My Best Practices for Deploying a Web Application on Alibaba Cloud

This article was originally published on Alibaba Cloud. Thank you for supporting the partners who make SitePoint possible.

In this article, I want to share the best practices I use when deploying a web application to Alibaba Cloud. I work as a freelancer, and recently one of my clients asked me to set up SuiteCRM for his small organization. Since I frequently write tutorials for Alibaba Cloud, I recommended that the client use the same cloud platform. For nearly 100 users and at least 30 concurrent users, here's the configuration I recommended.

1. An ECS instance with 2 vCPUs and 4 GB RAM, running Nginx with PHP-FPM.
2. An ApsaraDB for RDS instance for MySQL with 1 core, 1 GB RAM, and 10 GB storage.
3. Direct Mail for sending emails.

The steps I followed are very simple and can be adopted for nearly all PHP-based applications.

If you are new to Alibaba Cloud, you can use this link to sign up to Alibaba Cloud. You will get new user credit worth US$300 for free, which you can use to try out different Alibaba Cloud products.

Creating an ECS Instance

Alibaba Cloud has documented nearly everything you will need to get started with the cloud platform. You can use the Getting Started Tutorials or the Tech Share Blog to learn how to start using Alibaba Cloud. You can find the most basic steps in the Quick Start Guide; let me walk you through the best practices to use when creating the ECS instance.

Log in to your Alibaba Cloud console and go to the Elastic Compute Service interface. You can easily create the instance by clicking the Create Instance button. Things to keep in mind are:

1. Region: Since Alibaba Cloud has data centers all around the globe, always choose the region geographically closest to the users of the application. The closer the data center is to the user, the faster the website loads, because network latency is lower. In my case, I chose the Mumbai region, as the organization was based in Mumbai itself.

2. Billing Method: If you plan to run the instance continuously, 24/7, always choose the monthly subscription, as it cuts the price to less than half of Pay-As-You-Go. For example, the monthly subscription cost of a shared-type ECS instance with 2 vCPUs and 4 GB RAM is $23 USD, but the same instance on Pay-As-You-Go costs $0.103 USD per hour, which works out to $0.103 * 24 * 30 = $74.16 USD per month.

3. Instance Type: Choose the instance type according to your requirements. Resources can be increased later on demand.

4. Image: You may find the application you wish to install on your ECS instance as a Marketplace image, but it is always recommended to install it yourself on a clean official image. Later, if your application encounters an error, you will know where to look.

5. Storage: System disks are deleted when the ECS instance is released. Use a data disk when possible, as your disk will be retained even if the instance is accidentally deleted.

Here's the configuration I used.

You can choose the VPC which is created by default; you can add as many as 4092 instances to it. I use a different security group for each ECS instance so that I can configure each one individually and make sure that no unused port is open.

Another important thing is to use key-based authentication rather than passwords. If you already have a key pair, you can add the public key to Alibaba Cloud; if not, you can use Alibaba Cloud to create one. Make sure the private key is stored in a very secure place and that the key itself is encrypted with a passphrase.

That's all the things to keep in mind while creating the ECS instance.

Setting Up the ECS Instance

Once you have created your instance and logged into the terminal, there are a few things I suggest you consider before you set up your website.

1. Rather than using the root account to execute commands, set up a sudo user on the first connection and always run commands as that user. You can also set up key-based authentication for the sudo user and disable root login entirely.

2. Always keep your base image updated.

3. Alibaba base images do not ship any extra packages that are not required. Do not install any package that is not required either.

4. If things go bad during installation, you can always reset the instance by changing the system disk. You don't need to delete the instance and recreate it.

I created the sudo user and configured key-based auth for it. I updated the base image and set up unattended system upgrades. I followed a tutorial to install the Nginx web server, a lightweight production-grade web server, and then installed PHP 7.2 with PHP-FPM. PHP 7.2 is the latest available version of PHP as of this writing; running the latest release means the system carries the current bug fixes and also gets faster processing and better stability. Finally, I downloaded the SuiteCRM archive from its official website and deployed the files under Nginx.
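
As an added example (not the article's own commands), this script carries out the first-login steps above on Ubuntu 16.04: it creates a sudo user (the name `deploy` and the `PUBKEY_FILE` variable are assumptions), installs the public key for that user, and edits `sshd_config` so that root cannot log in and only key-based logins are accepted. The `harden_sshd_config` function is idempotent, so it can be re-run safely.

```shell
#!/bin/sh
# Added example: first-login hardening of a fresh Ubuntu 16.04 ECS instance.
# Run once as root:  PUBKEY_FILE=/path/to/id_rsa.pub sh harden.sh apply
set -eu

# Set an sshd_config directive to exactly one value: rewrite any existing
# (possibly commented-out) occurrence, or append the directive if absent.
set_sshd_option() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# The three directives that make key-based, non-root login the only way in.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PubkeyAuthentication yes
}

# Read back the effective value of a directive (sshd uses the first match,
# and after hardening there is exactly one).
sshd_option_value() {
  grep -E "^${2}[[:space:]]" "$1" | head -n1 | awk '{print $2}'
}

# Create the sudo user (assumed name) and install the public key for it.
create_sudo_user() {   # $1 = user name, $2 = path to the public key file
  adduser --disabled-password --gecos "" "$1"
  usermod -aG sudo "$1"
  install -d -m 700 -o "$1" -g "$1" "/home/$1/.ssh"
  install -m 600 -o "$1" -g "$1" "$2" "/home/$1/.ssh/authorized_keys"
}

if [ "${1:-}" = "apply" ]; then
  create_sudo_user "${DEPLOY_USER:-deploy}" "${PUBKEY_FILE:?set PUBKEY_FILE}"
  harden_sshd_config /etc/ssh/sshd_config
  # Validate the config before reloading, so a typo cannot lock you out.
  sshd -t && systemctl reload ssh
fi
```

Log in as the new user over the key in a second session before closing the root session, so a mistake can still be corrected.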

You can use the getting started tutorials or the tutorials written by Tech Share authors to install the applications.

Configuring Security Group Rules

It is very important to leave no unused port open in the security group of the ECS instance. Have a look at the security group rules I used for the SuiteCRM instance.

You can see that I have allowed only ports 22, 80 and 443, along with all ICMP packets. Port 22 is used for the SSH connection. Port 80 is the unencrypted HTTP port, which in my case just redirects to port 443 (HTTPS). ICMP packets are used to ping the host to check whether it is alive. It's perfectly okay to drop the ICMP packets as well; you just won't be able to ping your instance.
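
The security group only controls what reaches the host; it is worth also checking, on the host itself, that nothing beyond 22, 80 and 443 is actually listening on a public address (a MySQL listener on 3306, for instance, would mean the database is on the ECS host rather than on RDS). This check is an added example, not part of the original article; it parses `ss -ltn` output and ignores services bound to loopback only, such as PHP-FPM on 127.0.0.1:9000.

```shell
#!/bin/sh
# Added example: report listening TCP ports that the security group does not
# expose. Run on the instance:  sh audit.sh        (prints nothing when clean)
set -eu

# Print every listening port not in the allow-list and not bound to loopback.
# Input (stdin): `ss -ltn` lines, e.g. "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*".
unexpected_listeners() {   # $1 = allow-list, e.g. "22 80 443"
  awk -v allow="$1" '
    BEGIN { split(allow, a, " "); for (i in a) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4; n = split(addr, p, ":"); port = p[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      # Loopback-only listeners (PHP-FPM, local agents) are not reachable.
      if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
      if (!(port in ok)) print port
    }' | sort -un
}

# Live check against the ports the article opens in the security group.
audit_host() { ss -ltn | unexpected_listeners "22 80 443"; }

# Constructed sample of `ss -ltn` output from a host with a stray MySQL
# listener; used for the demo below, not captured from a real system.
SAMPLE='State Recv-Q Send-Q Local_Address:Port Peer_Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE" | unexpected_listeners "22 80 443"   # prints 3306
else
  [ "${1:-}" = "" ] && [ -t 0 ] && audit_host
fi
```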

Creating the RDS Instance

The first question to ask before we create the RDS instance is why exactly we need it. We could install any open source database server such as MySQL, MariaDB, PostgreSQL or MongoDB server on the ECS instance itself.

The answer is that ApsaraDB for RDS is optimized for speed and security. By default, the instance we create is accessible only to whitelisted instances.

Let's look at the things to keep in mind when we create the RDS instance.

1. Region: Always choose the same region for the database instance and the ECS instance, and make sure that they are both in the same VPC. This lets you use the free intranet data transfer between hosts on the same network. Another advantage is that you only need to whitelist the private IP address of the ECS instance, which greatly improves the security of the database.

2. Billing: Again, a monthly subscription costs less than Pay-As-You-Go. Choose according to your needs.

3. Capacity: You can start with a low-end configuration such as 1 core, 1 GB RAM, and 5 GB storage. Later on you can increase resources.

4. Accounts: Never create the Master account for the MySQL 5.6 instance unless required. Instead, create a database and a dedicated database user for each database.

Here's the RDS configuration I used for SuiteCRM.

Once the MySQL RDS instance was activated, I whitelisted the ECS instance from the Security tab of the RDS instance. As soon as I had whitelisted the IP address, I got the hostname of the RDS instance along with the port number, which was the MySQL default port, 3306. I created a database named "suitecrm" and a database user named "suitecrm" and gave the user read/write access.

Using HTTPS

As the internet grows, more and more websites are added every day. When the Let's Encrypt certificate authority started issuing SSL certificates for free, using SSL on every website became the norm. For security, it is very important to use SSL on a web application: if the data being exchanged is unencrypted, anyone eavesdropping on the network can extract confidential information.

Alibaba Cloud also provides SSL certificates, but in my view they are quite expensive. However, with the higher price come extra guarantees, so the SSL certificates provided by Alibaba Cloud are suitable for enterprise users.

In the SuiteCRM deployment, I used Let's Encrypt's free SSL to secure the SuiteCRM web application. To generate the certificates with Certbot, a client application for the Let's Encrypt CA, the domain needs to point at the server.

Alibaba Cloud provides domain names at very reasonable rates with free whois protection. In my case, my client had already purchased the domain name elsewhere, so I created a subdomain and pointed it at the ECS instance. I installed Certbot and could easily generate the certificates. Never forget to set up a cron job to renew the certificates automatically, as Let's Encrypt certificates expire every three months.

Setting Up Direct Mail

Setting up an email server yourself should be avoided: building an enterprise-grade mail server requires expertise and time, and the cost of maintaining it gets very high. A slight misconfiguration sends your email straight into the spam folder.

Alibaba Cloud's Direct Mail service provides a cheaper way to send emails from the application using SMTP. It's free for the first 200 emails every day. In my case, 200 emails per day are enough, and emails beyond the free quota are also very cheap. I added a new email subdomain in Direct Mail. Upon adding the domain, I was asked to update the DNS records. I did as instructed, and it took some time for the DNS to verify because propagation takes time. Once done, I added the sender address and the SMTP server was ready to be used with the application.

Web-Based Installation

Finally, I had everything ready. The SuiteCRM application is hosted on ECS, and the database server is hosted on ApsaraDB for RDS. I could easily go through the web-based installation to install the software.

Here's the configuration I provided for the database server during the web-based installation of SuiteCRM.

Similarly, I filled in all the required information and provided the SMTP server details.

Finally, my application was successfully deployed on Alibaba Cloud. I also suggested that the client use ApsaraDB for Memcache to store SuiteCRM's session cache and WAF to protect the application against incoming threats. The client didn't want to implement these suggestions, as they'd increase the monthly bill, but was very happy to see the performance of the application on Alibaba Cloud's platform.

I frequently write technical blogs on the Alibaba Cloud Tech Share platform. Go to the following link to find the tutorials written by me. I will also publish a detailed guide on Tech Share covering the steps and commands I followed to install SuiteCRM on Ubuntu 16.04.

Translated from: https://www.sitepoint.com/my-best-practices-for-deploying-a-web-application-on-alibaba-cloud/