Soon, I will be looking to deploy my first AwareIM app.
I am thinking of using an Amazon Web Services (AWS) server. I think one advantage of that, as I understand it, is that it's elastic and can be expanded (CPUs, memory, etc.) as the application needs to scale up due to higher volume.
Since I am most familiar with Windows (and maybe that's bad reasoning to decide), it will be a Windows server.
Since I will need access to that server to install software at will (on demand), I think it needs to be an "unmanaged" server.
I will need to install SQLExpress. I do not believe that SQL Server Standard Edition is free.
When I deploy the AWAREIM app, I think it installs all components, including Tomcat. I am not familiar with the java executable / Tomcat "run settings" to allocate memory, etc, so that application performance is best achieved. So, the default java / Tomcat run settings may not be best.
For the application, I am thinking that this will best execute as a link from a "Main" Website domain (with all the pretty stuff) to the AwareIM app. In that scenario the app will be on a separate domain, correct? Otherwise I would have to run in a frame in the Main website, and I am guessing that is sub-optimal. Maybe the two approaches do not necessitate 2 separate domains?
Does this above sound like a reasonable architecture? I am probably missing some things.
Dave
Deployment architecture
Re: Deployment architecture
We use AWS, but you should restrict RDP access to the server or it will get hacked.
Refer https://docs.aws.amazon.com/AWSEC2/late ... tance.html
AWS Linux, Windows Server, AIM 8.4 & 8.6
Re: Deployment architecture
Wow. Great tip. I will be sure to take note, and make sure security is setup to handle that.
May I ask if your architecture setup is similar to the one I am describing? I basically know how to spell AWS, but that's it
Dave
Re: Deployment architecture
I have now migrated 7 of my 8 servers away from AWS and into Upcloud.
Much Simpler
Nearly twice as fast + basically 1/2 the cost.
And allows you to back up an entire server in the blink of an eye (I actually had to test it to believe it !!)
You are welcome to use this referral code...
https://upcloud.com/signup/?promo=F7YB75
Additionally....
Have moved all DB except 1 from MySQL to MariaDB
I agree about RDP..... Change port and user and crazy long strong password.... and install IPBan. Made a huge difference.
There are a few other gotchas (such as SSL certs and all the changes after an Aware IM update, landing pages and Font Awesome etc etc) but let me know when you get there and I will give you a hand and point you in the right direction for resources.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Re: Deployment architecture
I agree with pretty much everything said here, however port numbers and long password strings alone will not protect you from all attempts.
Classic example is 'bluekeep' vulnerability.
https://www.bleepingcomputer.com/news/s ... ndows-pcs/
Security is like an onion.. layers!
I would consider the following.
1. Keep on-top of vulnerabilities by having latest updates (in your case windows updates).
2. Change the port from 3389 to something else .
3. Long password.
4. Restrict access to RDP port via firewall
5. Consider a VPN server (if you're really paranoid) as you'll need another method to authenticate.
6. Consider a 2FA service when it comes to logging into said server as an administrator.
7. Geoblock / reverse proxy requests as much as possible.
8. USE SSL and have up to date ciphers.
9. Run AwareIM under a restricted user.
General rule of thumb is to keep a bare minimum of ports open and layer on the security from there.
I personally use Linux (shell) on AWS infrastructure with a raft of other applications/customisations to hide AwareIM from the exposed internet as much as possible.
Avid Linux user....
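The two replies above recommend restricting RDP at the AWS security group and then layering host-side controls (non-default port, firewall restriction, lockout, restricted service user). The script below is an added example of those layers on a Windows EC2 instance; it is not code from the thread, from Aware IM, or from any of the posters. The admin CIDR 203.0.113.10/32, the security group id sg-0123456789abcdef0, the port 53389, the service name "AwareIM" and the account "awareim-svc" are all assumed placeholder values and must be replaced with your own.

```powershell
# Added example (not from the forum thread): harden RDP on a Windows EC2 instance in layers.
# All identifiers below are assumptions: admin egress address 203.0.113.10/32,
# security group sg-0123456789abcdef0, RDP listener port 53389, Windows service "AwareIM",
# local account "awareim-svc". Run in an elevated PowerShell session on the instance;
# the aws CLI calls need credentials with EC2 permissions.

$AdminCidr   = '203.0.113.10/32'        # assumption: fixed office/VPN egress address
$SecurityGrp = 'sg-0123456789abcdef0'   # assumption: the instance's security group id
$NewRdpPort  = 53389                    # assumption: non-default listener port

# Layer 1: AWS security group. Remove the common "3389 open to the world" rule and
# allow only the admin CIDR on the new port (item 4 of the list: firewall restriction).
aws ec2 revoke-security-group-ingress --group-id $SecurityGrp --protocol tcp --port 3389 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id $SecurityGrp --protocol tcp --port $NewRdpPort --cidr $AdminCidr

# Layer 2: move the RDP listener off 3389 (item 2). This only reduces scanner noise;
# it does not replace patching (item 1).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $NewRdpPort -Type DWord

# Layer 3: require Network Level Authentication so a client must authenticate
# before a full session is negotiated.
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# Layer 4: Windows Firewall. Disable the stock Remote Desktop rules (port 3389) and add
# one inbound rule for the new port that accepts traffic from the admin CIDR only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP (restricted)' -Direction Inbound -Protocol TCP `
    -LocalPort $NewRdpPort -RemoteAddress $AdminCidr -Action Allow -Profile Any

# Layer 5: account lockout against password guessing (items 3 and the IPBan suggestion):
# 5 failures lock the account for 30 minutes, counter resets after 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Layer 6: run the application service as a non-administrator account (item 9).
# The service name "AwareIM" and the account "awareim-svc" are assumptions;
# check services.msc for the real service name on your install.
$svcCred = Get-Credential -UserName 'awareim-svc' -Message 'Service account password'
$svc = Get-CimInstance Win32_Service -Filter "Name='AwareIM'"
$null = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = '.\awareim-svc'
    StartPassword = $svcCred.GetNetworkCredential().Password
}

# Apply the new listener port. This drops the current RDP session, so reconnect on $NewRdpPort.
Restart-Service -Name 'TermService' -Force
```

Run the security group changes first and confirm you can still reach the new port from the admin address before restarting TermService; if the revoke or the firewall rule is wrong you can lock yourself out and will need the EC2 console (or a second allowed address) to recover. The service account also needs Modify rights on the Aware IM and Tomcat directories, which this script does not grant.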
Re: Deployment architecture
Thanks, I will look through those and make sure they are implemented on the AWS install. I will have to hire someone to do all this, as I have no experience in server setup and admin.
Dave