The aim of this guide is to help you get the best possible experience and
performance from your Snapt One instance. Below, we give you advice and tips for
getting the most out of your infrastructure and Snapt One configuration.
Snapt One systems attempt to be as secure as possible at all times. By far the most secure system, though, is one that is unreachable: over the past few years, there have been far more vulnerabilities in “standby services” such as SSH, PHP, web servers and so on than there have been in our Web Accelerator or Load Balancer. This means that the majority of the security patches we issue address problems that are only a risk to openly reachable servers.
Snapt One images from 2015 onwards include SSL on port 8081 and HTTP on port 8080 for legacy users. We advise completely blocking port 8080 on your firewall and restricting access to port 8081 to local ranges, or at least to a select few public IPs. This protects against an unknown vulnerability in the Snapt One interface, or the web server it runs on, and also prevents unauthorized access due to weak passwords and so on.
SSH access is provided purely for recovery and debugging purposes – in daily operations, there is no requirement for it. For this reason, you can completely disable it in the interface, and we advise doing so. Firewalling port 22 is also a good idea.
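One way to confirm the firewall actually enforces the port advice above (8080 and 22 blocked, 8081 reachable only from management ranges) is to probe the instance from a known vantage point and compare the result with the policy. This is an added example, not Snapt code; the script name, function names and the CIDR form of the management ranges are assumptions.

```python
import ipaddress
import socket
import sys

# Ports named in the guide: legacy HTTP UI, SSL UI, SSH.
HTTP_UI, SSL_UI, SSH = 8080, 8081, 22


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expected_open(port, source_ip, mgmt_ranges):
    """Guide's policy: 8080 and 22 blocked for everyone; 8081 reachable
    only from the management ranges (assumed to be given in CIDR form)."""
    if port != SSL_UI:
        return False
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(r) for r in mgmt_ranges)


def audit(host, source_ip, mgmt_ranges, probe=port_open):
    """Compare what this vantage point can reach with the policy."""
    findings = []
    for port in (HTTP_UI, SSL_UI, SSH):
        want = expected_open(port, source_ip, mgmt_ranges)
        got = probe(host, port)
        if got and not want:
            findings.append((port, "reachable, should be blocked from here"))
        elif want and not got:
            findings.append((port, "blocked, should be reachable from here"))
    return findings


if __name__ == "__main__":
    # Usage: audit.py <instance> <this machine's source IP> <cidr> [<cidr> ...]
    if len(sys.argv) < 4:
        sys.exit("usage: audit.py HOST SOURCE_IP MGMT_CIDR [MGMT_CIDR ...]")
    problems = audit(sys.argv[1], sys.argv[2], sys.argv[3:])
    for port, message in problems:
        print(f"port {port}: {message}")
    sys.exit(1 if problems else 0)
```

Run it once from inside a management range and once from an outside address; the second run is the one that shows whether port 8081 is really restricted.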
If you are using your own operating system, it is critical that you apply any system patches, especially for libraries used by the product, such as OpenSSL. With the Snapt One 2015 image, you have a System Patches section where you can apply patches in the interface. These should always be checked and applied!
When deploying Snapt One as a single instance, it can be provisioned directly on
a public IP address. However, when a redundant configuration of more than one Snapt One instance is deployed, it is recommended to place these behind a firewall. This will allow simpler management of firewall configurations, protecting your instances from unwanted traffic by managing them from one place.
Network Interface Card (NIC)
Ensure the Network Interface Card (NIC) assigned to your Snapt One VM(s) on your
hypervisors is the correct type for optimal performance, such as the E1000
NICs available on VMware. Otherwise, your network may become your
bottleneck, as other NICs typically have a maximum throughput of 100 Mbps.
Utilize appropriate monitoring tools for your infrastructure, such as those
provided by your hypervisor, hosting provider and IT department in addition
to the alerting options within Snapt One.
Whilst on-the-fly compression of your web content using the Web Accelerator can
provide a significant boost in the performance of your web application, it is
important to note that some content such as videos may not benefit as much
as text, for example. Compressing these types of content may result in higher
than necessary CPU utilization on your Snapt One instance, thereby outweighing
the potential benefit.
You should ensure the correct content is cached when using the Web Accelerator.
Consider setting a “never cache” option for staging areas or frequently
edited internal environments. Similarly, ensure that static content is appropriately cached, as this will result in fewer requests to your web servers/load balancer, facilitating more traffic with less load.