Business needs of an optimal, secure Magento hosting setup
- Best response time for each hit: server response time is a critical component of overall page load time.
- Planned use of memory and other resources.
- Cost-effective solution: neither a cheap setup that may not work nor an over-engineered, expensive one whose capacity may never be used.
- A well-defined path to scalability, based on the business forecast for the next 3, 6 or 12 months.
- Multi-layered security for your customers' data and for the infrastructure.
- Serve valid human traffic and keep bots out.
- Reasonable protection against DoS attacks.
- A Web Application Firewall (WAF) to keep application-level attacks such as SQL injection at bay.
- Backup and disaster recovery, run automatically and efficiently in the background.
- Minify CSS and JS assets.
- Generate the image sizes the application needs.
- Optimize images on load or on generation.
- Configurable alerting when the site slows down or breaks.
- A dashboard to see system performance.
- Debugging help for developers when something breaks.
Renting a server for hosting is now a commodity, and most vendors have very similar offerings. A multi-vendor strategy that avoids vendor lock-in as far as possible is needed. Managed hosting from a provider with multi-vendor capability will help you keep your processes and choices clear.
Can this be achieved?
Hosting a Magento website should neither be an ignored problem nor rocket science (or magic, even). Sound engineering principles can be used to ensure a website is well hosted and raises alerts when the system runs out of capacity.
nginx + php-fpm
- Load balance as you scale, or according to the traffic pattern.
- Rate limit requests from a single IP to protect against DoS attacks.
- Block known-bad IPs from accessing the sites.
- Allow or block bots based on their User-Agent signature.
- A secure configuration disables PHP execution in non-code directories such as the upload and cache locations.
- Secure hosting ensures the web application (the user php-fpm runs as) cannot modify code files.
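How those points translate into an nginx configuration, as an added example written for this page (it is not the configuration of any particular hosting vendor). It assumes a Magento 1 style docroot at /var/www/magento/htdocs with media/, var/, skin/ and js/ directories, php-fpm listening on a unix socket, a bad-IP list file regenerated from log analysis, and the bot names shown; the rate and burst values are illustrative.

```nginx
# Added example, not vendor configuration. Paths, lists and thresholds are assumptions.
http {
    # Rate limiting: one zone keyed by client IP, 10 requests/second sustained.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
    limit_req_status 429;

    # Known-bad IPs: 1 = blocked. Kept in a separate file (assumed path) so it can be
    # regenerated from log analysis without editing the main config.
    geo $bad_ip {
        default 0;
        include /etc/nginx/conf.d/bad_ips.txt;   # one "a.b.c.d 1;" line per address
    }

    # Bot classification by User-Agent. 0 = allow, 1 = block.
    map $http_user_agent $blocked_bot {
        default 0;
        ~*(googlebot|bingbot) 0;               # search engines we want indexing the catalog
        ~*(ahrefsbot|mj12bot|semrushbot) 1;    # crawlers that bring no customers (assumed list)
        "~^$" 1;                               # an empty User-Agent is almost never a browser
    }

    server {
        listen 80;
        server_name shop.example.com;
        root /var/www/magento/htdocs;
        index index.php;

        if ($bad_ip) { return 403; }
        if ($blocked_bot) { return 403; }

        # Allow a burst of 20 for page assets; reject beyond that without queueing.
        limit_req zone=perip burst=20 nodelay;

        # Uploads and caches live under these paths; a .php file that lands there
        # must never execute. This regex location matches before the generic php one.
        location ~* ^/(media|var|skin|js)/.*\.php$ { return 403; }

        # Magento's internal directories are not web content.
        location ~* ^/(app|includes|lib|downloader|var|shell)/ { deny all; }
        location ~ /\. { deny all; }

        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
            try_files $uri =404;     # never hand a non-existent script name to php-fpm
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm/magento.sock;
        }
    }
}
```

The last list item, that the application cannot change code files, is an operating-system matter rather than an nginx one: run the php-fpm pool as a user that has read-only access to the code tree and write access only to media/ and var/, so a compromised extension or admin account cannot drop a backdoor next to index.php. The deny on `/media/.../*.php` above is the second layer for the case where a file does get uploaded anyway.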
In-memory cache and session store
- Used for storing cache and sessions in memory.
- The Full Page Cache configuration includes a memory limit.
- Sessions are rejected when they are created faster than a configured rate, preventing Magento from locking up.
MySQL
- Oracle MySQL is improving, but Percona Server and MariaDB still perform better.
- MySQL for Magento needs a configured balance between the memory available and the buffer and cache sizes.
Monitoring and alerting
- Cloud tool to analyze log file data from the live site.
- Dashboard showing the crucial parameters of the site.
- Alerting when the site slows down or returns errors.
- Alerts derived from analysis of the actual hits on the site.
- Top 10 IPs and bots, to help decide what to block or allow.
- Rate-limit blocking, to help tell good traffic from bad.
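The analysis behind the Top 10 and rate-limit items, as an added Python example (not the page's own tool). It parses nginx's combined log format and reports the busiest IPs, the bot User-Agents, the IPs that exceed a per-minute hit count, and the 5xx error share that an alert would key on. The log lines, the bot keyword list and the 20 hits per minute threshold are constructed for the example.

```python
"""Added example: summarise an nginx access log for blocking and alerting decisions.
Sample data, bot markers and thresholds are constructed for this page."""
import re
from collections import Counter, defaultdict

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

BOT_MARKERS = ("bot", "crawler", "spider", "curl", "python-requests")  # assumed list


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def top_ips(entries, n=10):
    return Counter(e["ip"] for e in entries).most_common(n)


def is_bot(ua):
    ua = ua.lower()
    return ua in ("", "-") or any(marker in ua for marker in BOT_MARKERS)


def top_bots(entries, n=10):
    return Counter(e["ua"] for e in entries if is_bot(e["ua"])).most_common(n)


def rate_offenders(entries, per_minute):
    """Map IP -> peak hits in a single minute, for IPs that exceeded per_minute.
    The minute key is $time_local up to the minutes field: 'dd/Mon/yyyy:HH:MM'."""
    buckets = defaultdict(Counter)
    for e in entries:
        buckets[e["time"][:17]][e["ip"]] += 1
    offenders = {}
    for minute_counts in buckets.values():
        for ip, hits in minute_counts.items():
            if hits > per_minute:
                offenders[ip] = max(offenders.get(ip, 0), hits)
    return offenders


def error_rate(entries):
    """Share of responses with status >= 500; the input for a 'site gives error' alert."""
    if not entries:
        return 0.0
    return sum(1 for e in entries if e["status"] >= 500) / len(entries)


def sample_log():
    """Constructed sample traffic, not a real log: a browser, a crawler, and a scripted
    login hammer that starts drawing 503s. One line is deliberately malformed."""
    fmt = '{ip} - - [03/Jun/2014:10:15:{sec:02d} +0000] "{req}" {status} 512 "-" "{ua}"'
    browser = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/35.0 Safari/537.36"
    crawler = "Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)"
    lines = [fmt.format(ip="203.0.113.5", sec=s, req="GET /catalog/category/view/id/3 HTTP/1.1",
                        status=200, ua=browser) for s in range(3)]
    lines += [fmt.format(ip="198.51.100.7", sec=10 + s, req="GET /sitemap.xml HTTP/1.1",
                         status=200, ua=crawler) for s in range(2)]
    lines += [fmt.format(ip="192.0.2.9", sec=20 + s, req="POST /customer/account/loginPost/ HTTP/1.1",
                         status=503 if s >= 20 else 200, ua="python-requests/2.3.0") for s in range(25)]
    lines.append("garbage line that does not parse")
    return lines


def report(lines, per_minute=20):
    entries = list(parse(lines))
    return {
        "top_ips": top_ips(entries),
        "top_bots": top_bots(entries),
        "rate_offenders": rate_offenders(entries, per_minute),
        "error_rate": error_rate(entries),
    }


if __name__ == "__main__":
    for key, value in report(sample_log()).items():
        print(key, value)
```

The `rate_offenders` output is exactly what the bad-IP list in the nginx configuration needs, and the `top_bots` list is what decides which User-Agents go into the allow and block map; the point of looking at both is that a crawler with a polite rate (the AhrefsBot entry above) is a different decision from a scripted login attack that also happens to identify itself.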
Web Application Firewall (WAF)
Using open-source ModSecurity, custom built for nginx, along with custom rules for Magento, we enable a reasonable level of security directly on the edge server as part of the stack, preventing common SQL injection and cross-site scripting attacks with the OWASP Core Rule Set (or the commercial Trustwave ruleset).
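The "custom rules for Magento" layer, as an added example written for this page (it is not any vendor's actual ruleset). It assumes the ModSecurity-nginx connector, enabled in the server block with `modsecurity on;` and `modsecurity_rules_file /etc/nginx/modsec/main.conf;`, an OWASP Core Rule Set checkout under /etc/nginx/modsec/crs, and a Magento admin path of /index.php/admin. Rule IDs are taken from the 1 to 99999 range that ModSecurity reserves for local rules.

```apache
# /etc/nginx/modsec/main.conf (assumed path). Added example, not a vendor ruleset.
Include /etc/nginx/modsec/modsecurity.conf        # engine defaults, SecRequestBodyAccess On, audit log
Include /etc/nginx/modsec/crs/crs-setup.conf
Include /etc/nginx/modsec/crs/rules/*.conf

# Tune first, block later: run in DetectionOnly until the audit log shows no false
# positives on real checkout and admin traffic, then change this line to On.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/nginx/modsec_audit.log

# Magento-specific exclusion. The admin WYSIWYG editor posts raw HTML in the
# "content" field, which the CRS XSS rules treat as an attack. Remove only that
# target from only the XSS-tagged rules, and only under the admin path, rather
# than switching those rules off for the whole site.
SecRule REQUEST_URI "@beginsWith /index.php/admin" \
    "id:1001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetByTag=attack-xss;ARGS:content"

# Customer-facing forms never legitimately contain SQL, so the SQLi rules stay
# fully active there: no exclusion is written for them.

# Defence in depth for the upload problem nginx also guards against: refuse any
# multipart upload whose file name ends in a PHP extension, whatever the
# application would have done with it.
SecRule FILES "@rx (?i)\.(php|phtml|phar)$" \
    "id:1002,phase:2,deny,status:403,log,\
    msg:'PHP file upload attempt blocked'"
```

Exclusions scoped by path and target, as in rule 1001, are the difference between a WAF that protects the storefront and one that the team eventually turns off because it blocks the admin; the check is to replay a real admin edit and a real checkout through DetectionOnly mode and read the audit log before enabling blocking.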
Offline minification of CSS and JS
CSS and JS files need to be minified. Magento offers a merge-and-minify option, but the minifier frequently fails, resulting in a site that cannot be rendered.
Our minification process allows excluding the files that fail minification, and it runs only when new code is deployed rather than on live requests.
Image Upload & Optimization
When a site needs frequent product uploads, uploading images normally requires giving insecure access to the Magento installation. Our solution allows safe uploads to a "pod", from which images are transferred transparently and automatically to the desired folder.
Similarly, our image optimization optimizes the images Magento generates, either losslessly or to an acceptable level of lossy compression, keeping the original images intact. This is compatible with all modern CDNs.
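What the transfer from the pod to the media folder has to check before a file is allowed through, as an added Python example (not the vendor's implementation). It assumes a pod directory, a media destination and a quarantine directory at the paths shown, and accepts only JPEG, PNG and GIF; the file name rules, size limit and sample files are constructed for the example. The checks are the ones that make an upload path safe even though the uploader never touches Magento: the name is sanitised to a single allowed extension, the content must match that extension by its magic bytes, the destination is resolved and confirmed to stay inside the media directory, and symlinks and existing files are never followed or overwritten.

```python
"""Added example: validate files dropped in an upload pod before moving them into
the Magento media tree. Paths and limits are assumptions for this page."""
import os
import re
import shutil

POD_DIR = "/srv/upload-pod/incoming"                  # assumed: where the client drops files
QUARANTINE_DIR = "/srv/upload-pod/rejected"           # assumed: rejected files kept for review
MEDIA_DIR = "/var/www/magento/htdocs/media/import"    # assumed destination

# Leading bytes of the only formats accepted; the extension alone is never trusted.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SAFE_STEM = re.compile(r"^[a-z0-9][a-z0-9_-]{0,99}$")


class RejectedUpload(ValueError):
    pass


def safe_filename(name):
    """Return a sanitised lower-case name or raise. Any directory part is dropped and
    exactly one extension from MAGIC is allowed, so 'shell.php.jpg' (dot in the stem)
    and '../../index.php' (extension not allowed) are both rejected."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    stem, ext = os.path.splitext(base)
    if ext not in MAGIC:
        raise RejectedUpload("extension not allowed: %r" % name)
    if not SAFE_STEM.match(stem):
        raise RejectedUpload("unsafe file name: %r" % name)
    return stem + ext


def validate_bytes(name, data, max_bytes=10 * 1024 * 1024):
    """Return the safe name if data is an acceptable image for name, else raise."""
    safe = safe_filename(name)
    if len(data) > max_bytes:
        raise RejectedUpload("file too large")
    ext = os.path.splitext(safe)[1]
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise RejectedUpload("content does not match extension for %r" % name)
    if b"<?php" in data or b"<script" in data.lower():
        # A valid JPEG can carry PHP in a comment segment. With PHP execution disabled
        # under media/ this cannot run, but there is no reason to store it either.
        raise RejectedUpload("embedded script content")
    return safe


def is_acceptable(name, data):
    try:
        validate_bytes(name, data)
        return True
    except RejectedUpload:
        return False


def destination(safe_name, media_dir=MEDIA_DIR):
    """Absolute destination path, confirmed to lie inside media_dir after resolution."""
    root = os.path.realpath(media_dir)
    dest = os.path.realpath(os.path.join(root, safe_name))
    if os.path.commonpath([root, dest]) != root:
        raise RejectedUpload("path escapes media directory")
    return dest


def transfer_pod(pod_dir=POD_DIR, media_dir=MEDIA_DIR, quarantine_dir=QUARANTINE_DIR):
    """Move every acceptable file from the pod into media_dir and every other
    file into quarantine_dir. Returns (moved_names, [(entry, reason), ...])."""
    moved, rejected = [], []
    for entry in sorted(os.listdir(pod_dir)):
        src = os.path.join(pod_dir, entry)
        try:
            if os.path.islink(src) or not os.path.isfile(src):
                raise RejectedUpload("not a regular file")   # no symlink tricks
            with open(src, "rb") as fh:
                data = fh.read()
            safe = validate_bytes(entry, data)
            dest = destination(safe, media_dir)
            if os.path.exists(dest):
                raise RejectedUpload("would overwrite an existing file")
            shutil.move(src, dest)
            moved.append(safe)
        except RejectedUpload as why:
            rejected.append((entry, str(why)))
            if os.path.lexists(src):
                shutil.move(src, os.path.join(quarantine_dir, entry))
    return moved, rejected
```

Run on a schedule or from an inotify trigger, this is the whole of the pod-to-media step; Magento never sees the pod, and the uploader never needs a Magento admin account or write access to the docroot. The magic-byte check is what stops a renamed PHP file, and the realpath check is what stops a crafted name from landing a file outside media/.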