Here you can find my explanations and experiences with my homelab.
This new server features new hardware and I've implemented more features. The way you connect to this server is not by being served directly by Apache2. In fact, Apache2 is on a different port entirely. You are actually being served by Nginx, which is acting as a reverse proxy. One of the biggest issues with my previous server was that all of my websites were exposed to the internet. The reverse proxy ensures that only the ones I explicitly configure to be exposed to the internet are exposed, and internal sites remain internal. This change alone already makes this server far more secure.
The images on the right show proof of work.
This server hosts this website you are on now. I had a previous version of this website but it had several issues. It was only running raw Apache2. This means there was no encryption. It was overall pretty barebones, with no notable features.
On the topic of security, and as previously mentioned, the previous server was only running pure Apache2. This means it only ran HTTP. This protocol has no security at all; it's completely plaintext. I provided a Wireshark packet capture to demonstrate that you can just see the raw HTML inside the HTTP packet. What's interesting is that when you take a packet capture of the same thing over HTTPS, there is significantly more traffic. This means that an increase in security comes with an increase in processing overhead, which is of course a worthy trade-off. By having HTTPS, I have reduced the attack surface on my server.
When it comes to uploading files onto the server, I have opted for SambaShare. This uses the SMB protocol, which has its flaws but is great for my purposes. The other option was to use FTP, but I chose not to because I like how well SMB can stream video. The flaws with SMB mainly stem from how insecure it is. It's fairly chatty, sending an ACK message after every received packet. This gives it quite a bit of overhead that becomes a major issue over the internet, but of course this server runs on a small network, so it's not a very big deal. This chattiness does have some security concerns though, so I have configured SambaShare to only allow certain hosts in order to reduce its attack surface.
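A quick check that backs up the reverse-proxy and Samba points above: list which TCP sockets are bound to every interface, and flag any port that is not one of the reverse proxy's. This is an added example, not configuration from the original page; it assumes `ss -H -ltn` output as input and uses a constructed sample in that format.

```shell
#!/bin/sh
# Added example (not from the original page): audit which listening TCP sockets
# are bound to a wildcard address. On the setup described above only the
# reverse proxy (Nginx on 80/443) should be wide open; Apache and other
# backends should bind to 127.0.0.1 only.

# Constructed sample in `ss -H -ltn` format (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 10 127.0.0.1:53 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*'

# Print each port bound to 0.0.0.0, [::] or * that is not in the allow-list.
# Usage: wide_open_ports "<ss -H -ltn output>" "80 443"
wide_open_ports() {
    printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
        la = $4
        port = la; sub(/.*:/, "", port)       # text after the last colon
        addr = la; sub(/:[^:]*$/, "", addr)   # text before the last colon
        if ((addr == "0.0.0.0" || addr == "[::]" || addr == "*") && !(port in ok))
            print port
    }' | sort -un
}

# Against the live host: wide_open_ports "$(ss -H -ltn)" "80 443"
wide_open_ports "$SAMPLE_SS" "80 443"
```

In the sample, port 445 is reported even though Samba's `hosts allow` is set, because that list is enforced inside smbd after the socket is already bound; a firewall rule or the `interfaces` / `bind interfaces only` smb.conf settings are what keep it off the wildcard address.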
The last technology I implemented on this server was DNS. This is by far my favorite feature. DNS gives me a way to access the server and any websites and resources via a domain name. I can create any internal website name. This is done simply by using Bind9. Of course, you as a user of this site do not use this service; you are using public DNS. This implementation is purely internal.
To summarize all configured implementations:
One of the most important things for any aspiring network engineer or IT infrastructure engineer is to have a homelab. I have designed mine to be a small version of a 3 layer architecture. It has 2 switches and 2 routers. This is also the broader area where every single project on this page takes place.
At a glance:
The Cisco 3560v2 switch, the one on top, is the access layer switch. As the name suggests, it provides hosts such as desktops, phones, printers, etc. with access to the network. The access layer provides security via 802.1X and VLAN segmentation, some basic traffic management with ACLs, and PoE for some devices. Overall, this layer is pretty light, with all connections being layer 2. From a troubleshooting perspective, this is where issues such as misconfigured VLANs, authentication failures, and link failures commonly occur.
The second switch is the distribution layer. This is the Cisco 3750v2 switch, and it has some more complex functions. Its job is node-to-node communication. This is where L3 connections start, but there are still L2 connections as well. In my setup, I have tried to make it as homelab-friendly as possible. Currently, this switch serves as the DHCP server, which is actually pretty unusual in a traditional three-tier architecture, because in an enterprise network you would want a proper server to handle that function, for management and security purposes.
In a traditional 3-tier architecture, this switch serves as the default gateway. In practice, this becomes the "thinking" layer because it manages the following: VLAN trunks, VTP, L2-node-to-L3-node communication, L3-node-to-L3-node communication, EtherChannel between distribution switches, the default gateway for hosts, OSPF load balancing, FHRP redundancy, and dynamic routing for L3 connections. This layer has the most intensive jobs in the network. From a troubleshooting perspective, this is where inter-VLAN issues, OSPF issues, load balancing issues, and gateway instability commonly occur.
The 2 routers are Cisco ISR 4331s, and they make up the "dumbest" layer of the network. Their primary jobs are the following: internet connectivity via NAT, very fast L3 connections, OSPF areas and dynamic routing to other networks (inter-building communication if you're on a campus network), and traffic management via both standard and extended ACLs. This layer doesn't do much thinking outside of dynamic routing. Two routers are used to provide load balancing via OSPF's ECMP load balancing algorithm. From a troubleshooting perspective, this is the point where many NOC tickets get escalated. Normal issues found here are NAT misconfiguration, a full NAT table dropping a host's packets, and routing adjacency failures, and it is one of the first points to check when a connection to the internet is slow.