What is really required for hosting

20 Oct, 2015 17:46

I have quite a few websites hosted in the cloud. Some with DailyRazor and some with Arvixe. Can I deploy tendenci there, or do I need something different?

20 Oct, 2015 19:29

Best Practices for Hosting Tendenci

Please categorize these as "best practices" as opposed to baseline. Heck you can technically run Tendenci on an arduino. But, for a typical business in the US working on SEO and lead generation.... here goes:


Ubuntu 14.04 with enough RAM and CPU to handle the modules you have enabled.

re --> "DailyRazor and some with Arvixe." never used either but for all I know they might be OK.

I can only speak to these ones, the ones I can tell you 100% work great are in order of price as follows:

1) AWS 2) Linode 3) Digital Ocean

Yes I have a list of "people who really don't do a good job" but I don't like negative people so I choose not to be one. I can only say the ones above have done a good job from what I have seen.

To the "what is 'really required'" point I would say:

  1. A fast server - this is NOT the place to cut costs on your best source of leads.
  2. Ubuntu 14.04 - baseline / debian works as well if you know what you are doing.
  3. Constant security monitoring (use securi if self hosting). Auto-update security updates etc...
  4. For best SEO - be on Tendenci 7, responsive design with SSL on a blindingly faster server. If you spend 10k/month on hosting but generate 100k with LTV of 500k, who cares? (But don't be reckless obviously.)
  5. Baseline SEO run at least 8 gigs RAM and 4VM CPUs is probably baseline for a large association. Media cos or large associations need to expect 16 to 32 cpus but people at that level - well, they are probably running a proxy in front with IDS/IPS and caching (as we do for many sites) and thus it isn't an issue.

Back to your point, of the hosts listed above, all have been pretty reliable. Just never EVER host with someone guaranteeing 100% uptime because unless you are a server farm with load balancing then they aren't installing their security updates fast enough. They are trading a number that impresses your CEO with actual security. Dumb.

We typically use a combination of managing security through AWS with ACLs. And based on price/performance then proxy to Linode at times. And solr can speed up your search through haystack.

Most of our sites on Tendenci 7.1+ are on dockers load balanced on AWS proper. Others based on their budget are proxied through AWS or some direct. Some are more diverse for security or economic reasons. (Just don't think the nslookup of a site is the real location of the site. Things aren't that simple anymore. Gotta have some honeypots out there, right?)

Flip side - our costs are radically higher than an individual client because we have to manage centralized git servers, backups, DNS, email, SES, mailgun, manage seo blacklists, etc. So you WILL save money short term by self hosting if you have a full time IT person.

It's the management of it and security and constant updates that differentiate us.

20 Oct, 2015 19:38

To the "what differentiates Tendenci from closed-locked-source companies like Wild Apricot or Blackbaud/Convio?" - well it's pretty simple. Newer technology (Python/Postgres) and open source (on github fully) so you aren't trapped. To that point I'd add:

  1. All code is here: https://github.com/tendenci/tendenci/
  2. DB is postgres - on T6/T7+ you can access all of it at /explorer/ on your site. If still on T5 we will send you a Postgres backup file as requested. In fact some clients have us back their site up to THEIR own AWS s3 buckets! (can you tell I love open source!?)
  3. For clients hosted with us we have another private git repo for them. (which we will readily provide a copy of.)

What's different hosting with us? For starters - you don't have to. Why would you? Mainly - just be sure your hosting provider keeps up to date with the security updates. Yes I'm a bit on the paranoid side but then again I see patterns in data from millions of visits across our data farm every month. I don't know the details, but when you see color-coded patterns aggregated and anonymized, you learn things. And we adapt. So I have a reason for being focused on security and protecting our clients. No question, you must be vigilant. Every. Day.

Timing and updates - unlike the old days when it was completely our framework, now we are tied to the communities of django and ubuntu so when they say "oh we changed this LTS support date" we kinda have to move. This didn't make me popular earlier this year when Microsoft cut off support. (whole different topic).

I hope this answers your question. If it is a production site I'd recommend setting up a test site yourself first. For that, given we are open source, the full instructions are posted at https://tendenci.readthedocs.org/en/latest/

We make Tendenci as simple as possible, but no simpler. Thus the requirements that I would recommend are at least 8 cpus for a larger site. And at least 8 gigs of memory.

That is WAY WAY over what the "requirements" file says, but google ranks your site partially by response time. We see a significant difference in SEO rank between clients with similar content based on the package they choose. Luckily these days with containers and VMs, clients who purchase a lower priced hosting don't take CPU/mem from the others as everyone is completely isolated. Which is fair imho.

The other easy way to improve your SEO rank is to check your site settings (superuser status) and to add an ssl certificate if you aren't already. You can buy ssl certs from godaddy for as little as $150/yr, but I'd recommend you buy one with a longer term expiration (3 yrs plus) as it takes our engineers, or your engineers, time to install them and so why pay for extra time every year when you can buy a 3 year cert, right?

Sorry for the long answer. Hopefully this helps.

17 Sep, 2017 15:12

@dlongnecker @andrewhick

  1. yes, any cloud server like Linode or AWS would work.
  2. security security security - do that first. I can help if you want by connecting and looking at your config by sending my public key. We only use ssh and disable ftp and pretty much anything else. After that just remove my key.
  3. we use nginx as a reverse proxy to the wsgi server (gunicorn is easier, uwsgi is faster).
  4. read the docs are a bit out of date. All new installs for us require ssl on ubuntu 16.04 using systemd.
  5. any valid ssl cert will work. Sometimes we use godaddy. Mostly we are using letsencrypt and certbot for clients.
  6. If it is the only app on the server, you do not actually need the virtualenv. It doesn't hurt, but not all automatic security updates will run inside of virtualenvs so given my focus on security we run them in dockers with apparmor or standalone with automatic updates turned on:

These questions are a HUGE help to the Tendenci community because it tells me about holes in the docs. I appreciate y'all!

17 Sep, 2017 15:28

This block is a good starting point, but definitely make sure you have UFW and IPTables running before anything else.

```bash
# Bring the package state fully up to date, then install and enable unattended-upgrades.
# Each step runs only if the previous one succeeded.
sudo apt-get update && \
sudo dpkg --configure -a && \
sudo apt-get update && \
sudo apt-get upgrade && \
sudo apt-get dist-upgrade && \
sudo apt-get clean && \
sudo apt-get autoclean && \
sudo apt-get autoremove && \
sudo apt-get install unattended-upgrades update-notifier-common && \
sudo dpkg-reconfigure -plow unattended-upgrades

#### then say yes to automatic security updates ####
```

Yes I realize there are some redundancies in that block with the clean twice, but it's just me being careful if the update line.

And again - I know the docs need improvement. I'd love for one of y'all to document the install process as you experience it and do a pull request on the docs. And I'm all for helping other developers so just let me know.

Lastly - Our team is virtual and all over the place, but I'm personally in Houston so imma gonna go into another semi-toxic house and help a friend rip sh*t out and throw it on the curb, pull nails, cut electrical, in 90+ degree weather. Yea!! #not

It's really a mess here right now. #HurricaneHarveySucks
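
A check for the outcome of the apt block in the post above, as an added example that is not part of the original post or of Tendenci's own tooling: answering yes to `dpkg-reconfigure unattended-upgrades` writes two `APT::Periodic` settings to `/etc/apt/apt.conf.d/20auto-upgrades`, and this script fails if either is missing or if a later file in that directory switches it off again. The function names and the sample files are constructed for illustration.

```bash
#!/bin/sh
# Added example. Function names are hypothetical; sample files are constructed.

# Print the last value assigned to APT::Periodic::<key> in a config directory.
# Files are read in glob (lexical) order, so a later file overrides an earlier
# one. Only the flat 'APT::Periodic::Key "value";' form is parsed.
periodic_value() {
    local dir=$1 key=$2 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # First expression strips // comments, second extracts the quoted value.
        sed -n -e 's://.*$::' \
            -e "s/^[[:space:]]*APT::Periodic::${key}[[:space:]]\{1,\}\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" "$f"
    done | tail -n 1
}

# Return 0 only if list refresh and unattended upgrades are both enabled.
# An unset key or "0" counts as disabled.
auto_updates_enabled() {
    local dir=${1:-/etc/apt/apt.conf.d} key val rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$dir" "$key")
        case "$val" in
            ''|0) echo "FAIL APT::Periodic::$key is '${val:-unset}'"; rc=1 ;;
            *)    echo "ok   APT::Periodic::$key = $val" ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the two lines dpkg-reconfigure writes after "yes" ...
demo=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
              'APT::Periodic::Unattended-Upgrade "1";' > "$demo/20auto-upgrades"
auto_updates_enabled "$demo"
# ... and a later, constructed override that quietly switches upgrades off.
printf '%s\n' '// local override' \
              'APT::Periodic::Unattended-Upgrade "0";' > "$demo/99local"
auto_updates_enabled "$demo" || echo "a later file disabled automatic upgrades"
rm -rf "$demo"
```

On a real host, call `auto_updates_enabled` with no argument to inspect `/etc/apt/apt.conf.d`, and wire its exit status into whatever monitoring already runs on the box.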