Secure server construction method with CPI server + CDN
Many people rent a shared server but are worried about sudden traffic or security concerns.
In this article, we introduce the combination of CPI's shared rental server ACE01 and a CDN: measures against sudden traffic, configurations that can enhance security, and how to install it. Many CPI customers operate their sites by combining ACE01 and a CDN.
Table of contents
What is a CDN?
CDN installation procedure
What is a CDN?
CDN is an abbreviation for Content Delivery Network, a mechanism for efficiently delivering content. When a user (a visitor to the website) accesses "https://example.com", the content is delivered from a CDN close to the user. There are multiple CDNs in the world, so access is distributed, and even with heavy traffic the load on the web server (origin) can be minimized. In addition, because the CDN responds to requests from users (people browsing the web), the existence of the web server (origin) can be hidden. Therefore, by introducing a CDN, it is possible to effectively block attacks from an unspecified number of people.
Benefits of introducing a CDN
Can handle sudden traffic
A secure configuration can be built
There are various other effects as well, such as high availability (fault resistance), but covering all of them would make this article long, so please refer to other sites for further information.
CDN installation method
First, select a CDN operator. There are many CDN companies, and the ones that are often used are as follows.
CloudFront
Redbox
This time, from among these companies, we will introduce the installation method using Red Box with CPI's shared server ACE01.
The reason for choosing Red Box is that it is a domestic vendor and the troublesome settings are done by Red Box. In addition, the fee is fixed and you pay a fixed monthly amount. Given Japanese business customs, it is easier to pay a fixed amount than to pay a usage fee only for what you use.
CDN installation procedure
Now, let’s actually introduce a CDN for the test URL “cdn-test.mochiya.co”.
(It is assumed that you have a contract with the CPI server and the site is on cdn-test.mochiya.co.)
Apply for the Red Box.
Red Box takes 2 business days at the shortest from application to service start. If you add the cache settings from there, you can incorporate it into the site in about 4 business days.
Once your application is complete, you will be issued a CDN URL and a Red Box control panel ID and password.
[CDN URL example] user0004.cdnw.net
DNS change
Once the CDN URL is issued, delete the A record for cdn-test.mochiya.co and register the CDN URL ([example] user0004.cdnw.net) as a CNAME.
Apply for settings so that the CMS management screen is not cached.
The reason for not caching the CMS management screen is that otherwise the pages the administrator opens to manage the site would be cached and could be viewed by general users.
The URL of the management screen is "/wp-admin" for WordPress and "/admin" for Drupal, so set these paths so that they are not cached.
Since WordPress is used with the Red Box, you only need to request the setting that does not cache the management screen, from the inquiry form etc.
(How easy it is.)
Properly speaking, in addition to "/wp-admin", it is necessary to exclude the parts used by the management screen, such as RSS and the article preview screen.
This completes the CDN settings.
Web server (origin) and management screen access restrictions
With the introduction of a CDN, the CDN responds to web viewers' requests. Therefore, web viewers do not need to access the web server (origin).
First, limit the users who can access the web server (origin) to the CDN only.
Edit "/.htaccess" of the web server and add the following code.
# Allow Redbox
SetEnvIf X-redbox-Auth KEY-NUMBER allow-cdn
order deny,allow
deny from all
allow from env=allow-cdn
X-redbox-Auth is a custom header issued by Red Box. KEY-NUMBER will be set after you contract for Red Box.
With this setting, the web server can only be accessed from the CDN.
Next, limit the users who can access the management screen to specific IPs.
As an example, limit the "/admin" directory.
Create a "/admin/.htaccess" file.
Add the code below.
SetEnvIf X-Forwarded-For 127.XXX.XXX.XXX allowip
SetEnvIf X-Forwarded-For 157.XXX.XXX.XXX allowip
order deny,allow
deny from all
allow from env=allowip
A normal IP restriction is written as allow from 127.XXX.XXX.XXX, but when access comes via a CDN etc., the user's IP can be determined from "X-Forwarded-For".
With this, the web server (origin) cannot be accessed except from a specific IP.
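SetEnvIf treats its second argument as a regular expression that is searched for anywhere in the header value, so both .htaccess rules above (the X-redbox-Auth origin limit and the X-Forwarded-For management screen limit) accept more values than the literal they name. The following is an added example, not code from the original article: it emulates that matching in Python over constructed header values and compares the patterns as written with anchored ones. The address 203.0.113.10, the key EXAMPLE-KEY-0004, the helper names, and the assumption that the CDN appends the connecting client's address as the last X-Forwarded-For entry are all illustrative.

```python
import re

def setenvif_sets(pattern, header_value):
    """Emulate SetEnvIf: the variable is set when the regex is found
    anywhere in the header value (a missing header counts as empty)."""
    return re.search(pattern, header_value or "") is not None

def exact(value):
    """Anchored pattern: the whole header must equal `value`."""
    return "^" + re.escape(value) + "$"

def last_xff_entry(ip):
    """Anchored pattern: `ip` must be the final X-Forwarded-For entry
    (assumes the CDN appends the connecting client's address last)."""
    return r"(^|,\s*)" + re.escape(ip) + "$"

def accepted(pattern, samples):
    """Return the sample header values for which the rule allows access."""
    return [v for v in samples if setenvif_sets(pattern, v)]

# Constructed values: a documentation-range admin address and a made-up key.
ADMIN_IP = "203.0.113.10"
CDN_KEY = "EXAMPLE-KEY-0004"

XFF_SAMPLES = [
    "203.0.113.10",                # the allowed address only
    "198.51.100.7, 203.0.113.10",  # allowed address is the last entry
    "203.0.113.100",               # different host sharing the prefix
    "203.0.113.10, 198.51.100.7",  # allowed address present, but not last
    "198.51.100.7",                # unrelated address
]
AUTH_SAMPLES = [CDN_KEY, "x" + CDN_KEY + "x", "", None]

if __name__ == "__main__":
    checks = [
        ("X-Forwarded-For", ADMIN_IP, last_xff_entry(ADMIN_IP), XFF_SAMPLES),
        ("X-redbox-Auth", CDN_KEY, exact(CDN_KEY), AUTH_SAMPLES),
    ]
    for header, as_written, anchored, samples in checks:
        print(header)
        print("  as written:", accepted(as_written, samples))
        print("  anchored  :", accepted(anchored, samples))
        print("  pattern   :", anchored)
```

The X-Forwarded-For rule is only meaningful while the origin still refuses requests that did not come through the CDN, so confirm that the X-redbox-Auth check also applies under "/admin".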
Load verification
For load verification, you can evaluate the performance of the server by using Apache Bench or JMeter.
(If you want to actually perform load verification, please speak to Red Box.)
As for how many requests can actually be handled, if you consult with Red Box, they will tune appropriately based on the expected number of requests and an access simulation.
Let's throw 2000 requests as a light jab.
ab -n 2000 -c 200 http://cdn-test.mochiya.co/
Failed requests: 0
Requests per second: 426.14 [#/sec]
Time per request: 469.325 [ms]
I made 2000 requests at the same time and the error was 0.
The time it took to process the 2000 requests was Time per request: 469.325 [ms] (mean). Since 1 second is 1000 ms, we are responding to 2000 requests within 1 second.
A simple calculation from this shows that we can process requests as follows:
1 minute: 120,000 requests
1 hour: 7.2 million requests
1 day: 170 million requests
You can see that the result is quite good.
Please note
The above figures are simply calculated figures and are not guaranteed.
The number of requests that can be handled will vary depending on the nature of the site and the plan to be introduced, so please contact us before introducing.
From the management screen of the Red Box, you can check the current cache hit rate and the number of requests in real time.
With about 2000 requests, the cache hit rate is 100%, so you can see that the web server (origin) is not overloaded.
At the end
In this article, we introduced the combination of CPI’s shared rental server ACE01 and Red Box.
Depending on how you combine the shared rental server, you can handle sudden traffic and build a secure environment. It is attractive for web personnel to be able to easily withstand high traffic and build a secure environment.