mirror of
https://github.com/vcmi/vcmi.git
synced 2024-12-22 22:13:35 +02:00
36 lines
1.8 KiB
Markdown
36 lines
1.8 KiB
Markdown
This page dedicated to explain specific configurations of our servers for anyone who might need to improve it in future. Check [project infrastructure](project_infrastructure "wikilink") page for services and accounts overview.
|
|
|
|
## Droplet configuration
|
|
|
|
### Droplet and hosted services
|
|
|
|
Currently we using two droplets:
|
|
|
|
- First one serve all of our web services:
|
|
- [Forum](https://forum.vcmi.eu/)
|
|
- [Bug tracker](https://bugs.vcmi.eu/)
|
|
- [Wiki](https://wiki.vcmi.eu/)
|
|
- [Slack invite page](https://slack.vcmi.eu/)
|
|
- Second serve downloads:
|
|
- [Legacy download page](http://download.vcmi.eu/)
|
|
- [Build download page](https://builds.vcmi.download/)
|
|
|
|
To keep everything secure we should always keep binary downloads separate from any web services.
|
|
|
|
### Rules to stick to
|
|
|
|
- SSH authentication by public key only.
|
|
- Incoming connections to all ports except SSH (22) must be blocked.
|
|
- Exception for HTTP(S) connection on ports 80 / 443 from [CloudFlare IP Ranges](https://www.cloudflare.com/ips/).
|
|
- No one except core developers should ever know real server IPs.
|
|
- Droplet hostname should never be valid host. Otherwise it's exposed in [reverse DNS](https://en.wikipedia.org/wiki/Reverse_DNS).
|
|
- If some non-web service need to listen for external connections then read below.
|
|
|
|
### Our publicly-facing server
|
|
|
|
We only expose floating IP that can be detached from droplet in case of emergency using [DO control panel](https://cloud.digitalocean.com/networking/floating_ips). This also allow us to easily move public services to dedicated droplet in future.
|
|
|
|
- Address: beholder.vcmi.eu (67.207.75.182)
|
|
- Port 22 serve SFTP for file uploads as well as CI artifacts uploads.
|
|
|
|
If new services added firewall rules can be adjusted in [DO control panel](https://cloud.digitalocean.com/networking/firewalls). |