This article is also published on Medium Blogging Platform.
Through this article, I want to share the best practices I use when deploying some web application on Cloud. I work as a freelancer on Upwork and recently one of my clients asked me to setup SuiteCRM for his small organization. Since I frequently write tutorials for Alibaba Cloud, I recommended the Client to use the same cloud platform. For nearly a 100 users and at least 30 concurrent users, here’s the configuration I recommended.
The steps I followed is very simple and can be adopted for nearly all PHP based applications.
If you are new to Alibaba Cloud, you can use this link to sign up to Alibaba Cloud. You will get new user credit worth 300 USD for free which you can use to try out different Alibaba Cloud products.
Alibaba Cloud has documented nearly everything you will require to get started with the cloud platform. You can use the use the Getting Started Tutorials or the Tech Share Blog to learn how to start using the Alibaba Cloud. You can find the most obvious steps on the Quick Start Guide and let me walk you through the best practices to use when creating the ECS instance.
Log in to your Alibaba Cloud console and go to Elastic Compute Service interface. You can easily create the instance by clicking the Create Instance button. Things to keep in mind are:
Here’s the configuration I used.
You can choose the VPC which is created by default. You can add as much as 4092 instances in it. I use a different security group for each ECS instance so that I can configure individually, it makes sure that no unused port is opened.
Another important thing is to use key-based authentication rather than using the passwords. If you already have a key-pair, you can add the public key to Alibaba Cloud. If not, you can use Alibaba Cloud to create one. Make sure that key is stored in a very secure place and the key itself is encrypted by a passphrase.
That’s all the things to keep in mind while creating the ECS instance.
Once you have created your instance and logged into the terminal, there are few things I suggest you should consider before you set up your website.
I created the sudo user and configured key based auth in it. I updated the base image and set up unattended system upgrades. I followed a tutorial to install Nginx web-server, which is a lightweight production-grade web server. Furthur, I installed PHP 7.2 with PHP-FPM. PHP 7.2 is the latest available version of PHP as of now. Using the latest software will ensure that the system is free from all the bugs and we will also get a faster processing and more stability. Finally, I downloaded the SuiteCRM archive from its official website and deployed the files into Nginx.
It is very important to leave no unused port open in security group of the ECS instance. Have a look at the security group rules I used for the SuiteCRM instance.
You can see that I have allowed only the ports 22, 80 and 443 along with all ICMP packets. Post 22 is used for SSH connection. Port 80 is unsecured HTTP port, which in my case just redirects to the port 443 on HTTPS. ICMP packets are used to ping the host to check if it is alive or not. It’s perfectly ok if you want to drop the ICMP packets also, you just won’t be able to ping your instance.
The first question arises in mind before we create the RDS instance is why exactly we need it. We could also install any open source database server such as MySQL, MariaDB, PostgreSQL or MongoDB server on the ECS instance itself.
The answer to the question is that ApsaraDB for RDS instance is optimized for speed and security. By default, the instance we create is only accessible to the whitelisted instances only.
Let’s look at the things to keep in mind when we create the ECS instance.
Here’s the RDS configuration I used for SuiteCRM.
Once the MySQL RDS instance was activated, I whitelisted the ECS instance from the Security tab of the instance. As soon as I whitelist the IP address, I got the hostname to the RDS instance along with the port number, which was MySQL default port “3306”. I created a database named “suitecrm” and a database user named “suitecrm” and provided read/write access to the user.
As the internet is growing more and more websites are being added on daily basis. When Let’s Encrypt certificate authority started giving SSL certificates for free, it became a trend to use SSL on every website. For the purpose of security, it is very important to use SSL on a web application. If the data being exchanged is unencrypted, a person eavesdropping into the network may extract the confidential information.
Alibaba Cloud also provides SSL certificates, but in my point of view, it is quite expensive. However, with expensive things comes extra guarantee. SSL certificates provided by Alibaba Cloud is suitable for enterprise users.
In the SuiteCRM deployment, I also used Let’s Encrypt free SSL to secure the SuiteCRM web application. For generating the certificates by Certbot which is a client application for Let’s Encrypt CA, the domain needs to be pointed towards the server.
Alibaba Cloud provides domain name at very reasonable rates with free whois protection. In my case, my client already had the domain name purchased from elsewhere. I created a subdomain and pointed the domain to the ECS instance. I installed Certbot and could easily generate the certificates. Never forget to set up a cron job to renew the certificates automatically as the certificates are expired in every three months.
Setting up an email server by yourself should be avoided as to create an enterprise-grade web server requires expertise, time and the cost to maintain get very high. A slight misconfiguration leads the email directly into the spam folder.
Alibaba Cloud Direct Mail service provides a cheaper way to send emails from the application using SMTP. It’s free for the first 200 emails every day. In my case, 200 emails per day are enough, and emails exceeding the free quota is also very cheap. I added a new email subdomain into the Direct Mail. Upon adding the domain, I was asked to update the DNS. I did as instructed and it took some time for DNS to get verify as the propagation takes time. Once done, I added the sender address and I had the SMTP server ready to be used with the application.
Finally, I had everything ready. The SuiteCRM application hosted on ECS. Database server hosted on ApsaraDB for RDS. I could easily go through the web-based installation to install the software.
Here’s the configuration I provided for the database server during web-based installation of SuiteCRM.
Similarly, I filled all the required information and provided the SMTP server details.
Finally, my application was successfully deployed on Alibaba Cloud. Furthur, I suggested the client to use ApsaraDB for Memcache to store the session cache of SuiteCRM and to use WAF to secure the application against incoming threats. However, client denied the implementation of the suggestions as it would add more amount to their monthly bill. However, the client was very happy to see the performance of the application on Alibaba Cloud platform.
I frequently write technical blogs on Alibaba Cloud Tech Share platform. Go to the following link to find the tutorials written by me. I will also write the detailed guide of the steps and commands to run which are followed by me to install SuiteCRM on Ubuntu 16.04 on Alibaba Cloud Tech Share Platform.