I’m deploying a nodejs-based website for someone. It will be low traffic, but I want to make sure I’ve got all my bases covered in terms of best practices for deployment and security. This is what I’ve got so far:

  • Code is hosted in private repo on private gitea instance
    • build into a docker image
  • Separate repo for all deployment code using ansible
    • secrets are saved in a vault and templated to the host
  • Runs on dedicated host with dedicated ipv4
  • host has fail2ban installed and firewalled to only allow ports 80/443 and ssh
  • ssh hardened
    • non-standard port
    • public key auth only
  • images are run on docker
    • non-root user
    • one network for app+db, another for app+reverse proxy
    • only mapped ports are 80/443 on reverse proxy container
  • using swag for reverse proxy (includes fail2ban and letsencrypt)
    • php disabled
  • backups
    • database dumped nightly
    • everything synced to backblaze (wip)

What else should I be doing? The one thing I know I don’t have is any monitoring. I’m going to set up some kind of healthcheck, but not sure if there’s anything easy to set up wrt log monitoring…

Thanks!
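The container-isolation items in the checklist above (non-root user, split networks, only 80/443 published on the reverse proxy) can be verified against what Docker actually applied. The script below is an added example, not part of the original post; the container names `swag`, `app`, `db` and the network names are assumptions, and the sample data is constructed.

```python
import json

ALLOWED_HOST_PORTS = {"80", "443"}

# Constructed sample shaped like `docker inspect swag app db` output.
# Container and network names are hypothetical; db is deliberately misconfigured.
SAMPLE = json.loads("""[
 {"Name": "/swag", "Config": {"User": "1000:1000"},
  "HostConfig": {"PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "443"}],
                                  "80/tcp": [{"HostIp": "", "HostPort": "80"}]}},
  "NetworkSettings": {"Networks": {"frontend": {}}}},
 {"Name": "/app", "Config": {"User": "node"},
  "HostConfig": {"PortBindings": {}},
  "NetworkSettings": {"Networks": {"frontend": {}, "backend": {}}}},
 {"Name": "/db", "Config": {"User": ""},
  "HostConfig": {"PortBindings": {"5432/tcp": [{"HostIp": "", "HostPort": "5432"}]}},
  "NetworkSettings": {"Networks": {"backend": {}, "frontend": {}}}}
]""")

def published_ports(c):
    """Host ports bound for one container record."""
    bindings = (c.get("HostConfig") or {}).get("PortBindings") or {}
    return {b["HostPort"] for binds in bindings.values() for b in (binds or [])}

def networks(c):
    return set(((c.get("NetworkSettings") or {}).get("Networks") or {}).keys())

def audit(containers, proxy="swag", db="db"):
    """Return a list of findings; an empty list means the checklist holds."""
    findings, by_name = [], {c["Name"].lstrip("/"): c for c in containers}
    for name, c in sorted(by_name.items()):
        ports = published_ports(c)
        # The proxy may publish 80/443; every other container should publish nothing.
        extra = ports - ALLOWED_HOST_PORTS if name == proxy else ports
        if extra:
            findings.append(f"{name}: unexpected published host ports {sorted(extra)}")
        # An empty User means the container process starts as uid 0.
        uid = ((c.get("Config") or {}).get("User") or "").split(":")[0]
        if uid in ("", "0", "root"):
            findings.append(f"{name}: starts as root (User={uid!r})")
    if proxy in by_name and db in by_name:
        shared = networks(by_name[proxy]) & networks(by_name[db])
        if shared:
            findings.append(f"{db}: shares network(s) {sorted(shared)} with {proxy}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Against a live host, pass it the parsed JSON from `docker inspect` for the running containers instead of `SAMPLE`.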

  • DivideBackground7580@alien.topB
    1 year ago

    It looks like you’ve covered a lot of important bases for deploying and securing your self-hosted website. Monitoring is indeed a crucial aspect to consider.

    As for my personal experience, I’ve found that Smart Proxy is a handy solution for managing proxies and IPs in a secure and efficient way. It’s user-friendly and has worked well for me in various projects. However, the choice of proxy service can vary depending on specific needs, so make sure to do some research to find the best fit!