Server Setup
2020-06-08
Register Domain
In an attempt to do further web/app development, I needed to determine for myself how to register a domain and host the site. I started looking at a variety of sites for registering a domain and settled on gandi.net as they have been around for a while and offered to keep registrant details private rather than publishing them to the whois database.
After a couple of days of waiting during the weekend, the domain was up. It is rather inexpensive.
Setup Server
Now it was time to set up a server using a dedicated hosting provider. I decided on Digital Ocean and their smallish droplets. Setting up the server was as normal. Attempt to lock down the server,
Once the system was accessible and functioning, the IP address of the server needed to be connected with the domain name. This was straightforward: set the external nameservers at gandi.net to point to those at the hosting provider, then set the DNS records for IPv4 (A) so they associate the domain name with the running server instance. Also added was a redirect of the www host, and the CAA record was set to letsencrypt.org so that only that CA may issue certificates for the domain. I created an IPv6 (AAAA) record, but then removed it. It will get added back later.
These changes take a while to propagate across the many DNS resolvers. I eventually found DNS Checker to see how far the changes had gotten.
Basic Webserver setup (http)
Using nginx as the webserver, setup was rather straightforward. The configuration was somewhat daunting, but manageable. First I wanted to redirect all insecure (http) requests to the secure (https) endpoint:
http {
    server {
        listen 80;
        # Domain names
        server_name restite.org www.restite.org;
        # Redirect to the https version of the site.
        # $server_name resolves to the first name listed above (restite.org).
        return 301 https://$server_name$request_uri;
    }
}
Secure Webserver setup (https)
With all content directed towards the secure server, this needed two things:
- A secure certificate
- Content
The certificate comes from letsencrypt.org and certbot. The documentation for setup and creation is rather straightforward. I ran into some issues by running this too eagerly before the DNS propagation had finished and encountered errors where the hostname was not resolvable. A bit of patience solved that issue. Once certbot put the certificates into place, we point the nginx configuration at them:
http {
    server {
        listen 443 ssl http2;
        server_name restite.org www.restite.org;
        # SSL settings: certificate chain and private key written by certbot
        ssl_certificate /path/to/certs/live/fullchain.pem;
        ssl_certificate_key /path/to/certs/live/privkey.pem;
        keepalive_timeout 70;
        ssl_session_timeout 10m;
        # TLSv1.0 and TLSv1.1 are deliberately left out
        ssl_protocols TLSv1.2 TLSv1.3;
        # OpenSSL cipher string for TLSv1.2 and earlier (TLSv1.3 suites are fixed by OpenSSL).
        # The 3DES groups are obsolete and can be dropped once no legacy clients need them.
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        ssl_prefer_server_ciphers on;
        access_log /var/path/to/log/access.log;
        error_log /var/path/to/log/error.log;
        root /www/path/to/html;
        location / {
            # Uncomment once an internal application server is listening on port 8000
            # proxy_pass http://127.0.0.1:8000;
            index index.html index.htm;
        }
    }
}
The protocols and ciphers are important in making sure the site is secure, along with not using TLSv1.0 and TLSv1.1.
The proxy_pass directive sets up a reverse proxy to an internal web server on the same host. Once that internal server is up and running, we can access it externally if desired.
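A small check of those protocol and cipher settings, as an added example that is not part of the original post: it pulls the ssl_* directives out of a server block and flags legacy protocols, weak cipher groups, and a missing server-preference setting. The samples are constructed; PAGE_CONF carries the ssl_ciphers string from the https block above, so the checker points out the 3DES groups, and WEAK_CONF is a deliberately weakened variant.

```python
import re

# Constructed samples (not from a live server). PAGE_CONF carries the ssl_*
# directives from the https server block above; WEAK_CONF is a weakened variant.
PAGE_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_prefer_server_ciphers on;
}
"""
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:ECDH+3DES:RC4:!aNULL;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string tokens that should not appear in an allowed group.
LEGACY_CIPHER_TOKENS = {"3DES", "DES", "RC4", "MD5", "NULL", "aNULL", "eNULL", "EXPORT"}


def directive(conf, name):
    """Return the arguments of the first `name ...;` directive, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.M)
    return m.group(1).split() if m else None


def audit_tls(conf):
    """Return human-readable findings for one nginx server block; empty means clean."""
    findings = []
    protocols = directive(conf, "ssl_protocols") or []
    findings += [f"legacy protocol enabled: {p}" for p in protocols if p in LEGACY_PROTOCOLS]
    if "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 not enabled")
    # ssl_ciphers is an OpenSSL cipher string: groups separated by ':', a leading '!'
    # removes a group, '+' ANDs tokens inside a group. It governs TLSv1.2 and earlier only.
    for group in ":".join(directive(conf, "ssl_ciphers") or []).split(":"):
        if group and not group.startswith("!") and set(re.split(r"[+-]", group)) & LEGACY_CIPHER_TOKENS:
            findings.append(f"weak cipher group allowed: {group}")
    if directive(conf, "ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings


if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("weak", WEAK_CONF)):
        print(label, audit_tls(conf) or "no findings")
```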
This is rather similar to some of the original setups from long ago, but the software and hosting have gotten so much better, faster, and more secure.