- Remove Go artifacts (cmd/, internal/, pkg/, go.mod)
- Move furt-lua/* content to repository root
- Restructure as clean src/, config/, scripts/, tests/ layout
- Rewrite README.md as practical tool documentation
- Remove timeline references and marketing language
- Clean .gitignore from Go-era artifacts
- Update config/server.lua with example.org defaults
- Add .env.production to .gitignore for security

Repository now ready for open source distribution with minimal, focused structure and generic configuration templates.

close issue DAW/furt#86
3.8 KiB
Furt API-Gateway Production Deployment Checklist
🔐 Security Configuration
API Keys
- Generate secure API keys (32+ characters)
- Set HUGO_API_KEY in .env.production
- Set ADMIN_API_KEY in .env.production
- Remove/change all development keys
- Verify API key permissions in config/server.lua
CORS Configuration
- Set production domains in CORS_ALLOWED_ORIGINS
- Remove localhost/development origins
- Test CORS with production domains
Endpoints
- Disable test endpoint (ENABLE_TEST_ENDPOINT=false)
- Remove any debug endpoints
- Verify only required endpoints are exposed
📧 SMTP Configuration
- Configure production SMTP server
- Test SMTP authentication
- Set proper FROM and TO addresses
- Verify mail delivery works
- Test mail sending with rate limits
🔧 Server Configuration
Environment
- Copy .env.production to .env
- Set GATEWAY_HOST (127.0.0.1 for internal)
- Set GATEWAY_PORT (8080 default)
- Set LOG_LEVEL to "warn" or "error"
Performance
- Verify rate limits are appropriate
- Test concurrent load handling
- Monitor memory usage under load
- Test restart behavior
🛡️ Security Testing
Authentication
- Test invalid API keys return 401
- Test missing API keys return 401
- Test permission system works correctly
- Test IP restrictions (if configured)
Rate Limiting
- Test rate limits trigger at correct thresholds
- Test 429 responses are returned
- Test rate limit headers are present
- Test rate limit cleanup works
🚀 Deployment
File Permissions
- Lua files readable by server user
- .env file protected (600 permissions)
- Log directory writable
- No world-readable sensitive files
Process Management
- Configure systemd service (if applicable)
- Test automatic restart on failure
- Configure log rotation
- Set up monitoring/health checks
Reverse Proxy (if applicable)
- Configure nginx/apache reverse proxy
- Set up SSL termination
- Configure rate limiting at proxy level
- Test proxy → furt communication
📊 Monitoring
Health Checks
- /health endpoint responds correctly
- Set up external monitoring (e.g., Uptime Kuma)
- Configure alerting for service down
- Test health check under load
Logging
- Configure appropriate log level
- Set up log rotation
- Monitor log file sizes
- Review error patterns
Metrics
- Monitor request rates
- Monitor response times
- Monitor memory usage
- Monitor SMTP connection health
🧪 Integration Testing
Hugo Integration
- Test contact forms submit successfully
- Test error handling displays correctly
- Test rate limiting shows user-friendly messages
- Test CORS works with production domains
Mail Delivery
- Send test emails through all forms
- Verify emails arrive correctly formatted
- Test email content encoding
- Test attachment handling (if applicable)
📝 Documentation
- Document API endpoints for other developers
- Document configuration options
- Document troubleshooting procedures
- Document backup/restore procedures
🔄 Backup & Recovery
- Document configuration files to backup
- Test service restart procedures
- Document rollback procedures
- Test recovery from configuration errors
✅ Final Verification
- All API endpoints respond correctly
- All security measures tested
- Performance meets requirements
- Monitoring and alerting configured
- Documentation complete
- Team trained on operations
Last Updated: $(date +%Y-%m-%d)
Deployed By: _______________
Deployment Date: _______________