github.com/ddev/ddev@v1.23.2-0.20240519125000-d824ffe36ff3/docs/content/users/topics/hosting.md

# Casual Hosting

!!!warning "Experimental Feature!"
    This is not a replacement for scalable, managed hosting. It’s unknown how much traffic it can handle in a given environment.
!!!warning "Let's Encrypt support not directly compatible with Traefik router"
    `ddev config global --use-letsencrypt` is not directly compatible with the Traefik router, but it [can be configured using Traefik docs](https://doc.traefik.io/traefik/https/acme/).

One of DDEV’s experimental features is lightweight hosting with Let’s Encrypt for HTTPS support. You can run DDEV on a public web server, point DNS to it, and use it as a limited hosting environment.

This may be appropriate for small or abandoned sites that have special requirements like old versions of PHP that aren’t supported elsewhere.

Here’s how to try it for yourself:

1. Install DDEV on an internet-connected Linux server. (You’re responsible for your firewall and maintenance of the server!)
2. On Debian/Ubuntu, you can set up a simple firewall with `ufw allow 80 && ufw allow 443 && ufw allow 22 && ufw enable`.
3. Point DNS for the site you’re going to host to the server.
4. Before proceeding, your system and your project must be accessible on the internet on port 80, and your project DNS name (`myproject.example.com`) must resolve to the appropriate server.
5. Configure your project with [`ddev config`](../usage/commands.md#config).
6. Import your database and files using [`ddev import-db`](../usage/commands.md#import-db) and [`ddev import-files`](../usage/commands.md#import-files).
7. Tell DDEV to listen on all network interfaces, omit the SSH agent, use hardened images, and enable Let’s Encrypt:

    ```
    ddev config global --router-bind-all-interfaces --omit-containers=ddev-ssh-agent --use-hardened-images --use-letsencrypt --letsencrypt-email=you@example.com
    ```

8. Create your DDEV project as you normally would, but configure it with `ddev config --project-name=<yourproject> --project-tld=<your-top-level-domain>`. If your website responds to multiple hostnames (e.g., with and without `www`), you’ll need to add `additional_hostnames`.
9. Redirect HTTP to HTTPS. If you’re using `nginx-fpm`, for example, create `.ddev/nginx/redirect.conf`:

    ```
    if ($http_x_forwarded_proto = "http") {
      return 301 https://$host$request_uri;
    }
    ```

10. Run [`ddev start`](../usage/commands.md#start) and visit your site. With some CMSes, you may also need to clear your cache.

You may have to restart DDEV with `ddev poweroff && ddev start --all` if Let’s Encrypt has failed because port 80 is not open, or the DNS name is not yet resolving. (Use `docker logs ddev-router` to see Let’s Encrypt activity.)

## Additional Server Setup

* Depending on how you’re using this, you may want to set up automated database and file backups—ideally off-site—like you would on any production system. Many CMSes have modules/plugins to allow this, and you can use `ddev export-db` or `ddev snapshot` as you see fit and do the backup on the host.
* You may want to allow your host system to send email. On Debian/Ubuntu, run `sudo apt-get install postfix`. Typically you’ll need to set up reverse DNS for your system, and perhaps SPF and/or DKIM records for more reliable delivery to other mail systems.
* You may want to generally tailor your PHP settings for hosting rather than local development. Error-reporting defaults in `php.ini`, for example, may be too verbose and expose too much information publicly. You may want something less verbose than these:

    ```ini
    ; Error handling and logging ;
    error_reporting = E_ALL
    display_errors = On
    display_startup_errors = On
    log_errors = On
    ```

* To make DDEV start sites on system boot, you’ll want to set up a `systemd` unit on systems like Debian/Ubuntu and Fedora. For example, a file named `/etc/systemd/system/ddev.service` containing:

    ```
    # Start DDEV when system starts (after Docker)
    # Stop DDEV when Docker shuts down
    # Start with `sudo systemctl start ddev`
    # Enable on boot with `sudo systemctl enable ddev`
    # Make sure to edit the User= for your user and the
    # full path to `ddev` on your system.
    # Optionally give a list of sites instead of --all
    [Unit]
    Description=DDEV sites
    After=multi-user.target
    Requires=docker.service
    PartOf=docker.service
    [Service]
    User=rfay
    Type=oneshot
    ExecStart=/usr/local/bin/ddev start --all
    RemainAfterExit=true
    ExecStop=/usr/local/bin/ddev poweroff

    [Install]
    WantedBy=multi-user.target
    ```

* You’ll need to regularly renew the Let’s Encrypt certificates. This is often done on a system reboot, but that may not be soon enough. A cron job running the command `docker exec ddev-router bash -c "certbot renew && nginx -s reload"` will do the renewals.
* You’ll likely want to turn off PHP errors to screen in a `.ddev/php/noerrors.ini`:

    ```ini
    display_errors = Off
    display_startup_errors = Off
    ```

Caveats:

* It’s unknown how much traffic a given server and Docker setup can sustain, or what the results will be if the traffic is more than the server can handle.
* DDEV does not provide outgoing SMTP mail handling service, and the development-focused Mailpit feature is disabled if you’re using `use_hardened_images`. You can provide SMTP service a number of ways, but the recommended way is to use SMTP in your application via a third-party transactional email service such as [SendGrid](https://sendgrid.com), [Postmark](https://postmarkapp.com), or [Mailgun](https://www.mailgun.com). This is the best way to ensure mail is actually delivered.
* You may need an external cron trigger for some CMSes.
* Debugging Let’s Encrypt failures requires viewing the `ddev-router` logs with `docker logs ddev-router`.
* A malicious attack on a website hosted with `use_hardened_images` will likely not be able to do anything significant to the host, but it can certainly change your code, which is mounted on the host.

When `use_hardened_images` is enabled, Docker runs the web image as an unprivileged user, and the container does not have sudo. However, any Docker server hosted on the internet is a potential vulnerability. Keep your packages up to date and make sure your firewall does not allow access to ports other than (normally) 22, 80, and 443.

There are no warranties implied or expressed.
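
To check the advice above about ports 22, 80, and 443 against what is actually listening (Docker publishes container ports through its own iptables rules, which `ufw` rules do not filter), this added example, which is not part of the DDEV docs, audits `ss -H -tln` output for non-loopback TCP listeners outside an allow list. The function names and the sample socket table are constructed for illustration and do not describe what DDEV itself exposes.

```shell
#!/usr/bin/env bash
# Added example (not from the DDEV docs): flag TCP listeners bound to a
# non-loopback address on a port outside the allow list (normally 22, 80, 443).

# unexpected_listeners "<allowed ports>"
# Reads `ss -H -tln` output on stdin and prints each offending local
# address:port once, sorted.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 == "LISTEN" {
            sock = $4                          # local address:port column
            port = sock; sub(/.*:/, "", port)  # text after the last colon
            addr = substr(sock, 1, length(sock) - length(port) - 1)
            # Loopback-only listeners are not reachable from the internet.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) print sock
        }' | LC_ALL=C sort -u
}

# Constructed sample of `ss -H -tln` output (hypothetical host, not real data).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:32770      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096            [::]:3306          [::]:*
EOF
}

# Demo on the constructed sample. On a real server, run instead:
#   ss -H -tln | unexpected_listeners "22 80 443"
sample_ss_output | unexpected_listeners "22 80 443"
```

Any line it prints is a listener to either close, bind to loopback, or block upstream before treating the host as limited to SSH and web traffic.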