Choose a great setup for a Plone production environment
Over the past eight years we've created many different types of Plone infrastructures for our clients and for ourselves. Creating a good Plone production environment is not an easy task.
Choose an OS
First, you'll need to choose an apropiate operating system. We always used CentOS 6.5 and Debian with almost zero compatibility problems with any package. Plone comes with an unified installer for Linux, OSX and BSD that's pretty smooth in the installation process. You should definitely avoid using Windows.
First, you'll need to analyze the number of hits that your website is going to get, obviously high traffic websites require a bigger server. What I recommend you to consider is:
- Build your server inside an infrastructure that lets you scale your server as in gets more users.
- Put more resources and upscale the server the day you put your website online. Then, downscale and adapt their resources as you analyze the real traffic after the first days in production.
In our case, for just a standard or corporate website that is not service orientedand it's only going to get as much as 1.000 pageviews per day, we usually build a tiny VPS machine with 1 or 2 vCPU, 256 MB of RAM, and 10 GB of disk space. Plone 4.x is highly optimized today, so this is enough for that kind of websites.
For bigger websites (city councils, for example) it may be a completely different story. We're may get about more than 30k - 50k pageviews and in this case we usually prepare a 4 vCPU machine with 8 GB of RAM.
Download and install Plone using the Unified Installer
You should install Plone in cluster mode, this way you will be able to enable multiple clients / instances as the project grows. Create different instances (client1, client2, etc.) and assign them to each CPU.
Setup Apache or Nginx to be the frontend of Zope, follow the steps in this guide
If you decide to enable multiple instances, install HAProxy to balance all traffic between them. HAProxy is very reliable and never give us any kind of problem. We also use HAProxy to make critical or security updates without taking the site offline. As we have more than one client, we can update and restart on of them, HAProxy automatically redirects all HTTP requests to the other client and no one notices any downtime.
For a better caching and optimization I use and recommend Varnish in conjunction with plone.recipe.varnish for Plone and there is also a great guide here on how to install and setup all the necessary components.
Finally, you need to setup a monitoring system because everything will go wrong sooner or later. Take a look at Nagios and Monit. Monit is proactive and can take decisions when something goes wrong, for example, reboot an instance if it's not responding, or send you an SMS if the database is down.
Plone has a really great built-in security system, a solid security upgrade policy and a really professional team. Plone is also one of the most secure CMS around. Over the years we realized that we dedicate only a few hours every year to security related tasks, in contrast to other Php CMS and frameworks, where we need to be much more aware of security updates. With more than 100 Plone powered websites in almost 8 years now, we can proudly say that we've had zero security incidents or breaches.
Subscribe to Plone Security Advisories and follow the recommended steps to apply all released hotfixes and patches.