Cloud Servers - Virtual Private Servers (VPS)
Cloud Servers
We set up, configure and manage the physical server that hosts our own sites, and can perform this operation for clients.
Our cloud server is a virtual private server (VPS) installed on a machine sited in London. It acts as if it is a single physical server, offering us root access, but is in fact one of many virtual servers hosted on one physical machine.
The virtual servers are controlled by 'hypervisor' software on the physical machine, which provides good isolation between the virtual servers, hence the appearance of being a server running on a unique machine.
The VPS is provided by a cloud server provider and thus requires no physical maintenance or expensive internet backbone connections, so it is ideal for small companies and individual developers.
Server Setup
We set up the cloud VPS with server software, in our case Ubuntu Linux, and then communicate with the server by SSH (Secure Shell), which allows us to configure the server and install the software that enables it to host our websites and web apps.
The main server we use is a Linux/Apache/MySQL (LAMP) server.
We have also installed Java servers, Apache Tomcat, GlassFish and WildFly, which allow us to create and test simple web applications and more sophisticated projects that make use of the various JEE platform APIs.
Server Security
Isolation of the VPS is out of our hands, but we maintain a firewall and other software that restricts access to the server to as few protocols and ports as possible.
Another part of security is the use of a certificate to allow encryption with TLS/SSL for web server communications (see TLS/SSL Encryption below), and the prevention of non-secure communications.
DNS Management
Part of hosting websites involves configuring Domain Name System (DNS) entries, and this we do as standard.
Also available on the VPS is the possibility of running a full DNS server, which might be necessary for some web applications, but for most uses is not necessary.
TLS/SSL Encryption
In the past, most servers served pages in answer to requests from the internet, via the HTTP protocol (Hypertext Transfer Protocol), and used secure transfer, HTTPS, for a limited number of pages, mostly for accessing accounts with passwords, and for making online payments etc. Using secure transfers takes longer as more information has to be transferred, so this made sense.
With increasing bandwidth and greater security requirements, the trend is to serve all pages via HTTPS, and in 2016 Google made this part of its ranking procedure, and now gives preference to sites that use secure transactions.
To provide this greater security, HTTPS uses public/private key encryption, facilitated by a security certificate installed on the server, where the public and private keys are held.
The secure communications aim to provide authentication, which is the process of proving you (the web server) are who you say you are.
There are many types of certificate, which provide differing levels of authentication at widely differing costs, as well as free self-signed certificates.
The problem with self-signed certificates is that web browsers and web applications cannot verify the chain of trust, so they prompt the user on whether or not to accept the certificate in order to proceed. This is unworkable for anything other than a testing environment.
Fortunately, since 2016 it has been possible to get free certificates from the certificate authority Let's Encrypt, which are widely accepted.
There is no in-depth authentication procedure to demonstrate that you, personally or corporately, are who you purport to be, but the issuance process returns the certificate only to the server that hosts the domains specified in the certificate request, so users can be certain that they are communicating with the genuine site and not an impostor.
Let's Encrypt certificates do not tie site ownership to an individual or corporate entity, and have a validity of only 3 months, but renewal can be automated, so all websites can now fairly easily provide HTTPS-only transfers without the expense of paying annual fees for certificates.
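As an added illustration (not configuration from the original page), here is how the HTTPS-only setup described above looks on an Apache server using a Let's Encrypt certificate: plain HTTP is answered only with a redirect, and the TLS host uses the certificate files that certbot writes under its default directory. The hostname example.com and the DocumentRoot are placeholders.

```apache
# Added example, not the page's own configuration.
# Assumes certbot's default certificate paths for the placeholder domain example.com,
# and that mod_ssl, mod_alias and mod_headers are enabled.

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # Plain HTTP serves no content: every request is redirected to HTTPS.
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    # Certificate chain and private key as written by certbot; renewal replaces
    # these files in place, so Apache only needs a reload after each renewal.
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Accept only current TLS versions; SSLv3, TLS 1.0 and TLS 1.1 are disabled.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # HSTS: browsers that have seen this header refuse plain HTTP for the host
    # (and its subdomains) for the next year, closing the redirect window.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

The 3-month renewal mentioned above is handled by certbot's own timer or cron job running `certbot renew`; adding `--deploy-hook "systemctl reload apache2"` makes Apache pick up the renewed files automatically.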
For an e-commerce site, however, it might still be better to pay for a commercial certificate from Comodo etc., as these link site ownership to an individual or corporate entity, which gives clients greater confidence in making financial transactions. Payment gateways might make this a requirement if you want to open an account with them, and these certificates cost from €100/annum or so, up to several hundred euros per annum.