25
Wombat
6y

My first times today:
First time a droplet on Digital Ocean.
First time Nginx.
First time trying to separate mail and website servers.
First time using UFW firewall.
First time Ubuntu webserver.
First try all alone configuration of my webserver.
First time installing all the stuff I need on my own, like MySQL, PHP and so on.
First time only SSH access from the beginning.
First time deployment from bitbucket.

Do you have any advice on what I should think about? Or what software I will need? Or what I should think about?

Comments
  • 3
  • 1
    Addon: I am deploying a Laravel application and would like to use Laravel Horizon with Redis. But I've never done this. Any suggestions?

    Also, what are the steps I have to think about when deploying a Laravel application?
  • 4
    Fail2ban? Or maybe even securify360?

    Plus you could take a look at docker, to be able to swap out stuff.
  • 2
    @Wack I always wanted to learn docker. But every time I start it seems so complicated to me.
  • 4
  • 2
    And ask away if you need help!
  • 2
    Also, I personally prefer csf over ufw :)
  • 7
    Backup... Make a cronjob to back up your DB (and send it somewhere of course, don't just keep the backup on the same server :)) )
  • 5
    For backups, what I once looked at, but never implemented, would be: https://backuppc.github.io/backuppc...

    Advantage, you can ssh into your app server and pull data to your backup server. If anyone hacks your app server, they don't have a way to get to your backup server...
  • 4
    Port knocking so that your ssh port is always blocked until you explicitly request it unblocked

    Also go with docker. On my end I have gitlab that deploys to my server. Next on my list: auto-create that docker container. I have all my scripts ready, just need a way to trigger it on my server after deployment is complete. Anyone know? I'm planning on using a file watcher to watch a specific directory for changes.
  • 3
    @Wack All you need to back up is your DB. Use container images for the rest, and you're done.
  • 2
    Also for backup try xtrabackup.
    And I would also recommend XtraDB just for the sake of creating a three-node cluster and experiencing how it's set up and how it works.
  • 2
    @linuxxx what's the difference between csf and ufw?
  • 4
    @Wombat They're 'interfaces' for the underlying firewall (iptables) :)
  • 2
    @linuxxx do I still need fail2ban if I have ssh and ufw firewall? 😊
  • 2
    @linuxxx when I go for a LEMP stack what exactly do I have to install from the PHP stuff to get Laravel framework working? Is php-fpm and php-mysql enough?
  • 2
    @Wombat If you are going to deploy Laravel regularly and want to alleviate some headaches check Envoyer, Forge, combine it with a CI/CD... Not free, but worth it for commercial projects.
  • 2
    @bittersweet good suggestion, but as a German therapist I must say I am too poor for this.
  • 2
    @Wombat CSF is a replacement for fail2ban!

    I'd go for nginx/php-fpm/mysql-client/mysql-server/all php packages you might need 😄
  • 5
    Personally I'd put the web server on a completely different server from the mail server if at all possible. Also I tend to prefer native iptables over ufw, because ufw's interface is quite limited in its operation. Don't get me wrong, it can do basic firewalls! But there's a lot of stuff in iptables that ufw hasn't abstracted. And ufw being rather Ubuntu-centric, you might not always have that available on e.g. CentOS or RHEL or Arch or whatever.. so it's definitely worth learning iptables. Other than that, looks good. Oh, and regarding SSH.. I tend to hide that behind an OpenVPN server.. port knocking could work too, but I haven't had much luck with that. Lastly, be sure to enforce the use of keys!
  • 3
    I was in the same boat a few months ago.

    1. DigitalOcean has some great documentation and guides on how to deploy many applications to many environments.

    2. If you are on Mac or Linux locally, I found it a bit easier to connect to remote servers since SSH is built in.

    3. You will eventually have to set up SSL or rather TLS. Understand how it works on a fundamental level, then realize that learning how a technology works in a class or course will always be different than implementing it on your own for the first time.

    I used Let’s Encrypt.

    Welcome to this new level!
  • 4
    @Wombat I manage a setup similar to yours (except with load balancers, multiple database clusters, a dozen webservers, and a million active users), so feel free to tag me in future rants if you run into problems. I'm not that great at devops though.

    Horizon & redis is pretty nice for queue workers btw, although I do still find it a bitch to properly monitor. Debugging failed jobs and getting a good overview on job performance can be difficult.

