Personally I have used GitHub pages and cloudflare pages for hosting static sites and have been very happy with them considering the zero cost involved.
I don't think there is much difference between paying nearlyfreespeech (which I have done in the past) Vs using GitHub or cloudflare - you are still reliant on a third party for actual hosting. I don't really see any value in self-hosting myself - apart from nerdy satisfaction etc, I don't see the need.
The important part in my mind is the fact that I am manually controlling the assets - the HTML the images etc. Simple files on disk.
The git integration with GitHub and cloudflare though is obviously a huge boon though as now I have an off-site backup, and publishing is even more seamless than the old FTP/sftp days - just push to master from within vscode where you are editing the files anyway and it'll be live in 30 seconds (as well as backed up).
A huge advantage of GH / CF is that your site has a strong chance of outliving you, if that's something you care about.
If you're self hosting, either at home or on a VPS, you have to worry about domains expiring and credit cards being cancelled, which is inevitably going to happen if you don't have a succession plan in place. You could probably solve it with a bunch of lawyering, but that's expensive.
Free services don't have this problem. They can still go away, it's not a 100% guarantee, but it's a "might" versus a "definitely will"
With a free service it's given because they have to monetize end of the day. For paid services different businesses will have different strategies. Some have a solid business model and are content with it, some want to differentiate themselves using privacy, some simply don't want to take the reputation risk that comes with moves like this. Will there be some sleazy bastards who take your money and your data (cough cough gith*)? Sure, but they will get found out eventually and astute people will be able to steer away.
That’s where being open-source is the hedge. I’m paying for your service and you still fuck me over, I have the option to self host. You start open-source and then start making the product worse? I’m forking and maintaining the old version.
So never bother with anything, am I right? Anything could be bad. Why eat the burger instead of the cyanide pill when there could be cyanide in the burger?
Clearly nobody thinks “paid = never selling data” and I have a hard time believing you actually think their argument is that simple and singular.
If something is paid + open source then you have a good starting point incentive wise for the provider but also if they mess with things under the hood someone will inevitably call it out and you can act accordingly. You also now have more options - you can fork it yourself, someone else may fork it and you can jump ship, etc.
Not really, not for 1¢/day. Most massive platforms that I use for free (Google Workspace, Cloudflare Pages, even Oracle Cloud always free tier) have outlived many low cost solutions I tried.
Nearlyfreespeech is a great service though not a 100% independent as your still relying on them. I think the closest you can get to 100% independent without running your own internet infrastructure is either port forwarding from your home (if allowed) or hosting a website through TOR which isn't too hard. You just have to download the browser and edit a config file (torrc) with the port you want on the network. Not ideal of course though because anyone who wants to visit your website will need the tor browser and explaining to people that your website is on the "dark web" is a little hard to do.
I am a little surprised that doing so isn't more popular on in the indie web scene though as you do it on hardware you own, from your home, and the tor network protects people from knowing your servers ip address if that's something you care about. You could even go to your domain provider and have one of your domains redirect to your .onion address so people don't need to memorize it.
There also used to be the beaker browser which let you create and host your own website directly from the browser but that project got shut down. Hopefully something similar will show up at some point. Maybe a website creating plugin for tor would be enough to make it more popular.
Note: you don’t need to “download the browser” to use Tor. Tor is a service, not a browser. The “Tor Browser” bundles a privacy-friendly browser with the Tor service, for your convenience. You can run a Tor site on your headless server without installing any browser at all.
A source repo link often gets more traction here than a link to what might turn out to be a closed, probably subscription based, service. The repo's main readme likely links direct to the product/ service/other main location [if the forge isn't being used as that] or demo location [if a public demo instance exists] should that be where I want to go immediately.
Though maybe posting both the repo link and a "live" link would be better still.
I just happen to not self-host my own code base. But your acting like I paid a penny for that, and self hosting git isn't possible, and we aren't on a forum which exists on the commercial internet.
Why did you still not post an onion link? It's as if you feel people don't like onion links. Which is true, and it's why people don't post onion links.
Does it not demonstrate the trivialness of it which was the case I'm making?
I simply do not want to announce my address here, it's ancillary to the discussion...you shed a layer of security by deciding to make your address public, non of which would benefit the whole point of any of the services I linked.
Circling back to the main discussion of indie web, tor is a great alternative if your circle of visitors is of reasonable size and you want a place outside of the commercialized internet. It's available to anyone.
Paying the penny will certainly give you robustness and reliability...but honestly that's part of the fun of indie web.
>you shed a layer of security by deciding to make your address public, non of which would benefit the whole point
It's possible to host something with no intention of making it internet-public. I also have services like that, that I only use myself or with friends. GP argument is that they don't want to share the onion link to their website, because (bluntly) we are not invited. Onion domains are actually relatively private (i mean unguessable - unlike clearnet domains), so it's possible to host private websites without any additional authorization.
Having said that, onion links carry a implicit baggage, so while I think they're great for sharing things with (technical) friends or a private VPN, they're probably not the best way to host services intended for public.
> You could even go to your domain provider and have one of your domains redirect to your .onion address so people don't need to memorize it.
Apparently [1] there are also ways that Tor Browser supports, for directing visitors to the onion address via the “normal” internet:
- Onion-Location
> The Onion-Location method was introduced on Tor Browser 9.5 as a way for service operators announce their Onion Services in their regular HTTPS sites. It's specified under tor-browser-spec's Proposal 100 - "Onion redirects using Onion-Location HTTP header".
- Alt-Svc
> Similar to Onion-Location, the Alt-Svc method also uses an HTTP Header (the Alt-Svc Header, specified by RFC 7838), which means that the user first need to access the regular site before their browser discovers the alternate Onion Service address.
> But contrary to Onion-Location, the Alt-Svc method:
> - Does not support an HTML tag, as it relies entirely in the Alt-Svc Header.
> - Is fully transparent: all the discovery and upgrade happens automatically, without user intervention.
- Additionally, they also speak of future possibilities for DNS or DNSSEC-based Onion Association.
Perfect is enemy of the good. Like you said, the only way to be truly independent if people ran their own infrastructure, and if all the hardware was as 100% FOSS.
Of all the compromises we have to do (relying on Telco providers, equipment manufacurers, etc), using Nearlyfreespeech is the less risky one. They have no history of abusing the trust users have placed on them, and service costs virtually nothing.
