Production settings - Githubissues

oshiryaeva commented 6 years ago

Document the recommended production settings:

Tomcat (local.app.properties etc),
production mode ON for vaadin in web.xml
production mode ON for REST API
unset auto-filled default login and password
(optional) if app is running under nginx, the correct version of proxy http and certain headers should be set, otherwise, websockets will not start up, and vaadin will fall into long polling (this can be detected in JS console)

The real question from a client: We want to deploy the portal app on a separate tomcat instance on a different physical server. What config needs to be set for it to know the location of the core app?

alexbudarov commented 4 years ago

My recommendations, mostly from Sherlock experience:

1) app.properties

# Disable query cache if you don't use it
cuba.queryCache.enabled = false

# Change this value from default one, also in web and portal modules
cuba.trustedClientPassword = abcdefgh

# Change this value from default one
cuba.keyForSecurityTokenEncryption = xxxxxxxxxxxxxxxx

# Move file storage out of tomcat / application home to a large disk partition
# It will ease e.g. application server update
cuba.fileStorageDir = /opt/large-disk/filestorage

# Cluster. Decrease unnecessary jgroups traffic:
cuba.userSessionSendTimeoutSec = 120

# Cluster. Decrease unnecessary lock contention in UserSessions bean
cuba.userSessionTouchTimeoutSec = 30

# Cluster. Turn on if you use cluster and round-robin balancing of requests to middleware
# (or portal module -> middleware)
cuba.syncNewUserSessionReplication = true

2) web-app.properties:

# Use empty login and password on login page:
cuba.web.loginDialogDefaultUser = <disabled>
cuba.web.loginDialogDefaultPassword = <disabled>

# Disable triggers for communication with Studio
cuba.triggerFilesCheck = false

# Change this value from default one, also in portal modules
cuba.trustedClientPassword = 87c1a9b126b50b2670103bf88f479e9f

# Changes some Vaadin behavior
cuba.web.productionMode = true

3) Database settings

# SMTP server settings
cuba.email.*

# Enable and tune brute-force protection settings
cuba.bruteForceProtection.enabled = true
cuba.bruteForceProtection.maxLoginAttemptsNumber
cuba.bruteForceProtection.blockIntervalSec

# Set support email to send exception reports
cuba.supportEmail = tech-support@mysoftware.com

# System ID for support emails
cuba.systemId = My Glorious Startup / Production / AWS North America

# External URL to your system
cuba.webAppUrl = https://mysuperstartup.com/app

# Audit. Enable user session log
cuba.userSessionLogEnabled = true

# Convenience and performance. Enable reports background processing (and ability to cancel)
reporting.useBackgroundReportProcessing = true

# Audit. Enable reports execution history (7.2+)
reporting.executionHistory.enabled = true

# Optional security. Enable password complexity policy.
cuba.passwordPolicyEnabled = true
cuba.passwordPolicyRegExp

# Move FTS indexes out of tomcat / application home to a separate folder
# It will ease e.g. application server update
fts.indexDir = /opt/lucene-indexes

# If you use cluster - you can setup separate independent Lucene indexing per node
# But this is a long story
fts.indexingHosts = app1:8080/app-core|app2:8080/app-core

4) JVM options

# Memory
-Xmx4096m
-XX:+HeapDumpOnOutOfMemoryError

# low-pause garbage collector
-XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled

# always log exception stacktrace
-XX:-OmitStackTraceInFastThrow

# gargage collection logs (example for tomcat setenv.sh)
CATALINA_OPTS="$CATALINA_OPTS -Xloggc:$CATALINA_HOME/logs/gc-`date +%x|tr / .`.log"
CATALINA_OPTS="$CATALINA_OPTS -XX:+PrintGCDetails"
CATALINA_OPTS="$CATALINA_OPTS -XX:+PrintGCTimeStamps"
CATALINA_OPTS="$CATALINA_OPTS -XX:+PrintGCDateStamps"
CATALINA_OPTS="$CATALINA_OPTS -XX:-PrintTenuringDistribution"
CATALINA_OPTS="$CATALINA_OPTS -XX:+PrintGCCause"
CATALINA_OPTS="$CATALINA_OPTS -XX:+PrintGCApplicationStoppedTime"
CATALINA_OPTS="$CATALINA_OPTS -XX:+UseGCLogFileRotation"
CATALINA_OPTS="$CATALINA_OPTS -XX:NumberOfGCLogFiles=5"
CATALINA_OPTS="$CATALINA_OPTS -XX:GCLogFileSize=10M"

# if you don't control your server's environment, set locale and time zone settings
-Duser.timezone=Europe/London
-Duser.language=en -Duser.country=GB
-Dfile.encoding=UTF-8

5) jgroups.xml if you use cluster TODO. Tcp config is recommended? With zookeeper if you want flexible nodes adding / removal ? UDP config - only if all your server nodes sit (and WILL stay) in the same dedicated server rack, where you are absolutely sure that UDP works and will not stop working some day.

alexbudarov commented 4 years ago

web client and web portal blocks where REST API is enabled:

cuba.rest.client.id = xxx
cuba.rest.client.secret = yyy

requirements: https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

cuba-platform / documentation

Production settings #15