Welcome to the process of setting up your infrastructure and your application!
- One person able to consider things, decide and act
- If moving: access to accounts at all providers below
- Company details (registered name, registration number, address)
- Access to company email account
- Access to company bank card including CVC and 3-D Secure device
- Access to company phone
- Installed 2FA mobile or desktop app
Choose one per category.
- Domain registrar: Gandi 🇪🇺, AWS, Name.com by Donuts, Hexonet by CentralNic, Rackhost/.hu 🇪🇺
- DNS provider with DNSSEC: AWS, HE, Google, Cloudflare, Exoscale 🇪🇺, Gandi 🇪🇺
- Server provider: UpCloud 🇪🇺
- SSL certificate provider for HTTPS: Cheapsslsecurity.com, SSLMate, DigiCert, Certum 🇪🇺, Buypass 🇪🇺
- CDN provider: AWS, KeyCDN 🇪🇺, Akamai from Selectel
- Transactional email provider: AWS, SparkPost, SparkPost EU 🇪🇺
- Storage provider: AWS, Backblaze B2, Selectel, Oktawave 🇪🇺
- Referral URL
- My Account / Billing / MANUAL
- My Account / Billing / AUTOMATED / Credit Card drop-down
- Servers / Deploy a server
- Check IP reputation (SecurityTrails, Project Honey Pot, HE BGP Toolkit, AbuseIPDB)
- Servers / Server listing / (server name) / IP ADDRESSES / REVERSE DNS NAME Public IPv4 + IPv6
- Log out (prevent session hijacking)
- Have support enable SMTP for the account
- Document server IP and password
- https://aws.amazon.com/
- Account type: Professional
- Verification phone call: dial numbers
- Support Plan: Basic
- Billing preferences / Disable Free Tier Usage Alerts + Enable Billing Alerts
- CloudWatch / Select Region `us-east-1` / Alarms / Create Alarm for EstimatedCharges
- Route53 / Domain + DNS
- CloudFront / CDN
- SES / Domain + SMTP credentials + Move Out of the Sandbox + Bounce notification
- S3 / Server backup bucket
- IAM / Route53 API user + CloudFront API user + S3 API user
- Log out (prevent session hijacking)
- Document credentials
- Buy Multiple Years: 2 Year
- Billing Address, Payment Method
- Generate Cert Now
- (1) New or Renewal
- (2) Switching from Another SSL Brand: No
- (3) DNS Based Authentication
- (4) Generate CSR: `cert-update-req-install.sh DOMAIN`
- (5) Webserver: Other
- (6) SHA-2
Verify your URL
- Check domain name
- Set TXT record in DNS
- Wait for issuance
💡 Only ASCII characters in name and address.
Dashboard / Manage Renewal Email Preferences
- Select Admin/Technical contact:
[ ]
[ ]
- ESP for One-to-One emails including inbound messages: G Suite, Protonmail 🇪🇺, DomainFactory 🇪🇺, Почта Mail.Ru
- Transactional emails and notification emails for alerts, log excerpts: see providers above
- Bulk email for newsletter: see providers above
- Bounce messages for all three email types
- Sender fraud protection and content integrity for all three: SPF, DKIM, DMARC
- Gain access to providers (web based sub-account or API)
- Manage migrations (WeTransfer.com)
- PTR/IPv4, PTR/IPv6 records
- Domain locking and autorenew
- DNS records (check, clean up, monitor)
- Development providers, e.g. hosted git, issue tracker (document, gain access, set up)
- Git repository, branch usage (git flow)
- 3rd party providers (document, gain access, set up)
- Environments: development, staging, production
- No emails if possible
- Issues/ticketing: Clubhouse or Trello
- Chat: Slack
- We run Debian GNU/Linux on an UpCloud cloud instance
- All services run in UTC timezone
- MariaDB or Percona Server + Apache with HTTP/2 and event MPM + PHP-FPM 7 + Redis (full feature list)
- Every web application (and website) runs as a separate Linux user
- There are no passwords for Linux users, only SSH keys
- All non-production servers are accessible through SSH: terminal, MySQL tunnel, file upload, code deploy etc.
- Production servers are not accessible for humans (except through HTTPS)
- TCP ports for web and SSH are heavily protected (maxretry=3) with Fail2ban
- Source code is kept in git (version-control system)
- PHP OPcache's file timestamp validation is off, so PHP files are read only once, at first access; we use cachetool to reset OPcache after every code change
- There are standard directories for sessions, upload and tmp
- `.htaccess` files are disabled, Apache rules should be in the vhost configuration (it is faster)
- File versioning is not in the query string but turned into file names like `filename.002.ext` in URLs, an Apache rule reverts them
- Your web application is protected by a WAF
- Blacklisted things: FTP/S protocol, web-based administration tools (cPanel, phpMyAdmin), POP3/S protocol
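The vhost below is an added example, not configuration from this checklist or the project it describes; it shows how three of the points above fit together in one Apache vhost: no `.htaccess` (`AllowOverride None`), the application running as its own Linux user through a dedicated PHP-FPM pool, and the rewrite rule that maps a versioned file name like `style.002.css` back to `style.css`. The domain, document root, certificate paths and FPM socket path are assumptions.

```apache
# Added example vhost; example.com, /home/app1 and the FPM socket are assumed values.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /home/app1/website/public

    SSLEngine on
    SSLCertificateFile    /etc/ssl/localcerts/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # HTTP/2 on top of the event MPM
    Protocols h2 http/1.1

    # No .htaccess lookups: every rule lives here and is read once at startup
    <Directory /home/app1/website/public>
        AllowOverride None
        Options -Indexes -Includes -ExecCGI +FollowSymLinks
        Require all granted
    </Directory>

    # Never serve the repository metadata of the deployed checkout
    <DirectoryMatch "/\.git">
        Require all denied
    </DirectoryMatch>

    # PHP runs in the pool of Linux user "app1" (pool defined in PHP-FPM, socket path assumed)
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/app1.sock|fcgi://localhost"
    </FilesMatch>

    # Cache busting without query strings: /css/style.002.css -> /css/style.css
    # Only rewrite when the versioned name does not exist on disk as a real file
    RewriteEngine On
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
    RewriteRule ^(.+)\.[0-9]{3}\.([A-Za-z0-9]+)$ $1.$2 [L]

    ErrorLog  ${APACHE_LOG_DIR}/app1.error.log
    CustomLog ${APACHE_LOG_DIR}/app1.access.log combined
</VirtualHost>
```

Send long-lived `Cache-Control` headers for the versioned names and bump the three-digit counter in the build step whenever an asset changes; the rule above keeps serving the single unversioned file on disk.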
- How to design and implement CI and CD
- Running a Laravel application
- Installing WordPress
- Interesting read on web applications