
OCAU's Next Hosting, AKA, Secure PHP on AWS

Discussion in 'Business & Enterprise Computing' started by Agg, Dec 7, 2014.

Thread Status:
Not open for further replies.
  1. Agg

    Agg Lord of the Pings

    Joined:
    Jun 16, 2001
    Messages:
    33,200
    Location:
    A Reported Post Near You
    It's about time I started planning for OCAU's next hosting setup. Our current setup has served us very well for over 5 years but needs a hardware and software refresh. Also it seems likely we will be leaving Internode at the end of January as their sponsorship setup has changed under iiNet - no hard feelings there, they've been very kind to us for a long time.

    So, one of the main goals is to get us away from dedicated hardware. I've looked at a few options (Rackspace, Linode etc) and I keep finding myself coming back to Amazon's AWS. It's not the cheapest option but I think it should be affordable. I've already moved some simple parts of OCAU over to them, with our DNS handled by their Route 53, and the Misc Pics images served from S3. So the obvious next step is to move the databases over to an RDS instance presenting a MySQL interface and the PHP/files to an EC2 instance (and in the future look at loadbalancing multiple instances etc).

    But actually the main concern I have is not really an AWS issue, rather a general Linux issue. Once EC2 spins up a virtual server, AWS are hands off. So the security and updates etc are our problem. I can "apt-get update" like anyone but the security config is much more of a big deal nowadays than when I last did it. When the current servers were rebuilt in 2009 (in response to a security issue) we had the assistance of a vendor, but I'm not sure what they're up to nowadays or who else's niche it would fall into, or if we can get to where we need to be by installing a few what-the-cool-kids-use packages and following some online guides.

    What I don't want to do is move from our current setup onto nice shiny AWS and then find some old hole in our code is now exposed and we get pwned. I'm quite out of the loop on this stuff so I don't even really know if this is something I should particularly be worried about, or if following a few online guides will get us where we need to be, or if I should be bringing a vendor in, or even if we should ditch the AWS idea and go to something more managed, where we only worry about the application side of things.. really I'd like to be as hands-off as possible as that will let me focus on content and community stuff (and other aspects of my life) rather than lying awake waiting for a PSU to blow or some new security issue.

    I may be a bit brain-fried by the options and over-thinking all this. Surely "hosting a PHP+mysql website" is something that happens a zillion times a day.. anyway, any info you have would be appreciated.
     
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,384
    Location:
    Brisbane
    Why RDS? Smells like Windows.

    There is really no reason for OCAU to be on Windows at all.

    If security, updates etc. are important, get a sub w/ RHEL or use a RHEL instance - http://aws.amazon.com/partners/redhat/

    For security hardening maybe try to engage IAC or millys_c (sp?).

    Did OCAU jump to MariaDB yet?
     
  3. Agg (OP)

    Agg Lord of the Pings

    Joined:
    Jun 16, 2001
    Messages:
    33,200
    Location:
    A Reported Post Near You
    Why does RDS smell like Windows? RDS is their cloud database server product. I'd prefer the database to be on a separate box rather than one of our EC2 instances, which makes it easier to do load-balancing and makes the instances themselves more easily destroyed and refreshed. Plus if the database management is on AWS's side it makes for one less thing to secure/manage, which is part of the goal of this change. Still planning to use Linux EC2 instances, because I don't have much recent experience on Windows servers and prefer Linux anyway.

    We haven't moved to MariaDB but I am aware of it. I'm not sure if that's really relevant to this discussion because we won't be running our own MySQL or MariaDB on the EC2 instances, but using RDS to present a MySQL-compatible database to vBulletin.

    The goal really would be to move what we have now over to the new platform as much as possible, and then when we have the space and ease of experimentation that comes from being in the cloud, we can think about major changes down the line like XenForo or whatever.
     
    Last edited: Dec 7, 2014
  4. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,384
    Location:
    Brisbane
    Sorry - RDS to me means Remote Desktop Services (which is what they call Windows Terminal Services now).

    As per Monty himself - http://www.themukt.com/2014/09/11/reason-use-mysql-michael-widenius/
     
  5. Agg (OP)

    Agg Lord of the Pings

    Joined:
    Jun 16, 2001
    Messages:
    33,200
    Location:
    A Reported Post Near You
    Whoops, I've been updating my post above with more thoughts while you were posting yours. I know why MariaDB exists etc, but I think the MySQL vs MariaDB debate simply goes away when we virtualise it through RDS, as long as vBulletin thinks it's talking to MySQL.
     
  6. Zyklone

    Zyklone Member

    Joined:
    May 1, 2005
    Messages:
    516
    Location:
    Canberra
    AWS would be good for OCAU. As mentioned above, the Red Hat option on AWS would provide a lot more "comfort" on the security front than running your own setup on an Ubuntu/Debian/CentOS system.

    At the moment we are as vulnerable as vBulletin is; that will not change once you move to AWS, so you are not introducing more risk from that front. As long as you practice good password handling and apply operating system security updates as soon as they are released, how is that different from what is currently being done?

    If you really need peace of mind, would a managed solution be better? I'm not sure what the OCAU hosting fund is, but some form of managed solution could probably be had for under $100 a month.
     
  7. Agg (OP)

    Agg Lord of the Pings

    Joined:
    Jun 16, 2001
    Messages:
    33,200
    Location:
    A Reported Post Near You
    Traditionally it hasn't been vBulletin that has been the concern, but our oddball custom code like the CMS and Pix etc.

    Managed would be great, and $100 a month is a lot less than I would be expecting to pay, even for an unmanaged AWS setup. Provider suggestions welcome..
     
  8. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,384
    Location:
    Brisbane
    As in managed VBB? or Managed Hosts?

    You aren't getting a Managed Host for OCAU for < $4-500/month imo

    Managed VBB is gonna suck with all our mods etc.
     
  9. Great_Guru

    Great_Guru Member

    Joined:
    Sep 5, 2001
    Messages:
    1,225
    Location:
    Australia
    Just a layman suggestion here, but maybe engage someone like Troy Hunt (an Aussie) to do a review before starting any migration.
     
  10. fad

    fad Member

    Joined:
    Jun 26, 2001
    Messages:
    2,568
    Location:
    City, Canberra, Australia
    If you're worried about security, how about putting CloudFlare in front of your website traffic?
     
    Last edited: Dec 7, 2014
  11. DTG

    DTG Member

    Joined:
    Sep 16, 2002
    Messages:
    541
    Location:
    Melbourne, Aust
    Be aware that RDS can cause problems, as all their specs are based off average performance. Because it is a shared system, latency spikes (disk, not network) caused by others can degrade the performance of the whole app fairly badly.

    I know of a few places that have gone to the cloud and then back because performance wasn't consistent. When it was good it was the best solution, but when it was poor, which happens randomly, it was causing them to lose users.

    Web layers seem to be not as sensitive and when behind a load balancer it is even less of an issue.
     
  12. BluBoy

    BluBoy Member

    Joined:
    Jan 20, 2006
    Messages:
    1,899
    Location:
    Brisbane
    Let me know if you need a hand with anything. I am currently an infrastructure admin for a website in the Alexa 100 list, working on migrating it to AWS.

    I've managed to get my head around their cloudformation workflow (a must for a site of this size) and would be happy to offer my thoughts on any solution you are considering (free) or design and deploy the solution for you (paid).

    Regardless, best of luck with the move. It is seriously a great platform!
     
  13. albeeny

    albeeny Member

    Joined:
    Feb 25, 2002
    Messages:
    124
    Location:
    Syd
    Agg, have you considered using a Web Application Firewall?
     
  14. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,471
    Location:
    qld.au
    RHEL and CentOS are the same codebase; the only difference is who compiles it. The difference comes down to the support provided, and this is where Red Hat excels.

    It'll be a lot more than $100!

    AWS EC2 is more expensive than other providers if you're just paying for month-by-month pricing, the main advantage comes from a spin up / spin down capability. Unless you take advantage of this, there are better solutions available.

    For OCAU hosting, one of the first things I'd look at is CloudFlare. This can be utilised now, so you can test it before you migrate the backend systems. On a Professional subscription (US$20/month), you get access to their Web Application Firewall: https://www.cloudflare.com/waf

    There's a lot of other security advantages also: they automatically block known bad IPs / bots, and anything suspect can pop up a captcha to ensure bad elements are blocked. If you host with a CloudFlare certified host, you also get access to Railgun for free.

    They have a support article on Vbulletin here: https://support.cloudflare.com/hc/e...ps-for-using-CloudFlare-with-vBulletin-forums

    With Amazon RDS, be aware that the performance can be a bit variable without provisioned IOPS. Do you have a reasonable figure for what your peak TPS are?

    Another option to consider is SoftLayer, who have now launched in Melbourne and the Sydney DC will be open very soon.
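A caveat that goes with putting CloudFlare (or any proxy-style WAF) in front of the site: the WAF rules and the bad-bot blocking only apply to requests that actually pass through the proxy, so the origin has to refuse direct connections and must only honour the client-IP header CloudFlare sets (CF-Connecting-IP) when the TCP peer is one of the proxy's own addresses. The Python below is an added example, not OCAU's code and not anything from CloudFlare, showing that trust decision as the origin would apply it for logging and rate limiting. The proxy address ranges and the request samples in it are constructed placeholders; a real deployment loads CloudFlare's published IP list and also restricts the instance security group to those ranges.

```python
"""Restore the real client IP behind a proxy WAF only for requests that
actually arrived through it, and flag requests that reached the origin
directly (those were never inspected by the WAF).

Added example, not OCAU's or CloudFlare's code. The ranges below are
constructed placeholders standing in for the proxy's published list.
"""
import ipaddress

# Constructed placeholder ranges; replace with the proxy's published list.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

REAL_IP_HEADER = "CF-Connecting-IP"  # header the proxy sets with the client IP


def is_trusted_proxy(peer_ip):
    """True if the TCP peer that connected to the origin is in a proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def resolve_client(peer_ip, headers):
    """Decide which address to log / rate-limit on.

    Returns a dict with:
      client_ip - the address to treat as the client
      via_proxy - whether the request came through the trusted proxy
      bypass    - True when the origin was reached directly; the header,
                  if present at all, is ignored because anyone can set it
    """
    # Header names are case-insensitive; normalise once.
    hdrs = {k.lower(): v for k, v in headers.items()}
    forwarded = hdrs.get(REAL_IP_HEADER.lower())

    if is_trusted_proxy(peer_ip):
        if forwarded is None:
            # The proxy always sets this header; its absence is a config error.
            raise ValueError("trusted proxy peer without %s header" % REAL_IP_HEADER)
        # Validate before trusting it: ipaddress rejects malformed values.
        client = str(ipaddress.ip_address(forwarded.strip()))
        return {"client_ip": client, "via_proxy": True, "bypass": False}

    # Direct connection: never honour the header, record the peer itself,
    # and mark the request so it can be denied or alerted on.
    return {"client_ip": peer_ip, "via_proxy": False, "bypass": True}


def triage(requests):
    """Count requests that bypassed the proxy, given (peer_ip, headers) pairs.
    A non-zero result means the origin firewall is not actually closed."""
    return sum(1 for peer, hdrs in requests if resolve_client(peer, hdrs)["bypass"])


# Constructed sample traffic as the origin would see it.
SAMPLE_REQUESTS = [
    ("198.51.100.17", {"CF-Connecting-IP": "203.0.113.9"}),    # via proxy
    ("2001:db8:cf::5", {"cf-connecting-ip": "203.0.113.10"}),  # via proxy, lowercase header
    ("203.0.113.77", {"CF-Connecting-IP": "10.0.0.1"}),        # direct hit, header set by the peer
    ("203.0.113.78", {}),                                       # direct hit, no header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        print(peer, resolve_client(peer, hdrs))
    print("bypassed the proxy:", triage(SAMPLE_REQUESTS))
```

The same decision belongs in the PHP front controller or in the web server's real-IP module configuration; the point is that requests marked `bypass` are the ones the WAF never saw, and the origin should be rejecting them at the network level rather than serving them.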
     
  15. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    I read a report recently comparing CloudFlare with Incapsula (it might have been this one, can't remember) but neither of them came out looking wonderful with respect to their WAF capabilities.
     
  16. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,471
    Location:
    qld.au
    CloudFlare have changed their system massively since then. When that report was first run, they were simply relying on their heuristic tests. They're now using the OWASP ModSecurity core rule set, so roughly what you see in the ModSecurity results is what you should see through CloudFlare. Here's their blog on it: http://blog.cloudflare.com/heuristics-and-rules-why-we-built-a-new-old-waf/

    ModSecurity is one of the better WAF platforms you can run, especially if you pay for some of the rule packs. However, it does take significant resource to do so and can take some ongoing management to keep it all smooth.

    This is what makes CloudFlare a nice solution, especially now that it's part of the $20 plan and not just on the $200+ plan. You can also purchase and run third party ModSecurity rulesets as well. For example, the AtomicCorp ruleset is $14.95 a month (US).

    There's also a number of other security features (such as the bad bot / malicious IP blocks) which make it a fairly powerful combo at a very reasonable price.
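On the "ongoing management" point: running ModSecurity with the CRS means regularly reviewing what the rules actually fired on, because a rule that trips on normal forum traffic (a post body that happens to look like SQL, say) needs tuning rather than being left to block members. The Python below is an added example, not from this thread and not from the ModSecurity or CRS projects; it parses ModSecurity 2.x alert lines in Apache error-log format, summarises them per rule and per client, and applies a simple heuristic for spotting likely false positives. The log lines, the rule ids 900001 and 900002, the hostname and the addresses are constructed sample data, not real CRS rule ids.

```python
"""Summarise ModSecurity 2.x alert lines (Apache error-log format) per rule
and per client, and flag rules that look like false positives.

Added example, not from the thread or from the ModSecurity/CRS projects.
All log lines, rule ids, hostnames and addresses below are constructed.
"""
import re
from collections import Counter, defaultdict

# ModSecurity appends bracketed pairs such as [id "900001"] [msg "..."] [tag "..."]
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
ACTION_RE = re.compile(r"ModSecurity: (Warning|Access denied with code \d+)")


def parse_line(line):
    """Return a dict for one alert line, or None for non-ModSecurity lines."""
    if "ModSecurity:" not in line:
        return None
    pairs = KV_RE.findall(line)
    fields = dict(pairs)                     # last value wins for repeated keys
    client = CLIENT_RE.search(line)
    action = ACTION_RE.search(line)
    return {
        "client": client.group(1) if client else None,
        "blocked": bool(action) and action.group(1).startswith("Access denied"),
        "id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
        "severity": fields.get("severity"),
        "tags": [v for k, v in pairs if k == "tag"],   # tag may repeat
    }


def summarise(lines):
    """Aggregate alerts: hits, blocks, distinct URIs and clients per rule id,
    plus a hit count per client address."""
    per_rule = defaultdict(lambda: {"hits": 0, "blocked": 0, "msg": None,
                                    "uris": set(), "clients": set()})
    per_client = Counter()
    for line in lines:
        alert = parse_line(line)
        if alert is None or alert["id"] is None:
            continue
        rule = per_rule[alert["id"]]
        rule["hits"] += 1
        rule["blocked"] += int(alert["blocked"])
        rule["msg"] = rule["msg"] or alert["msg"]
        rule["uris"].add(alert["uri"])
        rule["clients"].add(alert["client"])
        per_client[alert["client"]] += 1
    return {"per_rule": dict(per_rule), "per_client": per_client}


def likely_false_positives(summary, min_clients=3):
    """Heuristic: a rule firing on a single URI from many distinct clients is
    probably matching legitimate traffic on that page and needs tuning, whereas
    one client tripping rules across many URIs looks like a scan."""
    return sorted(
        rule_id for rule_id, r in summary["per_rule"].items()
        if len(r["clients"]) >= min_clients and len(r["uris"]) == 1
    )


# Constructed sample log lines in ModSecurity's Apache error-log style.
SAMPLE_LOG = [
    '[Mon Dec 08 10:12:03 2014] [error] [client 203.0.113.9] ModSecurity: Warning. '
    'Pattern match "(?i:example-probe)" at ARGS:q. [file "/etc/modsecurity/example.conf"] '
    '[line "12"] [id "900001"] [msg "Example SQL injection probe rule"] [severity "CRITICAL"] '
    '[tag "WEB_ATTACK/SQL_INJECTION"] [hostname "forums.example"] [uri "/search.php"] [unique_id "A1"]',
    '[Mon Dec 08 10:12:04 2014] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "(?i:example-probe)" at ARGS:q. [file "/etc/modsecurity/example.conf"] '
    '[line "12"] [id "900001"] [msg "Example SQL injection probe rule"] [severity "CRITICAL"] '
    '[hostname "forums.example"] [uri "/search.php"] [unique_id "A2"]',
    '[Mon Dec 08 10:13:01 2014] [error] [client 198.51.100.4] ModSecurity: Warning. '
    'Pattern match "(?i:example-html)" at ARGS:message. [file "/etc/modsecurity/example.conf"] '
    '[line "30"] [id "900002"] [msg "Example XSS rule"] [severity "CRITICAL"] '
    '[hostname "forums.example"] [uri "/newreply.php"] [unique_id "B1"]',
    '[Mon Dec 08 10:13:07 2014] [error] [client 198.51.100.5] ModSecurity: Warning. '
    'Pattern match "(?i:example-html)" at ARGS:message. [file "/etc/modsecurity/example.conf"] '
    '[line "30"] [id "900002"] [msg "Example XSS rule"] [severity "CRITICAL"] '
    '[hostname "forums.example"] [uri "/newreply.php"] [unique_id "B2"]',
    '[Mon Dec 08 10:13:20 2014] [error] [client 198.51.100.6] ModSecurity: Warning. '
    'Pattern match "(?i:example-html)" at ARGS:message. [file "/etc/modsecurity/example.conf"] '
    '[line "30"] [id "900002"] [msg "Example XSS rule"] [severity "CRITICAL"] '
    '[hostname "forums.example"] [uri "/newreply.php"] [unique_id "B3"]',
    '[Mon Dec 08 10:13:21 2014] [notice] Apache/2.2 configured -- resuming normal operations',
]

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for rule_id, r in sorted(result["per_rule"].items()):
        print(rule_id, r["hits"], "hits,", r["blocked"], "blocked,", r["msg"], sorted(r["uris"]))
    print("busiest clients:", result["per_client"].most_common(3))
    print("review for tuning:", likely_false_positives(result))
```

In the sample, rule 900002 fires on one reply-posting page from three different members, which is the pattern worth reviewing before it is switched from logging to blocking; rule 900001 fires on the search page from a single address and is the pattern a block is meant for. The same summary applies to CloudFlare's WAF event log once the rules there are the CRS, which is the point made above.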
     
  17. encode

    encode Member

    Joined:
    May 21, 2003
    Messages:
    497
    Location:
    Wollongong
    Linode offer managed services at $100/linode. Their pricing is fairly competitive as far as the VPS goes, and they do load balancers etc as well.
     
  18. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,645
    Location:
    Sydney, Australia
    Ah great, thanks for the update. I'll check the CloudFlare blog entry when I get home, it's blocked here at work.
     
  19. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682

    As much as I love Linode, they don't offer an AU based host, and forcing a 160ms RTT on 90% of the user base is silly (I'm looking at you, bigfooty).
     
  20. aza2001

    aza2001 Member

    Joined:
    Sep 14, 2002
    Messages:
    2,016
    Location:
    Northmead
    I'd like to throw into the mix: why not a Sophos UTM sitting in front, which also has a WAF built in plus other features like IPS etc.?

    At least you will have visibility/transparency on the website & traffic; as well, there is a way to have a hosted solution through AWS.

    How will you be backing up the environment?

    Regards,
    Az
     
    Last edited: Dec 8, 2014