Ask HN: How to build, deploy and maintain a web application?

8 points by zwnow ↗ HN
Hey HN!

I know this is a very broad question that allows many opinionated answers. To give some context as to why I am asking this:

I am a junior developer with 3 years of experience. My main line of work is programming ERP-Systems, so no web dev at all. In the next 2 weeks I will quit my job to join a startup owned by a friend of mine. I will be the only developer starting out, so I will have a lot of decisions to make.

In my time off, I learned a lot about how to build full stack apps. But none of them were production grade apps with security considerations, auth and so on...

My new job will require me to rebuild the frontend of the current system and later on decouple the API from wordpress to have a independent application.

I try to prepare for that role as much and as good as I can. This job creates many risks for me and I want to succeed and do it right.

Currently I am learning about auth, route guards, general deployment with Nginx, HTTPS, general system design and so on.

This is where my question comes into play.

I can not seem to find good guidance regarding on how to actually deploy a production grade web app. Full stack courses often disregard security concerns to simplify the code. Deployment often just uses some 3rd party vendor that does the heavy lifting for you. I have no mentor to ask about all of this, no guidance if I am doing right. So by asking this questions I am hoping for general guidelines on what to look out for. Maybe resources that help me with specifics.

18 comments

[ 3.0 ms ] story [ 49.8 ms ] thread
given your experience i believe using azure web apps with an api gateway will get you a good runway. you can deploy to Azure directly from github actions and configure api gateway along with Azure AD to handle auth and security.
Azure is what we use at work, but if I am completely honest, I want to move away from Windows/Microsoft.
If you're already using Azure, they offer Linux stuff too. You can move away from Windows without moving away from Microsoft (if you want to). Or you can find equivalent services on AWS or Gcloud, or more abstracted ones like Vercel or Netlify (who whitelabel and value-add features & ease of use on top of big clouds).
i'm using azure, aws and gcp at work and personal projects. i recommend azure for better management UX and relatively transparent cost and billing management. once you setup your infrastructure as code you can move anything but the vendor specific services easily. Azure AD is easy to migrate from, API gateway not so much.
Backend:

Stick with the LAMP/LEMP stack. It's not perfect, but if you're moving from WordPress (which uses the LAMP/LEMP stack) then sticking with it will make the move less painful.

In terms of a framework. Laravel is a good idea for RAD, although Symfony is a fine choice too!

---

Frontend:

Assuming is has to be a SPA: Use whatever you know best. React, Vue, or Angular are fine. Laravel seems to prefer Vue slighty?

If you can get away with SSR: Use a templating system. Assuming you're using PHP, you could use Blade (for Laravel) or Twig (for Symfony).

---

In terms of hosting and deploying, use one big VM for as long as possible. It's not better, but it's simpler... and I'd say you've got a lot on your plate!

---

But to answer your original question:

If you stick with LAMP/LEMP and a framework, there is so much documentation (and so many guides) that you will be able to figure out what to do. :)

This helps a ton, I appreciate it, thanks! Planning to stick with LEMP stack unless I find a reason not to. Gonna work with Vue as I already know it.
Just reinforcing to stick with as much stuff you already know since you'll be learning about other areas. SANS web application security principles are a good start: https://www.sans.org/cloud-security/securing-web-application...

Another thing to look into might be a provider like CloudFlare which will take care of a lot of things for you. You might be thinking "who would DDos my little site/app?" I don't think anything is immune and this (or other providers) at least give you time back to focus on building your app. Its probably super cheap for small traffic domains to start with too. Its okay to not know the nitty gritty details of something not core to what you're building. Think of services like that in the beginning to just purchase/subscribe to and revisit later.

If you want to use LEMP, I'd look into at least abstracting the lower parts of the stack (mainly the L and E, maybe the M too) into vendor-supported services. You can use Google App Engine to host the PHP code on managed auto-scaling infra, DigitalOcean or another hosted MySQL, or virtualize the whole thing using something like Cloudways.

The more you can offload to managed services, the more time you can spend coding application logic (the P part) instead of managing OS and SQL servers updates, Nginx rules, etc. A lot of that is commoditized these days and managed by specialized companies & people & scripts who can do it cheaper, faster, and better than you (if you don't have much experience).

There are legit use cases for rolling your own infra (or rolling your own everything), but "I'm a new solo web dev needing to launch a startup web app" probably isn't one of them. Any one part of that stack (LEMP) can require a lot of knowledge and setup and regular maintenance, and doing those things without downtime can be difficult, especially without a mentor/partner to help you. If you're a one-dev shop / tiny startup, let the specialized vendors take some load off while you grow. You can always in-house the stack later, once you can afford more experienced people (or you yourself get more experience).

Your best bet on app security is to not create vector attacks. For example running your own auth system.

But if you just wanna learn the current "best practices", learning nextjs will put in the same position that most full stack and frontend programmers are currently (I hate nextjs and wouldn't get anywhere close to it tho)

I will use Vue js as I like it a lot. Won't run my own auth and I already implemented client side auth with auth0 and Vue. But I wouldn't know how to let people auth server side for example. Auth is a really deep rabbit hole and unfortunately not very well explained. All I hear is "use this" but there is no one telling you why, or why not. And how to actually implement it beside the tutorials. Even with docs auth0 seemed very confusing, especially when it's uncertain on what user info I actually get from it...
You could use Amazon Cognito which is like auth0 but more low level, to implement it you'll learn more about Auth.
Deploying a Production Grade Web App is very subjective and can be done in may different ways. Some of it also depends on the specific tech stack you are using (JS vs PHP etc).