The internet isn't even capable of handling 8 billion people each with their own infrastructure. Even if everyone got IPv6 and their own PI address block, most DFZ routers can't handle that many routing table entries. Pooling resources is mandatory for the internet to work. However, there needs to be (and are) plenty of choices of who to pool with, so that you can find a trustworthy one.
i host myself with 2 fixed IPs from telekom germany business, its not as expensive as one might expect, under 90€ for a fiber and vdsl line, so next to hosting your own auth ns servers and mail you get failover at home which is nice.
Deutsche Telekom is well known as one of the worst ISPs due to their peering policy. Basically all traffic in or out of DT to/from another ISP is either paid by that ISP at extortionate rates, or takes circuitous routes to avoid paying extortionate rates. For this reason I believe they should be boycotted.
This is a common pattern for ex-national carriers in many countries btw - they believe they should be paid by both sides for all traffic that traverses their network, not just by one side, because they feel like they are God of the Internet in that country.
Indeed. I also depend on my power company, the entire global supply chain to provide me with computers to purchase, copper mines for the networking cables I use, oil fields all over the globe for the plastic, etc etc etc.
This is a pretty weird article/movement.
The greatest hurdle is almost definitely a domain name, which if you want to own the content you have to get. Which even the cheapest would cost you around 6$ a year. (I'm ignoring the "tk" tld, which is kind of a honeypot)
And you can host for a static site for free in a million places. CDNs free tiers are enough for individuals.
I don't get the preoccupation with hosting your own server, what matters is that you own your own identifier (in this case a domain name) whatever it points is vastly less important.
> The field of software engineering is dominated by the smart people that do something not because they have to but out of curiosity.
Emphasis mine.
We wish. I think the state of tech pretty conclusively demonstrates those people aren’t the ones who dominate. Money and power hungry tech bros do, which is why everything is shit and exploitative.
They’re both. There are finance tech bros “idea guys” whose aim is to be at the top of the company, and other tech bros who got into programming for the high salary and clout of being able to say they work at or are ex-employees of Facebook, or Google, or whatever.
This will get worse with new generations. They grow up on tables and phones where file system is a completely foreign concept. You need an app for everything.
I encountered juniors straight out of school who don’t know what tar is, or rsync, or what a symlink is.
It’s all learnable and everyone starts somewhere. But you’d think natural curiosity would kick in and they’d have picked up some of this on their own by the time they have a job.
I didn't even know about tar or rsync until I started to use Linux, and I don't really see how else one get to the point where you need to know about them. And even symlinks are still in my mind as 'shortcuts but [...]' (even though the other way around is probably more accurate). Even as a dev, it's very possible to go through life without touching Linux.
If you've built any open source software ever, it's pretty hard not to know of tar, even if you don't know exactly what it is. I think it's reasonable to expect anyone interested in computers would be familiar with common compression tools, let alone a CS major.
> I think it's reasonable to expect anyone interested in computers would be familiar with common compression tools
So 7zip and Winrar?
I joke, but only halfway. If you're only normal Windows user, you'd never hear of anything else (unless you want to go back to Winzip, which does still exist, but I've never heard of anyone using it any more).
If they were Windows game developers, they wouldn’t have to touch any of that. I guess it depends on where their interests lie and what platform they developed on.
For what it’s worth, I recently retired from a 30 year career as a developer and while I’m aware of all three of those things, I’ve never used any of them in or out of work.
And I’ve hosted my own web server these last 20 years.
But here’s one I heard literally two days ago: we counted three engineers (out of many) who knew that physical memory was not actually a giant flat space of contiguous addresses, and that there were multiple layers of address-mapping and region-joining glue logic between a program and the hardware, including in os libraries, and even inside the hardware.
Maybe knowing such information is archaic or useless for most engineers. But the good ones (or at least a certain flavor of the good ones) ask questions that lead them there.
You seem to be under the impression that any part of the average contemporary identity-and-behavioral-development stack encourages asking questions. Babysitting/teach-to-the-test schools don't, authoritarian parents and community authorities and corporate overseers don't, consensus-manufacturing politicians and media don't. (Heck, even our national soccer team doesn't.)(That was a joke.)
Worse, people who find it within themselves to ask questions anyway frequently face silence or a smackdown. The Internet's Own Boy remains no longer with us.
I wrote x86 assembly back when we were switching from real mode to protected mode, and I still have a feeling that I would not have been able to answer whatever question you asked there in a way that would satisfy you.
I also could no longer tell you how to balance a binary tree or implement Quicksort.
How could it be? For example, each memory stick doesn't know beforehand what other memory sticks it will be used with, so the "physical" addressing of the memory on each stick has to be independent of the others, i.e. a local address, that gets mapped to a virtual one.
This guy is right. Physical memory isn't flat. Every system with more than a few cores is NUMA. There are caches and cache lines. Memory channel interleaving. Ranks and banks and rows. Each DRAM chip keeps the last selected row and can access addresses within that row more quickly even if other accesses to other chips occur in the middle, unless a refresh cycle occurs.
It's all a layer below even OS programming. It's configured at the BIOS level and then performed in hardware. But that's the point, isn't it? Virtual memory is below the application programmer, too, but here we're chastising him for not understanding it. If we do that, shouldn't we equally chastise people for not understanding physical memory? Or speculative execution? Or head seeking and servo tracks? Or Ethernet line coding?
But that's not relevant? What would be relevant if, depending on where your bits are stored, acces time is significantly slower. If, regardless of where my data goes, my access time is constant then I do not care as a dev?
That's the abstraction I'm working with when coding. Which is necessary because in most cases this should be an implementation detail.
I've got a friend, I'll call him Bob, mostly because Bob is nowhere near his real name and I'm about to say some not very flattering things about him. He is my friend and not my job colleague or anything, so there's certain objectivity to this, in fact I appreciate Bob and I wish nothing but the best for him.
Bob has been programming for a bit more than a decade. He is, barring the people I know from other countries, the best paid programmer I know, and I know well over a dozen.
Bob has no interest whatsoever in any programming language that is not what he has been using his whole career, nor does he have any interest or curiosity in dipping his toes in other related fields, web development, tinkering with arduinos, home servers... Nothing. Bob has not built a computer, ever, doesn't know how to do it, nor what each part in that object does, beyond the hard drive because he did plug an extra one once or twice.
More anecdotally I played some Factorio and Satisfactory with Bob, now I know these are not excellent representations, but I expected a degree of order, planning and foresight, I was very much surprised when facing the reality of none of that being present, and I very much did not expect to see the same thing the few times I've looked at his code, but I did see that same thing.
I promise you Bob doesn't make up for all of this in social skills.
