Plans for my web server
João (@joaopms)

Publish Date: Feb 27 '19

I currently own a small VPS server hosted at OVH. It serves as a home to a few experiments with Linux, some files that I needed to share and a clown fiesta of security issues and running web services that I set up months ago and eventually forgot.

Although I'm still learning how to work with Linux and how to secure a server, I've learned from my mistakes and developed a new and improved plan.

The old plan

Two years ago, I was amazed by sysadmins and how they managed to set up their servers. Inspired by them and hoping I could enforce some security, I wrote down some key points:

  • Only ports 80 (HTTP), 443 (HTTPS) and 22 (SSH) are open
  • Every service has a specific Linux account
  • Every service listens on localhost
  • nginx exposes those services via reverse proxies
  • nginx routes traffic to services using subdomains
  • Let's Encrypt certificates for every subdomain

Everything looked great and I was excited, but as time went by, this plan quickly stabbed me in the back.

Old plan flaws

  • Permissions became a pain in the butt

    A few things didn't work because the working directory of a service wasn't created with the right account and sudo needed to be used every time I wanted to publish a temporary file; needless to say, there are some files and directories with permissions set to 777.

  • Services' working directories weren't centralized

    Shared files lived on /var/www/static, a Node.js app ran on ~/dev/nodejs/app, ...

  • nginx's config file had lots of repeated blocks

    Since every service/subdomain had two blocks - an HTTPS reverse proxy and an HTTP block that redirects to HTTPS - a lot of blocks were identical, because the logic was the same for all the services.

  • Certificates for every subdomain

    At the time, Let's Encrypt didn't support wildcard certificates; therefore, the certificate had to be updated every time I wanted to deploy a new service. It wasn't that bad, just something that can now be avoided.

  • Unused/broken services

    Services stopped being used, things broke, memory leaks happened and I didn't even notice. This definitely needs to be improved.

The master plan

  • Use Docker to isolate, control and centralize services; this also allows me to test shiny new JS framework services without polluting the whole system with unwanted packages
  • Figure out how to generate an nginx config file from a simplified config file
  • Upgrade to Let's Encrypt's wildcard certificates
  • Move infrequently accessed files to some external cold storage solution
  • Create a nice personal page with details about me
  • Host a MySQL/MariaDB database with semi-automated account creation and deletion
  • Develop a web app to manage shared files
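One way to address the "repeated blocks" flaw and the plan to generate the nginx config from a simplified file, as an added example that is not the post's own code: it assumes a hypothetical domain example.com, constructed service names and ports, and the certbot default path for a wildcard certificate, and emits the two blocks the post describes (HTTP redirect, HTTPS reverse proxy to a loopback-only service) for every entry of one map, so the shared logic lives in a single place.

```python
import re

# Constructed sample of the "simplified config file": subdomain -> local port.
SERVICES = {"files": 8080, "app": 3000}
DOMAIN = "example.com"  # assumption, not the author's real domain
CERT_DIR = f"/etc/letsencrypt/live/{DOMAIN}"  # wildcard cert for *.DOMAIN

HTTP_REDIRECT = """server {{
    listen 80;
    server_name {host};
    return 301 https://$host$request_uri;
}}
"""

HTTPS_PROXY = """server {{
    listen 443 ssl;
    server_name {host};
    ssl_certificate {cert_dir}/fullchain.pem;
    ssl_certificate_key {cert_dir}/privkey.pem;
    location / {{
        # the service only listens on loopback, so nginx is its only way in
        proxy_pass http://127.0.0.1:{port};
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }}
}}
"""

NAME_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def render(services, domain=DOMAIN, cert_dir=CERT_DIR):
    """Return one redirect block and one proxy block per service."""
    blocks = []
    for name, port in sorted(services.items()):
        # Reject names that are not a plain DNS label: anything else could
        # smuggle extra directives into the generated file.
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid subdomain label: {name!r}")
        if not isinstance(port, int) or not 0 < port < 65536:
            raise ValueError(f"invalid port for {name}: {port!r}")
        host = f"{name}.{domain}"
        blocks.append(HTTP_REDIRECT.format(host=host))
        blocks.append(HTTPS_PROXY.format(host=host, cert_dir=cert_dir, port=port))
    return "\n".join(blocks)

if __name__ == "__main__":
    print(render(SERVICES))
```

Write the output to a file under /etc/nginx/conf.d/ and run `nginx -t` before reloading, so a bad entry in the simplified file never replaces a working config.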

What do you think about this new plan? Would you do something in a different way? Suggestions are appreciated!

Comments (4)

  • Nico
    Nico, Feb 27, 2019

    It's not a bad plan. If you want to practice some sysadmin stuff, you could, for example, yeah, use Docker, but using Docker Compose (or if you can afford getting two more VMs, Docker Swarm).
    For example you could define all your services in a single compose file, and set up the different overlay networks. Use traefik instead of nginx, and make use of Let's Encrypt autoconfiguration.
    You may also set up monitoring with a Grafana+Prometheus stack.
    Going further, you could read up on the 12 factor methodology which touches a bit on the scalability aspect. Here: 12factor.net/
    If you set out to build something like this, feel free to reach out if you need help!

    • João
      João, Feb 27, 2019

      Docker Compose is definitely on my bucket list. I didn't write about it but I was actually planning to use it. I love the way you can easily configure everything with a single file, so convenient!

      I've heard about traefik some time ago but eventually forgot about it, thanks for reminding me! I did some research and even found it has a web admin interface and learned a bit about the config structure... loving it!

      Grafana and Prometheus scare me a little bit, I've used netdata in the past because it is so easy. I'll try to research about it and even try to add Docker data to Grafana.

      Thank you very much for your suggestions, they were very helpful!

  • Allen Miller
    Allen Miller, Sep 1, 2020

    It will be way easier with simple virtual machines, in my case there is a home server, used, second hand, 2,000USD, split to VMs (600$ new disks)

    The work is happening inside the VMs, nothing else is installed on the main server, VMs can be reset, recreated, etc.

    • João
      João, Sep 1, 2020

      I wish I had a home server like that! I currently have some old computer that is running my Home Assistant instance and it can barely handle that. I can't really afford a new computer right now, even second hand; and electricity is also not cheap...

      I ended up doing something like you've done but with Docker containers, it's lightweight (compared to VMs) and does the job. Thank you for your suggestion!

      What are you running on those VMs?