service that has automatic billing limits which will kill my services if I spend too much money. Not many services provide this. Some have primitives I could use to build a kill switch from scratch, but I don’t have time to waste on that
Tnx for the answer, yeah I guess kill switch is a great feature! Didn't use railway will look into it 😊
Does cloudflare also have free DDoS protection for static websites and serverless functions that they host?
While I have some hands on experience with dockerizing our apps, I’m new to other stuffs discussed. Can you please make a short video on how to have this set up from scratch to deployment ❤
Doesn’t DO offer DDOS protection, or is that not available for their droplets/whatever you used for the VPS? Naturally any and all protection sounds good lol
Great video, i will try to replicate this setup. I dont want to go homeless
I don't remember the steps, but you can set your VPS to not accept connections that are not on the internal network and not from Cloudflare. Just remember to allow ssh over a custom port.
I did that today, I setup a DO firewall rule and only allow inbound requests from cloudflare specific IP addresses.
I've always used a VPS for personal projects for this very reason! Companies I worked for all use AWS and the bills in dev environments alone put me off of using it...
6:06 CloudFlare can inspect all of your traffic in plain text.
(This might be obvious, but I think it's always good to at least point out.)
right, I guess you have to trust cloudflare doesn't sell your data or forward it to the NSA 🤣
@@WebDevCody I feel like they definitely do forward it to the NSA. We need end to end encryption on our applications starting on the client
Am a frontend developer and would love to transition to fullstack and master these deploment stuff, do you have a course on this or one you recommend ?
Nice walkthrough. If you still get into the same issue, perform those extra dance I posted in your last video. Good luck!
could you explain why AAAA would help out? if it's behind cloudflare, why would it make any difference?
@@WebDevCody Most of the internet still use IPv4 so most of the devices participating in a DDoS attack are presssmably using IPv4. If your VPS blocks IPv4 altogether, there will be one way to ping your server - that is through Cloudflare. Now someone can scan the ports of AWS to find the servers that have port 80/433 open and send an HTTP request to your server. However, if you don't use catch all block in Caddyfile: it sends something like 422 to deny requests. That's good but still it receives the HTTP request. Setting up IPv6 with AAAA record will future-proof your server as well. Also, users with IPv6 enjoy faster performance.
@@WebDevCody I wrote a long reply but it's not showing up here. Joining your Discord if we can have chat there.
A much easier way is to use Digital Ocean Apps pull your Docker Image from AWS ECR - it's web UI is very easy to setup, and the HTTPS certs are all automatically done for you (no need for Caddy and custom CF Origin TLS certs).
Why don't you use cloudflare + aws (sst)? Is there a way for it? I really like sst and aws deployment and would like to use cloudflare in front.. What made you go vps instead of this setup (if exists)
Honestly, I’m kind of just tired of serverless and lambda at work we use lambda and I can’t even count how many hours I’ve wasted trying to get binaries to run on lambda ran into lambda size limits, run into API Gateway timeout issues run into having debug permissions over and over again Execution roles having to deal with cold starts that make the application. Just feel slow when you don’t already have a ton of users. Honestly, I think just hosting a single node executable on a VPS or a container runner is extremely low maintenance compared to anything you can hack together in the AWS ecosystem.
I thought you said we should avoid hosting on raw servers as much as possible. What makes this project a plausible use case for VPS hosting?
Do you have to scp the certs to your vps everytime they expire or is there a way to automate that?
can we use github repository to store docker image
Ah that would definitely hurt my wallet too. I was planning to use vercel and use cloudflare over it. Any chance you can make a tutorial for this?
Could also host your own docker registry on the vps to store image?
I’ve never done that actually; but I’m sure it’s possible
Extremely useful video, cheers
Thanks for sharing this with us!
That's cool, but it doesn't have ci/cd, correct?
Correct, not yet. It’s not hard to ssh into a machine and run a single command to deploy new versions
digitalocean does seem to have CLI tools, with that and some other stuff like Ansible you might be able to get a CI/CD going.
Might be overkill but I'm using Gitlab with docker in the same server to build and deploy docker projects.
I never search for cyber security so much like in the last night haha, I guess I learned your lesson too
when to use next js instead of react?
Weren't you using Amazon Shield Standard with Cloudfront? It appears to be free and protect against DDOS.
yeah, but it obviously isn't blocking all the DDOS traffic
Sorry to hear about AWS bill. But did you not have cloudflare setup already in front of AWS? Because you mention WAF. Did it not work properly?
He had cloudfront, which is AWS's CDN
how do you handle ci/cd when you push to one of those repo's?
I’d probably build the image in GitHub actions, publish it to a container registry, then ssh into the machine and rerun docker compose up
I don't see it in the video, so I would assume that you don't apply that. I would recommend you set up your firewall to only accept connections from Cloudflare. In case someone gets the IP address, Cloudflare sometimes leaks the host address...
