Welcome to the process of setting up your infrastructure and your application!
Details about infrastructure and source code management
Choose one per category.
- Domain registrar: AWS, Gandi 🇪🇺, Cloudflare, noip, dyn, Rackhost/.hu 🇪🇺
- DNS provider: AWS, HE, Google, Cloudflare, Exoscale 🇪🇺, Gandi 🇪🇺
- Server provider: UpCloud 🇪🇺
- SSL certificate provider for HTTPS: Cheapsslsecurity.com, SSLMate, DigiCert, Certum 🇪🇺, Buypass 🇪🇺
- CDN provider: AWS, KeyCDN 🇪🇺
- Transactional email provider: AWS, SparkPost, SparkPost EU 🇪🇺
- Storage provider: AWS, Backblaze B2, Selectel, Oktawave 🇪🇺
Google Cloud Platform Premium Support for $100/mo
AWS certificates for internal usage only
- Deploy Windows Server 2016 Standard instance
- Finish installation on the console: set language
- Log in as `Administrator` with RDP on Windows or RDP on Mac
- Download Basilisk browser
- Create UpCloud shortcut on the Desktop: `basilisk.exe "https://www.upcloud.com/register/?promo=U29Q8S"`
- Create AWS shortcut: `"https://portal.aws.amazon.com/gp/aws/developer/registration/index.html"`
- Download `user.js` to `%APPDATA%\Moonchild Productions\Basilisk\Profiles\`
- Open On-Screen Keyboard for entering passwords
- Use the browser
- Delete the instance
- Search email address https://haveibeenpwned.com/
- Search password https://haveibeenpwned.com/Passwords
- Referral URL
- KeePass is an open source password manager
- Enable 2FA (Google Authenticator)
- Use a virtual bank card with a sub account
- My Account / Billing / MANUAL
- My Account / Billing / AUTOMATED / Credit Card drop-down
- Servers / Deploy a server
- Check IP reputation (Security Trails, Project Honey Pot, HE BGP Toolkit, AbuseIPDB)
- Servers / Server listing / (server name) / IP ADDRESSES / REVERSE DNS NAME Public IPv4 + IPv6
- Log out (prevent session hijacking)
- Document server IP + password
- https://aws.amazon.com/
- KeePass is an open source password manager
- Account type: Professional
- Use a virtual bank card with a sub account
- Verification phone call: dial numbers
- Support Plan: Basic
- Enable 2FA (Google Authenticator)
- Billing / Disable Free Tier Usage Alerts
- CloudWatch / Create Alarm for EstimatedCharges
- Route53 / Domain + DNS
- CloudFront / CDN
- SES / Domain + SMTP credentials + Move Out of the Sandbox + Bounce notification
- S3 / Server backup bucket
- IAM / Route53 API user + CloudFront API user + S3 API user
- Log out (prevent session hijacking)
- Document credentials
- Document in hosting.yml and server.yml (Skype, Google Contacts, KeePass, link-torzs)
- Gain access to providers (web based sub-account or API)
- Manage migrations (WeTransfer.com)
- PTR/IPv4, PTR/IPv6 records
- Domain locking and autorenew
- DNS records (check, clean up, monitor)
- Incoming ESP and bounce notification
- Whitelisted IPs (office)
- 3rd parties (document, gain access, set up)
- User names and SSH keys
- Git repository, branch usage (git flow)
- Issue tracker
- Paid plugins, libraries (updates, gain access, support)
- Application environment definition
- Set up CI
- Write deploy script
- Notifications (email, chat, SMS)
- Revenue tracking
- Error tracking
- Development: is there development in production? Who has access, where to develop, how to deploy
- Editorial duties: who has time and competence
- There is no guaranteed email delivery on the Internet
- ESP for One-to-One emails including inbound messages: G Suite, Protonmail 🇪🇺, Почта Mail.Ru
- File sharing, large file sending: WeTransfer, Firefox Send, pCloud 🇪🇺, Smash
- Transactional emails and notification emails for alerts, log excerpts: see providers above
- Bulk email for newsletter: see providers above
- Bounce messages for all three email types
- Sender fraud protection and content integrity for all three: SPF, DKIM, DMARC
- My email address: `webmaster@`
- Shared inbox for teams: HelpScout, Front
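The SPF, DKIM, DMARC item above names the three controls but not what "good" looks like in the published records. The shell snippet below is an added example, not part of the original checklist: it grades constructed SPF and DMARC TXT strings offline (the `example.net` values are made up), flags an SPF record that does not end in `-all` or `~all` or that exceeds the 10-lookup limit, and flags a DMARC record whose policy is `p=none`, which only reports and blocks nothing. DKIM is left out because checking it needs the selector's public key from DNS and a signed message.

```shell
#!/bin/sh
# Added example: offline sanity checks for SPF and DMARC TXT records.
# All record strings passed in here are constructed samples, not real DNS data.

# Print the SPF "all" qualifier as a word: hardfail, softfail, neutral, pass or missing.
spf_all_policy() {
    case " $1 " in
        *" -all "*) echo hardfail ;;
        *" ~all "*) echo softfail ;;
        *" ?all "*) echo neutral ;;
        *" +all "*|*" all "*) echo pass ;;
        *) echo missing ;;
    esac
}

# Count the mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per record.
spf_lookup_count() {
    count=0
    set -f                      # no pathname expansion on terms such as "?all"
    for term in $1; do
        t=${term#[-~?+]}        # strip the qualifier, e.g. "+mx" -> "mx"
        case "$t" in
            include:*|a|a:*|a/*|mx|mx:*|mx/*|exists:*|redirect=*) count=$((count + 1)) ;;
        esac
    done
    set +f
    echo "$count"
}

# Extract the DMARC policy (the p= tag), or "missing".
dmarc_policy() {
    policy=missing
    old_ifs=$IFS; IFS=';'; set -f
    for tag in $1; do
        tag=$(printf '%s' "$tag" | sed 's/^ *//; s/ *$//')   # trim spaces around each tag
        case "$tag" in
            p=*) policy=${tag#p=} ;;
        esac
    done
    set +f; IFS=$old_ifs
    echo "$policy"
}

# grade_mail_auth SPF_RECORD DMARC_RECORD -> prints OK, or a WARN line and returns 1.
grade_mail_auth() {
    spf=$1; dmarc=$2
    case "$(spf_all_policy "$spf")" in
        hardfail|softfail) ;;
        *) echo "WARN: SPF does not end in -all or ~all, so forged senders pass"; return 1 ;;
    esac
    if [ "$(spf_lookup_count "$spf")" -gt 10 ]; then
        echo "WARN: SPF needs more than 10 DNS lookups and evaluates to permerror"; return 1
    fi
    case "$(dmarc_policy "$dmarc")" in
        quarantine|reject) echo OK ;;
        none) echo "WARN: DMARC p=none only reports, it does not reject spoofed mail"; return 1 ;;
        *) echo "WARN: DMARC record missing or without a p= tag"; return 1 ;;
    esac
}

# Stand-alone run on constructed records (expected: OK).
grade_mail_auth 'v=spf1 include:_spf.example.net mx -all' 'v=DMARC1; p=reject; rua=mailto:dmarc@example.net'
```

The functions take the raw TXT strings so they can be fed from `dig +short TXT` output during the "DNS records (check, clean up, monitor)" step, and the return code makes them usable in a cron job that alerts when a record drifts back to `+all` or `p=none`.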
- Data on servers is automatically backed up daily with a 7-day rotation
- External resources (S3 bucket)
- Email accounts (local, IMAP)
- Issues (Trello, GitLab)
- Code repositories (GitLab, GitHub)
- All participants should stop using their browsers to store form data and passwords
- Spam filtering
- Protection against malware and phishing attacks (credential stealing)
- Against key loggers
- Against mobile malware
- Ransomware mitigation
- Data breach prevention (in the application)
- Incident response plan (outage, security incident)
- No emails if possible
- Issues/ticketing: Trello cards
- Chat: Slack
- We run Debian GNU/Linux on an UpCloud cloud instance
- MariaDB or Percona Server + Apache with HTTP/2 and event MPM + PHP-FPM 7 + Redis (full feature list)
- Every web application (and website) runs as a separate Linux user
- There are no passwords for Linux users, only SSH keys
- All non-production servers are accessible through SSH: terminal, MySQL tunnel, file upload, code deploy etc.
- Production servers are not accessible to humans (except through HTTPS)
- TCP ports for web and SSH are heavily protected (maxretry=3) with Fail2ban
- Source code is kept in git (version-control system)
- PHP OPcache's file timestamp validation is off, so PHP files are read once, at first access; we use cachetool to reset OPcache after each code change
- There are standard directories for sessions, upload and tmp
- `.htaccess` files are disabled, Apache rules should be in the vhost configuration (it is faster)
- File versioning is not in the query string but turned into file names like `filename.002.ext` in URLs, an Apache rule reverts them
- Your web application is protected by a WAF
- Blacklisted things: FTP/S protocol, web-based administration tools (cPanel, phpMyAdmin), POP3/S protocol
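The Fail2ban item above says the web and SSH ports are protected with `maxretry=3` without showing what that threshold is applied to. The script below is an added example, not code from this project: it is a minimal stand-in for the counting an sshd jail does, reading sshd log lines from stdin and printing every source IP whose failed logins reached the threshold, which is the point at which Fail2ban would insert a firewall ban. The log lines are constructed, using documentation-only address ranges, and only two failure forms are recognised; the real sshd filter covers many more.

```shell
#!/bin/sh
# Added example (not part of this project): a minimal stand-in for the counting
# a Fail2ban sshd jail does, to show what maxretry=3 means in practice.

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation-only address ranges, not real hosts.
SAMPLE_AUTH_LOG='Mar  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:04 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:05 web1 sshd[1205]: Accepted publickey for deploy from 198.51.100.2 port 40100 ssh2
Mar  3 10:00:09 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:00:12 web1 sshd[1209]: Failed password for root from 198.51.100.9 port 40222 ssh2
Mar  3 10:00:15 web1 sshd[1211]: Invalid user test from 203.0.113.7 port 51050'

# offending_ips [MAXRETRY]   (sshd log lines on stdin)
# Prints "IP COUNT" for each source whose failed-login count >= MAXRETRY (default 3).
# Recognised failure forms: "Failed password for ... from IP" and "Invalid user ... from IP".
# Successful logins ("Accepted publickey ...") are ignored even though they contain "from".
offending_ips() {
    awk -v max="${1:-3}" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Stand-alone run over the sample: with maxretry=3 only 203.0.113.7 is listed (4 failures).
printf '%s\n' "$SAMPLE_AUTH_LOG" | offending_ips 3
```

Lowering the threshold to 1 also lists the single failure from 198.51.100.9, which is why a low `maxretry` on the SSH port is cheap here: the servers accept keys only, so a password failure is never a legitimate user mistyping.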
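The file versioning item above describes the `filename.002.ext` convention in one sentence. The snippet below is an added example, not the project's own build or Apache code: it shows the two halves of that scheme, the build-side function that inserts a zero-padded version before the extension and the server-side mapping that removes it again, with an illustrative vhost `RewriteRule` in a comment. The three-digit width is an assumption taken from the `filename.002.ext` pattern in the text.

```shell
#!/bin/sh
# Added example (not this project's code): file versioning in URL paths.
# HTML references "css/app.002.css" so browsers and the CDN cache each release
# under a new name; Apache maps the versioned name back to the real file.

# Illustrative vhost rule (assumed, not the project's actual rule), kept in the
# vhost because .htaccess is disabled on these servers:
#   RewriteEngine On
#   RewriteRule ^(.+)\.[0-9]{3}(\.[A-Za-z0-9]+)$ $1$2 [L]

# version_path PATH N -> PATH with a zero-padded 3-digit version before the extension.
# Paths without an extension are returned unchanged.
version_path() {
    v=$(printf '%03d' "$2")
    printf '%s\n' "$1" | sed -E "s/(\.[A-Za-z0-9]+)\$/.${v}\1/"
}

# unversion_path PATH -> PATH with the version removed; the same mapping the
# Apache rule above performs, so it can be used to test the rule's regex offline.
unversion_path() {
    printf '%s\n' "$1" | sed -E 's/\.[0-9]{3}(\.[A-Za-z0-9]+)$/\1/'
}

# Stand-alone run (expected: css/app.002.css then css/app.css).
version_path css/app.css 2
unversion_path css/app.002.css
```

Keeping the version in the path rather than the query string matters for the CDN step earlier in this checklist: some caches ignore or strip query strings, so `app.css?v=2` can serve a stale file while `app.002.css` cannot.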
- How to design and implement CI and CD
- Running a Laravel application
- Installing WordPress
- Interesting read on web applications