Now, is Bob a good engineer? I really, really don't think so. Is he a curious person? A bit, not much, I get the feel he just ended in CS with no particular interest for it, but I'll say it again: He is the best paid programmer I know.
Is that frightening? Well yeah, in a way. It's also endearing in a "Well damn if this guy can do it then surely I can too" sort of way. Money is not everything of course, but it's as good of a proxy as any.
> Considering many people doesn't know what a file is, keeping the spirit alive is important, I think.
Files aren’t sacred. It’s actually troubling that many technical people never consider alternatives. Most of the worlds data today is probably not stored in filesystems, rather in databases and object stores that use custom storage backends.
After the nth time of my Android Chrome app silently corrupting and auto-deleting my browsing history (all of it; it's not a bug, it's the intended behavior!), would love to hear about a file alternative that's modular enough to resist that kind of catastrophic failure and interoperable enough to inspect/repair if anything ever happens.
how would any alternative design prevent intended behavior?
But the most obvious alternative to a filesystem would be formatting a whole hard drive as an sqlite database. Obviously it would be a radical rethink in OS design.
There are also "single-level stores" from the last millennium - designs where there is no separation between volatile and nonvolatile storage. All memory in these systems is treated as nonvolatile. A Word document, for example, would be something like a suspended Word process. A directory is a process that only manages pointers to other files and directories. Obviously processes must be extremely lightweight in such a system. KeyKOS is an example of this and you can read papers about it and its Unix emulation layer. This is one of the many things humanity explored before settling on the hierarchical filesystem as the base layer of storage.
I agree that files aren't sacred, they are just another abstraction at the end of the day, but what the other user (I think) is referring to is the trend in which, as smartphone use becomes ubiquitous, users lose sight of the technical side of things.
It's not that the average user is ignorant of the many ways in which data can be stored and retrieved. It's that they are becoming ignorant of such abstractions existing altogether. It's hard to start thinking about how images are stored if all the user knows is "they are in the gallery".
We are a long removed from when putting something in your public_html folder would instantly give you a personal web site. Not that I am saying people should still hand write html or anything but it was a very quick and natural way to participate back in the day. (A unix account usually gave you automatic p2p chat too using finger to see if your buddy was online and talk/ytalk to talk to them.) This was little less than magic at the time even when your friend was sitting on the terminal right next to you.
It's sad that we need this new concept of "IndieWeb", as the whole Internet evolved into a monstrosity hosted and guardrailed by a handful of megacorporations. Hosting files became a privilege, when it should've been a (human) right all along.
edit: The tech to host yourself is obviously still there, but the _mindset_ changed to cloud only.
Perhaps useful for those training developers mentioned in some posts here who need the TIL experience with unix based systems. Free shell account on a netbsd unix, and I recollect that a small one-off donation provides access to Web space and other enhancements. Choose the login name wisely as that becomes the subdomain for the Web space.
1. Learn how you can get HTML generated from a human-readable and writer-friendly format, say, Markdown (plain-text). This can be Pandoc, a macOS/Win wrapper desktop UI over Pandoc, and many other tools that do this.
2. Learn the process (and the tools) to upload, or sync to a service that hosts the HTML (CSS+JS).
3. Learn the simple steps of owning of a domain, and updating the DNS to point to the right services, such as Github Pages, CloudFlare Pages, etc.
As you are not dependent on a particular tool/service/platform/company, you can walk out and host your files (the website content) elsewhere.
The post-processing of the raw (Markdown) articles/posts to HTML can be then automated with Static Site Generator if someone is willing to learn a little more on top of the above steps.
Of course, it is a fun and good thing to know HTML but that should be optional to the target of “Run your own website 100% independently.” With Github and Cloudfalre, you can hve it for $0 monthly. If they go kaput or stops free, someone will come up - walk out and walk in elsewhere.
> When your posts are individual HTML files (not Markdown files or database entries), they can finally be seen as the individual web pages that they truly are. And that means that you can really lean into making all of your posts unique! They don’t all have to be cookie-cutter paper-doll clones of one another; that’s just a bi-product of modern web publishing tools and the cultural influence that they have on our concept of a “blog”. You can now go ahead and make every blog post as special and individual as you’d like. Each post can have its own personality, baked right into its HTML. Individual style, individual appearance, even individual layout. Literally everything is possible with this approach.
HTML is human-readable and writer friendly. Humans - not even all of them CS students - were reading HTML,JS and CSS on websites and writing it all by hand in text editors for years before the "proper tooling" came along. It really isn't that difficult, especially if you're just dealing with simple websites, doubly so if you're on HN, you probably work with more complex languages on a regular basis.
If you really want to "learn and own a process" and be "100% independent" you should at least be able to understand and work with web languages natively.
Static site generators are nice (I use Nikola) and tools make things easier but but it's still dependency on third party tools if you don't understand or can't otherwise work with the output.
Recently, I had to make a website for an event, so domain was needed, but what's cool with that is that the domain provider (Infomaniak, with which I am not affiliated btw), also provided 10 MB of storage which is large enough for a lot of things.
So for something like 5€ per year (still more than 1c per day...), you can get the domain and the website, which is not too bad
Github Pages is free hosting with domains and ssl, no bills, and has good longevity and prospects. I don't want to worry or think about a static site, and big players like Github and Cloudflare seem to fit that best.
I appreciate the sentiment but can't quite tell who the author is targeting. Is it people who don't even know what HTML is, or those who are technical enough to have considered tradeoffs between web hosting options?
For complete beginners, I made https://weejur.com , which is designed to make it easy for even a complete beginner to paste in HTML and get it hosted on GitHub Pages for free. (And is also hosted itself on GitHub for free!)
I write technical blog posts with visualizations and live demos. That usually means embedding a bit of custom javascript in the page for the demo. Or shipping custom wasm to enable extreme semantic model compression.
I do this by pushing content from my machine to github pages which is wired up to my subdomain.
If github pages stops being a good, free option for this, I will find another. Not sure I would call this "hardcore" really.
this would work if we had free DNS. solving DNS to be trully decentralized and free is something for years I wish I had more time to work on and build
key properties:
1. everyone can be a registar. your localhost too
2. blockchain proof of ownership and discovery (certs, not proof-of-work, fast and cheap ledger)
3. everyone can be a CA (self-signed certs pinned in blockchain)
4. no fixation on static IPs (inspired by Cloudflare Tunnels, Tailscale). IPs are ephemeral.
