Difference between revisions of "Generic website infrastructure setup"

From Dolibarr ERP CRM Wiki
Revision as of 20:45, 9 October 2018

This page aims to provide links to other reliable sources. To understand the different topics it is important to understand the principles the Internet relies on:

1. The Internet is an IP network: to reach any server, its IP address is required.

2. When a name is used to reach a server, that name must be translated to an IP address by the Domain Name System (DNS).

3. Your network uses a private range of IP addresses, so it cannot be reached from the Internet without specific configuration on your gateway (NAT / port forwarding).

Domain, Domain name server (DNS) and DynDNS

Wikipedia[1]: A domain name matters when you want to reach your server from the Internet: you don't want to learn your IP address by heart, you'd rather buy a domain like mycompany.org and use it to reach your server. When you type "www.mycompany.org" in a browser, your computer asks its default DNS resolver; if that resolver doesn't know the IP attached to www.mycompany.org it queries other DNS servers until it gets the answer. Sometimes www.mycompany.org is an alias for another name such as datacenter1.mycompany.org; in that case the resolver then looks up the IP attached to datacenter1.mycompany.org.

When you own a domain, you also own all its sub-domains like www.mycompany.org, erp.mycompany.org, yyy.xxx.mycompany.org ...; you can map the domain and its sub-domains either to an IP address or to another name, usually on the portal of the company that sold you the domain. Here are the main record types you will have to configure on the domain vendor portal:

  1. "CNAME" record: maps a name to another name (an alias); the resolver then resolves that target name. A CNAME cannot be placed at the zone apex (mycompany.org itself) and cannot coexist with other records for the same name.
  2. "A" record: maps a name to an IPv4 address
  3. "AAAA" record: maps a name to an IPv6 address
  4. If you don't have a fixed IP address you can use a Dynamic DNS[2] service: a daemon running on your network keeps updating the A/AAAA record with your current public IP (most Internet modems/gateways have this function). Often you will have to configure a dynamic DNS username and password on your domain vendor portal; treat them like any other credential, since whoever holds them can repoint your name.

Here the example for OVH: https://docs.ovh.com/gb/en/domains/web_hosting_how_to_edit_my_dns_zone/
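The resolution walk described above, as an added example (not code from the wiki page or from Dolibarr): a small Python resolver over a constructed zone for mycompany.org. It follows CNAME aliases down to the A/AAAA record, flags the two mistakes a registrar portal should refuse (a CNAME at the zone apex, a CNAME next to other records), detects a dangling alias and an alias loop, and models what a Dynamic DNS client does on each check. All names other than mycompany.org, and all addresses (taken from the documentation ranges), are assumptions.

```python
# Added example, not from the Dolibarr wiki page: a minimal resolver walk over a
# constructed zone for mycompany.org, following CNAME aliases down to the A/AAAA
# record that holds the IP. Names and addresses are assumptions (documentation
# ranges 203.0.113.0/24 and 2001:db8::/32), chosen to show each record type,
# a dangling alias and an alias loop.

ZONE = {
    "mycompany.org":             [("A", "203.0.113.10")],
    "datacenter1.mycompany.org": [("A", "203.0.113.10"), ("AAAA", "2001:db8::10")],
    "www.mycompany.org":         [("CNAME", "datacenter1.mycompany.org")],
    "erp.mycompany.org":         [("CNAME", "www.mycompany.org")],
    "old.mycompany.org":         [("CNAME", "app.example-host.net")],  # provider gone: dangling
    "loop1.mycompany.org":       [("CNAME", "loop2.mycompany.org")],
    "loop2.mycompany.org":       [("CNAME", "loop1.mycompany.org")],
}

MAX_CHAIN = 8  # real resolvers also give up on long alias chains


class DnsError(Exception):
    pass


def resolve(zone, name, rrtype="A", max_chain=MAX_CHAIN):
    """Return the `rrtype` values for `name`, following CNAME aliases.

    Raises DnsError on a dangling alias (target has no records), on an alias
    loop, or when the chain exceeds `max_chain`.
    """
    seen = []
    current = name.lower().rstrip(".")
    for _ in range(max_chain):
        records = zone.get(current)
        if records is None:
            raise DnsError(f"{current}: NXDOMAIN (dangling alias?) via {' -> '.join(seen) or name}")
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            return [v for t, v in records if t == rrtype]
        if current in seen:
            raise DnsError("CNAME loop: " + " -> ".join(seen + [current]))
        seen.append(current)
        current = cnames[0].lower().rstrip(".")
    raise DnsError(f"{name}: CNAME chain longer than {max_chain}")


def check_zone(zone, apex):
    """Lint the zone the way a careful registrar portal would."""
    problems = []
    for name, records in zone.items():
        if any(t == "CNAME" for t, _ in records):
            if name == apex:
                problems.append(f"{name}: CNAME is not allowed at the zone apex")
            if len(records) > 1:
                problems.append(f"{name}: CNAME cannot coexist with other records")
            try:
                resolve(zone, name)
            except DnsError as e:
                problems.append(str(e))
    return problems


def update_dynamic_record(zone, name, observed_ip):
    """What a DynDNS client does on every check: rewrite the A record only when
    the public IP really changed (other records, e.g. AAAA, are kept).
    Returns True when an update was pushed to the DNS provider."""
    records = zone.get(name, [])
    if [v for t, v in records if t == "A"] == [observed_ip]:
        return False
    zone[name] = [(t, v) for t, v in records if t != "A"] + [("A", observed_ip)]
    return True


if __name__ == "__main__":
    print(resolve(ZONE, "www.mycompany.org"))          # ['203.0.113.10']
    print(resolve(ZONE, "www.mycompany.org", "AAAA"))  # ['2001:db8::10']
    for problem in check_zone(ZONE, "mycompany.org"):
        print("zone problem:", problem)
```

Because an alias inherits whatever its target resolves to, the DynDNS update of datacenter1.mycompany.org is enough to move www and erp as well. Delete CNAME records that point at a provider you no longer use: a dangling alias is the classic way a stranger ends up answering for one of your names.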


Port Forwarding, DMZ and Reverse Proxy

Once your domain/subdomain refers to your IP address, Internet requests will arrive at your Internet gateway, but you'll need to set up port forwarding[3] so that the gateway forwards those requests to your web server.

The default ports are 80 for HTTP and 443 for HTTPS; once port forwarding is configured for those ports (80 & 443) it applies to all web traffic arriving on them. A simple port forward is enough if you have a single web server (which can itself host several websites), but if you have multiple web servers you will have to forward the traffic to a reverse proxy[4] that dispatches it based on the domain/subdomain and/or the URL.

If you want to be sure that Internet traffic cannot reach the other devices on your network (LAN), you can place the reverse proxy in a DMZ[5] with firewall rules that allow only traffic from the Internet to the reverse proxy (ports 80 and 443) and from the reverse proxy to the web servers on the LAN; the firewall blocks all other traffic coming from the Internet. For such a setup there is an open source security appliance called pfSense that can do both the firewall and the reverse proxy (with the package called HAProxy); pfSense can be installed on an old PC or deployed as a virtual machine.
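A model of the port forwarding and DMZ policy above, as an added example (not from the wiki page, pfSense or HAProxy): Python that applies the destination NAT first and then a first-match, default-deny rule set, so each flow can be checked before the rules are typed into the firewall. The address ranges, the proxy host and the ERP host are assumptions.

```python
# Added example, not from the Dolibarr wiki page: a model of the port forwarding
# and DMZ policy described above, so the rule set can be reasoned about and
# tested before it is typed into pfSense or any other firewall. Addresses and
# hosts are constructed assumptions; a real firewall is stateful and lets the
# replies of allowed flows back through on its own.

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = ip_address("203.0.113.10")   # gateway's Internet side (documentation range)
DMZ_NET = ip_network("10.0.1.0/24")      # reverse proxy lives here
LAN_NET = ip_network("192.168.1.0/24")   # internal servers live here
PROXY = ip_address("10.0.1.2")           # HAProxy / reverse proxy in the DMZ
ERP = ip_address("192.168.1.10")         # Dolibarr web server on the LAN

# Port forwarding (destination NAT): traffic hitting the public IP on 80/443 is
# rewritten to the reverse proxy. Nothing else is forwarded.
PORT_FORWARDS = {
    (PUBLIC_IP, 80): (PROXY, 80),
    (PUBLIC_IP, 443): (PROXY, 443),
}

# First-match filter rules: (source zone, destination zone, destination host, ports).
# There is deliberately no "internet -> lan" rule: everything not listed is denied.
RULES = [
    ("internet", "dmz", PROXY, {80, 443}),
    ("dmz", "lan", ERP, {80}),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr):
    """Classify an address into the three zones: internet, dmz, lan."""
    a = ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in LAN_NET:
        return "lan"
    return "internet"


def dnat(flow):
    """Apply port forwarding; returns the flow as the DMZ/LAN will see it."""
    target = PORT_FORWARDS.get((ip_address(flow.dst), flow.dport))
    if target is None:
        return flow
    return Flow(flow.src, str(target[0]), target[1], flow.proto)


def policy(flow):
    """Decide 'allow' or 'deny' for a new connection: NAT first, then filter.
    Default deny: a flow that matches no rule is dropped."""
    f = dnat(flow)
    src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
    for s, d, host, ports in RULES:
        if (s, d) == (src_zone, dst_zone) and ip_address(f.dst) == host and f.dport in ports:
            return "allow"
    return "deny"


if __name__ == "__main__":
    for fl in (Flow("198.51.100.5", "203.0.113.10", 443),  # visitor -> public IP, forwarded to proxy
               Flow("198.51.100.5", "203.0.113.10", 22),   # visitor -> public IP ssh: not forwarded
               Flow("10.0.1.2", "192.168.1.10", 80),       # proxy -> ERP web
               Flow("10.0.1.2", "192.168.1.10", 22)):      # proxy -> ERP ssh: a compromised proxy stops here
        print(fl, "->", dnat(fl), policy(fl))
```

Note what the model denies: anything arriving on the public IP on a port other than 80/443, anything from the Internet aimed straight at the LAN, and anything from the proxy to the LAN except port 80 of the ERP server, so a compromised reverse proxy cannot roam the LAN. Administrative access from the LAN to the DMZ would need its own explicit rule.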

Virtual host

A virtual host[6] is a configuration block of the web server (e.g. Apache) that is selected according to the domain/URL requested by the user's browser; for instance a virtual host configuration can be set up for:

  1. www.mycompany.org, where the configuration defines where to look for the pages, e.g. /usr/share/magento/myshop
  2. cloud.mycompany.org, where the configuration defines a reverse proxy that forwards the traffic to http://localhost:8888 in order to serve the Nextcloud pages
  3. dolibarr.mycompany.org, where the configuration could be the one shipped with Dolibarr [7]

When the requested name matches none of the virtual hosts, Apache serves the request with the first virtual host defined, so define a catch-all virtual host first if you don't want requests addressed to your bare IP address to land on one of your applications.
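Which virtual host answers a request, as an added example (not from the wiki page nor from Dolibarr's Apache configuration): a Python model of Apache's name-based selection using the three hosts above, with a catch-all block placed first. The catch-all, the aliases and the document roots other than the page's /usr/share/magento/myshop are assumptions.

```python
# Added example, not from the Dolibarr wiki page nor Dolibarr's own Apache
# configuration: a model of Apache's name-based virtual host selection, to show
# which block answers a given request. The host names are the page's examples;
# the backends, aliases and the leading catch-all vhost are assumptions.

from fnmatch import fnmatch

# Virtual hosts in the order they appear in the server configuration. The order
# matters: Apache answers with the FIRST one when no ServerName/ServerAlias matches.
VHOSTS = [
    {"ServerName": "catchall.invalid", "ServerAlias": [],
     "action": ("status", 404)},                                     # assumed catch-all
    {"ServerName": "www.mycompany.org", "ServerAlias": ["mycompany.org"],
     "action": ("files", "/usr/share/magento/myshop")},
    {"ServerName": "cloud.mycompany.org", "ServerAlias": [],
     "action": ("proxy", "http://localhost:8888")},                  # Nextcloud behind a reverse proxy
    {"ServerName": "dolibarr.mycompany.org", "ServerAlias": ["erp.mycompany.org", "*.erp.mycompany.org"],
     "action": ("files", "/usr/share/dolibarr/htdocs")},             # assumed document root
]


def select_vhost(vhosts, host_header):
    """Mirror Apache's rule: walk the vhosts in order, the first whose ServerName
    or a ServerAlias (wildcards allowed) matches the Host header wins; if none
    matches, or the request carries no Host header, the first vhost answers."""
    if not host_header:
        return vhosts[0]
    host = host_header.split(":", 1)[0].lower().rstrip(".")   # drop :port, normalise case
    for vh in vhosts:
        if host == vh["ServerName"].lower():
            return vh
        if any(fnmatch(host, alias.lower()) for alias in vh["ServerAlias"]):
            return vh
    return vhosts[0]


def dispatch(vhosts, host_header, path):
    """Resolve a request to what the selected virtual host does with it."""
    vh = select_vhost(vhosts, host_header)
    kind, target = vh["action"]
    if kind == "status":
        return ("status", target)                     # e.g. 404 for unknown names
    if kind == "proxy":
        return ("proxy", target.rstrip("/") + path)   # forwarded upstream
    return ("files", target + path)                   # served from disk


if __name__ == "__main__":
    for host in ("www.mycompany.org", "Dolibarr.MyCompany.org:443",
                 "test.erp.mycompany.org", "203.0.113.10", None):
        print(host, "->", select_vhost(VHOSTS, host)["ServerName"])
```

Drop the first entry of VHOSTS and a request carrying the bare IP address in its Host header (what scanners send) is served by the shop's virtual host; that is why the catch-all goes first.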

SSL encryption

SSL encryption (nowadays TLS) encrypts the traffic between the user's web browser and the server, so even if someone is able to intercept the traffic they won't be able to read your passwords, website content, etc. It also lets the browser check that it is talking to the genuine server, provided the certificate was issued by an authority the browser trusts. SSL encryption is configured at the virtual host level.

  1. Certificate generation with OpenSSL (self-signed: the traffic is encrypted, but browsers warn because no trusted authority vouches for the certificate)
  2. Certificate generation with Let's Encrypt (free, trusted by browsers, automated through the ACME protocol)
  3. Configuration of the virtual host
  4. Let's Encrypt certificate renewal (certificates are valid for 90 days, so renewal must be automated)
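The Let's Encrypt validation that happens on your server during items 2 and 4, as an added example (not from the wiki page or from certbot): Python implementing the HTTP-01 key authorization (RFC 8555 sections 8.1 and 8.3, RFC 7638 key thumbprint) served under /.well-known/acme-challenge/, plus the renewal decision. The account key and the token are constructed stubs.

```python
# Added example, not from the Dolibarr wiki page: the server-side piece of the
# Let's Encrypt / ACME "HTTP-01" validation (RFC 8555 section 8.3, with the
# RFC 7638 key thumbprint), plus the renewal decision. A client such as certbot
# does all of this for you; the point is to see why port 80 of the public name
# must reach the machine running the client. The account key below is a
# constructed stub, not a real key.

import base64
import hashlib
import json
from datetime import datetime, timedelta

ACCOUNT_JWK = {  # public part of the ACME account key (constructed values)
    "kty": "RSA",
    "n": "constructed-modulus-not-a-real-key",
    "e": "AQAB",
}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the canonical JSON of the key's REQUIRED members only
    (RSA: e, kty, n), lexically sorted, without whitespace. Extra members such
    as "kid" or "alg" must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the string the CA expects to read back over HTTP."""
    return token + "." + jwk_thumbprint(jwk)


def make_challenge_handler(pending_tokens, jwk):
    """Return handle(method, path) -> (status, body), answering HTTP-01 on port 80
    only for tokens the CA actually issued for this order, 404 for anything else."""
    def handle(method, path):
        if method != "GET" or not path.startswith(CHALLENGE_PREFIX):
            return 404, ""
        token = path[len(CHALLENGE_PREFIX):]
        if "/" in token or token not in pending_tokens:   # no traversal, no guessing
            return 404, ""
        return 200, key_authorization(token, jwk)
    return handle


def renewal_due(not_after_iso, now_iso, min_days=30):
    """Let's Encrypt certificates last 90 days; clients renew once fewer than
    `min_days` remain, so a failed renewal leaves time to fix the setup."""
    remaining = datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(now_iso)
    return remaining < timedelta(days=min_days)


if __name__ == "__main__":
    handle = make_challenge_handler({"tokenFromTheCA"}, ACCOUNT_JWK)
    print(handle("GET", CHALLENGE_PREFIX + "tokenFromTheCA"))
    print(handle("GET", CHALLENGE_PREFIX + "guess"))
    print(renewal_due("2019-01-07T20:45:00", "2018-12-15T00:00:00"))
```

The CA fetches http://<your name>/.well-known/acme-challenge/<token> on port 80, so the port forwarding (and the reverse proxy, if there is one) must route that path to the machine running the ACME client; otherwise both the first issuance and every automated renewal fail.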


Advanced setup

  1. virtualisation
  2. LXC container
  3. Docker
  4. pfSense