@szepeviktor
Last active February 5, 2021 14:01
Fast lane! 💺 Fasten your seatbelts.

Infrastructure and application setup for new clients

Welcome to the process of setting up your infrastructure and your application!

Requirements

  1. One person able to consider things, decide and act
  2. If moving: access to accounts at all providers below
  3. Company details (registered name, registration number, address)
  4. Access to company email account
  5. Access to company bank card including CVC and 3-D Secure device
  6. Access to company phone
  7. Installed 2FA mobile or desktop app

Specialized infrastructure providers

Choose one per category.

  1. Domain registrar: Gandi 🇪🇺, AWS, Name.com by Donuts, Hexonet by CentralNic, Rackhost/.hu 🇪🇺
  2. DNS provider with DNSSEC: AWS, HE, Google, Cloudflare, Exoscale 🇪🇺, Gandi 🇪🇺
  3. Server provider: UpCloud 🇪🇺
  4. SSL certificate provider for HTTPS: Cheapsslsecurity.com, SSLMate, DigiCert, Certum 🇪🇺, Buypass 🇪🇺
  5. CDN provider: AWS, KeyCDN 🇪🇺, Akamai from Selectel
  6. Transactional email provider: AWS, SparkPost, SparkPost EU 🇪🇺
  7. Storage provider: AWS, Backblaze B2, Selectel, Oktawave 🇪🇺

UpCloud registration

  • Referral URL
  • My Account / Billing / MANUAL
  • My Account / Billing / AUTOMATED / Credit Card drop-down
  • Servers / Deploy a server
  • Check IP reputation (Security Trails, Project Honey Pot, HE BGP Toolkit, AbuseIPDB)
  • Servers / Server listing / (server name) / IP ADDRESSES / REVERSE DNS NAME Public IPv4 + IPv6
  • Log out (prevent session hijacking)
  • Have support enable SMTP for the account
  • Document server IP and password

Amazon Web Services registration

  • https://aws.amazon.com/
  • Account type: Professional
  • Verification phone call: dial numbers
  • Support Plan: Basic
  • Billing preferences / Disable Free Tier Usage Alerts + Enable Billing Alerts
  • CloudWatch / Select Region us-east-1 / Alarms / Create Alarm for EstimatedCharges
  • Route53 / Domain + DNS
  • CloudFront / CDN
  • SES / Domain + SMTP credentials + Move Out of the Sandbox + Bounce notification
  • S3 / Server backup bucket
  • IAM / Route53 API user + CloudFront API user + S3 API user
  • Log out (prevent session hijacking)
  • Document credentials

Cheapsslsecurity.com registration

RapidSSL DV

  • Buy Multiple Years: 2 Year
  • Billing Address, Payment Method

Dashboard

  • Generate Cert Now
  • (1) New or Renewal
  • (2) Switching from Another SSL Brand: No
  • (3) DNS Based Authentication
  • (4) Generate CSR: cert-update-req-install.sh DOMAIN
  • (5) Webserver: Other
  • (6) SHA-2

Verify your URL

  • Check domain name
  • Set TXT record in DNS
  • Wait for issuance

💡 Only ASCII characters in name and address.

Dashboard / Manage Renewal Email Preferences

  • Select Admin/Technical contact: [ ] [ ]

Email delivery

Infrastructure setup

  • Gain access to providers (web based sub-account or API)
  • Manage migrations (WeTransfer.com)
  • PTR/IPv4, PTR/IPv6 records
  • Domain locking and autorenew
  • DNS records (check, clean up, monitor)

Application setup

  • Development providers, e.g. hosted git, issue tracker (document, gain access, set up)
  • Git repository, branch usage (git flow)
  • 3rd party providers (document, gain access, set up)
  • Environments: development, staging, production

Collaboration

  • No emails if it is possible
  • Issues/ticketing: Clubhouse or Trello
  • Chat: Slack

Onboarding for developers

  • We run Debian GNU/Linux on an UpCloud cloud instance
  • All services run in UTC timezone
  • MariaDB or Percona Server + Apache with HTTP/2 and event MPM + PHP-FPM 7 + Redis (full feature list)
  • Every web application (and website) runs as a separate Linux user
  • There are no passwords for Linux users, only SSH keys
  • All non-production servers are accessible through SSH: terminal, MySQL tunnel, file upload, code deploy etc.
  • Production servers are not accessible for humans (except through HTTPS)
  • TCP ports for web and SSH are heavily protected by Fail2ban (maxretry=3)
  • Source code is kept in git (version-control system)
  • PHP OPcache's file timestamp validation is off, so PHP files are read once at first access; we use cachetool to reset OPcache after every code change
  • There are standard directories for sessions, upload and tmp
  • .htaccess files are disabled; Apache rules belong in the vhost configuration (it is faster)
  • File versioning is not done in the query string but turned into file names like filename.002.ext in URLs; an Apache rewrite rule maps them back to the real file
  • Your web application is protected by a WAF
  • Blacklisted things: FTP/S protocol, web-based administration tools (cPanel, phpMyAdmin), POP3/S protocol
  • How to design and implement CI and CD
  • Running a Laravel application
  • Installing WordPress
  • Interesting read on web applications
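As an added illustration of the two Apache points above (rules in the vhost instead of .htaccess, and versioned asset names mapped back to the real file), here is a vhost fragment written for this page; it is not the author's own configuration, and the paths, ServerName and file extensions are assumptions.

```apache
# Added example vhost fragment (assumed paths); needs mod_rewrite and mod_headers.
<VirtualHost *:443>
    ServerName example.com
    # Each web application runs as its own Linux user; its document root is assumed here.
    DocumentRoot /home/app1/website/public

    # .htaccess is disabled: Apache skips the per-directory file lookup on every request,
    # and the rules below are the only ones in effect.
    <Directory /home/app1/website/public>
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # Map a versioned URL such as /assets/app.002.css back to /assets/app.css on disk.
    # The condition keeps the rule from firing when a file with the versioned name really exists.
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
    RewriteRule ^(.+)\.[0-9]{3}\.([a-z0-9]+)$ $1.$2 [L]

    # The versioned name changes whenever the file changes, so browsers and the CDN
    # may cache it for a long time without the query-string cache-busting the page rejects.
    <LocationMatch "\.[0-9]{3}\.(css|js|png|jpg|svg|woff2)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </LocationMatch>
</VirtualHost>
```

After changing the rule, check it with a request for a versioned name (for example `curl -I https://example.com/assets/app.002.css`) and confirm both the 200 status and the Cache-Control header.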