5. blockchain/P2P discovery of domains
but it is all fantasy without real browsers support (Chrome, Safari). 99.999% of traffic is locked there, and both controlled by monopolies Google / Apple. and you cannot even build your own browser (Apple App Store will not allow it). Maybe alternative stores and some proxies / translation layer from normal web to this web would help.
Zooko's Triangle says you can't build a name resolution system that's secure, human readable, and decentralised.
DNS is secure (in Zooko's terms - means you can be certain a domain only has one correct resolution) and human readable.
.onion is secure and decentralised.
Petnames (as in I2P) or /etc/hosts are human readable and decentralised.
Also any centralised secure system will quickly have all the names squatted if they are free. It's bad enough at current prices. For instance every dictionary word under .com is already taken. If they cost nothing it would be every pronounceable sequence of up to 12 letters.
Nothing is actually stopping you running "weird DNS" on your home network if you implement the DNS protocol towards clients. I suggest you get familiar with the program Unbound. It's very common for networks to use alternative DNS if only to address the devices on the network.
Also IPs weren't originally meant to be ephemeral. You can get an address block registered to you (v6 only of course, there's no more v4) for a pretty reasonable nominal fee.
You can’t build your own engine outside of the EU, but you can still build on top of the existing Safari engine. What you’re describing is technically possible.
However, why would a company build something just for a handful of people?
I guess if you are Epic games, and you do not want to be blocked or controlled by App Stores, or pay 30% paycut. maybe you would build and support independent (from google/apple monopoly) interenet stack.
or if you are EU/China and do not want google DNS and networkign layer owning entire EU/China
in all cases they would still want centralized control by each state/company.
how to align incentives of someone who can actually pull this off and still keep it decentralized is a big question.
so the only way to make this happen is independent SWEs build their own browser. AND significant portion of users will start use it exclusively AND it survives and crashes competition from OS controlled browsers (Chrome/Safari) AND OS does not block/remove them from OS controlled app stores (which they can and regularly do, just look at "Hey" or "Brave").
you got to go full own hardware stack. now only China can reallistically pull this off.
China has own hardward stack. (actually entirety of all hardware stacks. it is all build there).
China has own playstores or higly regulated versions of Apple/Google play stores.
China has mini-apps ecosystem which is more resilient to App Store whims.
and pretty much China is only place that can reallistically negotiate and push back to Google/Apple.
nobody else can stand a chance.
so free web is only possible in China pretty much. and future of free web is there.
if it was up to corporate monopolies (MSFT, Google, Apple) they would shut down whole web and remove other browsers from OS they control, and be gatekeepers of entire internet unless govenrment threaten them break them up or block them.. oh wait.
oh yeah, how my opinion changing:
- in schools I used HTML+CSS to make my own site during homework
- after that I understand that no one truly create sites this way. You need JS, framework, database, etc, etc
- now I returned back - I really need only my text editor and HTML+CSS
I don't get it. I've been doing this for over 20 years exactly the same way. I even ran a business. The server I rent is $2/month. I read nothing new in anything in that article.
To me this "knowledge" seems to be a crutch. Real knowledge would show how to do it on their own as thousands of us have done for decades and still do today.
I self host my site [1] on an old Mac mini in a Swift backend and sqlite database. Only thing I rely upon someone for is Cloudflare tunnels for free. I could replace that with port forwarding but so far, this way is pretty good.
Yup, I have a similar setup where I use a Wireguard VPN to tunnel traffic to a tiny public facing Caddy server, which proxies the traffic to the server under my own roof. No Cloudflare!
I have something similar. I use Cloudflare tunnels too but also their CDN which is free (for now).
That's the only thing I haven't really been able to figure out how to do on my own. Back in the day, hosting a static site from my crappy DSL connection was basically no problem and most people who were accessing my site were probably in my timezone. Now with how big the web is and how many bots there are, I worry about the quality of self hosting without a CDN.
Bots are over-fearmongered. Yes, you get a lot of bot traffic to any website. No, it isn't a ddos unless you make it a ddos by making your server do 10 seconds of computation on every page load. Just keep an eye on server load so you know when a solution is actually needed, and you'll be fine. Install Anubis if you want to, but there are even simpler checks, like requiring an image or CSS file to be loaded or setting a cookie or putting a simple redirect in JavaScript or meta-refresh.
Cloudflare tunnels are pretty cool. Do you segregate your server from your home domain too? Little weird having cloudflared on my home network. It make things a little more annoying but I haven’t bothered to fix it since I dev on the same production server.
> Cloudflare tunnels for free. I could replace that with port forwarding
You could replace it with something better, like pangolin, either their cloud or even self host it too, and that way you can tunnel to other stuff like if you have a media server where you can watch your movies from anywhere in the world.
They can also take action if they decide you're wasting their bandwidth or (especially) cache space. It's not allowed to host video files on any free cloudflare plan due to cache space.
Well this is great, even going further and hosting the site itself and serve it instead of webhosts, but, now we have domains issue, a domain registrar hijacking your domain, which is your life work, email, etc., so there’s a need to have a free tld that’s uncontrollable by any entity, .onion isn’t practical obviously.
There's no such thing as a TLD that's uncontrollable by any entity. How would you imagine such a thing working? Whatever you imagine: how does it stand up to me editing the hosts file, or the browser's source code?
>There's no such thing as a TLD that's uncontrollable by any entity.
Think .crypto but without the ability to upgrade the smart contract to censor domains. The registry is spread out across a whole decentralized network of computers of which has another decentralized network of computers that proxy requests exists.
>how does it stand up to me editing the hosts file, or the browser's source code?
No one can force you to resolve domains YOU don't want to. You can of course blow up your computer and then you definitely can't resolve the domain. What people mean is that the user is free to still resolve it if they want.
> The registry is spread out across a whole decentralized network of computers of which has another decentralized network of computers that proxy requests exists.
Ultimately, someone has to be in control of who is or is not part of that decentralized network that is the registry. (Or, alternatively phrased, how are you preventing me from saying "I'm part of the .crypto registry, totes.")
Aside from that, the root nameservers is still an entity that is controlled (by ICANN, specifically).
Blockchains have complicated permission systems which isn't the same as having no permission systems. Remember when Vitalik reversed a DAO smart contract transaction he disagreed with? It leaves a cloud of mistrust over Ethereum to this day. There's no reason to think it couldn't happen again.
