Purpose

The OSE Development Server (osedev1) is a cheap cloud server with a huge disk. It is a minimal lxc host that also runs our VPN server. Development (which could be destructive by definition) should not take place on this osedev1 instance, but rather on lxc containers hosted on osedev1.

Security

Because this server is a staging server, it necessarily has mirrored state (ie: DBs & files) from production. This state contains very sensitive content including, for example, databases of our users' PII such as names, addresses, email addresses, usernames, and (hashed) passwords.

And because this server is also a development server, at any given time it's likely to be running untested code and insecure configurations.

Therefore, to keep the data safe on this machine, only two services should be exposed on the Internet:

1. SSH
2. OpenVPN

All other traffic must be blocked by iptables.

Both of these services must be hardened. All developers working on the OSE Dev server should first authenticate to OpenVPN. Once given a "local" IP address by OpenVPN, they can freely & securely interact with the dev server.

Initial Creation (Aug 2019)

On August 1st, 2019 Marcin approved my (Michael Altfield) request to spend $100/year on a development server to facilitate the a POC for Discourse (and Askbot) without breaking prod.

The intention was to spin-up the cheapest hetzner cloud node with a 50G block volume. So a CX11 @ 2.49 EUR/mo w/ 1 vCPU, 2G RAM, & 20G disk) + 50G block storage @ 2.00 EUR/mo (total @ 4.49 EUR/mo). That's compared to our existing dedicated production server w/ 4 CPUs, 64G RAM, & 2x 250G disks @ 39 EUR/mo.

See Also

• Web server configuration
• Wordpress
• Vanilla Forums
• Mediawiki
• Munin
• Awstats
• Ossec
• VPN

FAQ

1. What makes VPN and SSH channels secure for staging server purposes? Which other channels are particularly vulnerable?