Skip to content

VPS Deployment

The VPS deployment is the staging environment between local test execution and the Kubernetes platform. It demonstrates HTTPS termination, reverse-proxy routing, a WAF decision point, backend network isolation and deployment telemetry without requiring the full Kubernetes control plane for every validation cycle.

flowchart LR
local[Local test stack] --> staging[VPS staging]
staging --> platform[Kubernetes platform]
local --> localScope[Fast feedback without edge security]
staging --> stagingScope[HTTPS, Traefik, WAF, registry pull and monitoring]
platform --> platformScope[GitOps, policy enforcement, network isolation and platform observability]
flowchart TD
Browser[User browser] -- HTTPS --> PublicEndpoint[VPS public HTTPS endpoint]
PublicEndpoint --> Traefik[Traefik container weather-app-traefik]
Browser -- HTTP --> RedirectEndpoint[VPS HTTP endpoint]
RedirectEndpoint -- redirect-to-https middleware --> Traefik
subgraph PublicNetwork["VPS network: public-network"]
Traefik -- weather-app.yourbox.site --> FrontendRouter{Router: frontend-secure}
FrontendRouter -- WAF middleware --> WafPlugin[traefik-modsecurity-plugin]
WafPlugin -- HTTP 8080 --> WafContainer[WAF container weather-app-waf]
WafContainer -- OWASP CRS analysis --> WafDecision{Request allowed?}
WafDecision -- yes --> WafPlugin
WafDecision -- no --> WafPlugin
WafPlugin -- decision --> FrontendRouter
FrontendRouter -- allowed request --> Frontend[weather-app-frontend Nginx]
Frontend -- API Call: / & Serves static files (HTML, JS, CSS) --> FrontendRouter
Frontend -- /api proxy --> BackendProxy{ProxyPass to backend}
end
subgraph AppNetwork["VPS network: weather-app-network"]
BackendProxy -- HTTP 3001 with internal token --> Backend[weather-app-backend]
Backend -- request weather data --> Provider[Open-Meteo API]
Provider -- weather payload --> Backend
Backend -- JSON response --> BackendProxy
end
BackendProxy --> Frontend
Frontend --> FrontendRouter
FrontendRouter --> Traefik
Traefik --> Browser
subgraph Dashboard["Traefik dashboard path"]
Traefik -- traefik-dash.yourbox.site --> DashboardRouter{Router: dashboard-secure}
DashboardRouter -- BasicAuth middleware --> DashboardAuth{Auth allowed?}
DashboardAuth -- yes --> DashboardService["api@internal"]
DashboardService --> DashboardAuth
DashboardAuth --> Traefik
end
subgraph Monitoring["Monitoring stack"]
Prometheus[Prometheus] -- scrape frontend and blackbox targets --> FrontendMetrics[Frontend metrics endpoint]
GitLab[GitLab merge request] -- push deployment timing --> Pushgateway[Pushgateway]
Pushgateway --> Prometheus
Grafana[Grafana] -- query --> Prometheus
end
  • HTTPS is terminated at Traefik.
  • The frontend and WAF share the public network.
  • The backend is only reachable from the application network.
  • The frontend proxy adds the internal service token when calling the backend.
  • Prometheus scrapes application and synthetic health metrics.
  • Grafana visualizes deployment timing and service health.
  • GitLab pushes deployment timing to the Pushgateway for MTTP tracking.
  • The Kubernetes target keeps the same security intent with Ingress, NetworkPolicies, External Secrets and policy enforcement.
  • Runtime secrets move from deployment variables to platform-managed secret injection.
  • Image promotion moves toward immutable artifacts and signed supply-chain evidence.