Generic website infrastructure setup

Return to developer
documentation index

This pages aims to provide links toward other reliable sources, to understand the different topics it's important to understand the principle that internet use.

1. Internet is an IP network, meaning that to reach every server an IP is required

2. When a name is used to reach a server, this name need to be translated to an IP by a Domain name server (DNS)

3. Your network use a private range of IP address therefore can't be reached from internet without a specific configuration

Domain, Domain name server (DNS) and DynDNS

Wikipedia[1]: A DNS is important when you want to reach your server from internet because you don't want to learn your IP by heart, you'd rather buy a domain like mycompany.org and use it to reach your server. When you type "www.mydomain.com" in a browser, your computer will call the default DNS; if this DNS doesn't know the IP attached to mycompany.org it will check with other DNS until it gets the answer, sometime www.mycompany.org can refers to another domain like datacenter1.mycompany.org. In this the case, the DNS will look for the IP attached to datacenter1.mycompany.org.

When you own a domain, you also own all the sub-domain like www.mycompany.org, erp.mycompany.org, yyy.xxx.mycompany.org ...; you can map this domain and its sub.domain to either an IP or another domain, usually with the company that sold you the domain. Here the main type that you will have to configure on the domain vendor portal:

1. "CNAME" record: used to map to another domain
2. "A" record: use to map an IP v4
3. "AAAA" record: use to map an IP v6
4. In case you don't own a fixed IP, you can use a Dynamic DNS[2] service: there is a daemon running on your network that will keep updating your IP in the DNS (usually the internet modem/gateway have this function). Often you will have to configure a dynamic DNS username and password on your domain vendor portal.

Here the example for OVH: https://docs.ovh.com/gb/en/domains/web_hosting_how_to_edit_my_dns_zone/

Port Forwarding, DMZ and Reverse Proxy

Once your Domain/subdomain refers to your IP address, Internet requests will arrive to your internet gateway, but you'll need to setup port forwarding[3] in order to forward those requests toward your web server.

The default internet port are 80 for http and 443 for https, once the portforwarding is configured for those port (80 & 443), it'll affect all the web traffics coming on this port. A simple port forwarding will work if you have a single web server (could host several websites) but if you have multiple web servers you may have to forward your traffic to a reverse proxy[4] that will be able to redirect the traffic based on the domain/subdomain or/and url.

If you want to be sure that internet traffic can't reach the other device on your network (LAN), you can place the reverse proxy in a DMZ[5] with firewall rules that allow only the traffic from internet to the reverse proxy and from the reverse proxy to specific IP on your local LAN (ie. your servers) but the firewall will block all other traffic coming from internet. For such setup there is an open source security appliance called pfSense that is able to do the firewall and the reverse proxy (with the module called HAProxy), pfSense can be installed on an old PC or deployed on a virtual machine.

Virtual host

Virtual host [6] is a method which aims to define with a configuration file of the web server (e.g Apache) a domain/Url called by the user's browser to access to your application; for example a virtual host configuration can be setup for:

1. www.mycompnay.org, the configuration file will define where to look for the pages like /usr/share/mangento/myshop ;
2. cloud.mycompany.org, the configuration file can define a reverse proxy to redirect the traffic to http://localhost:8888 in order to show the nextcloud pages;
3. dolibarr.mycompany.og, the configuration file could be the one to access your Dolibarr [7].

SSL encryption

The SSL encryption enable the encrypt the traffic between the user web browser and the server so even if someone is able to intercept the traffic he won't be able to see you passwords, website content ... the SSL encryption is configured at the virtual host level

1. Certificat generation with Openssl (selfsigned)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650

You can also add -nodes if you don't want to protect your private key with a passphrase, otherwise it will prompt you for "at least a 4 character" password. The days parameter (3650) you can replace with any number to affect expiration date. It will then prompt you for things like "Country Name" but you can just hit enter and accept defaults.

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain)

Self-signed certs are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a trusted CA like let's encrypt (free), globalsign, Norton ...

1. Certificat generation with Let's encrypt

As mentionned above self signed certificate will generate an error on browser unless the the certificate in "imported" on the computer, if not done by the systeml admin it gives an unprofessional experience for the user ( most browser message will say something like site dangerous/unsecure)

Let's encrypt is a free trusted certificate authority (aka CA) for most of the browsers meaning if let's encrypt says that your certificates are valide then most of the browser will trust your certicifacts and instead of a warning they will show a green lock on the address bar = the website is secure.

1. Configuration of the virtual host
2. Let's encrypt certificate renewal

Advanced setup

1. virtualisation
2. LXC container
3. Docker
4. pfSense