Deployment Guide
Complete guide for deploying the CAS authentication system to production
System Requirements
Minimum Requirements
- CPU: 2 vCPUs (4 vCPUs recommended)
- RAM: 4GB (8GB recommended)
- Storage: 50GB SSD
- Network: 1Gbps connection
Software Dependencies
- PHP: 8.2+ with extensions (pdo, pgsql, bcmath, redis)
- PostgreSQL: 14+ with SSL support
- Redis: 6.0+ for caching and sessions
- Web Server: Nginx 1.20+ or Apache 2.4+
- SSL: Let's Encrypt or commercial certificate
Docker Deployment
Production Docker Compose
version: '3.8'
services:
  cas-app:
    image: cas-system:latest
    container_name: cas-app
    restart: unless-stopped
    environment:
      - APP_ENV=production
      - APP_DEBUG=false
      - APP_URL=https://cas.yourdomain.com
      - DB_CONNECTION=cas_system
      - PGHOST=cas-db
      - PGPORT=5432
      - PGDATABASE=cas_production
      - REDIS_HOST=cas-redis
      - REDIS_PORT=6379
    volumes:
      - ./storage:/var/www/html/storage
      - ./logs:/var/www/html/storage/logs
    networks:
      - cas-network
    depends_on:
      - cas-db
      - cas-redis
  cas-db:
    image: postgres:15-alpine
    container_name: cas-db
    restart: unless-stopped
    environment:
      - POSTGRES_DB=cas_production
      - POSTGRES_USER=cas_user
      - POSTGRES_PASSWORD=${DB_PASSWORD}
    volumes:
      - cas_db_data:/var/lib/postgresql/data
      - ./database/init:/docker-entrypoint-initdb.d
    networks:
      - cas-network
    # ssl=on also needs the matching private key (ssl_key_file, default
    # server.key in the data directory); the certificate and key must be
    # mounted into the container, which this file does not show.
    command: postgres -c ssl=on -c ssl_cert_file=/etc/ssl/certs/server.crt
  cas-redis:
    image: redis:7-alpine
    container_name: cas-redis
    restart: unless-stopped
    command: redis-server --requirepass ${REDIS_PASSWORD}
    volumes:
      - cas_redis_data:/data
    networks:
      - cas-network
  cas-nginx:
    image: nginx:alpine
    container_name: cas-nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/production.conf:/etc/nginx/nginx.conf
      - ./ssl:/etc/nginx/ssl
      - cas_logs:/var/log/nginx
    networks:
      - cas-network
    depends_on:
      - cas-app
volumes:
  cas_db_data:
  cas_redis_data:
  cas_logs:
networks:
  cas-network:
    driver: bridge
Build Production Image
# Build production image
docker build -t cas-system:latest -f docker/production/Dockerfile .
# Create production environment file
cp .env.production.example .env.production
# Edit production environment variables
nano .env.production
# Deploy with production compose
docker-compose -f docker-compose.production.yml up -d
Kubernetes Deployment
Namespace and ConfigMap
apiVersion: v1
kind: Namespace
metadata:
  name: cas-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cas-config
  namespace: cas-system
data:
  APP_ENV: "production"
  APP_DEBUG: "false"
  APP_URL: "https://cas.yourdomain.com"
  DB_CONNECTION: "cas_system"
  PGHOST: "cas-postgresql"
  PGPORT: "5432"
  PGDATABASE: "cas_production"
  REDIS_HOST: "cas-redis"
  REDIS_PORT: "6379"
Application Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cas-app
  namespace: cas-system
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cas-app
  template:
    metadata:
      labels:
        app: cas-app
    spec:
      containers:
        - name: cas-app
          image: cas-system:latest
          ports:
            - containerPort: 8000
          envFrom:
            - configMapRef:
                name: cas-config
            - secretRef:
                name: cas-secrets
          resources:
            requests:
              memory: "512Mi"
              cpu: "250m"
            limits:
              memory: "1Gi"
              cpu: "500m"
          readinessProbe:
            httpGet:
              path: /health
              port: 8000
            initialDelaySeconds: 30
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /health
              port: 8000
            initialDelaySeconds: 60
            periodSeconds: 30
Environment Configuration
Critical Security Settings
These environment variables must be configured for production deployment:
Required Environment Variables
# Application Configuration
APP_NAME="CAS Authentication System"
APP_ENV=production
APP_DEBUG=false
APP_URL=https://cas.yourdomain.com
# Database Configuration
DB_CONNECTION=cas_system
PGHOST=your-postgres-host
PGPORT=5432
PGDATABASE=cas_production
PGUSER=cas_user
PGPASSWORD=secure-database-password
# JWT Secrets (Generate with: openssl rand -base64 32)
JWT_SECRET=your-jwt-secret-key-32-chars-minimum
CUSTOMER_PORTAL_JWT_SECRET=your-portal-jwt-secret
# Session Security
SESSION_DRIVER=redis
SESSION_LIFETIME=120
SESSION_ENCRYPT=true
SESSION_SECURE_COOKIE=true
# Cache Configuration
CACHE_DRIVER=redis
REDIS_HOST=your-redis-host
REDIS_PASSWORD=secure-redis-password
REDIS_PORT=6379
# Mail Configuration
MAIL_MAILER=smtp
MAIL_HOST=your-smtp-host
MAIL_PORT=587
MAIL_USERNAME=your-smtp-username
MAIL_PASSWORD=your-smtp-password
MAIL_ENCRYPTION=tls
# reCAPTCHA Configuration
RECAPTCHAV3_SITEKEY=your-recaptcha-site-key
RECAPTCHAV3_SECRET=your-recaptcha-secret-key
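The settings above can be checked before each deployment. The following is an added example, not code from the CAS project: it parses an env file and reports values that the template would leave unsafe. The function names, the placeholder patterns and the rule that the two JWT secrets must differ are assumptions of this example.

```python
import re

# Sample values printed in this guide; finding one means the template was not edited.
PLACEHOLDER = re.compile(r"^your-|^secure-.*-password$|yourdomain\.com")
SECRETS = ("PGPASSWORD", "JWT_SECRET", "CUSTOMER_PORTAL_JWT_SECRET",
           "REDIS_PASSWORD", "MAIL_PASSWORD", "RECAPTCHAV3_SECRET")
REQUIRED = {"APP_ENV": "production", "APP_DEBUG": "false",
            "SESSION_DRIVER": "redis", "SESSION_ENCRYPT": "true",
            "SESSION_SECURE_COOKIE": "true", "MAIL_ENCRYPTION": "tls"}

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip matching quotes."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env

def audit_env(text):
    """Return the sorted list of findings; an empty list means the file passed."""
    env, findings = parse_env(text), []
    for key, want in REQUIRED.items():
        if env.get(key, "").lower() != want:
            findings.append(f"{key}: expected {want}")
    url = env.get("APP_URL", "")
    if not url.startswith("https://") or PLACEHOLDER.search(url):
        findings.append("APP_URL: must be the real https:// URL")
    for key in SECRETS:
        value = env.get(key, "")
        if not value or PLACEHOLDER.search(value):
            findings.append(f"{key}: missing or still a placeholder")
        elif key.endswith("JWT_SECRET") and len(value) < 32:
            findings.append(f"{key}: shorter than 32 characters")
    # Added check, not stated in the guide: the two signing secrets should differ.
    if env.get("JWT_SECRET") and env["JWT_SECRET"] == env.get("CUSTOMER_PORTAL_JWT_SECRET"):
        findings.append("JWT_SECRET: reused as CUSTOMER_PORTAL_JWT_SECRET")
    return sorted(findings)

# Constructed sample: an unedited fragment of the template above.
SAMPLE = """APP_DEBUG=true
APP_URL=https://cas.yourdomain.com
JWT_SECRET=your-jwt-secret-key-32-chars-minimum
"""
if __name__ == "__main__":
    print("\n".join(audit_env(SAMPLE)))
```

Run it against `.env.production` in the deployment pipeline and stop the rollout when the returned list is not empty.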
Production Security
SSL/TLS Configuration
- Force HTTPS redirects
- TLS 1.3 minimum
- HSTS headers
- Certificate auto-renewal
Database Security
- SSL connections only
- Role-based access
- Encrypted backups
- Connection pooling
Security Checklist
- Change all default passwords and secrets
- Configure firewall rules (ports 80, 443 only)
- Enable fail2ban for brute force protection
- Set up SSL certificate auto-renewal
- Configure backup and monitoring
- Review and configure IP whitelist
Monitoring & Maintenance
Health Check Endpoints
# Application health check
GET /health
# Database connectivity check
GET /health/database
# Redis connectivity check
GET /health/redis
# Full system status
GET /health/full
Key Metrics to Monitor
- Response time (< 200ms)
- Error rate (< 1%)
- Authentication success rate
- Database connection pool
- Memory and CPU usage
Maintenance Tasks
- Daily: Log review and cleanup
- Weekly: Database backup verification
- Monthly: Security patch updates
- Quarterly: SSL certificate renewal
- Yearly: Security audit
Support and Troubleshooting
Common Issues
Log Locations
- Application: /var/www/html/storage/logs/
- Nginx: /var/log/nginx/
- PostgreSQL: /var/log/postgresql/
- System: /var/log/syslog