Difference between revisions of "Project servers configuration"

From VCMI Project Wiki
(Created page with "This page dedicated to explain specific configurations of our servers for anyone who might need to improve it in future. Check project infrastructure page for services and...")
 
(Move droplet information here)
This page is dedicated to explaining the specific configuration of our servers for anyone who might need to improve it in the future. Check the [[project infrastructure]] page for an overview of services and accounts.

== Droplet configuration ==

=== Droplet and hosted services ===

Currently we are using two droplets:

* The first one serves all of our web services:
** [https://forum.vcmi.eu/ Forum]
** [https://bugs.vcmi.eu/ Bug tracker]
** [https://wiki.vcmi.eu/ Wiki]
** [https://slack.vcmi.eu/ Slack invite page]
* The second one serves downloads:
** [http://download.vcmi.eu/ Legacy download page]
** [https://builds.vcmi.download/ Build download page]

To keep everything secure we should always keep binary downloads separate from any web services, so that a compromise of a web application cannot be used to tamper with the binaries we distribute.

=== Rules to stick to ===

* SSH authentication by public key only.
* Incoming connections to all ports except SSH (22) must be blocked.
* Exception: HTTP(S) connections on ports 80 / 443 are allowed from the [https://www.cloudflare.com/ips/ CloudFlare IP Ranges], so the origin is reachable only through CloudFlare.
* No one except core developers should ever know the real server IPs.
* The droplet hostname should never be a valid host name; otherwise the real IP is exposed through [https://en.wikipedia.org/wiki/Reverse_DNS reverse DNS].
* If some non-web service needs to listen for external connections, read below.

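The rules above as a host-side policy model, added here as an example rather than VCMI's own configuration (the project applies them through the DO cloud firewall): <code>allowed()</code> evaluates an inbound connection against the rules, and <code>nft_ruleset()</code> renders the same policy as an nftables ruleset. The CloudFlare CIDR list is a constructed snapshot; the live list is at the link above.

```python
"""Model of the droplet firewall policy in the rules above (added example, not VCMI code).

SSH (22) is open to everyone (key-only auth is sshd's job), 80/443 are reachable
only from CloudFlare's published ranges, everything else is dropped.
"""
import ipaddress

# Constructed sample snapshot for the example; replace with the live list
# from https://www.cloudflare.com/ips/ before generating real rules.
CLOUDFLARE_RANGES = ["103.21.244.0/22", "173.245.48.0/20", "2400:cb00::/32"]
SSH_PORT = 22
WEB_PORTS = {80, 443}


def allowed(src_ip, dst_port, cf_ranges=CLOUDFLARE_RANGES):
    """Return True if an inbound TCP connection to dst_port from src_ip is accepted."""
    src = ipaddress.ip_address(src_ip)
    if dst_port == SSH_PORT:
        return True
    if dst_port in WEB_PORTS:
        # ip_network.__contains__ is False when address families differ
        return any(src in ipaddress.ip_network(c) for c in cf_ranges)
    return False  # default deny for every other port


def nft_ruleset(cf_ranges=CLOUDFLARE_RANGES):
    """Render the same policy as an nftables ruleset for the inet family."""
    nets = [ipaddress.ip_network(c) for c in cf_ranges]
    sets, accepts = [], []
    for ver, proto in ((4, "ip"), (6, "ip6")):
        cidrs = [str(n) for n in nets if n.version == ver]
        if not cidrs:  # nft rejects an empty 'elements = { }' set
            continue
        sets.append("  set cloudflare_v%d { type ipv%d_addr; flags interval; elements = { %s } }"
                    % (ver, ver, ", ".join(cidrs)))
        accepts.append("    %s saddr @cloudflare_v%d tcp dport { 80, 443 } accept" % (proto, ver))
    body = [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    tcp dport %d accept" % SSH_PORT,
        *accepts,
        "  }",
    ]
    return "\n".join(["table inet filter {", *sets, *body, "}"])
```

Load the rendered ruleset with <code>nft -f</code> only after replacing the sample CIDRs with the current CloudFlare list, otherwise legitimate proxied traffic is dropped.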
=== Our publicly-facing server ===

We only expose a floating IP, which can be detached from the droplet in case of emergency using the [https://cloud.digitalocean.com/networking/floating_ips DO control panel]. This also allows us to easily move public services to a dedicated droplet in the future.

* Address: beholder.vcmi.eu (67.207.75.182)
* Port 22 serves SFTP for file uploads as well as CI artifact uploads.

If new services are added, the firewall rules can be adjusted in the [https://cloud.digitalocean.com/networking/firewalls DO control panel].

== Services and accounts ==

So far we are using the following services:

Revision as of 14:49, 9 September 2017
