How should I deploy my web form in a production environment?

1

First of all, I'm not sure if this is the right place for this question, but since it was marked as off-topic on Server Fault I thought I should try it here.

I'm going to start with the current development setup: I have a local apache webserver managed with XAMPP and no SSL/Certification set up, running on my personal computer. I have a small MySQL database in the background.

The website is supposed to provide a simple form for the employees to enter their shift details (start time, end time, number of boxes processed etc.) into. These details are then sent and stored inside the MySQL database.

I believe that the environment is relatively low risk. I don't believe that anybody working with the site is going to try to tamper with the security in any serious way, so basic security required by European law (GDPR) should be enough. I know that my current setup is not for production, but I'm also extremely new to this kind of project and that's why I want to get some ideas from you guys about how to set things up.

My questions are (but are not limited to):

  • Should the server and database be running locally (at home) or in the cloud (with azure or something like that)?
  • If it runs locally how can the employees in the company connect to the local server (via a VPN maybe?)?
  • How can I guarantee availability when I run it locally?
  • What alternatives are there to XAMPP (that are for production and not development)?
  • What else should I take into consideration?

Thank you very much in advance!!

CVE-2017-5754

Posted 2018-10-07T21:44:05.117

Reputation: 13

Question was closed 2018-10-08T20:05:47.057

This is off-topic here too, as it's simply too broad. Questions on here should be about specific problems. – confetti – 2018-10-07T21:48:36.403

Is there any place I can ask this question? – CVE-2017-5754 – 2018-10-07T21:50:37.000

You potentially have a bunch of different question(s) that might need to be asked in different areas. Server@home? Best if it runs locally inside the company to avoid access issues, otherwise cloud so it can be running 24x7. You should probably use a PHP framework to deal with some issues for you. The structure and coding is Stack Overflow, security is Information Security. There is also Database Administrators for mysql/database questions. – cybernard – 2018-10-08T00:53:13.160

How can I guarantee availability when I run it locally? Define how strict your uptime must be. In most cases a decent UPS with cable modem, computer, and network switch plugged in, if you got a separate router/switch. Complete loss of power: install a generator. You may need 2 or more ISPs to guarantee your internet stays up. How about earthquake, flood, fire, or etc. protection? It gets more and more complicated and expensive. This is why cloud computing makes more sense, they got those handled for you. – cybernard – 2018-10-08T01:00:30.723

Thank you very much for your extensive answers. The problem is that multiple geographical locations have to be covered. That's why I want to run it at home. It's not really a professional thing, I'm just doing this for my dad as a hobby project. I'm going to try to split up my question and search for the right communities. – CVE-2017-5754 – 2018-10-08T07:11:13.997

Answers

0

Should the server and database be running locally (at home) or in the cloud (with azure or something like that)?

Both are possible, each with its advantages and disadvantages. The most important consideration is availability.

If it runs locally how can the employees in the company connect to the local server (via a VPN maybe?)?

You will need to port-forward some port on your router (better not 80) to port 80 of the server. You will also need a DNS name for your company. If you don't have one, see 5 Best Dynamic DNS Providers You Can Lookup for Free Today. Employees will access it via https://yourDNS:yourPort. You don't need VPN.

How can I guarantee availability when I run it locally?

You can't. There is no guarantee either when running on the cloud, although the percentages are better.

What alternatives are there to XAMPP (that are for production and not development)?

There are other web servers, on Linux and Windows. On Windows mostly IIS is used. Search for them.

What else should I take into consideration?

A lot. Pay special attention to security and to avoiding SQL injection vulnerabilities.

harrymc

Posted 2018-10-07T21:44:05.117

Reputation: 306 093

Thank you very much for the answer. Does it make sense to not open the server up to the internet and keep it in a local network for the employees to connect to it via a VPN? I was wondering if it improves security, since not anybody on the internet can interact with the server this way. – CVE-2017-5754 – 2018-10-08T10:58:46.190

Security-wise, it makes a lot of sense. Why would you need VPN inside your local network? – harrymc – 2018-10-08T11:28:35.183

The server is at home inside my local network, but the employees somehow need to connect to that network to be able to use the form, and to do that without just using the internet I thought you need a VPN connection to the network. They are not in the same place as the server. – CVE-2017-5754 – 2018-10-08T11:36:14.103

VPN is not really necessary - HTTPS is enough. – harrymc – 2018-10-08T13:05:21.320

Even HTTP is all right in an internal network. – harrymc – 2018-10-08T13:25:22.427

But to connect from the company to the server I need a VPN, right? Since the server isn't open to the internet and the employee can only access it if he is on the same network. – CVE-2017-5754 – 2018-10-08T13:28:31.320

On second thought, HTTPS is today mandatory or browsers may refuse to connect. In any case, you really don't need VPN, unless the data is of such extreme secrecy that HTTPS is not enough (HTTPS is enough for me to connect to my bank, for example). Is it possible there is a confusion with Port Forwarding? – harrymc – 2018-10-08T13:36:14.580

I know how port forwarding works, but I might have misunderstood the use of a VPN. To hopefully clear things up, I know a VPN can be used to transmit data safely. In my case, where the server is only accessible from my local network and not from the internet, the employee cannot just access the web page from somewhere else in Germany. Now, I thought that you need a VPN to my home router to let the employees join the local network to then access it from there. – CVE-2017-5754 – 2018-10-08T13:44:06.410

HTTPS is also a limited form of VPN. The difference is that HTTPS will only encrypt traffic between your browser and a particular website, while VPN will encrypt all traffic between your computer and the Internet. As the employees don't need all their communications going through your server, VPN is to be avoided, as your server is no good as a gateway to the Internet for the entire company. – harrymc – 2018-10-08T13:49:15.277

0

In terms of infrastructure, I would advise not to run and maintain any infrastructure like a LAMP - locally or in the cloud - for a task like that, rather go with a sandboxed approach.

It has a bit of a learning curve at the beginning, but we have been successfully using Google App Engine with PHP - see https://cloud.google.com/appengine/docs/php/ - for smaller tools like yours appears to be.

For low traffic applications (and yours looks to be one) it is basically free and you can easily add a MySQL database with Google Cloud SQL.

It also takes away a lot of infrastructure-related security considerations from your table; however, application-related security like SQL injection still needs to be taken care of.

GeraldDC

Posted 2018-10-07T21:44:05.117

Reputation: 21
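Both harrymc's answer and GeraldDC's answer single out SQL injection as the application-level risk that remains whatever hosting is chosen. The following is an added example (not code from the question or either answer) showing the shift-entry insert first as the vulnerable string-built query, then with validation and a PDO prepared statement. The table name, columns, DSN and credentials are assumed placeholders.

```php
<?php
// Added example, not from the page. Assumes a table created as:
//   CREATE TABLE shifts (id INT AUTO_INCREMENT PRIMARY KEY, employee VARCHAR(64),
//     start_time DATETIME, end_time DATETIME, boxes INT UNSIGNED);

// 1. Vulnerable pattern: form fields are pasted straight into the SQL text, so
//    the database parses user input as part of the statement. Even a harmless
//    name containing an apostrophe (O'Brien) breaks the query.
function insertShiftUnsafe(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO shifts (employee, start_time, end_time, boxes) VALUES ("
         . "'{$post['employee']}', '{$post['start']}', '{$post['end']}', {$post['boxes']})";
    return (bool) $db->query($sql);
}

// 2. Hardened pattern: validate every field, then bind it as a parameter so the
//    statement text is fixed and input can only ever be data.
function insertShiftSafe(PDO $db, array $post): int
{
    $employee = trim((string) ($post['employee'] ?? ''));
    $start = DateTimeImmutable::createFromFormat('Y-m-d H:i', (string) ($post['start'] ?? ''));
    $end   = DateTimeImmutable::createFromFormat('Y-m-d H:i', (string) ($post['end'] ?? ''));
    $boxes = filter_var($post['boxes'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100000]]);

    if ($employee === '' || strlen($employee) > 64 || $start === false
        || $end === false || $end <= $start || $boxes === false) {
        throw new InvalidArgumentException('Invalid shift data');  // reject, do not "clean up"
    }

    $stmt = $db->prepare('INSERT INTO shifts (employee, start_time, end_time, boxes)'
                       . ' VALUES (:employee, :start, :end, :boxes)');
    $stmt->bindValue(':employee', $employee, PDO::PARAM_STR);
    $stmt->bindValue(':start', $start->format('Y-m-d H:i:s'), PDO::PARAM_STR);
    $stmt->bindValue(':end', $end->format('Y-m-d H:i:s'), PDO::PARAM_STR);
    $stmt->bindValue(':boxes', $boxes, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Usage with placeholder credentials (load real ones from a file outside the web root).
$pdo = new PDO('mysql:host=127.0.0.1;dbname=shifts_db;charset=utf8mb4', 'shift_app', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares, not client-side quoting
]);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = insertShiftSafe($pdo, $_POST);
    echo 'Saved shift #' . $id;
}
```

With `ATTR_EMULATE_PREPARES` off, the MySQL server receives the statement and the bound values separately, so no escaping in PHP is needed or relied upon.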