The platform is built on a secure, high-performance infrastructure that ensures full deployment control, operational transparency, and seamless scalability—ready to support demanding web services and evolving business needs.
VPS Stack - Lean Hosting with Full Deployment Ownership
The Transitive platform is hosted on a dedicated Debian 12 (Bookworm) virtual private server (VPS), optimized for reliability and minimal attack surface. The stack includes Apache HTTP Server 2.4 and PHP 8.2 running through PHP-FPM for efficient, process-managed execution.
Deployment is handled through a secure, key-based SFTP workflow, automatically triggered from the development environment. Files are synchronized on save, enabling rapid and traceable updates without relying on third-party CI/CD pipelines.
Security Architecture - Hardened by Principle
All access to the server is secured by key-only SSH authentication on a custom port, and no FTP services are exposed.
HTTPS is strictly enforced via certificates issued by Let’s Encrypt. Apache’s `.htaccess` configuration disables directory listings, prevents PHP execution in public upload folders, and blocks access to sensitive files.
The platform uses OWASP-recommended HTTP headers such as `Content-Security-Policy`, `Strict-Transport-Security`, and `Referrer-Policy`, ensuring compliance with modern browser protection standards.
Repeated failed logins and other suspicious activity are automatically banned by Fail2ban, which analyzes the authentication and web server logs in real time.
Performance Optimization - Cache, Minification, Compression
The site uses long-term browser caching strategies for all static assets, leveraging `Cache-Control: public, max-age=604800, immutable` and `Expires` headers. Apache modules `mod_headers` and `mod_expires` ensure that CSS, JavaScript, images, and fonts are cached efficiently.
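As an added example (not the platform's own configuration), the following Apache 2.4 `.htaccess` pair implements the controls described in this section and the security section above: HTTPS redirection, no directory listings, blocked sensitive files, no PHP execution in the public upload folder, the OWASP-recommended headers, and one-week immutable caching for static assets. The file paths and the `Content-Security-Policy` value are assumptions.

```apache
# --- /var/www/transitive/public/.htaccess (document root; path is an assumption) ---
# Needs AllowOverride All (or at least FileInfo Options AuthConfig) in the vhost.

# 1. No directory listings
Options -Indexes

# 2. Force HTTPS, but keep the ACME HTTP-01 path reachable for Let's Encrypt renewals
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 3. Block sensitive files: dotfiles (.htaccess, .env), VCS directories, dumps, backups, logs
<FilesMatch "(^\.|\.(bak|sql|log|ini)$|^composer\.(json|lock)$)">
    Require all denied
</FilesMatch>
RedirectMatch 404 "/\.(?!well-known/)"

# 4. OWASP-recommended headers ("always" also applies them to error responses).
#    The CSP below is a strict starting point; relax it only per documented need.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

# 5. Long-term caching for static assets. "immutable" is only safe when asset URLs
#    are versioned (hashed file names); otherwise browsers will not revalidate for a week.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType image/png "access plus 1 week"
    ExpiresByType font/woff2 "access plus 1 week"
</IfModule>
<FilesMatch "\.(css|js|png|jpe?g|gif|svg|webp|woff2?)$">
    Header set Cache-Control "public, max-age=604800, immutable"
</FilesMatch>

# --- /var/www/transitive/public/uploads/.htaccess (public upload folder) ---
# php_flag engine off only works with mod_php; under PHP-FPM deny script extensions outright,
# so an uploaded file named shell.php or shell.phtml is never handed to the PHP handler.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
```

Check the result with `curl -I https://example.invalid/uploads/x.php` (expect 403) and `curl -I https://example.invalid/.env` (expect 403 or 404), and confirm the headers with `curl -sI https://example.invalid/ | grep -i -E 'strict-transport|content-security|referrer'`.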
On the backend, OPcache is enabled to accelerate PHP execution by compiling and storing bytecode in memory. No legacy TLS versions or weak cipher suites are allowed.
The platform is optimized to eliminate render-blocking resources and is regularly audited using Google PageSpeed Insights.
Monitoring and Audit - Logwatch, Fail2ban, and Custom Scripts
System integrity is ensured through a combination of automated and manual monitoring tools. Logwatch provides daily summaries of system activity, while journalctl allows real-time inspection of systemd-managed services.
A custom shell script (`OctoConf.sh`) performs scheduled audits to check service uptime, open ports, and configuration status. Results are output as JSON and displayed through a secure PHP-based interface. Critical operations (such as file cleanups or scheduled updates) are executed via `systemd` one-shot services, with sudo access tightly restricted and secured by token-based authentication.
Automated reports, alerts, and audit outputs are sent by email using Exim4 configured as a secure relay through the Transitive SMTP service. This setup supports both scheduled notifications (e.g., via cron) and on-demand dispatching, ensuring critical insights reach administrators promptly and without manual intervention.
Web Services - Structured, Scalable, and Secure
The platform is designed with future integration of internal and external web services in mind. These services are built around lightweight, RESTful APIs using PHP as the backend engine.
Requests and responses are exchanged in JSON format over HTTPS, following the principles defined in RFC 7231 and RFC 8259.
Authentication mechanisms such as token-based access (e.g., bearer tokens or HMAC) are implemented to secure endpoints. Rate limiting, logging, and access control are enforced at the Apache level and via custom middleware.
APIs are documented and versioned to ensure backward compatibility and maintainability as the system evolves.