Implementation Plan
1. SSL Certificate and Domain Setup
- Purchase SSL Certificate: Obtain an SSL certificate from GoDaddy if you haven't already.
- Link Domain to DigitalOcean Droplet (GoDaddy):
  - DNS Configuration:
    - Log in to your GoDaddy account.
    - Navigate to the Domain Manager and select the domain.
    - Under the DNS settings, update the A record to point to your DigitalOcean droplet's public IP.
    - Set up CNAME records if needed (for www subdomains).
    - Wait for DNS propagation (may take up to 48 hours).
    - GoDaddy Documentation: Managing DNS Records
  - SSL Certificate Installation:
    - Generate a CSR (Certificate Signing Request):
      - SSH into your droplet and generate the CSR:
        sudo openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
      - Enter details as prompted.
    - Upload the CSR in your GoDaddy account and complete the validation process.
    - Download the certificate files once issued.
  - Install the SSL Certificate on Nginx:
    - Transfer the certificate files to your droplet using SCP or SFTP.
    - Configure Nginx to use the SSL certificate:
      sudo nano /etc/nginx/sites-available/default
      Add the following under the server block for port 443:
      server {
          listen 443 ssl;
          server_name yourdomain.com www.yourdomain.com;
          ssl_certificate /etc/nginx/ssl/yourdomain.crt;
          ssl_certificate_key /etc/nginx/ssl/yourdomain.key;
      }
    - Test and reload Nginx:
      sudo nginx -t
      sudo systemctl reload nginx
    - GoDaddy SSL Certificate Installation Guide for Nginx
2. Initial Setup
- Create Virtual Private Cloud (VPC): Set up a VPC in DigitalOcean for secure network isolation.
- Configure Public and Private IPs: Assign public and private IPs to droplets and configure Floating IPs if needed.
- DNS Setup: Create A and CNAME records in DigitalOcean to point to your domain.
- Load Balancers: Create load balancers if necessary and attach droplets.
3. Security Configurations
- SSH Key Setup: Set up key-based authentication and disable password login.
- Firewall (UFW) Setup: Enable UFW and configure necessary ports (SSH, HTTP, HTTPS).
  sudo ufw allow OpenSSH
  sudo ufw allow 'Nginx Full'
  sudo ufw enable
- Fail2Ban Setup: Install Fail2Ban to prevent brute-force attacks.
  sudo apt install fail2ban
- Enable Automatic Security Updates: Set up unattended upgrades for security patches.
  sudo apt install unattended-upgrades
  sudo dpkg-reconfigure --priority=low unattended-upgrades
4. Application and Web Security
- SSL/TLS Setup: Verify the proper implementation of SSL/TLS. Redirect HTTP traffic to HTTPS.
  Add a 301 redirect:
  sudo nano /etc/nginx/sites-available/default
  server {
      listen 80;
      server_name yourdomain.com www.yourdomain.com;
      return 301 https://$host$request_uri;
  }
- Install Web Application Firewall (WAF): Consider using a WAF like ModSecurity for Nginx.
- HTTP Security Headers: Add security headers in Nginx:
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
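As an added example (not part of the original plan), a small POSIX sh script that checks the site file and private key produced by sections 1 and 4 before Nginx is reloaded: every directive the plan calls for must be present, and the key must not be readable by group or other. The function names and the sample config are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not part of the original plan: a static pre-reload check for
# the Nginx site file edited in sections 1 and 4. Function names
# (check_nginx_tls, key_mode_ok, sample_config) and the sample config are
# constructed for illustration.

# key_mode_ok FILE: private key must not be readable or writable by group/other
key_mode_ok() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      echo "key $1 is accessible to group/other"; return 1 ;;
    esac
}

# check_nginx_tls CONF KEY: each directive from sections 1 and 4 must appear in
# CONF and KEY must be private. Prints what is missing; returns 0 only if all ok.
check_nginx_tls() {
    conf="$1"; key="$2"; bad=0
    for needle in 'listen 443 ssl' 'ssl_certificate ' 'ssl_certificate_key' \
        'return 301 https://$host$request_uri' \
        'add_header X-Content-Type-Options nosniff' \
        'add_header X-Frame-Options "SAMEORIGIN"'
    do
        grep -qF -- "$needle" "$conf" || { echo "missing: $needle"; bad=1; }
    done
    key_mode_ok "$key" || bad=1
    return $bad
}

# sample_config: constructed site file that combines the plan's 80 and 443 blocks
sample_config() {
cat <<'EOF'
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/nginx/ssl/yourdomain.crt;
    ssl_certificate_key /etc/nginx/ssl/yourdomain.key;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
}
EOF
}
```

On a real droplet, source the script and run `check_nginx_tls /etc/nginx/sites-available/default /etc/nginx/ssl/yourdomain.key` under sudo before `sudo nginx -t`; a non-zero exit lists what still needs fixing.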
5. Monitoring and Backups
- Install Monitoring Tools: Use tools like Prometheus and Grafana to monitor server health.
- Automated Backups: Set up DigitalOcean's automatic backups.
6. Documentation and Maintenance
- Document IP, DNS, SSL, and security settings.
- Regular Maintenance:
- Weekly log checks and monitoring alerts.
- Monthly security audits and documentation updates.
- Quarterly security testing and performance reviews.
This plan provides a clear path from setting up your droplet, domain, SSL, and security to ongoing maintenance and monitoring.