Rebuilding all our virtual servers onto new hosting has been an educational experience, and as you might expect, very different to the first time round in 2009.
Here are a few things we changed:
- Let’s Encrypt now exists, so all Internet-facing services are protected by SSL/TLS.
- We took this a stage further and decided most web servers will cease to listen on port 80 and redirect. Recent changes to Chrome make it an ideal time to tighten this up.
- DNSSEC is enabled on all our domains.
- We’ve rolled out SPF in more places and we’re looking at DANE for e-mail.
One thing which I’m pleased to say didn’t change was IPv6: we had it working in 2009, and we have it working now.
Some of us have taken it a stage further and are running IPv6-only VMs with a bit of help from Cloudflare and Mythic Beasts’ proxy. I’m finding it pretty liberating only having to reason about a single stack, and if I were building a new “back end” network today, I’d give it serious consideration.