A few months ago I decided to self-host everything for my software house instead of paying for cloud infrastructure. Here's what's running on a Raspberry Pi 4B (4GB) at home:
Astro static site + nginx Full mail stack (Postfix + Dovecot + Roundcube) in Docker MariaDB with automated backups GoAccess analytics with custom Python bot/human separation Dynamic IP blocklist generated at every deploy Certbot managed on a separate Orange Pi Zero 3 (HAProxy + SSL termination)
The Orange Pi Zero 3 as a dedicated HAProxy node was the best €25 I spent — SSL overhead completely offloaded from the Pi, all subdomains routed through one config, clean network separation between "what faces the internet" and "what runs the services." Storage: all boards boot from SSD via USB3. No SD cards in production. The ISP situation: Eolo wireless, 20Mbps down / 100Mbps upload. Yes, upload is 5x download. For a web server that's actually ideal. Real stress test — June 22, 2026 A post on r/italy hit 20k views in 24 hours. Numbers that day:
555 human visitors (vs ~180 daily average) 151 unique IPs 72.2% return rate 9.98 MB bandwidth 0 downtime 0 errors in the mail stack
PageSpeed from Google's infrastructure:
Desktop: Performance 100 / SEO 100 Mobile: Performance 97 / SEO 100
No CDN. No Cloudflare. No edge nodes. Just nginx on a Pi. The honest limitations:
Single point of failure — yes, if the Pi dies the site goes down Mail deliverability on residential ISP is hard (Brevo relay helps) No redundancy — we run backups, not replicas
All traffic data is live and public: stats.lake8.dev/geo.html Happy to answer questions on any part of the stack.
Aaah that's good to know. I've seen HAproxy mentioned before and this was the first time I looked at it.
I am happy I went with Caddy because networking is not my strength and Caddy is quite simple in comparison to other reverse proxies. Nginx config files will forever look like scribbles to me.
I don't know about the limitations of using an uncommom port though because my needs are quite small and obscure by design. I do wonder if other people could benefit from using wildcard certs + uncommon ports. Watching bots/scrapers drop to zero attempts and stay zero has been really satisfying and I haven't had the desire to use outside services like Anubis or Cloudflare.
I know someone out there with itchy fingers is ready to warn that obscurity isn't security and I wouldn't deny that. However, I do believe obscurity layered with security is valid as long as security takes the main focus.
Caddy is a great choice for exactly that reason — it gets out of your way. HAProxy gives me more granular control but the config is definitely not for everyone. On the obscurity point: you're absolutely right, and I'd sign that statement. Obscurity alone is theater. Obscurity on top of solid security is a legitimate noise reducer. Watching bots drop to zero is genuinely satisfying — my public dashboard shows 6,400+ attack attempts in 17 days vs ~4,500 real humans. The bots are loud. The wildcard cert + uncommon port approach is underrated for small personal setups. The attack surface doesn't shrink, but the automated scanners move on and that's often enough. 😄