1
submitted 1 year ago by kayson@alien.top to c/main@selfhosted.forum

I'm deploying a nodejs-based website for someone. It will be low traffic, but I want to make sure I've got all my bases covered in terms of best practices for deployment and security. This is what I've got so far:

  • Code is hosted in private repo on private gitea instance
    • build into a docker image
  • Separate repo for all deployment code using ansible
    • secrets are saved in a vault and templated to the host
  • Runs on dedicated host with dedicated ipv4
  • host has fail2ban installed and firewalled to only allow ports 80/443 and shh
  • ssh hardened
    • non-standard port
    • public key auth only
  • images are run on docker
    • non-root user
    • one network for app+db, another for app+reverse proxy
    • only mapped ports are 80/443 on reverse proxy container
  • using swag for reverse proxy (includes fail2ban and letsencrypt)
    • php disabled
  • backups
    • database dumped nightly
    • everything synced to backblaze (wip)

What else should I be doing? The one thing I know I don't have is any monitoring. I'm going to set up some kind of healthcheck, but not sure if there's anything easy to set up wrt log monitoring...

Thanks!

top 3 comments
sorted by: hot top controversial new old
[-] DivideBackground7580@alien.top 1 points 1 year ago

It looks like you've covered a lot of important bases for deploying and securing your self-hosted website. Monitoring is indeed a crucial aspect to consider.

As for my personal experience, I've found that Smart Proxy is a handy solution for managing proxies and IPs in a secure and efficient way. It's user-friendly and has worked well for me in various projects. However, the choice of proxy service can vary depending on a specific needs, so make sure to do some research to find the best fit!

[-] OkShopping2034@alien.top 1 points 1 year ago

Don't forget about regular software updates and patch management. Keeping everything up to date is crucial for security. Also, consider setting up a Web Application Firewall (WAF) for added protection against web-based attacks.

[-] kayson@alien.top 1 points 1 year ago

Thanks! Any suggestions for WAF options? At the moment I just have nginx with fail2ban

this post was submitted on 13 Oct 2023
1 points (100.0% liked)

Self-Hosted Main

504 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS