DAW/furt
2
0
Fork 0
Code Issues 11 Pull requests Projects Releases 3 Packages 1 Wiki Activity Actions
furt/furt-lua/production_checklist.md
michael 901f5eb2d8 feat(auth): implement complete API-key authentication with modular architecture (#47) 
- Add comprehensive API-key authentication system with X-API-Key header validation
- Implement permission-based access control (mail:send, * for admin)
- Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP)
- Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each)
- Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8)
- Implement Hugo integration with CORS support for localhost:1313
- Add production-ready configuration with environment variable support
- Create comprehensive testing suite (auth, rate-limiting, stress tests)
- Add production deployment checklist and cleanup scripts

This refactoring transforms the API gateway from a single-file monolith into a
biocodie-compliant modular architecture while adding enterprise-grade security
features. Performance testing shows 79 RPS concurrent throughput with <100ms
latency. Hugo contact form integration tested and working. System is now
production-ready for deployment to walter/aitvaras.

Resolves #47
2025-06-24 22:01:38 +02:00

139 lines
No EOL
3.8 KiB
Markdown
Raw Blame History

# Furt API-Gateway Production Deployment Checklist
## 🔐 Security Configuration
### API Keys
- [ ] Generate secure API keys (32+ characters)
- [ ] Set HUGO_API_KEY in .env.production
- [ ] Set ADMIN_API_KEY in .env.production
- [ ] Remove/change all development keys
- [ ] Verify API key permissions in config/server.lua
### CORS Configuration
- [ ] Set production domains in CORS_ALLOWED_ORIGINS
- [ ] Remove localhost/development origins
- [ ] Test CORS with production domains
### Endpoints
- [ ] Disable test endpoint (ENABLE_TEST_ENDPOINT=false)
- [ ] Remove any debug endpoints
- [ ] Verify only required endpoints are exposed
## 📧 SMTP Configuration
- [ ] Configure production SMTP server
- [ ] Test SMTP authentication
- [ ] Set proper FROM and TO addresses
- [ ] Verify mail delivery works
- [ ] Test mail sending with rate limits
## 🔧 Server Configuration
### Environment
- [ ] Copy .env.production to .env
- [ ] Set GATEWAY_HOST (127.0.0.1 for internal)
- [ ] Set GATEWAY_PORT (8080 default)
- [ ] Set LOG_LEVEL to "warn" or "error"
### Performance
- [ ] Verify rate limits are appropriate
- [ ] Test concurrent load handling
- [ ] Monitor memory usage under load
- [ ] Test restart behavior
## 🛡️ Security Testing
### Authentication
- [ ] Test invalid API keys return 401
- [ ] Test missing API keys return 401
- [ ] Test permission system works correctly
- [ ] Test IP restrictions (if configured)
### Rate Limiting
- [ ] Test rate limits trigger at correct thresholds
- [ ] Test 429 responses are returned
- [ ] Test rate limit headers are present
- [ ] Test rate limit cleanup works
## 🚀 Deployment
### File Permissions
- [ ] Lua files readable by server user
- [ ] .env file protected (600 permissions)
- [ ] Log directory writable
- [ ] No world-readable sensitive files
### Process Management
- [ ] Configure systemd service (if applicable)
- [ ] Test automatic restart on failure
- [ ] Configure log rotation
- [ ] Set up monitoring/health checks
### Reverse Proxy (if applicable)
- [ ] Configure nginx/apache reverse proxy
- [ ] Set up SSL termination
- [ ] Configure rate limiting at proxy level
- [ ] Test proxy → furt communication
## 📊 Monitoring
### Health Checks
- [ ] /health endpoint responds correctly
- [ ] Set up external monitoring (e.g., Uptime Kuma)
- [ ] Configure alerting for service down
- [ ] Test health check under load
### Logging
- [ ] Configure appropriate log level
- [ ] Set up log rotation
- [ ] Monitor log file sizes
- [ ] Review error patterns
### Metrics
- [ ] Monitor request rates
- [ ] Monitor response times
- [ ] Monitor memory usage
- [ ] Monitor SMTP connection health
## 🧪 Integration Testing
### Hugo Integration
- [ ] Test contact forms submit successfully
- [ ] Test error handling displays correctly
- [ ] Test rate limiting shows user-friendly messages
- [ ] Test CORS works with production domains
### Mail Delivery
- [ ] Send test emails through all forms
- [ ] Verify emails arrive correctly formatted
- [ ] Test email content encoding
- [ ] Test attachment handling (if applicable)
## 📝 Documentation
- [ ] Document API endpoints for other developers
- [ ] Document configuration options
- [ ] Document troubleshooting procedures
- [ ] Document backup/restore procedures
## 🔄 Backup & Recovery
- [ ] Document configuration files to backup
- [ ] Test service restart procedures
- [ ] Document rollback procedures
- [ ] Test recovery from configuration errors
## ✅ Final Verification
- [ ] All API endpoints respond correctly
- [ ] All security measures tested
- [ ] Performance meets requirements
- [ ] Monitoring and alerting configured
- [ ] Documentation complete
- [ ] Team trained on operations
---
**Last Updated:** $(date +%Y-%m-%d)
**Deployed By:** _______________
**Deployment Date:** _______________
Reference in a new issue View git blame Copy permalink