Onboarding.md

File metadata and controls

270 lines (220 loc) · 12 KB

Infrastructure and application setup for new clients

Welcome to the process of setting up your infrastructure and your application!

Page HTML load time

Details about running your web application

Requirements

  1. 2-4 hours of time
  2. One person able to consider things, decide and act at every provider
    1. Finances
    2. User management
    3. Managing services
    4. Contacting support
    5. Reacting to notifications
  3. If moving: access to accounts at all providers below
  4. Company details (registered name, registration number, address)
  5. Access to company email account
  6. Access to company bank card including CVC and 3-D Secure device
  7. Access to company phone
  8. Installed 2FA mobile or desktop app

Specialized infrastructure providers

One per category.

  1. Domain registrar: Gandi 🇪🇺, AWS, Name.com by Donuts, Hexonet by CentralNic, Rackhost/.hu 🇪🇺
  2. DNS provider with DNSSEC: AWS, HE, Google, Exoscale 🇪🇺, Gandi 🇪🇺
  3. Server provider: UpCloud 🇪🇺
  4. SSL certificate vendor for HTTPS: Cheapsslsecurity.com, SSLMate, DigiCert, Certum 🇪🇺, Buypass 🇪🇺
  5. CDN provider: AWS, KeyCDN 🇪🇺, Akamai from Selectel
  6. Transactional email provider: AWS, SparkPost, SparkPost EU 🇪🇺
  7. Storage provider: AWS, UpCloud 🇪🇺, Backblaze B2, Selectel, Oktawave 🇪🇺

.hu domain registrars

Google Cloud Platform Premium Support for $100/mo

AWS Europe invoicing

AWS certificates for internal usage only

AWS CloudFront supports TLS 1.3

Policy for user accounts at service providers

  • Who is the legal owner of the account?
  • Who has access to this account?
  • Do we share account passwords?
  • Do main accounts have 2FA?
  • What other non-relevant services are under this account?
  • Accounts for domain registration and DNS services must use an email address with a different domain name.
  • Is the email account/phone number/bank card of this account in daily use?
  • Use a virtual bank card with a sub account instead of a physical bank card tied to the main bank account!

Secure browser in an ephemeral cloud instance

This section contains preparations for secure registration.

  • Deploy Windows Server 2016 Standard instance
  • Finish installation on the console: set language
  • Log in as Administrator with RDP on Windows or RDP on Mac
  • Download Palemoon browser
  • Create UpCloud shortcut on the Desktop: palemoon.exe "https://www.upcloud.com/register/?promo=U29Q8S"
  • Create AWS shortcut: "https://portal.aws.amazon.com/gp/aws/developer/registration/index.html"
  • Download user.js to %APPDATA%\Moonchild Productions\Basilisk\Profiles\
  • Open On-Screen Keyboard for entering passwords
  • Use the browser
  • Delete the instance

UpCloud registration

  • Referral URL
  • KeePass is an open source password manager
  • Enable 2FA (Google Authenticator)
  • My Account / Billing / MANUAL
  • My Account / Billing / AUTOMATED / Credit Card drop-down
  • Servers / Deploy a server / Add SSH public key
  • Check IP reputation (SecurityTrails, Project Honey Pot, HE BGP Toolkit, AbuseIPDB)
  • Servers / Server listing / (server name) / IP ADDRESSES / REVERSE DNS NAME Public IPv4 + IPv6
  • Log out (prevent session hijacking)
  • Have support enable SMTP for the account
  • Document server IP

Amazon Web Services registration

  • https://aws.amazon.com/
  • KeePass is an open source password manager
  • Account type: Business
  • Verification phone call: dial numbers
  • Support Plan: Basic
  • Enable 2FA (Google Authenticator)
  • Billing preferences / Disable Free Tier Usage Alerts + Enable Billing Alerts
  • CloudWatch / Select Region us-east-1 / Alarms / Create Alarm for EstimatedCharges
  • Route53 / Domain + DNS
  • CloudFront / CDN
  • SES / Domain + SMTP credentials + Move Out of the Sandbox + Bounce notification
  • S3 / Server backup bucket
  • IAM / Route53 API user + CloudFront API user + S3 API user
  • Log out (prevent session hijacking)
  • Document credentials

Cheapsslsecurity.com registration

RapidSSL DV

  • Buy Multiple Years: 2 Year
  • Billing Address, Payment Method

Dashboard

Generate Cert Now

  • (1) Select Your Order Type: select New or Renewal
  • (2) Input CSR: paste code block
  • (3) Prove control over your domain: select DNS TXT
  • (4) Choose domain validation level: select base domain
  • (5) Contact Information: enter your contact info
  • (6) Additional Certificate Options: Server Platform: select Other
  • (7) Certificate Services Agreement: tick both checkboxes [x] [x]

Verify your URL

  • Check domain name
  • Set TXT record in DNS
  • Wait for issuance

💡 Only ASCII characters in name and address.

Dashboard / Manage Renewal Email Preferences

  • Select Admin/Technical contact: untick both checkboxes [ ] [ ]

Renew a certificate

Dashboard

  • (select the certificate)
  • RENEW

Email delivery

  • There is no guaranteed email delivery on the Internet
  • 👨 📨 👨‍💼 ESP for One-to-One emails including inbound messages: Google Workspace, Protonmail 🇪🇺, Почта Mail.Ru, DomainFactory 🇪🇺
  • File sharing, large file sending: WeTransfer 🇪🇺, pCloud 🇪🇺, Smash 🇪🇺
  • 🤖 📨 👩‍💼 Transactional emails and notification emails for alerts, log excerpts: see providers above
  • 👨 📨 👨‍💼👴👩‍🔧 Bulk email for newsletter: customer relations with Intercom
  • Bounce messages for all three email types
  • Sender fraud protection and content integrity for all three: SPF, DKIM, DMARC
  • Auto-configuration for Outlook and Thunderbird
  • My email address: webmaster@
  • Outbound spam protection: MailChannels
  • Teamwork in one Gmail inbox: Drag
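The SPF, DKIM and DMARC items above are the controls that stop a third party from sending mail as your domain; the following added example (not part of this onboarding page) is a small POSIX shell checker for the SPF and DMARC TXT records. The records it is run on are constructed samples; in practice you would feed it the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. The 10-lookup limit it enforces comes from RFC 7208.

```shell
#!/bin/sh
# Added example, not from the onboarding page: sanity-check SPF and DMARC
# TXT records. Sample records used with it are constructed, not real.

# spf_lookup_count RECORD
# Counts the mechanisms/modifiers that cause a DNS lookup (include, a, mx,
# ptr, exists, redirect). RFC 7208 allows at most 10 of them per record.
spf_lookup_count() {
    # one token per line, with a trailing space so "a" and "mx" can be
    # told apart from "all" and "mx:host" style tokens
    printf '%s\n' "$1" | tr ' ' '\n' | sed 's/$/ /' \
        | grep -c -E '^[+~?-]?(include:|a[/: ]|mx[/: ]|ptr|exists:|redirect=)' || true
}

# spf_check RECORD
# Prints "ok" (exit 0) when the record is an SPF record ending in a hard
# fail (-all) within the lookup limit; otherwise prints the reason (exit 1).
spf_check() {
    rec="$1"
    case "$rec" in
        "v=spf1 "*) ;;
        *) echo "not an SPF record"; return 1 ;;
    esac
    case "$rec" in
        *" -all") ;;
        *) echo "missing hard fail (-all)"; return 1 ;;
    esac
    n=$(spf_lookup_count "$rec")
    [ "$n" -le 10 ] || { echo "too many DNS lookups: $n"; return 1; }
    echo "ok"
}

# dmarc_policy RECORD
# Prints the p= tag (none/quarantine/reject) or "missing" if there is none.
dmarc_policy() {
    printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' \
        | sed -n 's/^p=//p' | head -n 1 | grep . || echo missing
}

# dmarc_check RECORD
# Prints "ok" (exit 0) when the policy actually blocks spoofed mail
# (quarantine or reject) and aggregate reports (rua=) are requested, so
# that failures are both enforced and visible; otherwise the reason (exit 1).
dmarc_check() {
    rec="$1"
    case "$rec" in
        "v=DMARC1"*) ;;
        *) echo "not a DMARC record"; return 1 ;;
    esac
    pol=$(dmarc_policy "$rec")
    case "$pol" in
        quarantine|reject) ;;
        *) echo "weak policy: $pol"; return 1 ;;
    esac
    case "$rec" in
        *"rua=mailto:"*) ;;
        *) echo "no aggregate report address (rua=)"; return 1 ;;
    esac
    echo "ok"
}

# Constructed sample records for a stand-alone run:
spf_check 'v=spf1 include:_spf.google.com include:amazonses.com mx -all'
dmarc_check 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
```

A `p=none` DMARC policy only reports and blocks nothing, and a `~all` SPF record only soft-fails, so the checker treats both as findings rather than as a pass; run it again after every change to the sending infrastructure (new ESP, new CDN mail relay) because each `include:` consumes part of the lookup budget.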

Infrastructure setup

  • Document in hosting.yml and server.yml (Skype, Ugyfelek.yml, KeePass)
  • Gain access to providers (web based sub-account or API)
  • Manage migrations (magic-wormhole, WeTransfer.com)
  • PTR/IPv4, PTR/IPv6 records
  • Domain locking and autorenew
  • DNS records (check, clean up, monitor)
  • Incoming ESP and bounce notification
  • Whitelisted IPs (office)

Application setup

  • Development providers/accounts, e.g. hosted git, issue tracker (document, gain access, set up), mail trap
  • Git repository, branch usage (git flow)
  • 3rd party providers (document, gain access, set up)
  • Environments: development, staging, production
  • User names and SSH keys
  • Purchased plugins and libraries (updates, gain access, support)
  • Application environment definition
  • Set up CI
  • Write deploy script
  • Notifications (email, chat, SMS)
  • Revenue tracking
  • Error tracking
  • Development: development in production?, who has access, where to develop, how to deploy
  • Editorial duties: who has time and competence

Backup

  • Data on servers is automatically backed up daily with 7 days rotation
  • External resources (S3 bucket)
  • Email accounts (local, IMAP)
  • Issues (Clubhouse, Trello, GitHub, GitLab)
  • Code repositories (GitLab, GitHub)
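The "daily with 7 days rotation" rule above is easy to state and easy to get wrong in a cron job, so here is an added POSIX shell example (not the project's own backup tooling) that archives a directory into a dated tarball and then keeps only the newest seven. The `backup-YYYY-MM-DD.tar.gz` naming and the destination layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the onboarding page: dated archive + 7-day rotation.
set -eu

# make_backup SRC_DIR DEST_DIR [DATE]
# Creates DEST_DIR/backup-DATE.tar.gz from the contents of SRC_DIR and
# prints the archive path. DATE defaults to today (ISO format, so that a
# plain sort of file names is also a sort by date).
make_backup() {
    src="$1"; dest="$2"; date="${3:-$(date +%Y-%m-%d)}"
    mkdir -p "$dest"
    tar -czf "$dest/backup-$date.tar.gz" -C "$src" .
    printf '%s\n' "$dest/backup-$date.tar.gz"
}

# rotate_backups DEST_DIR KEEP
# Deletes every backup-*.tar.gz except the KEEP newest ones. Newest-first
# ordering comes from the reverse name sort; tail skips the first KEEP lines.
rotate_backups() {
    dest="$1"; keep="$2"
    ls -1 "$dest"/backup-*.tar.gz 2>/dev/null | sort -r \
        | tail -n +"$((keep + 1))" | while read -r old; do
            rm -f -- "$old"
        done
}

# count_backups DEST_DIR
# Prints how many archives are currently retained (0 when none).
count_backups() {
    ls -1 "$1"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run: back up this script's directory into a temp dir and rotate.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_backup "$(dirname "$0")" "$tmp/backups"
    rotate_backups "$tmp/backups" 7
    echo "retained: $(count_backups "$tmp/backups")"
fi
```

Rotation by name works only because the date is zero-padded ISO; if archives were named with a locale date or a timestamp in a different format, sort by modification time instead. Keep the external copy (the S3 bucket from the list above) on a separate credential so that a compromised server cannot delete its own history.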

Cyber security

  • Please see https://www.privacytools.io/
  • Notify on account breach: search email address https://haveibeenpwned.com/
  • Notify on account breach: search password https://haveibeenpwned.com/Passwords
  • Notify on account breach: search all details https://sec.hpi.uni-potsdam.de/ilc/search
  • Enable OS account security (fingerprint, face ID, hardware key, password)
  • All participants should stop using their browsers to store form data and passwords
  • Password authentication workflow
    1. Open the login page in a new browser tab
    2. Instruct your password manager to enter credentials and 2FA token
    3. Operate, do not leave your computer/device
    4. After finishing log out
    5. Click lock icon / Delete cookie in the address bar
    6. Close current browser tab
  • Data breach prevention in the application: automated attacks, paid hacker
  • Protection against malware and phishing attacks (credential stealing)
  • Against key loggers
  • Against mobile malware
  • Ransomware mitigation
  • Spam filtering
  • Incident response plan (outage, security incident)
  • Yearly security check

Collaboration

  • No emails if it is possible
  • Issues/ticketing: Clubhouse or Trello
  • Chat: Slack

Onboarding for developers

  • We run Debian GNU/Linux on an UpCloud cloud instance
  • All services run in UTC timezone
  • MariaDB or Percona Server + Apache with HTTP/2 and event MPM + PHP-FPM 7 + Redis (full feature list)
  • Every web application (and website) runs as a separate Linux user
  • There are no passwords for Linux users, only SSH keys
  • All non-production servers are accessible through SSH: terminal, MySQL tunnel, file upload, code deploy etc.
  • Production servers are not accessible for humans (except through HTTPS)
  • TCP ports for web and SSH are heavily protected (maxretry=3) with Fail2ban
  • Source code is kept in git (version-control system)
  • PHP OPcache's file timestamp validation is off, so PHP files are read once at first access; we use cachetool to reset OPcache after a code change
  • There are standard directories for sessions, upload and tmp
  • .htaccess files are disabled, Apache rules should be in vhost configuration (it is faster)
  • File versioning is not done in the query string but turned into file names like filename.002.ext in URLs; an Apache rule reverts them
  • Your web application is protected by a WAF
  • Blacklisted things: FTP/S protocol, web-based administration (import, export, backup, cPanel, phpMyAdmin), POP3/S protocol
  • How to design and implement CI and CD
  • Running a Laravel application
  • WordPress lifecycle
  • Interesting read on web applications
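The file-name versioning item above (filename.002.ext in the URL, reverted by an Apache rule) is shown end to end in the following added shell example, which is not the project's own code: one function builds the versioned name for a template, one performs the reverse mapping, and one prints a vhost rewrite rule that does the same mapping on the server. The rule's exact shape and the three-digit version format are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the onboarding page: cache busting with versioned
# file names and the reverse mapping done by an Apache rewrite rule.

# versioned_name FILE VERSION
# style.css + 2 -> style.002.css (three-digit, zero-padded version).
versioned_name() {
    file="$1"; ver="$2"
    base="${file%.*}"; ext="${file##*.}"
    printf '%s.%03d.%s\n' "$base" "$ver" "$ext"
}

# unversioned_name PATH
# Same mapping the Apache rule below applies to the request path:
# /css/style.002.css -> /css/style.css; paths without a version are unchanged.
unversioned_name() {
    printf '%s\n' "$1" | sed -E 's/\.[0-9]{3}\.([A-Za-z0-9]+)$/.\1/'
}

# apache_rule
# Prints the vhost-level rule (an assumption, not the project's config)
# that serves the unversioned file on disk for a versioned URL. [L] stops
# further rewriting once it has matched.
apache_rule() {
    cat <<'EOF'
RewriteEngine On
RewriteRule "^(.+)\.[0-9]{3}\.([A-Za-z0-9]+)$" "$1.$2" [L]
EOF
}

# Stand-alone run:
versioned_name css/style.css 2
unversioned_name /css/style.002.css
apache_rule
```

Because the version lives in the path rather than in a query string, CDN and browser caches treat every release as a new object and nothing has to be purged; the rewrite means the deploy never has to copy or rename files on disk, only the version number in the templates changes.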