Building Back Better

Rebuilding all our virtual servers onto new hosting has been an educational experience, and as you might expect, very different to the first time round in 2009.

Here are a few things we changed:

  • Let’s Encrypt now exists, so all Internet-facing services are protected by SSL/TLS.
  • We took this a stage further and decided most web servers will cease to listen on port 80 and redirect. Recent changes to Chrome make it an ideal time to tighten this up.
  • DNSSEC is enabled on all our domains
  • We’ve rolled out SPF in more places and we’re looking at DANE for e-mail

One thing which I’m pleased to say didn’t change was IPv6: we had it working in 2009, and we have it working now.

Some of us have taken it a stage further and are running IPv6-only VMs with a bit of help from Cloudflare and Mythic Beasts’ proxy. I’m finding it pretty liberating only having to reason about a single stack, and if I were building a new “back end” network today, I’d give it serious consideration.

Updated:

You May Also Enjoy

Meaco’s dehumidifiers

It’s a very boring thing to spend money on, but a dehumidifer can come in handy. In my case, even leaving the windows open a crack all day, leaking expensive...

The Arzopa 14 inch portable monitor

This is a simple idea which was pointed out to me by a friend, but I’d completely missed it. Which is unfortunate given that twice in the past week, I’ve bee...