Jump to content

Services:Best Practices: Difference between revisions

From jb-vpn.uk Wiki
← Older edit
Content added - troubleshooting guide: Best Practices for Adding Services (11 sections)
Updated documentation from markdown files
 
Line 1: Line 1:
This document outlines best practices when adding new services to the reverse proxy system.
Best practices when adding hostnames to the Caddy reverse proxy.


== General Best Practices ==
== General ==


=== '''Always test configuration''' before reloading nginx ===
* Validate the Caddyfile before reload: <code>caddy validate --config /etc/caddy/Caddyfile</code>
== '''Use descriptive subdomain names''' that indicate the service ==
== '''Document your services''' in [Current Services](current-services.md) ==
== '''Backup configurations''' before making changes ==
== '''Monitor logs''' after adding new services ==
== '''Use HTTPS''' for all public-facing services ==
== '''Test thoroughly''' before marking service as complete ==


== Checklist ==
* Use clear subdomain names and document them in [[Services:Current Services]]


Use this checklist when adding a new service:
* Back up <code>/etc/caddy/Caddyfile</code> before changes


* [ ] DNS A record created and propagated
* Check <code>journalctl -u caddy</code> after adding a site


* [ ] Service running on Synology NAS
* Use HTTPS for all public services (Caddy handles certificates automatically)


* [ ] Service accessible from VPN network
* Test VPS backends with <code>curl</code> on <code>127.0.0.1</code> before testing the public URL


* [ ] Nginx configuration file created
== Checklist ==


* [ ] Site enabled (symlink created)
* [ ] DNS A record points to <code>87.106.61.62</code>


* [ ] Nginx configuration tested (<code>nginx -t</code>)
* [ ] Backend running and reachable from VPS (<code>127.0.0.1</code> or <code>10.8.0.2</code> via VPN)


* [ ] Nginx reloaded
* [ ] Site block added to <code>/etc/caddy/Caddyfile</code>


* [ ] HTTP access verified
* [ ] <code>caddy validate</code> succeeds


* [ ] SSL certificate obtained
* [ ] <code>systemctl reload caddy</code> completed


* [ ] HTTPS access verified
* [ ] <code>curl -I https://newservice.jb-vpn.uk</code> succeeds


* [ ] Browser testing completed
* [ ] Browser test with valid certificate


* [ ] Service documented in [Current Services](current-services.md)
* [ ] Entry added to [[Services:Current Services]]


== Security Considerations ==
== Security ==


* Always use HTTPS for public-facing services
* Prefer VPN-backed NAS services over exposing the NAS to the internet


* Keep SSL certificates up to date (automatic renewal via Certbot)
* Restrict sensitive admin UIs where possible (e.g. phpMyAdmin basic auth in Caddyfile)


* Use strong authentication for services that require it
* Keep OpenVPN and VPS packages updated


* Monitor access logs for unusual activity
== Related documentation ==


== Related Documentation ==
* [Step By Step Step-by-Step Process]


* [Step-by-Step Process](step-by-step.md) - Setup process
* [Prerequisites Prerequisites]


* [[Documentation:Index|Troubleshooting]] - Common issues


[[Category:Documentation]]
[[Category:Documentation]]
[[Category:Documentation/Services]]
[[Category:Documentation/Services]]
[[Category:Documentation/Services/Adding Services]]
[[Category:Documentation/Services/Adding Services]]

Latest revision as of 14:04, 16 May 2026

Best practices when adding hostnames to the Caddy reverse proxy.

General

[edit]
  • Validate the Caddyfile before reload: caddy validate --config /etc/caddy/Caddyfile
  • Back up /etc/caddy/Caddyfile before changes
  • Check journalctl -u caddy after adding a site
  • Use HTTPS for all public services (Caddy handles certificates automatically)
  • Test VPS backends with curl on 127.0.0.1 before testing the public URL

Checklist

[edit]
  • [ ] DNS A record points to 87.106.61.62
  • [ ] Backend running and reachable from VPS (127.0.0.1 or 10.8.0.2 via VPN)
  • [ ] Site block added to /etc/caddy/Caddyfile
  • [ ] caddy validate succeeds
  • [ ] systemctl reload caddy completed
  • [ ] Browser test with valid certificate

Security

[edit]
  • Prefer VPN-backed NAS services over exposing the NAS to the internet
  • Restrict sensitive admin UIs where possible (e.g. phpMyAdmin basic auth in Caddyfile)
  • Keep OpenVPN and VPS packages updated
[edit]
  • [Step By Step Step-by-Step Process]
  • [Prerequisites Prerequisites]
Retrieved from "https://wiki.jb-vpn.uk/index.php?title=Services:Best_Practices&oldid=254"