What does "the user is free to still resolve it if they want" mean in a world where people do not control, or even understand, the software running on their computers? (Because I can tell you, I certainly don't.) This abstraction is a nice idea, but it's unrealistic as part of a serious threat model. Does Joe Q. Public know about the hosts file, or how the Windows network stack selectively overrides its entries, or how some of the Linux userspace uses systemd-resolved, or the things that I don't even know to write here? I'M not the one resolving domains: the software running on MY computer is.
And even if I'm a super genius who's written my own full-stack operating system on my souped-up speccy, I'm still bound by the laws of information theory. If you need information that you don't have, you're necessarily requesting it from a source (here, a computer) external to you (here, outside your control). A complicated network protocol doesn't make that fact go away, and doesn't allow you to ignore it. (It might mitigate various censorship or spoofing approaches, but you only know that if you check: the abstraction won't save you merely by virtue of being an abstraction.)
Note that most ISPs don't allow it on residential plans, but also won't stop you unless you actually create some kind of problem (no ISP actively polices it). If you're rich you can pay more for a business plan (at your home) which would explicitly allow it.
It's fine to host something for friends on a residential ISP. They don't care. If you want to make it a public website it's more uncertain. Still don't worry though, because they won't just ban you from the internet. Worst you'd get is a phone call telling you to stop it.
It's good advice, but one need not even include the "upload it to a web server" these days now that home connections are so fast. Install some static webserver on your desktop computer (nginx, caddy, whatever), forward the port 80 at your router to it's lanip:80, and just save .html and files to the web directory using your normal desktop interface. It doesn't matter if you shut off the computer sometimes. Uptime doesn't matter. Optionally file transfer (rsync, etc) this local copy to a VPS or something like the author suggests.
Indieweb receiving of webmention only requires the ability to log HTTP POSTs to some url endpoint. Or you can use one of third party services servers to receive that interact with your website via with 3rd party javascript applications you include on your webpage. Sending webmention can be done with cURL, even HTML forms, or again, 3rd party JS includes.
However, it'll also bring all the bots and "wild west" of the internet to your house when you run your web server from home, and for anyone who has a couple of spare dollars, it's a much wiser choice to run a small VPS elsewhere to weather the storm.
[Internet facing router with up to date firmware] --> HTTPS --> [separate VLAN DMZ] --> [my hardcore IndieWeb VM/k8s/bare-metal whatever] --> [x No outbound access / paranoid local firewall inside the VM x]
[My home computer] --> SSH --> [my hardcore IndieWeb local cloud]
In 20 years of managing server fleets, I always had the pleasure of watching bots taking a dig at my server(s) the moment I give their public IPs and enable their interfaces.
For someone who knows what they are doing, it's more like mosquito noise, a mere nuisance, but even then, using a rock solid system with all updates installed carries the risk of having a zero-day.
If your server is networked to the rest of the house, and if somebody manages to get in, then it's all fun(!).
For 20 years this was not really an issue. From 2010 to 2020 there wasn't a single nginx cve that applied to my simple static setup. There were literally only a handful of remote CVE at all. With the advent of LLM AI exploit finding there have been 2 CVE this year that I had to look in to. Neither actually applied to me, but it is a different world out there.
That said, the practice of running a modern corporate web browser that auto-executes all programs sent to it from arbitrary unknown third parties is a way, way, way bigger and more common and likely attack surface than a simple static webserver serving files in directories.
You need a static IP address for this to work is the downside, and depending on where you live and who your provider it it can be difficult and/or expensive.
You can programmatically update DNS whenever your dynamic IP changes. One issue though is that some residential ISPs prohibit webhosting in their terms.
you can go ipv6 only, any good isp will give you a static /56 for free. practically none of your users have ipv4 only devices when every major os has been dual stack by default for like 15 years. if your isp cant give you one its time to switch as soon as you can.
Ehh my ISP at home is still ipv4 only. The amount of ipv6 capable connections only just passed 50% worldwide a few months ago.
I don't think ipv6 only is feasible yet unless your audience is exclusively in Asia where ipv6 uptake is much higher due to them running out of ipv4 years ago
You can get a Hurricane Electric free static v6 tunnel.
They have poor reputations and are blocked from streaming sites and so on. But when you're the server, that doesn't affect you.
Note that you need a static v4 and DMZ because the tunnel protocol is a very simple one - presumably because they run it on giant routers. It just puts a v4 header in front of the v6 header. No TCP or UDP.
In practice, I found cloudflare necessary to deter bots/crawlers. It is indeed fairly cheap, but you're still dependent upon three entities you don't really control: the DNS, the host, and Cloudflare.
Fixed IP would be a way to go. Some people pick dynamic dns server so they can periodically update if their IP changes. But IMO it's just too complicated. I don't think there's a good way to go around ISP restrictions, especially in USA.
I host my site on my own home server, but I do have a proxy ec2 server to tunnel public traffic via wireguard back to my home server. This keeps things a bit more protected and my router/home network not directly exposed. I'm also not locked into AWS, I just use them for convenience, but could get any other cheap proxy to run wireguard. No dependency on tailscale either, it's just nicer interface to wireguard. Wireguard config is like 5 lines btw.
I don't think there is much difference between paying nearlyfreespeech (which I have done in the past) Vs using GitHub or cloudflare - you are still reliant on a third party for actual hosting. I don't really see any value in self-hosting myself - apart from nerdy satisfaction etc, I don't see the need.
The important part in my mind is the fact that I am manually controlling the assets - the HTML the images etc. Simple files on disk.
The git integration with GitHub and cloudflare though is obviously a huge boon though as now I have an off-site backup, and publishing is even more seamless than the old FTP/sftp days - just push to master from within vscode where you are editing the files anyway and it'll be live in 30 seconds (as well as backed up).
If you're self hosting, either at home or on a VPS, you have to worry about domains expiring and credit cards being cancelled, which is inevitably going to happen if you don't have a succession plan in place. You could probably solve it with a bunch of lawyering, but that's expensive.
Free services don't have this problem. They can still go away, it's not a 100% guarantee, but it's a "might" versus a "definitely will"
If something is paid + open source then you have a good starting point incentive wise for the provider but also if they mess with things under the hood someone will inevitably call it out and you can act accordingly. You also now have more options - you can fork it yourself, someone else may fork it and you can jump ship, etc.
Now you just get fscked twice.
[1] https://gigatexal.blog
I am a little surprised that doing so isn't more popular on in the indie web scene though as you do it on hardware you own, from your home, and the tor network protects people from knowing your servers ip address if that's something you care about. You could even go to your domain provider and have one of your domains redirect to your .onion address so people don't need to memorize it.