    If you're starting small, you can easily run workers on the webserver, and use your mysql to manage queues instead of redis. Pretty easy to migrate later.

    If you're going to work on that app yourself in terms of code, follow the Laravel News website. IDE Helper & Debugbar are essential packages in my opinion.

    Spatie (Belgian webdev company) poops out pure gold on a daily basis:
    https://spatie.be/open-source/...
    (API transformers, permission system, database localization, activity log, just too much useful stuff).
  • 2
    My first time today is first time doing backend (nodejs)
  • 2
    Welcome to the ocean 🤗

    https://digitalocean.com/community/...

    I used to manage my droplets on my own with help from the DO tutorials and community. They have enough resources. So I mainly relied on them. Above is an example.

    Now I'm using server pilot together with DO since I have more projects than in the past. I'm also using DO mainly for Laravel apps.

    Main advice would be just like everyone said, security. Since you have set up UFW, it's great. But there are extra steps you can take, like disabling login with password and stuff.

    I was also a long time bitbucket user. I set up my own hacky deployment so my app on droplet can pull from BB repo master branch through my laravel app's dashboard. You can try stuff like that if you want.
  • 1
    @Wombat make sure you have openssl, curl, mbstring, pdo, tokenizer, xml, json enabled. And I'm sure you won't forget that Laravel 5.6 needs PHP 7.1 or above.
  • 0
  • 0
    @bittersweet spatie is awesome! I use a bunch of their packages already. I love their img manipulation package.
  • 1
    @linuxxx configuration of Nginx was so damn easy (way more easy than Apache). That's awesome. But I don't know how I can prevent user access to directories without using .htaccess files. Can you explain that to me? 😄
  • 1
    @cursee I'm not using mammoth software. I only work with PHP 7.2.* 😉

    I restricted SSH access to my local machine and disabled password access. Also disabled root login.

    A few dumb questions:
    Do I need to install git to git clone from bitbucket?
    Do I need to install node to install dependencies with npm? (Same for composer?)
  • 1
    @Wombat git is usually installed. You can git -v and check. If not, installing is quite easy.

    Definitely need to install node and npm and composer. But installing all of them is easy. Same procedure as how you would normally install on Ubuntu from terminal. Let me know if you got any issue.
  • 2
  • 1
    @linuxxx thanks a lot.
  • 1
    @Wombat Np! You know where to find me ;)
  • 0
    @linuxxx one more question why can't I access /phpmyadmin? 😅
  • 1
    @Wombat I guess you installed it through apt-get?

    If yes, are you sure there is an nginx vhost for it?? :)

    Edit: you don't need a vhost, is a default nginx vhost in place?
  • 1
    @Wombat did you follow this tutorial or other ways?

    https://digitalocean.com/community/...
  • 2
    @linuxxx @cursee you guys are awesome. Didn't know there's a tut for that. Thanks 😁
  • 0
    @linuxxx I can't make any progress with the phpmyadmin installation. Since mcrypt is deprecated in php7.2 I cannot get access to /phpmyadmin. Nginx is yelling at me 403. 😒
  • 1
    This might be the solution. The tutorial from DO is totally missing this. 😔
  • 1
    @Wombat Never had that. Try that one indeed, but without access to the server I can't say off the top of my head 😅
  • 1
    I think you can still install mcrypt if it's the cause of it. I remember I got some mcrypt error on my phpmyadmin but after installing mcrypt 7.1 or regular mcrypt, it solved. Or I did something. Bad memory.

    But since I don't use nginx, I'm not very sure of the possible cause :3
  • 1
    @cursee mcrypt was dropped in php7.2 because it had vulnerabilities. I kinda made it work without it.
  • 2
    Laravel forge uses ocean
    Laracasts.com documents it
    Askubuntu.com is actually pretty useful
    WSL is underrated if you happen to be coming from Windows
    Nginx is tricky, pay special attention to the docs. Feels like I'm wishing someone good luck on their way to a war.
  • 2
    @rant1ng whatever you change on whichever branch, you eventually have to pull first before merging/pushing anything to anywhere.

    And that pull part is the only important part you have to worry about.

    Anyone who has no idea what they are pulling shall not merge/push anything to prod.
  • 2
    @cursee lol thanks

    That was supposed to be my own rant... gonna delete it now, you answered my q