What you need is to first learn some basics of few things:

- Web Servers (nginx, Apache, Caddy etc). They usually process request and then pass them on to what we usually call "App Servers". For some languages like PHP, you will need additional service like PHP-FPM or Wsgi for Python as web servers like nginx/caddy cannot directly process those.

- App/API Server. The server actually running the application and/or APIs (.e.g a PHP or PYthon or Typescript app).

- Load Balancers: Optional but usually a good idea for Production grade apps where you at least have 2 App Servers under the Load Balancer. Some platforms can auto scale it. For example, AWS ECS (using containers) or Heroku (dynos). Usually these are the entry points for an external User Request.

- Database server: Usually where you Db is hosted. Most people go with hosted solutions such as AWS RDS etc.

- A way to deploy your code changes to the App Servers. Usually connected with a version control like Git. Fancy term is CI/CD where you can do code changes automatically through Git etc using certain configuration files.

Note that technically, you can do all of the above on an actual single hardware/machine but usually they are set up separate.

However, before deploying, you need to build. For someone like you, I highly suggest starting with a tested framework with batteries included (e.g. Laravel for PHP, Django for Python, rails for Ruby etc). These frameworks also provide great deployment options. For example, laravel has forge which basically does everything for you in terms of deployment. Everything else will be noise for you including things like Kubernetes etc. Don't even worry about those until you have a need (most don't).

What exactly will the webapp do? What kind of auth do you need?

IMO if you have no production web app experience and you're a solo dev, you shouldn't be rolling your own. There are many footguns along the way, security and performance issues, deliberate attacks, bots, etc. It can become a full-time job just keeping the website up and running. That's fine if your goal is to learn, but if you just want to launch something ASAP, well, we've had two decades of Web productizations and you can pretty much one-click deploy a website these days.

I'd look into more ready-built solutions like Vercel/Netlify, AWS Amplify, Google Firebase (or maybe App Engine), Shopify, etc. There's probably some vendor that offers what you want for very cheap (but it's not clear to me what you want... more details would help).

True, you won't learn as much this way as rolling your own from the ground up, but I don't think your startup's production website should also be your personal learning project... maybe first get it up and running on a vendor supported service, then slowly replace each piece of it (like one system or API route at a time, or whatever) as you gain knowledge?

Otherwise if you DIY it and you have no mentor and no fallback, if and when something breaks, you'll have to debug it while production is down and your customers are screaming at you. That's no fun.

You can also hire someone with more experience and have them architect and deploy the initial system, then you can co-learn and help maintain and iterate it afterward.

I don't think it's a good idea to just YOLO this for a production commercial site. Too many things can and will go wrong.

"I'd look into more ready-built solutions like Vercel/Netlify, AWS Amplify, Google Firebase (or maybe App Engine), Shopify, etc. There's probably some vendor that offers what you want for very cheap (but it's not clear to me what you want... more details would help)."

That's unfortuneately the issue I have. I want to learn how to actually deploy and manage a site, not how to throw some files to some vendor and let them lift it. I mean, I will have to use some kind of vendor to do it, as I wont use the project to learn. It also wont be a site with tons of traffic, so people won't scream at me if it's down for 5 minutes.

To me it just feels wrong to give away management and maintanance tasks to some vendor. It just racks up bills.

If you want to experiment on your own, you can easily spin up a simple LEMP stack with MAMP or XAMPP in a few clicks, and then configure each service to your liking.

I don't think there is any business value in maintaining a site that way for a small biz (I think "you don't know what you don't know" applies here, and there are a lot of issues you'll have to solve along the way that you might not have considered upfront). There's certainly educational value. But can't you do that on your own and learn in a lower-risk environment with a side project, instead of making your company's production website reliant on it?

If you really don't want to do that, sure, you can still roll your own and either just deploy the whole thing as-is (uploading files and mirroring DBs, etc.) or containerizing it with Docker. For making a reproducible LEMP stack that can be easily transferred to another host, also consider the free tool Lando: https://lando.dev/ It is a CLI wrapper around Docker, specifically for making it easier to deploy containerized LEMP stacks reproducibly.

Managing a webserver is such a simple but time consuming effort that you will soon see that using a PaaS is better. But it is worth knowing what they do to serve your website. I definitely don't miss managing apaches and nginxes.
This is what you seek... Don't try do it all(aka reinventing the wheel), especially if you are it(programmer-wise that is). Scalability(saas) summary/intro video:https://youtu.be/mbiHPHT1FQs?si=_GMyQaZsvabnYyor ... and he has this "if I was forced to host on a vps" video as well(which I think is where you are right now): https://youtu.be/pAtLsJAz0jQ?si=KNeozMHo4J-GYnwt ... bonus point.. you may need to beef up on your CI/CD..(psst..trade secret.. you only need CI.. really..lol..). https://youtu.be/42UP1fxi2SY?si=dPjVL26eT3WSzMUu ..... Bottom line dude... youtube is your friend!! If you want something more structured, you can always resort to the paid videotuts.. with your silo programming background, you're not really starting fromm zero...which is a good thing.
Like most cases, the answer is always “it depends”. Without knowing too much about the application and the state of the startup (do you have users? do you have funding-related milestones or are you bootstrapping?), it’s tricky to recommend a production stack off the bat.

Most basic versions of production web apps could be backends coupled with an ORM like Ruby on Rails/Django/Spring/etc. No need to complicate things by splitting the front-end since you’re the only developer and your experience is ERP. Pick a tech that you’re strong with and reuse popular battle-proof libraries. Deploy to application platforms and offload the infrastructure management if your startup can afford it.

You can also leverage fractional CTO services to help guide you through the process. Personally, I’ve mentored a few junior developers on an ad-hoc, hourly basis to help them build out their expertise.