There also used to be the beaker browser which let you create and host your own website directly from the browser but that project got shut down. Hopefully something similar will show up at some point. Maybe a website creating plugin for tor would be enough to make it more popular.
I've made a few easy to spin up services. Heck, you can even run it off your phone.
Nanogram https://gitlab.com/here_forawhile/nanogram
Spreadsheet Server https://gitlab.com/here_forawhile/spreadsheet
Library Server https://gitlab.com/here_forawhile/libraryserver
Torum (HN Clone) https://gitlab.com/here_forawhile/torum
A source repo link often gets more traction here than a link to what might turn out to be a closed, probably subscription based, service. The repo's main readme likely links direct to the product/ service/other main location [if the forge isn't being used as that] or demo location [if a public demo instance exists] should that be where I want to go immediately.
Though maybe posting both the repo link and a "live" link would be better still.
If you want to make the point that self-hosting is trivial, then show a site that you are hosting with your setup instead of just pointing to gitlab.
https://nonogra.ph/running-a-website-inside-a-website-07-15-...
I don't feel the need or want to share my services with the world to demonstrate that.
I simply do not want to announce my address here, it's ancillary to the discussion...you shed a layer of security by deciding to make your address public, non of which would benefit the whole point of any of the services I linked.
Circling back to the main discussion of indie web, tor is a great alternative if your circle of visitors is of reasonable size and you want a place outside of the commercialized internet. It's available to anyone.
Paying the penny will certainly give you robustness and reliability...but honestly that's part of the fun of indie web.
>you shed a layer of security by deciding to make your address public, non of which would benefit the whole point
It's possible to host something with no intention of making it internet-public. I also have services like that, that I only use myself or with friends. GP argument is that they don't want to share the onion link to their website, because (bluntly) we are not invited. Onion domains are actually relatively private (i mean unguessable - unlike clearnet domains), so it's possible to host private websites without any additional authorization.
Having said that, onion links carry a implicit baggage, so while I think they're great for sharing things with (technical) friends or a private VPN, they're probably not the best way to host services intended for public.
Apparently [1] there are also ways that Tor Browser supports, for directing visitors to the onion address via the “normal” internet:
- Onion-Location
> The Onion-Location method was introduced on Tor Browser 9.5 as a way for service operators announce their Onion Services in their regular HTTPS sites. It's specified under tor-browser-spec's Proposal 100 - "Onion redirects using Onion-Location HTTP header".
- Alt-Svc
> Similar to Onion-Location, the Alt-Svc method also uses an HTTP Header (the Alt-Svc Header, specified by RFC 7838), which means that the user first need to access the regular site before their browser discovers the alternate Onion Service address.
> But contrary to Onion-Location, the Alt-Svc method:
> - Does not support an HTML tag, as it relies entirely in the Alt-Svc Header.
> - Is fully transparent: all the discovery and upgrade happens automatically, without user intervention.
- Additionally, they also speak of future possibilities for DNS or DNSSEC-based Onion Association.
[1]: https://onionservices.torproject.org/research/proposals/usab...
Of all the compromises we have to do (relying on Telco providers, equipment manufacurers, etc), using Nearlyfreespeech is the less risky one. They have no history of abusing the trust users have placed on them, and service costs virtually nothing.
This is a common pattern for ex-national carriers in many countries btw - they believe they should be paid by both sides for all traffic that traverses their network, not just by one side, because they feel like they are God of the Internet in that country.
Not 100% independent then. You still depend on your isp.
And you can host for a static site for free in a million places. CDNs free tiers are enough for individuals.
I don't get the preoccupation with hosting your own server, what matters is that you own your own identifier (in this case a domain name) whatever it points is vastly less important.
The field of software engineering is dominated by the smart people that do something not because they have to but out of curiosity.
I've hired a bunch of people and I was always looking for curiosity and drive most of all. A degree doesn't help you if you don't care.
Emphasis mine.
We wish. I think the state of tech pretty conclusively demonstrates those people aren’t the ones who dominate. Money and power hungry tech bros do, which is why everything is shit and exploitative.
The shit and exploitation don’t build themselves.
It’s all learnable and everyone starts somewhere. But you’d think natural curiosity would kick in and they’d have picked up some of this on their own by the time they have a job.
So 7zip and Winrar?
I joke, but only halfway. If you're only normal Windows user, you'd never hear of anything else (unless you want to go back to Winzip, which does still exist, but I've never heard of anyone using it any more).
And I’ve hosted my own web server these last 20 years.
But here’s one I heard literally two days ago: we counted three engineers (out of many) who knew that physical memory was not actually a giant flat space of contiguous addresses, and that there were multiple layers of address-mapping and region-joining glue logic between a program and the hardware, including in os libraries, and even inside the hardware.
Maybe knowing such information is archaic or useless for most engineers. But the good ones (or at least a certain flavor of the good ones) ask questions that lead them there.
Worse, people who find it within themselves to ask questions anyway frequently face silence or a smackdown. The Internet's Own Boy remains no longer with us.
I also could no longer tell you how to balance a binary tree or implement Quicksort.
It's all a layer below even OS programming. It's configured at the BIOS level and then performed in hardware. But that's the point, isn't it? Virtual memory is below the application programmer, too, but here we're chastising him for not understanding it. If we do that, shouldn't we equally chastise people for not understanding physical memory? Or speculative execution? Or head seeking and servo tracks? Or Ethernet line coding?
That's the abstraction I'm working with when coding. Which is necessary because in most cases this should be an implementation detail.
You spelled "frightening" wrong.
I've got a friend, I'll call him Bob, mostly because Bob is nowhere near his real name and I'm about to say some not very flattering things about him. He is my friend and not my job colleague or anything, so there's certain objectivity to this, in fact I appreciate Bob and I wish nothing but the best for him.
Bob has been programming for a bit more than a decade. He is, barring the people I know from other countries, the best paid programmer I know, and I know well over a dozen.
Bob has no interest whatsoever in any programming language that is not what he has been using his whole career, nor does he have any interest or curiosity in dipping his toes in other related fields, web development, tinkering with arduinos, home servers... Nothing. Bob has not built a computer, ever, doesn't know how to do it, nor what each part in that object does, beyond the hard drive because he did plug an extra one once or twice.
More anecdotally I played some Factorio and Satisfactory with Bob, now I know these are not excellent representations, but I expected a degree of order, planning and foresight, I was very much surprised when facing the reality of none of that being present, and I very much did not expect to see the same thing the few times I've looked at his code, but I did see that same thing.