Hey, great videos! Learned a lot. I have a question: if you host it on the VPS, would you still get a higher bill if you get DDoSed without Cloudflare? Or do you only pay for the instance and it would just get laggy or go down?
your instance would crash; therefore, there is no extra bandwidth you'd get charged for. It's just a trade off, would you rather have 100% uptime (you probably want serverless), or reduce your chance of getting a $600 in one hour.
It would be fun if you could got a AWS engineer who helps you to secure you instances and let you make an interview about it to educate people who like us who are watching your channel. I mean it would also benefit them because your and other people with small side projects are more onto their products.
me looking at your bill: I'd be back to eating instant ramen for meals if that happens to me
Thank you for sharing rare experience to the public.
"if not good luck" says a whole lot LOL. but thanks this is valuable.
With caddy you don't need to specify the `tls` field for having https working, by default caddy will create a tls certificate for you.
Right but for some reason I can’t get it working with cloudflare full mode. Maybe I’m doing something wrong
@@WebDevCodyAll of my websites use cloudflare full mode and caddy haven't had an issue yet... so idk
@@fredheladrienkissie1404 hmm I’ll look into this more soon
Nice. I remember commenting on last video asking why you didn't use CF. I mean you could use CF with EC2 if you want.
Why did you use a custom TLS cert with caddy when configured caddy to do it automatically?
You have to use the cloudflare cert or else you have to do a bunch of extra work
does it not make sense to just use cloudflare with your aws project. Or is it necessary to use a vps to prevent the DOS attack?
I'm sure it's possible, but I'm a bit tired of serverless
Cheers for the insight my duuuude
Wouldn't Cloudflare block these requests too before they reach your cloudfront instance? I wanna keep using SST but if cloudflare or AWS doesn't stop these attacks i may have to follow in the VPS ways 😩
This is exactly my question, because I don't know if I set Cloudflare in front Cloudfront will be a double CDN use and become a cache nightmare
honestly I'm not sure, reach out to the SST team they are smarter than myself
SST is making it so you can deploy your site to Cloudflare but keep using your other AWS resources too, it released today actually
Sadly the lability to mix resources from different providers still unavailable, but you can deploy full in cloudflare @@teamvashmmo3218
I hope he do a video about it, but sadly mix resources isn't available on SST yet, what you can do is fully deploy on Cloudflare or AWS, but use Cloudflare CDN with AWS resources isn't available with SST Ion @@teamvashmmo3218
How are you able to be consistent with learning and spending good amount of time in front of the screen learning new technology and basically working all the time with producing technical content as well, I have many things on the to do list and I've been getting burnt out a lot lately to the point where sometimes I don't wanna do anything or that I can get high motivation for a day then it goes down drastically, how can I improve this situation from your experience? Thank you
I find learning new things fun. When I start to get bored of doing the same thing every day at work, I reach for making RUclips videos or learning new stuff
so does cloudflare not work with lambdas?
How can you know that thing. How can you understand that what should i need to know so i can get it. Read the docs?
I have no clue what you just asked
@@WebDevCody I'm just amaze how can you learned that. Like choosing where to host and use other tech to secure your application
Out of curiosity, can’t you achieve the same thing with aws api gateway and EC2?
Same thing, meaning ddos protection or hosting your api?
@@WebDevCody Actually I just thought about it, api gateway, EC2 wouldn’t work against ddos protection but will work with API hosting.
yesterday we were talking in your discord about this issue, it's good you bring this type of content but at the same time is bad, there's a lot of people looking for "targets" and this type of videos bring a lot of attention.
Just curious, why didn’t you deploy this NextJS app on Vercel’s free tier?
that is the same issue as AWS, just at least 5 times more expensive (free tier is a auto-upgrade if you hit the limits, you still owe money even if no card is linked)
Vercel free tier license states it can’t be used for commercial apps; my app getting ddos is making money
nice stuff, why not use aws vps with cloudflare?
Because if I want a vps, DO or railway has a much better ui for cheapee
This is quality content
Can't wait for the attacker to ddos test the new setup :D
if he does I'm quitting
@@WebDevCodyNo need to worry you are fine now unless you are charged for your AWS servers running in the backend per request you're fine. I would recommend not using AWS at all it's overpriced and trash IMO.
How did you learn about all these things 🥺?
Aws... Cloudfare... Etc etc
The same way you learn anything, trying it.
work, forced to use all the AWS stuff at work
The only downside with cloudflare is that it cant cache dynamic content, and with a big enough attack they can still overwhelm the backend server. Ive also had to configure some additional firewall rules on cloudflare to stop an attack because people will use thousands of cloud servers to attack, forcing me to block entire ASNs.
What’s an example of this? Why would you cache dynamic content if it’s dynamic? I’m guessing you’d still need rate limiting rules for dynamic content or api endpoints