
Services:Best Practices: Difference between revisions

From jb-vpn.uk Wiki
Added troubleshooting guide: Best Practices for Adding Services
 
Updated documentation from markdown files
 
(2 intermediate revisions by the same user not shown)
Previous revision:

= Best Practices for Adding Services =

This document outlines best practices when adding new services to the reverse proxy system.

== General Best Practices ==

# '''Always test configuration''' before reloading nginx
# '''Use descriptive subdomain names''' that indicate the service
# '''Document your services''' in [Current Services](current-services.md)
# '''Backup configurations''' before making changes
# '''Monitor logs''' after adding new services
# '''Use HTTPS''' for all public-facing services
# '''Test thoroughly''' before marking service as complete

== Checklist ==

Use this checklist when adding a new service:

* [ ] DNS A record created and propagated
* [ ] Service running on Synology NAS
* [ ] Service accessible from VPN network
* [ ] Nginx configuration file created
* [ ] Site enabled (symlink created)
* [ ] Nginx configuration tested (<code>nginx -t</code>)
* [ ] Nginx reloaded
* [ ] HTTP access verified
* [ ] SSL certificate obtained
* [ ] HTTPS access verified
* [ ] Browser testing completed
* [ ] Service documented in [Current Services](current-services.md)

== Security Considerations ==

* Always use HTTPS for public-facing services
* Keep SSL certificates up to date (automatic renewal via Certbot)
* Use strong authentication for services that require it
* Monitor access logs for unusual activity

== Related Documentation ==

* [Step-by-Step Process](step-by-step.md) - Setup process
* [[Documentation:Index|Troubleshooting]] - Common issues

[[Category:Documentation]]
[[Category:Documentation/Services]]
[[Category:Documentation/Services/Adding Services]]

Latest revision:

Best practices when adding hostnames to the Caddy reverse proxy.

== General ==

* Validate the Caddyfile before reload: <code>caddy validate --config /etc/caddy/Caddyfile</code>
* Use clear subdomain names and document them in [[Services:Current Services]]
* Back up <code>/etc/caddy/Caddyfile</code> before changes
* Check <code>journalctl -u caddy</code> after adding a site
* Use HTTPS for all public services (Caddy handles certificates automatically)
* Test VPS backends with <code>curl</code> on <code>127.0.0.1</code> before testing the public URL

== Checklist ==

* [ ] DNS A record points to <code>87.106.61.62</code>
* [ ] Backend running and reachable from VPS (<code>127.0.0.1</code> or <code>10.8.0.2</code> via VPN)
* [ ] Site block added to <code>/etc/caddy/Caddyfile</code>
* [ ] <code>caddy validate</code> succeeds
* [ ] <code>systemctl reload caddy</code> completed
* [ ] <code>curl -I https://newservice.jb-vpn.uk</code> succeeds
* [ ] Browser test with valid certificate
* [ ] Entry added to [[Services:Current Services]]

== Security ==

* Prefer VPN-backed NAS services over exposing the NAS to the internet
* Restrict sensitive admin UIs where possible (e.g. phpMyAdmin basic auth in Caddyfile)
* Keep OpenVPN and VPS packages updated

== Related documentation ==

* [Step By Step Step-by-Step Process]
* [Prerequisites Prerequisites]

[[Category:Documentation]]
[[Category:Documentation/Services]]
[[Category:Documentation/Services/Adding Services]]

Latest revision as of 14:04, 16 May 2026
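As an added example (not from this wiki page or its Caddyfile), the two Security items above expressed as Caddyfile site blocks: an admin UI such as phpMyAdmin gated behind <code>basic_auth</code>, and a NAS service proxied over the documented <code>10.8.0.2</code> VPN address instead of exposing the NAS itself. The hostnames, backend ports and the hash placeholder are assumptions; Caddy still obtains the HTTPS certificates automatically.

```caddyfile
# Assumed hostname and backend port; HTTPS is automatic, but the admin UI
# itself is restricted with HTTP basic auth as the Security section advises.
phpmyadmin.jb-vpn.uk {
    basic_auth {
        # Replace the placeholder with the bcrypt output of: caddy hash-password
        admin REPLACE_WITH_CADDY_HASH_PASSWORD_OUTPUT
    }
    reverse_proxy 127.0.0.1:8080
}

# Assumed hostname and NAS port. The backend is reached through the OpenVPN
# tunnel (10.8.0.2 is the VPN address documented in the checklist), so only
# the VPS terminates public traffic and the NAS is never exposed directly.
nas.jb-vpn.uk {
    reverse_proxy 10.8.0.2:5000
}
```

After adding either block, run the checklist as written: <code>caddy validate --config /etc/caddy/Caddyfile</code>, then <code>systemctl reload caddy</code>, then <code>curl -I</code> against the public URL.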