I promise you Bob doesn't make up for all of this in social skills.
Now, is Bob a good engineer? I really, really don't think so. Is he a curious person? A bit, not much, I get the feel he just ended in CS with no particular interest for it, but I'll say it again: He is the best paid programmer I know.
Is that frightening? Well yeah, in a way. It's also endearing in a "Well damn if this guy can do it then surely I can too" sort of way. Money is not everything of course, but it's as good of a proxy as any.
Files aren’t sacred. It’s actually troubling that many technical people never consider alternatives. Most of the worlds data today is probably not stored in filesystems, rather in databases and object stores that use custom storage backends.
But the most obvious alternative to a filesystem would be formatting a whole hard drive as an sqlite database. Obviously it would be a radical rethink in OS design.
There are also "single-level stores" from the last millennium - designs where there is no separation between volatile and nonvolatile storage. All memory in these systems is treated as nonvolatile. A Word document, for example, would be something like a suspended Word process. A directory is a process that only manages pointers to other files and directories. Obviously processes must be extremely lightweight in such a system. KeyKOS is an example of this and you can read papers about it and its Unix emulation layer. This is one of the many things humanity explored before settling on the hierarchical filesystem as the base layer of storage.
It's not that the average user is ignorant of the many ways in which data can be stored and retrieved. It's that they are becoming ignorant of such abstractions existing altogether. It's hard to start thinking about how images are stored if all the user knows is "they are in the gallery".
It's sad that we need this new concept of "IndieWeb", as the whole Internet evolved into a monstrosity hosted and guardrailed by a handful of megacorporations. Hosting files became a privilege, when it should've been a (human) right all along.
edit: The tech to host yourself is obviously still there, but the _mindset_ changed to cloud only.
Sadly with CGNAT, port blocks, hosting any server being a terms of service violation...
> For just $0.01/day, you can run a static website at NearlyFreeSpeech.net
I respect the spotlight on hosting your own websites, but it's not much different from the usual Vercel/Netlify/GitHub/Cloudflare static hosting.
What if I want a database, feedback form, social media previews, good SEO? Article says nothing about it. Perhaps that's what makes a website "indie"?
Perhaps useful for those training developers mentioned in some posts here who need the TIL experience with unix based systems. Free shell account on a netbsd unix, and I recollect that a small one-off donation provides access to Web space and other enhancements. Choose the login name wisely as that becomes the subdomain for the Web space.
I built a comment js plugin which hosts all data inside a git repo. https://github.com/est/req4cmt (as long as your git service accept http)
It runs a Cloudflare Worker for free. The data backup/migration is basically git clone & push
There's another twitter-replacement, also based on git. https://github.com/est/gitweets
Demo https://f.est.im/ it supports comments via git notes :D
$0.01/day ? They are all completely free thanks to Cloudflare Workers / Github Pages.
1. Learn how you can get HTML generated from a human-readable and writer-friendly format, say, Markdown (plain-text). This can be Pandoc, a macOS/Win wrapper desktop UI over Pandoc, and many other tools that do this.
2. Learn the process (and the tools) to upload, or sync to a service that hosts the HTML (CSS+JS).
3. Learn the simple steps of owning of a domain, and updating the DNS to point to the right services, such as Github Pages, CloudFlare Pages, etc.
As you are not dependent on a particular tool/service/platform/company, you can walk out and host your files (the website content) elsewhere.
The post-processing of the raw (Markdown) articles/posts to HTML can be then automated with Static Site Generator if someone is willing to learn a little more on top of the above steps.
Of course, it is a fun and good thing to know HTML but that should be optional to the target of “Run your own website 100% independently.” With Github and Cloudfalre, you can hve it for $0 monthly. If they go kaput or stops free, someone will come up - walk out and walk in elsewhere.
> When your posts are individual HTML files (not Markdown files or database entries), they can finally be seen as the individual web pages that they truly are. And that means that you can really lean into making all of your posts unique! They don’t all have to be cookie-cutter paper-doll clones of one another; that’s just a bi-product of modern web publishing tools and the cultural influence that they have on our concept of a “blog”. You can now go ahead and make every blog post as special and individual as you’d like. Each post can have its own personality, baked right into its HTML. Individual style, individual appearance, even individual layout. Literally everything is possible with this approach.
HTML is human-readable and writer friendly. Humans - not even all of them CS students - were reading HTML,JS and CSS on websites and writing it all by hand in text editors for years before the "proper tooling" came along. It really isn't that difficult, especially if you're just dealing with simple websites, doubly so if you're on HN, you probably work with more complex languages on a regular basis.
If you really want to "learn and own a process" and be "100% independent" you should at least be able to understand and work with web languages natively.
Static site generators are nice (I use Nikola) and tools make things easier but but it's still dependency on third party tools if you don't understand or can't otherwise work with the output.
I also “preach” GitHub pages a lot but I’ve also written about hosting on a Raspberry Pi in my bedroom.
https://joeldare.com/private-analytics-and-my-raspberry-pi-4...
Small tech is fine. Self hosting is fine. VPSes are fine. Don't use "clouds" - they're big tech, and overpriced.
Make sure it's something you pay for, so that you are the customer, instead of the product.
Astro is a framework that uses no JavaScript by default. I also use just HTML and CSS, so no bloated additional frameworks or styling libraries.
All blog content is written as Markdown or .mdx files, so it's easy to write and move to any other tool if you wish to do so.
You can host it for free using any major provider since it's just a static website (e.g., GitHub Pages, Cloudflare, etc.).
Making it similar to my own website which is on: https://bryanhogan.com/
(Repo: https://github.com/BryanHogan/bryanhogan )
For complete beginners, I made https://weejur.com , which is designed to make it easy for even a complete beginner to paste in HTML and get it hosted on GitHub Pages for free. (And is also hosted itself on GitHub for free!)
I write technical blog posts with visualizations and live demos. That usually means embedding a bit of custom javascript in the page for the demo. Or shipping custom wasm to enable extreme semantic model compression.
I do this by pushing content from my machine to github pages which is wired up to my subdomain.
If github pages stops being a good, free option for this, I will find another. Not sure I would call this "hardcore" really.
key properties:
1. everyone can be a registar. your localhost too
2. blockchain proof of ownership and discovery (certs, not proof-of-work, fast and cheap ledger)
3. everyone can be a CA (self-signed certs pinned in blockchain)
4. no fixation on static IPs (inspired by Cloudflare Tunnels, Tailscale). IPs are ephemeral.
