
Have Your DB and Web App In Separate Droplets

April 5, 2017

Author: Akeem Spencer



Read Time: 5 minutes

Last week I realized, with the onslaught of sshd-ddos and sshd attacks coming from China, that it's best to transfer my PostgreSQL server to a completely separate host region. When logging into my user account, I can open my mailbox and never fail to see 100+ replica messages looking like this:

![China Attackers][1]

Inside the message, these provinces are "attacking" me:

![regional attack message][3]

So with this barrage of attacks, I've decided to move my PostgreSQL server to another droplet, hosted by DigitalOcean. Before you start tampering with the droplet, take note of how you can set up another database in a private VPS with this series of steps.

# Step 1: Choose Your Image

I didn't know exactly what remote OS my website should run behind, but initially I picked the $20 per month plan. Review the plan that's suitable for your corporation, company, etc.

![digitalocean plans][4]

Once you've selected a plan that's feasible for you as a developer, check the virtual private networking, snapshot (a.k.a. the diff tool plan), and IPv6 options; they are the additional extensions to use later on during the configuration of the droplet. I'd suggest renaming it to the DB your website currently works in conjunction with (Redis@host, mysql@host, etc.). Don't forget to check the backup feature for the droplet; it will help considerably if things go wrong in the future!

# Step 2: Install & Configure The Host

If you want me to send you an email tutorial for your DB of choice, hit me up on aspencerpsu@gmail.com. Otherwise, this is going to reference PostgreSQL.

If you have a high-speed internet connection, I suggest configuring the droplet on DigitalOcean's built-in terminal.
If your web speed is shoddy, then ssh into the terminal. Having SSH RSA keys saved onto your personal computer is slightly inadvisable and doesn't truly take into account wanting a secure background, so if it's unavoidable, go for the console; otherwise, use this command AFTER the configuration goes smoothly:

> `ssh-keygen -R <your-droplet-hostname>`

Install the following packages onto the root:

    root@myhost:~$ sudo apt-get install python-dev python3-pip \
        python3-dev libpq-dev postgresql \
        postgresql-contrib

These packages install the developer tools for PG (PostgreSQL) and the cluster commands for PostgreSQL, which make the database transfer of tables easier and more methodical.

Next, open the `pg_hba.conf` file and change the highlighted line:

![pg_host_based_file][5]

Your original host environment can now connect to your remote server with the configuration displayed above. For extra security purposes, you can use your IPv6 address instead.

You'll also have to change the main `postgresql.conf` file in the same server directory:

![postgresql_configuration_file][6]

I've included the file location parameters for two specific reasons:

- It's the default location
- Change it for obvious reasons

Change the file location and have it buried two directory levels down from the original location to keep your staff unaware of where it is. Remember you're dealing with personal data that other people, and even you yourself, should not have access to (superusers included). Change the `listen_addresses` setting to the private IP address that was created when the droplet was generated.

# Step 3: Change Django's settings file

Change the `DATABASES` parameter as shown below:

![django_conf_file][7]

Use the same private IP address you used for `listen_addresses`. Send a SIGHUP to the PostgreSQL server so it rereads its configuration file, and a SIGHUP to the forward proxy engine your website renders requests through, and voila!

You should be in the clear for a more secure and comfortable system where everything works in conjunction.

# Overview

This post is targeted at the at-home bloggers and web devs doing everything themselves. If your infrastructure begins to flourish and grow exponentially, it's highly desirable to change your configuration management to a third-party company like Ansible, Chef or Puppet. Keep looking out for more posts from me, and if you're a dev like me, always show others how to protect themselves online and share these tips with others.

If you have any problems, send me an email at aspencerpsu@gmail.com

Thank You,
Akeem Leighton Foster Spencer

[1]: https://spencertechconsulting.com/media/failure_messages.JPG
[2]: https://spencertechconsulting.com/media/failure_messages.JPG
[3]: https://spencertechconsulting.com/media/chinese_hackers.JPG
[4]: https://www.digitalocean.com/assets/media/homepage/create-5fe2f870.gif
[5]: https://spencertechconsulting.com/media/pg_hba_conf.JPG
[6]: https://spencertechconsulting.com/media/postgresmainconfig.JPG
[7]: https://spencertechconsulting.com/media/django_conf_file.JPG


About The Author


Akeem

Akeem Spencer is the owner, manager, and architect behind Spencer Tech Consulting. You can catch him at @UUID_Akeem or find him on LinkedIn @ Akeem Spencer. My hobbies include running, active boxing training intervals such as Shaun T Insanity Workouts, and giving it the best I've got in 2018 onwards, with projects both virtual and physical.