This content originally appeared on DEV Community and was authored by kodumbeats
Intro
Appwrite is an open-source, self-hosted Backend-as-a-Service that makes app development easier with a suite of SDKs and APIs to accelerate app development. #30DaysOfAppwrite is a month long event focused at giving developers a walkthrough of all of Appwrite's features, starting from the basics to more advanced features like Cloud Functions! Alongside we will also be building a fully featured Medium Clone to demonstrate how these concepts can be applied when building a real world app. We also have some exciting prizes for developers who follow along with us!
Appwrite for Production
Welcome to Day 27 ?. Now that we've covered many of the capabilities of Appwrite, we should discuss running Appwrite in production once your app is finally ready for users.
First and foremost, good security is a moving target. Appwrite provides a suite of APIs that abstracts many security requirements of your application, but hosting software online means exposing a computer to the internet. While we can't cover everything, let's discuss some security best practices when running Appwrite in production.
The Server
Before we discuss the steps to run Appwrite in production, we need to talk about the system on which Appwrite will run. These tips assume you're running Appwrite on a Linux-based server, but the principles apply to any operating system.
Updates
Most security breaches occur on systems that run out-of-date, insecure versions of their software. The problem is understandable - it's hard to keep up with system updates. Running updates on a cron schedule isn't the best either though, as security updates are best installed immediately. Use tools like Ubuntu's unattended-upgrades
and Fedora's dnf-automatic
packages to run with the latest updates for your software.
Firewall and SSH
A security best practice is a deny-by-default security policy - we should only give explicit access to the services we want. Appwrite considers this in its default configuration: the only service exposed to the outside world is what we need, the Traefik proxy. So, if Appwrite is the only service we want to publicly expose on the server, we can use firewall tools to block access to any other unused ports.
If you use SSH to administer your system, don't forget to leave that open in your firewall! SSH is considered a private service, meaning that it should be publicly accessible, but only to authorized accounts. The best practice is to use cryptographic tools like SSH keys instead of passwords, as they're much, much harder to falsify.
More Reading
Here are some additional resources that go into more detail about best practices:
Securing Appwrite
Now, let's discuss setting up Appwrite for production.
Environment Variables
You can easily configure Appwrite for production with the many environment variables that it offers. The following variables should be set in the hidden .env
file in your appwrite
installation directory when deploying for production:
-
_APP_ENV
: Change toproduction
. -
_APP_OPTIONS_ABUSE
: Enables abuse checks and ratelimiting for the API. Set toenabled
. -
_APP_OPTIONS_FORCE_HTTPS
: Forces connections to use HTTPS for secure data transfer. Set toenabled
. -
_APP_OPENSSL_KEY_V1
: This is the secret used to encrypt secrets like sessions and passwords. Change this to something secure and random, and keep it safe and backed up. -
_APP_DOMAIN
: Set this to your domain name for Appwrite to auto-generate an SSL certificate.
Restrict Console Access
Three environment variables are available to restrict access to the Appwrite console:
_APP_CONSOLE_WHITELIST_EMAILS
_APP_CONSOLE_WHITELIST_IPS
_APP_CONSOLE_WHITELIST_ROOT
Set the _ROOT
var to enabled
if you only want a single account to have access to the console. For multiple users, you can restrict access to specific email and IP addresses with their respective environment variables.
Antivirus
For production, you can enable clamav
scanning of uploaded files for any known malicious objects. Set _APP_STORAGE_ANTIVIRUS
to enabled
and uncomment the service in docker-compose.yml
to use this feature. Don't forget to also uncomment clamav
in the depends_on
section of the main appwrite
service.
Functions
Cloud Functions can be customized to suit the needs of your production system, largely for controlling resources available to Function executions:
-
_APP_FUNCTIONS_CPUS
: The maximum number of CPU cores that Cloud Functions can use. -
_APP_FUNCTIONS_MEMORY
: The maximum memory available to Cloud Functions (in megabytes). -
_APP_FUNCTIONS_CONTAINERS
: The maximum number of containers Appwrite keeps alive, defaults to 10. Increase this number to increase the number of warm functions. -
_APP_FUNCTIONS_RUNTIMES
: A list of available runtimes for new Cloud Functions.
All Appwrite environment variables can be found in our docs.
Credits
We hope you liked this write up. You can follow #30DaysOfAppwrite on Social Media to keep up with all of our posts. The complete event timeline can be found here
Feel free to reach out to us on Discord if you would like to learn more about Appwrite, Aliens or Unicorns ?. Stay tuned for tomorrow's article! Until then ?
This content originally appeared on DEV Community and was authored by kodumbeats
kodumbeats | Sciencx (2021-05-27T12:38:54+00:00) #30DaysOfAppwrite : Appwrite for Production. Retrieved from https://www.scien.cx/2021/05/27/30daysofappwrite-appwrite-for-production/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.