mirre-mt/masters-thesis
Archived
1
0
Fork 0
Code Releases 1 Activity

tex: add stuff on test environment

Browse Source
This commit is contained in:
surtur 2023-08-14 13:38:56 +02:00
parent d8a021183a
commit 1707c125b7
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
1 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
tex/part-practical.tex
View File

@ -1164,13 +1164,34 @@ checking of all paths, not just the \emph{happy path} where there are no
issues. issues.
\n{2}{Testing environment} \n{2}{Test environment}
The application has been deployed in a testing environment on author's modest The application has been deployed in a test environment on author's modest
Virtual Private Server (VPS) at \texttt{https://testpcmt.dotya.ml}, protected Virtual Private Server (VPS) at \texttt{https://testpcmt.dotya.ml}, protected
by \emph{Let's Encrypt}\allowbreak issued, short-lived, ECDSA by \emph{Let's Encrypt}\allowbreak issued, short-lived, ECDSA
\texttt{secp384r1} curve TLS certificate, and configured with strict CSP. It is \texttt{secp384r1} curve TLS certificate, and configured with strict CSP. It is
a testing instance; therefore, limits to prevent abuse might be imposed. a test instance; therefore limits (and rate-limits) to prevent abuse might be
imposed.
The application in the test environment is available over both modern IPv6 and
legacy IPv4 protocols, to maximise accessibility. Redirects have been set up
from plain HTTP to HTTPS, as well as from \texttt{www} to non-\texttt{www}
domain. The subject domain configuration has been hardened with a \texttt{CAA}
record limiting certificate authorities (CAs) that are able to issue TLS
certificates for it (and let them be trusted by validating clients).
Additionally, the main domain (\texttt{dotya.ml}) had enabled \textit{HTTP
Strict Transport Security} (HSTS) including the subdomains quite some time ago
(consult the preload lists in Firefox/Chrome), which mandates that clients
speaking HTTP only connect to it (and the subdomains) using TLS.
The whole deployment has been orchestrated using an Ansible\footnotemark{}
playbook created for this occasion, with the aim to have the whole deployment
process reliably automated. At the same time, it is now described reasonably
well in the code. An effort has been made to make the playbook idempotent. Its
code is available at \url{https://git.dotya.ml/mirre-mt/ansible-pcmt.git}.
\footnotetext{A Nix-ops approach was also considered, however, Ansible was
pickes as more suitable since the existing host runs Arch.}
\n{3}{Deployment validation} \n{3}{Deployment validation}