
I'll first start off by saying I'm no sysadmin or by any means knowledgeable on servers, I'm just a developer tasked with the job of setting up the infrastructure for a SaaS application I'm working on, so forgive me for not entirely understanding everything. I've been doing a lot of research on this but still need a little guidance.

I'm thinking of using DigitalOcean Droplets for a Laravel application. There will be 3 Droplets, 2 acting as web servers while the 3rd is used as a load balancer, all of which will be set up using Laravel Forge. There will be a DigitalOcean Managed Database which both servers will connect to, as well as DigitalOcean Spaces for assets being delivered through their CDN.

Cloudflare will be used for DDoS protection, but I'm just wondering how this would be set up. I assume it would be best placed on the load balancer, as this is the first link in the chain when viewing/connecting to the site? So a request comes in, Cloudflare handles it, passes the request to the load balancer, which then distributes it to either server, where the server then connects to the Managed Database, thus protecting both servers and the database in one go.

Is this considered a good setup or is there a better way to configure this? I'm also thinking that the Spaces CDN would need additional DDoS protection as it's a separate area but I'm not sure how to best handle this either or if there is a way to use Cloudflare for the Droplet/Database and the CDN.

I've also read about hiding the servers' public IPs, which could otherwise be used to bypass Cloudflare. What steps can I take to prevent this, to give me the best protection against an attack?

no.

1 Answer


Putting Cloudflare in front of the load balancer is the way to go, since then your load balancer only sees "real" traffic. Cloudflare's DDoS protection works by "hiding" your web server behind their Anycast network, which essentially means that the specific IP that Cloudflare serves as the answer to DNS queries for your site is available at over 100 locations around the world, and would-be attackers then can't overwhelm your web servers, since they don't know how to send traffic to them except through Cloudflare.

I'd recommend also looking into using Cloudflare or DigitalOcean for the load balancing part as well, they both offer a dedicated product for this purpose, which is easier to set up and quite a bit more robust. They can also do things like SSL offloading, caching and other things, greatly reducing the load on your web servers.

As for putting Cloudflare in front of the DigitalOcean Spaces CDN, that might be a bit overkill, since DO's CDN should already be quite capable of handling DDoS attacks.

Stuggi
  • Awesome, thanks for the confirmation! So setting the DDoS protection on the load balancer using their Anycast network protects my servers/droplets unless they somehow manage to obtain the IP of those servers to access them directly? I was going to use a Droplet server as a load balancer as it's a couple of clicks to set up using Laravel Forge (https://laracasts.com/series/learn-laravel-forge/episodes/7) but would you advise not doing this? Good to know with the Spaces CDN, it's just I've read of a few people having their assets deleted due to attacks, so just wanted to be extra secure with it. – no. Feb 25 '20 at 16:05
    No worries! I wouldn't recommend especially against any product, I was just bringing these other products to your attention, since they might provide other features, or be faster or cheaper. I'm not overly familiar with Laravel Forge, so I can't really say which one would be "better". :) – Stuggi Feb 27 '20 at 05:45
    Ah ok, looking into it a little more I think Cloudflare has more flexibility in terms of DO's load balancers, since DO's are restricted to the same region as the Droplet, as well as a few other things I've noticed! Thanks again for the help! – no. Feb 27 '20 at 12:13
  • No worries mate! – Stuggi Feb 27 '20 at 15:35
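The answer and the follow-up comment leave the "what if they find the origin IP" case open: Cloudflare only hides the origin as long as the origin itself refuses direct connections. The usual fix is a default-deny firewall on the load balancer (and, behind it, on the web Droplets) that accepts 80/443 only from Cloudflare's published edge ranges, plus an nginx real_ip setting that trusts the CF-Connecting-IP header only from those same ranges, so a direct connection cannot spoof a client address either. The script below is an added example, not code from the question, the answer, Laravel Forge or Cloudflare. It embeds a snapshot of Cloudflare's IPv4 list (which changes; refresh it from https://www.cloudflare.com/ips-v4 and do the same for https://www.cloudflare.com/ips-v6 if the Droplet has an IPv6 address), and uses a constructed admin address 203.0.113.10 as the only source allowed to reach SSH.

```python
"""Origin lockdown for a Cloudflare-fronted load balancer (added example).

Assumptions, none of which come from the original thread:
  - CLOUDFLARE_IPV4 is a snapshot of Cloudflare's published edge ranges;
    refresh from https://www.cloudflare.com/ips-v4 before deploying.
  - ADMIN_SOURCES is a constructed bastion address (TEST-NET-3 space).
  - The host runs nginx and ufw, as a Forge-provisioned Ubuntu Droplet does.
"""
import ipaddress
from typing import List, Tuple

CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed: the only source that may reach SSH on the origin.
ADMIN_SOURCES = ["203.0.113.10/32"]

# A rule is (source network, destination TCP port); anything unmatched is denied.
Rule = Tuple[ipaddress.IPv4Network, int]


def build_rules(cf_ranges=CLOUDFLARE_IPV4, admin_sources=ADMIN_SOURCES) -> List[Rule]:
    """Allow HTTP/HTTPS only from Cloudflare and SSH only from the admin host."""
    rules: List[Rule] = []
    for cidr in cf_ranges:
        net = ipaddress.ip_network(cidr, strict=True)  # strict catches typos
        rules.append((net, 80))
        rules.append((net, 443))
    for cidr in admin_sources:
        rules.append((ipaddress.ip_network(cidr, strict=True), 22))
    return rules


def is_allowed(src_ip: str, dst_port: int, rules=None) -> bool:
    """Default-deny decision: True only if some (network, port) rule matches.

    This models what the firewall does to an attacker who learned the origin
    IP (from DNS history, a leaked header, an outbound mail, etc.) and tries
    to connect to it directly, bypassing Cloudflare.
    """
    rules = build_rules() if rules is None else rules
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net and port == dst_port for net, port in rules)


def ufw_commands(rules=None) -> List[str]:
    """Render the rule set as ufw commands for the load balancer Droplet."""
    rules = build_rules() if rules is None else rules
    cmds = ["ufw default deny incoming", "ufw default allow outgoing"]
    for net, port in rules:
        cmds.append(f"ufw allow proto tcp from {net} to any port {port}")
    cmds.append("ufw --force enable")
    return cmds


def nginx_real_ip(cf_ranges=CLOUDFLARE_IPV4) -> str:
    """nginx http{} snippet: trust CF-Connecting-IP only from Cloudflare.

    Without set_real_ip_from limited to these ranges, anyone reaching the
    origin directly could forge the client address Laravel logs and rate-limits on.
    """
    lines = [f"set_real_ip_from {cidr};" for cidr in cf_ranges]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines)


if __name__ == "__main__":
    print("# firewall")
    print("\n".join(ufw_commands()))
    print("\n# /etc/nginx/conf.d/cloudflare-realip.conf")
    print(nginx_real_ip())
    # A direct hit from a non-Cloudflare address (TEST-NET-2) is dropped.
    print("\ndirect 198.51.100.7 -> 443 allowed:", is_allowed("198.51.100.7", 443))
```

Run it on a workstation and paste the two outputs into the Droplet's firewall (Forge's firewall UI manages ufw, so the same allow-from rules can be entered there) and nginx config. Behind the load balancer, the two web Droplets get the same default-deny treatment with only the load balancer's address allowed on 80/443; the managed database likewise should only accept connections from those Droplets. If Cloudflare's own load balancer is used instead of the Droplet, the allowlist stays the same because the health checks and proxied traffic still come from the published ranges.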