this post was submitted on 21 Aug 2025
185 points (89.0% liked)

Some thoughts on how useful Anubis really is. Combined with comments I read elsewhere about scrapers starting to solve the challenges, I'm afraid Anubis will be outdated soon and we need something else.

[–] rtxn@lemmy.world 188 points 1 day ago* (last edited 1 day ago) (4 children)

The current version of Anubis was made as a quick "good enough" solution to an emergency. The article is very enthusiastic about explaining why it shouldn't work, but completely glosses over the fact that it has worked, at least to an extent where deploying it and maybe inconveniencing some users is preferable to having the entire web server choked out by a flood of indiscriminate scraper requests.

The purpose is to reduce the flood to a manageable level, not to block every single scraper request.

[–] 0_o7@lemmy.dbzer0.com 16 points 15 hours ago

> The article is very enthusiastic about explaining why it shouldn't work, but completely glosses over the fact that it has worked

This post was originally written for ycombinator "Hacker" News which is vehemently against people hacking things together for greater good, and more importantly for free.

It's more of a corporate PR release site and if you aren't known by the "community", calling out solutions they can't profit off of brings all the tech-bros to the yard for engagement.

[–] loudwhisper@infosec.pub 3 points 13 hours ago

Exactly my thoughts too. Lots of theory about why it won't work, but not looking at the fact that if people use it, maybe it does work, and when it won't work, they will stop using it.

[–] poVoq@slrpnk.net 89 points 1 day ago* (last edited 1 day ago) (4 children)

And it was/is for sure the lesser evil compared to what most others did: put the site behind Cloudflare.

I feel people that complain about Anubis have never had their server overheat and shut down on an almost daily basis because of AI scrapers 🤦

[–] daniskarma@lemmy.dbzer0.com -3 points 14 hours ago (1 children)

I still think captchas are a better solution.

In order to surpass them they have to run AI inference, which also comes with compute costs. But for legitimate users you don't run unauthorized intensive tasks on their hardware.

[–] poVoq@slrpnk.net 7 points 12 hours ago (1 children)

They are much worse for accessibility, and also take longer to solve and are more disruptive for the majority of users.

[–] daniskarma@lemmy.dbzer0.com -1 points 12 hours ago* (last edited 12 hours ago) (1 children)

Anubis is worse for privacy. As you have to have JavaScript enabled. And worse for the environment as the cryptographic challenges with PoW are just a waste.

Also reCaptcha types are not really that disturbing most of the time.

As I said, the polite thing would just be giving users the options. Anubis PoW running directly just for entering a website is one of the rudest pieces of software I've seen lately. They should be more polite, and just give an option to the user, maybe the user could choose to solve a captcha or run Anubis PoW, or even just having Anubis but after a button the user could click.

I don't think it is good practice to run that type of software just for entering a website. If that tendency were to grow browsers would need to adapt and straight up block that behavior. Like only allow access to some client resources after a user action.

[–] poVoq@slrpnk.net 9 points 12 hours ago* (last edited 12 hours ago) (1 children)

Are you seriously complaining about an (entirely false) negative privacy aspect of Anubis and then suggest reCaptcha from Google is better?

Look, no one thinks Anubis is great, but often it is that or the website becoming entirely inaccessible because it is DDOSed to death by the AI scrapers.

[–] daniskarma@lemmy.dbzer0.com -1 points 12 hours ago (1 children)

First, I said reCaptcha types, meaning captchas of the style of reCaptcha. That could be implemented outside a Google environment. Secondly, I never said that those types were better for privacy. I just said Anubis is bad for privacy. Traditional captchas that work without JavaScript would be the privacy friendly way.

Third, it's not a false proposition. Disabling JavaScript can protect your privacy a great deal. A lot of tracking is done through JavaScript.

Last, that's just the Anubis PR slogan. Not the truth, as I said DDoS mitigation could be implemented in other ways. More polite and/or environmentally friendly.

Are you astroturfing for Anubis? Because I really cannot understand why something as simple as a landing page with a button "run PoW challenge" would be that bad.

[–] poVoq@slrpnk.net 3 points 12 hours ago (1 children)

Anubis is not bad for privacy, but rather the opposite. Server admins explicitly chose it over commonly available alternatives to preserve the privacy of their visitors.

If you don't like random JavaScript execution, just install an allow-list extension in your browser 🤷

And no, it is not a PR slogan, it is the live experience of thousands of server admins (me included) that have been fighting with this for months now and are very grateful that Anubis has provided some (likely only temporary) relief from that.

And I don't get what the point of an extra button would be when the result is exactly the same 🤷

[–] grysbok@lemmy.sdf.org 4 points 10 hours ago

Latest version of Anubis has a JavaScript-free verification system. It isn't as accurate, so I allow js-free visits only if the site isn't being hammered. Which, tbf, prior to Anubis no one was getting in, JS or no JS.

[–] tofu@lemmy.nocturnal.garden 16 points 1 day ago* (last edited 1 day ago) (1 children)

Yeah, I'm just wondering what's going to follow. I just hope everything isn't going to need to go behind an authwall.

[–] rtxn@lemmy.world 34 points 1 day ago (2 children)
[–] grysbok@lemmy.sdf.org 18 points 1 day ago (1 children)

I'll say the developer is also very responsive. They're (ambiguous 'they', not sure of pronouns) active in a libraries-fighting-bots slack channel I'm on. Libraries have been hit hard by the bots: we have hoards of tasty archives and we don't have money to throw resources at the problem.

[–] lilith267@lemmy.blahaj.zone 7 points 1 day ago (1 children)

The Anubis repo has an enbyware emblem fun fact :D

[–] grysbok@lemmy.sdf.org 4 points 1 day ago

Yay! I won't edit my comment (so your comment will make sense) but I checked and they also list they/them on their github profile

[–] tofu@lemmy.nocturnal.garden 8 points 1 day ago

Cool, thanks for posting! Also the reasoning for the image is cool.

[–] mobotsar@sh.itjust.works 4 points 1 day ago (2 children)

Is there a reason other than avoiding infrastructure centralization not to put a web server behind cloudflare?

[–] poVoq@slrpnk.net 19 points 1 day ago

Yes, because Cloudflare routinely blocks entire IP ranges and puts people into endless captcha loops. And it snoops on all traffic and collects a lot of metadata about all your site visitors. And if you let them terminate TLS they will even analyse the passwords that people use to log into the services you run. It's basically a huge surveillance dragnet and probably a front for the NSA.

[–] bjoern_tantau@swg-empire.de 9 points 1 day ago (1 children)

Cloudflare would need https keys so they could read all the content you worked so hard to encrypt. If I wanted to do bad shit I would apply at Cloudflare.

[–] mobotsar@sh.itjust.works 7 points 1 day ago* (last edited 1 day ago) (2 children)

Maybe I'm misunderstanding what "behind cloudflare" means in this context, but I have a couple of my sites proxied through cloudflare, and they definitely don't have my keys.

I wouldn't think using a cloudflare captcha would require such a thing either.

[–] starkzarn@infosec.pub 12 points 1 day ago (1 children)

That's because they just terminate TLS at their end. Your DNS record is "poisoned" by the orange cloud and their infrastructure answers for you. They happen to have a trusted root CA so they just present one of their own certificates with a SAN that matches your domain and your browser trusts it. Bingo, TLS termination at CF servers. They have it in cleartext then and just re-encrypt it with your origin server if you enforce TLS, but at that point it's meaningless.

[–] mobotsar@sh.itjust.works 7 points 22 hours ago

Oh, I didn't think about the fact that they're a CA. That's a good point; thanks for the info.

[–] bjoern_tantau@swg-empire.de 4 points 1 day ago* (last edited 1 day ago)

Hmm, I should look up how that works.

Edit: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/#custom-ssltls

They don't need your keys because they have their own CA. No way I'd use them.

Edit 2: And with their own DNS they could easily route any address through their own servers if they wanted to, without anyone noticing. They are entirely too powerful. Is there some way to prevent this?

[–] AnUnusualRelic@lemmy.world 19 points 1 day ago (1 children)

The problem is that the purpose of Anubis was to make crawling more computationally expensive and that crawlers are apparently increasingly prepared to accept that additional cost. One option would be to pile some required cycles on top of what's currently asked, but it's a balancing act before it starts to really be an annoyance for the meat popsicle users.
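The cost trade-off described in the comment above, as an added example that is not part of the thread and not Anubis's own code. It assumes a hashcash-style scheme (find a nonce so that SHA-256 of challenge plus nonce starts with `difficulty` zero hex digits); all function names are hypothetical.

```python
import hashlib
import secrets


def pow_hash(challenge: str, nonce: int) -> str:
    """Hash the server-issued challenge together with a candidate nonce."""
    return hashlib.sha256(f"{challenge}{nonce}".encode()).hexdigest()


def solve(challenge: str, difficulty: int) -> tuple[int, int]:
    """Client side: brute-force the first valid nonce.

    Returns (nonce, attempts) so the work spent can be measured.
    """
    target = "0" * difficulty
    nonce = 0
    while not pow_hash(challenge, nonce).startswith(target):
        nonce += 1
    return nonce, nonce + 1


def verify(challenge: str, nonce: int, difficulty: int) -> bool:
    """Server side: a single hash, regardless of how hard solving was."""
    return pow_hash(challenge, nonce).startswith("0" * difficulty)


def expected_attempts(difficulty: int) -> int:
    """Each extra zero hex digit multiplies the average client work by 16."""
    return 16 ** difficulty


def mean_attempts(difficulty: int, trials: int) -> float:
    """Measure average client work over random (constructed) challenges."""
    total = 0
    for _ in range(trials):
        challenge = secrets.token_hex(16)
        nonce, attempts = solve(challenge, difficulty)
        if not verify(challenge, nonce, difficulty):
            raise RuntimeError("solver produced an invalid nonce")
        total += attempts
    return total / trials


if __name__ == "__main__":
    # Verification stays at one hash while client work grows 16x per step,
    # which is why raising difficulty hits slow phones before it hits a
    # scraper fleet that is willing to pay for the cycles.
    for d in range(1, 5):
        print(f"difficulty={d} expected={expected_attempts(d):>6} "
              f"measured={mean_attempts(d, 20):>9.1f} server_hashes=1")
```
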

[–] rtxn@lemmy.world 23 points 1 day ago

That's why the developer is working on a better detection mechanism. https://xeiaso.net/blog/2025/avoiding-becoming-peg-dependency/