5. blockchain/P2P discovery of domains
but it is all fantasy without real browsers support (Chrome, Safari). 99.999% of traffic is locked there, and both controlled by monopolies Google / Apple. and you cannot even build your own browser (Apple App Store will not allow it). Maybe alternative stores and some proxies / translation layer from normal web to this web would help.
DNS is secure (in Zooko's terms - means you can be certain a domain only has one correct resolution) and human readable.
.onion is secure and decentralised.
Petnames (as in I2P) or /etc/hosts are human readable and decentralised.
Also any centralised secure system will quickly have all the names squatted if they are free. It's bad enough at current prices. For instance every dictionary word under .com is already taken. If they cost nothing it would be every pronounceable sequence of up to 12 letters.
Nothing is actually stopping you running "weird DNS" on your home network if you implement the DNS protocol towards clients. I suggest you get familiar with the program Unbound. It's very common for networks to use alternative DNS if only to address the devices on the network.
Also IPs weren't originally meant to be ephemeral. You can get an address block registered to you (v6 only of course, there's no more v4) for a pretty reasonable nominal fee.
However, why would a company build something just for a handful of people?
or if you are EU/China and do not want google DNS and networkign layer owning entire EU/China
in all cases they would still want centralized control by each state/company.
how to align incentives of someone who can actually pull this off and still keep it decentralized is a big question.
you got to go full own hardware stack. now only China can reallistically pull this off.
China has own hardward stack. (actually entirety of all hardware stacks. it is all build there). China has own playstores or higly regulated versions of Apple/Google play stores.
China has mini-apps ecosystem which is more resilient to App Store whims.
and pretty much China is only place that can reallistically negotiate and push back to Google/Apple.
nobody else can stand a chance.
so free web is only possible in China pretty much. and future of free web is there.
Holy, I love this simplicity
Payment methods are inherently discriminatory.
Although calling it hardcore makes it sound like porn. Too bad they had to add that term for something painfully not hardcore.
I don't get it.
Sftp is still very useful even in 2026
[1] https://limereader.com/
That's the only thing I haven't really been able to figure out how to do on my own. Back in the day, hosting a static site from my crappy DSL connection was basically no problem and most people who were accessing my site were probably in my timezone. Now with how big the web is and how many bots there are, I worry about the quality of self hosting without a CDN.
You could replace it with something better, like pangolin, either their cloud or even self host it too, and that way you can tunnel to other stuff like if you have a media server where you can watch your movies from anywhere in the world.
https://neat.joeldare.com
You’ll also find a free email course where I walk you through how I create a site using it. Link on that page.
No. That's the method.
Think .crypto but without the ability to upgrade the smart contract to censor domains. The registry is spread out across a whole decentralized network of computers of which has another decentralized network of computers that proxy requests exists.
>how does it stand up to me editing the hosts file, or the browser's source code?
No one can force you to resolve domains YOU don't want to. You can of course blow up your computer and then you definitely can't resolve the domain. What people mean is that the user is free to still resolve it if they want.
Ultimately, someone has to be in control of who is or is not part of that decentralized network that is the registry. (Or, alternatively phrased, how are you preventing me from saying "I'm part of the .crypto registry, totes.")
Aside from that, the root nameservers is still an entity that is controlled (by ICANN, specifically).
Ethereum is an unpermissioned network. Anyone is free to join or leave at anytime.
>how are you preventing me from saying "I'm part of the .crypto registry, totes.")
The registry would be a smart contract. There doesn't fundamentally need to be an owner.
>how are you preventing me from saying "I'm part of the .crypto registry, totes.")
Name resolving doesn't have to be done by ICANN's domain name system. You can have alternates that do not depend on centralized servers.
And even if I'm a super genius who's written my own full-stack operating system on my souped-up speccy, I'm still bound by the laws of information theory. If you need information that you don't have, you're necessarily requesting it from a source (here, a computer) external to you (here, outside your control). A complicated network protocol doesn't make that fact go away, and doesn't allow you to ignore it. (It might mitigate various censorship or spoofing approaches, but you only know that if you check: the abstraction won't save you merely by virtue of being an abstraction.)
Like, I have fiber and a static IP. Never much thought about hosting a website from my house because it didn't seem all that special. Maybe I should?
It's fine to host something for friends on a residential ISP. They don't care. If you want to make it a public website it's more uncertain. Still don't worry though, because they won't just ban you from the internet. Worst you'd get is a phone call telling you to stop it.
Indieweb receiving of webmention only requires the ability to log HTTP POSTs to some url endpoint. Or you can use one of third party services servers to receive that interact with your website via with 3rd party javascript applications you include on your webpage. Sending webmention can be done with cURL, even HTML forms, or again, 3rd party JS includes.
[My home computer] --> SSH --> [my hardcore IndieWeb local cloud]
That's about it. Safe enough.
In 25 years of hosting a dozen domain names on a server on my home connection, this problem has not surfaced for me.
For someone who knows what they are doing, it's more like mosquito noise, a mere nuisance, but even then, using a rock solid system with all updates installed carries the risk of having a zero-day.
If your server is networked to the rest of the house, and if somebody manages to get in, then it's all fun(!).
Especially if you host something like wordpress with plugins you really have to be on the ball with updates.
That said, the practice of running a modern corporate web browser that auto-executes all programs sent to it from arbitrary unknown third parties is a way, way, way bigger and more common and likely attack surface than a simple static webserver serving files in directories.
I don't think ipv6 only is feasible yet unless your audience is exclusively in Asia where ipv6 uptake is much higher due to them running out of ipv4 years ago
They have poor reputations and are blocked from streaming sites and so on. But when you're the server, that doesn't affect you.
Note that you need a static v4 and DMZ because the tunnel protocol is a very simple one - presumably because they run it on giant routers. It just puts a v4 header in front of the v6 header. No TCP or UDP.
https://rustyswarf.com, which runs on a very simple framework called Travail.
In practice, I found cloudflare necessary to deter bots/crawlers. It is indeed fairly cheap, but you're still dependent upon three entities you don't really control: the DNS, the host, and Cloudflare.
I host my site on my own home server, but I do have a proxy ec2 server to tunnel public traffic via wireguard back to my home server. This keeps things a bit more protected and my router/home network not directly exposed. I'm also not locked into AWS, I just use them for convenience, but could get any other cheap proxy to run wireguard. No dependency on tailscale either, it's just nicer interface to wireguard. Wireguard config is like 5 lines btw.
just use Cloudflare. get all this for free (except domain).