All work
A real DevOps story — security, infrastructure and monitoring

DevOps & Security — Education platform

A real story from a production environment for a client running an educational platform: we detected automated intrusion attempts on the admin panel and rebuilt a secure operations and deployment stack on AWS + Cloudflare Zero Trust, with precise monitoring that surfaces any issue before it reaches users.

DevOps / SREWeb application securityCloud infrastructureMonitoring & alerting
Stable technical stack — Nginx · Docker · Next.js · HTTPS
The problem

What the client was facing

While running the client's educational platform in production, Critical alerts started firing about the admin panel being unstable. Initial checks showed the servers and containers were up, but reviewing the Apache and application logs revealed the real pattern: automated attempts to reach sensitive files like .env and .git/config, and attempts to execute commands via /cgi-bin/../../bin/sh, from IP addresses across the world. There was no actual breach, but simply exposing the admin panel to the public internet caused pressure, instability and repeated alerts. The root cause wasn't a technical fault — it was a bad exposure design.

The solution

How we solved it

Instead of treating the symptoms (muting alerts or raising timeouts), we worked with the client on the root cause. We re-engineered the way traffic reaches the platform's servers: Cloudflare became the only entry point (Edge Gateway), and Cloudflare Zero Trust Access was enabled on the admin panel so no request reaches the server without identity verification. At the AWS network level we closed ports 80/443 to the public internet and allowed them only for Cloudflare ranges via Terraform. We then tuned the Blackbox Exporter to match the new protection so monitoring became accurate again with no false alerts, and we documented everything in a Runbook and a Playbook ready for any future incident.

What was built?

Project components

  • Full incident investigation: analysing Apache and application logs and separating automated attacks from operational issues
  • Fast containment: closing exposure at the web-server layer before requests reach the app
  • Making Cloudflare the only entry point and completely hiding the server's real IP
  • Enabling Cloudflare Zero Trust Access on the admin panel — identity-based access instead of a shared password
  • Hardening the AWS Security Group: 80/443 accepted only from Cloudflare ranges, SSH restricted to a single IP
  • Automating network configuration through Terraform (aws_vpc_security_group_ingress_rule)
  • Wiring Apache as a Reverse Proxy in front of Docker containers (Frontend, Admin, Services) in a stable, maintainable layout
  • Restructuring deployment and updates to be clear, repeatable and low-risk
  • Setting up Blackbox Exporter to monitor HTTP, SSL and response time from outside the network
  • Alertmanager rules tuned so there are no false positives and no missed alerts
  • Full documentation: a Playbook for handling web-security incidents and a Runbook for operating the system
  • Final architectural verification: probe_success = 1, and the origin IP does not respond to any direct request
Project shots

Snapshots from the interface

Admin protection — secure admin-only access
Stable technical stack — Nginx · Docker · Next.js · HTTPS
Continuous monitoring & security — Uptime · Alerts · Cloudflare · Zero Trust
Grafana — Global Kubernetes Dashboard
Grafana — kube-state-metrics (Cluster / Node)
The outcome

The client moved from an exposed-origin model to a full Zero Trust architecture: Cloudflare is the only gateway, the admin panel is protected by edge identity and the server is fully closed at the AWS level. The result: no active intrusion attempts, no false alerts, higher stability and precise monitoring that surfaces any issue before it reaches users — which is exactly what real DevOps work means for us: we don't just build the front-end, we build the foundation that carries it safely.

Want a similar system?

Start with a consultation — we'll shape the best path for your project together.

More projects