I currently own a small VPS server hosted at OVH. It serves as a home to a few experiments with Linux, some files that I needed to share and a clown fiesta of security issues and running web services that I set up months ago and eventually forgot.
Although I'm still learning how to work with Linux and how to secure a server, I've learned from my mistakes and developed a new and improved plan.
The old plan
Two years ago, I was amazed by sysadmins and how they managed to set up their servers. Inspired by them and hoping I could enforce some security, I wrote down some key points:
- Only ports 80 (HTTP), 443 (HTTPS) and 22 (SSH) are open
- Every service has a specific Linux account
- Every service listens on localhost
- nginx exposes those services via reverse proxies
- nginx routes traffic to services using sub domains
- Let's Encrypt certificates for every sub domain
Everything looked great and I was excited, but as time went by, this plan quickly stabbed me in the back.
Old plan flaws
- Permissions became a pain in the butt
  A few things didn't work because the working directory of a service wasn't created with the right account, and `sudo` needed to be used every time I wanted to publish a temporary file; needless to say, there are some files and directories with permissions set to 777.
- Services' working directories weren't centralized
  Shared files lived on `/var/www/static`, a Node.js app ran on `~/dev/nodejs/app`, ...
- nginx's config file had lots of repeated blocks
  Since every service/sub domain had two blocks - an HTTPS reverse proxy and an HTTP block that only redirects to HTTPS - a lot of blocks were identical, because the logic was the same for all the services.
- Certificates for every sub domain
  At the time, Let's Encrypt didn't support wildcard certificates, so the certificate had to be updated every time I wanted to deploy a new service. It wasn't that bad, just something that can now be avoided.
- Unused/broken services
  Services stopped being used, things broke, memory leaks happened and I didn't even notice. This definitely needs to be improved.
The master plan
- Use Docker to isolate, control and centralize services; this also allows me to test new shiny ~~JS frameworks~~ services without polluting the whole system with unwanted packages
- Figure out how to generate a nginx config file from a simplified config file
- Upgrade to Let's Encrypt's wildcard certificates
- Move infrequently accessed files to some external cold storage solution
- Create a nice personal page with details about me
- Host a MySQL/MariaDB database with semi-automated account creation and deletion
- Develop a web app to manage shared files
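One way to deal with the duplicated nginx blocks and the "generate the nginx config from a simplified config file" item at the same time, as an added example (not the post's own code): a small Python script that reads a one-line-per-service list and renders, for every sub domain, the HTTP-to-HTTPS redirect block and the HTTPS reverse-proxy block. The base domain example.com, the certificate paths and the simplified file format are assumptions for illustration. Because the certificate is a wildcard for *.example.com, every generated server block points at the same key pair, which is exactly what the wildcard item buys you: adding a service is one line in the simplified file, not a new certificate.

```python
"""Render an nginx site file from a simplified service list.

Added example, not the post's code. Assumed for illustration: the base
domain example.com, the Let's Encrypt wildcard certificate paths below,
and a simplified config format of one "<subdomain> <localhost port>" per line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

DOMAIN = "example.com"  # assumed base domain; services live on <name>.example.com
# assumed wildcard certificate paths: one cert for *.example.com serves every block
CERT = f"/etc/letsencrypt/live/{DOMAIN}/fullchain.pem"
KEY = f"/etc/letsencrypt/live/{DOMAIN}/privkey.pem"

# A subdomain label: letters, digits, inner hyphens. Anything else (spaces,
# ';', '$', braces) could turn a config line into extra nginx directives.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")

REDIRECT_BLOCK = """\
server {{
    listen 80;
    server_name {host};
    return 301 https://$host$request_uri;
}}
"""

PROXY_BLOCK = """\
server {{
    listen 443 ssl http2;
    server_name {host};

    ssl_certificate     {cert};
    ssl_certificate_key {key};
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {{
        # the service binds 127.0.0.1 only; nginx is the sole public listener
        proxy_pass http://127.0.0.1:{port};
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }}
}}
"""


@dataclass(frozen=True)
class Service:
    name: str  # subdomain label, e.g. "files"
    port: int  # loopback port the service listens on

    @property
    def host(self) -> str:
        return f"{self.name}.{DOMAIN}"


def parse_simple_config(text: str) -> list[Service]:
    """Parse the simplified file: blank lines and '#' comments are ignored."""
    services = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected '<subdomain> <port>'")
        services.append(Service(fields[0], int(fields[1])))
    return validate(services)


def validate(services: list[Service]) -> list[Service]:
    """Reject unsafe labels, privileged or invalid ports, and duplicates."""
    names, ports = set(), set()
    for s in services:
        if not LABEL_RE.fullmatch(s.name):
            raise ValueError(f"bad subdomain label: {s.name!r}")
        if not 1024 <= s.port <= 65535:
            raise ValueError(f"{s.host}: port {s.port} out of range")
        if s.name in names:
            raise ValueError(f"duplicate subdomain: {s.host}")
        if s.port in ports:
            raise ValueError(f"port {s.port} used by more than one service")
        names.add(s.name)
        ports.add(s.port)
    return services


def render(services: list[Service]) -> str:
    """Emit the redirect block and the proxy block for every service."""
    blocks = []
    for s in validate(services):
        blocks.append(REDIRECT_BLOCK.format(host=s.host))
        blocks.append(PROXY_BLOCK.format(host=s.host, cert=CERT, key=KEY, port=s.port))
    return "\n".join(blocks)


# constructed sample input, not a real server's service list
SAMPLE_CONFIG = """\
# <subdomain> <localhost port>
static 8080   # shared files
app    3000   # Node.js app
"""

if __name__ == "__main__":
    print(render(parse_simple_config(SAMPLE_CONFIG)))
```

The validation step is the security-relevant part: the simplified file is the only input, so a label like `x; include /etc/passwd` must never reach the rendered config, and two services sharing a loopback port or a sub domain would silently route one service's traffic to the other. Write the output to a file under nginx's site directory and run `nginx -t` before reloading, so a bad render never replaces a working config.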
What do you think about this new plan? Would you do something in a different way? Suggestions are appreciated!
Top comments (4)
It's not a bad plan. If you want to practice some sysadmin stuff, you could, for example, yeah, use Docker, but using Docker Compose (or if you can afford getting two more VMs, Docker Swarm).
For example you could define all your services in a single compose file, and set up the different overlay networks. Use traefik instead of nginx, and make use of Let's Encrypt autoconfiguration.
You may also set up monitoring with a Grafana+Prometheus stack.
Going further, you could read up on the 12 factor methodology which touches a bit on the scalability aspect. Here: 12factor.net/
If you set out to build something like this, feel free to reach out if you need help!
Docker Compose is definitely on my bucket list. I didn't write about it but I was actually planning to use it. I love the way you can easily configure everything with a single file, so convenient!
I've heard about traefik some time ago but eventually forgot about it, thanks for reminding me! I did some research and even found out it has a web admin interface and learned a bit about the config structure... loving it!
Grafana and Prometheus scare me a little bit, I've used netdata in the past because it is so easy. I'll try to research about it and even try to add Docker data to Grafana.
Thank you very much for your suggestions, they were very helpful!