Running in production

After you have successfully tested your service locally, you can run the service in production.

This means setting the PRODUCTION=1 environment variable, which makes the server output its logs in JSON format so they can be fed into a log parser and filtered.

Disabling existing SSH

Because the DocEvent server (in production) runs an SSH server on port 22, you must move your existing SSH server from port 22 to another port.

The best way to do this depends on your production operating system, so search for instructions specific to it, and ensure the configuration remains after a reboot.

Recommended flags

PRODUCTION=1

When the environment variable PRODUCTION=1 is set, the server outputs all logs in JSON format for parsing.

The server will also check that you are not using the default test settings, and will require you to set the other parameters defined below in this document.

-sshkeyfile

You must use your own SSH key file. This key file can be generated using a command like so:

ssh-keygen -P "" -f mykey

The mykey file will contain your newly generated SSH key. This key should remain the same for the life of the server; otherwise users will get a host key verification error when connecting to your server.

If using Windows, you can generate a host key using PuTTYgen; a tutorial for this is located on the ssh.com website.

-tlscert and -tlskey

These 2 options specify the SSL certificate and SSL private key to use for encrypted FTPS connections.

The certificate and key can be generated manually using openssl like so:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

However, it is recommended that you use an SSL certificate from a verified certificate provider like RapidSSL. We recommend Let's Encrypt, as it is free, but its certificates need to be renewed more regularly than a paid certificate.

-publicip

This is the public IP address of your server as seen by users who are attempting to connect.  

This is used for passive FTP/S connections, and is a required field when running in production mode.

If running behind a load balancer this needs to be the public IP of the server, not the public IP of the load balancer.

-passiveports21 and -passiveports990

These options define the ports that the server uses to accept passive FTP connections from clients.

The value is a port range, for example 2030-2039.

It is important that the port ranges for these two options do not overlap.

-port21, -port22 and -port990

The recommended values for these are 21, 22 and 990 respectively.
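
A pre-flight check for the passive port settings described above, as an added example that is not part of DocEvent or the original article: it rejects malformed or overlapping -passiveports21 / -passiveports990 values before the server is started. The function names are hypothetical, and the rule that a passive range must not contain the listener ports 21, 22 or 990 is an added assumption, not a documented DocEvent requirement.

```shell
#!/bin/sh
# Added example (not DocEvent code): pre-flight check for the values passed to
# -passiveports21 and -passiveports990. Function names are hypothetical.

# parse_range "2030-2039" prints "2030 2039"; fails on malformed input.
parse_range() {
    case "$1" in
        ""|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;   # empty, junk, stray hyphens
        *-*) ;;                                  # exactly one LOW-HIGH pair
        *) return 1 ;;                           # single port, not a range
    esac
    lo=${1%-*}; hi=${1#*-}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    echo "$lo $hi"
}

# check_passive RANGE21 RANGE990 returns 0 only if both ranges are well formed,
# do not overlap, and (an added assumption) do not contain the listener ports
# this page recommends: 21, 22 and 990.
check_passive() {
    a=$(parse_range "$1") || { echo "bad -passiveports21: $1" >&2; return 1; }
    b=$(parse_range "$2") || { echo "bad -passiveports990: $2" >&2; return 1; }
    set -- $a $b    # now $1 $2 = first range, $3 $4 = second range
    if [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; then
        echo "passive ranges overlap: $1-$2 and $3-$4" >&2; return 1
    fi
    for p in 21 22 990; do
        if { [ "$p" -ge "$1" ] && [ "$p" -le "$2" ]; } ||
           { [ "$p" -ge "$3" ] && [ "$p" -le "$4" ]; }; then
            echo "listener port $p falls inside a passive range" >&2; return 1
        fi
    done
    return 0
}

# Stand-alone use: sh preflight.sh 2030-2039 2040-2049
if [ "$#" -eq 2 ]; then
    check_passive "$1" "$2" || exit 1
    echo "passive port ranges OK"
fi
```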

Disabling FTP

Some customers prefer to only use SFTP and not allow any FTP connections through the firewall.

In this case FTP configuration for SSL is still required, but can be left at the default values.

Simply blocking access to the FTP server with the local iptables firewall is enough to ensure customers cannot access FTP.

  1. Mariusz
