|
just another posted:Anyway I found Wix tedious so I bought a domain and the basic hosting at AngryHosting but now all I get is a 403 error so that's how my adventure in web design is going. You haven't uploaded anything yet, no 'home' / index file => 403
|
#
?
Apr 7, 2020 18:28
|
|
|
|
| # ? Apr 18, 2024 05:02 |
|
|
I have a very basic question I'm embarrassed to ask. Why do people use REST APIs instead of querying the DB with SQL? Is there any reason to make an API in the below example? I have 6 Django or Flask web apps running on AWS EBS or Heroku. There's 3 DBs between them all in RDS. For all of them, when I render pages I have the app query the DB to get whatever data I want and serve the data on the page with f-strings or .format() (except for authentication stuff which is abstracted by Django and I havent read into it). Is there a reason I should do these functions by making a GET/POST to a REST API instead?
|
|
#
?
Apr 8, 2020 15:43
|
|
|
CarForumPoster posted:Is there a reason I should do these functions by making a GET/POST to a REST API instead? One reason would be that your mobile app and your website use the same API
|
|
#
?
Apr 8, 2020 15:50
|
|
|
CarForumPoster posted:I have a very basic question I'm embarrassed to ask. Calling some type of self-configured or managed API rather than calling the database directly allows much finer-grained access control, rate limiting, logging, abstracting away the backing database technologies, and more. It's also about letting different teams work on different tiers, and having the data available to multiple different consumers while avoiding having multiple applications query the database directly. It's also easier to make common mistakes that cause security vulnerabilities if you're free-handing SQL where you render pages. Also, now that the trend is toward Javascript Single Page Apps that run & render entirely in the browser, and make calls to fill in the data and render the templates in the browser, you can't have the browser directly make SQL queries, so you have to build a REST API anyway for the browser to call and load data.
|
|
#
?
Apr 8, 2020 15:54
|
|
|
API-driven design is easier to develop in segments. Instead of testing an entire application to make sure it flows correctly, you can test individual API endpoints, which goes with abstraction. Let's say you have an endpoint, "news" that you call as "GET /api/news". It queries a database and returns the last 20 articles. Down the road you want to change how that data is sourced, maybe there's some hot new technology that's web scale. To change things around, just rewrite the code within the news endpoint. As long as it returns the last 20 news articles nothing else needs to change elsewhere. Having an API allows you to validate form components from the frontend as a user enters them (first name, last name, social security, mother's maiden name, bank account number, blood type, etc) and when the data is finally submitted you can call the same validation routine to confirm. Frontend and backend share the same validation logic and better yet honor Curly's Law: do one thing. Doing one thing helps one write maintainable code.
|
|
#
?
Apr 8, 2020 19:10
|
|
|
Those are all great replies, thanks guys.
|
|
#
?
Apr 8, 2020 19:44
|
|
|
My web host moved my site to a new server, and also changed a bunch of things on the backend which caused a few different fires to break out that I've sorted. There's only one thing I'm not sure about. I had .htaccess files that had this line in: Options All -Indexes All the pages were giving HTTP 500 errors and when I tracked down the error log it was full of ".htaccess: Option All not allowed here". It is years since I wrote those htaccess files and I have forgotten what I knew at the time. I just changed them all to Options -Indexes and now it's working. Are there significant differences between the version I used to have (Options All -Indexes) and what I have now (Options -Indexes)? Most examples I see on the internet use the "All" version.
|
|
#
?
Apr 28, 2020 21:31
|
|
|
Hammerite posted:My web host moved my site to a new server, and also changed a bunch of things on the backend which caused a few different fires to break out that I've sorted. There's only one thing I'm not sure about. I had .htaccess files that had this line in: quote:A symbolic link is a file that refers to another file. For example, a symbolic link named index.html can be created that refers to config.php. Accessing index.html would render config.php in plain-text effectively bypassing PHP. If this file contained sensitive information, such as database credentials, then it would be visible over a HTTP request. Apache ships with +SymLinksIfOwnerMatch -FollowSymLinks as its options and explicitly forbids +FollowSymLinks as an override. This allows for the owner of a file to create a symbolic link to it, but disallows other users to create a symbolic link to it. Source: https://gitlab.com/apisnetworks/apnscp/blob/master/docs/SECURITY.md#disabled-apache-features
|
|
#
?
Apr 28, 2020 23:22
|
|
|
DarkLotus posted:Source: https://gitlab.com/apisnetworks/apnscp/blob/master/docs/SECURITY.md#disabled-apache-features I think it probably wasn't very clear what question I was asking. I'd like to know whether there are any differences in behaviour I ought to be concerned about between - the behaviour my site had on the old server, where Options All -Indexes was specified - the behaviour my site will have on the new server, where Options -Indexes is specified I see from your link that the disallowing of "All" is a step that has been taken to close a potential security exploit. That is doubtless a positive thing, but I lack an understanding of what other, unrelated differences in behaviour might exist as a result of the change.
|
|
#
?
Apr 29, 2020 00:27
|
|
|
Hammerite posted:I think it probably wasn't very clear what question I was asking. I'd like to know whether there are any differences in behaviour I ought to be concerned about between It probably depends on your app and why you had "All" defined in the first place. If you use Wordpress, you don't need "All". Most apps don't require it or have a real valid justification for it. I've had customers request it due to a software developer's recommendation but when asked to have the developer justify it, they couldn't.
|
|
#
?
Apr 29, 2020 01:59
|
|
|
"All" doesn't do what you think it does. All enables all options, including mod_includes if present on the server (it's disabled by default because of a nasty side-channel attack). I don't understand why "All" is used in bundled .htaccess rules, it's bad practice and unlocks more doors than you need for something to operate. I've been a vocal critic in the past over liberal server configurations that open up too much for no justifiable reason. "Options All" is one of those liberal configurations with no justifiable reason. If you want to disable indexes, Options -Indexes suffices. It's off by default as that'd be an omission in security. "Options All" is also how I grabbed the MySQL root password from a RunCloud instance, so there's that 
|
|
#
?
Apr 29, 2020 06:19
|
|
|
I see, thanks. I will continue under the assumption that the change I made was the right one, unless and until I encounter any issues.
|
|
#
?
Apr 29, 2020 09:42
|
|
|
I've had my personal domain on Nixihost for maybe eight years on goon discount, and I've been paying about 20$/year. I haven't actually hosted a site for a long time now, and so it's mostly been sitting there just to collect emails which I would check through Gmail. Now that they changed the pricing for their plans, I'm looking at 12$/month, and I'm sure I can find better. Are there providers with whom I could just get email hosting for a few accounts under one domain, and not pay much? Also, I'm checking for mail with POP3 in Gmail, and I wonder if there was a better way - specifically one that would rid me of the lag between my account receiving mail and it being imported to Gmail. Thanks in advance for any suggestions you might have.
|
|
#
?
May 3, 2020 17:31
|
|
|
Chocolate Mouse posted:I've had my personal domain on Nixihost for maybe eight years on goon discount, and I've been paying about 20$/year. I haven't actually hosted a site for a long time now, and so it's mostly been sitting there just to collect emails which I would check through Gmail. Now that they changed the pricing for their plans, I'm looking at 12$/month, and I'm sure I can find better. Are there providers with whom I could just get email hosting for a few accounts under one domain, and not pay much? Also, I'm checking for mail with POP3 in Gmail, and I wonder if there was a better way - specifically one that would rid me of the lag between my account receiving mail and it being imported to Gmail. Thanks in advance for any suggestions you might have. Almost every domain registrar comes with free email, I've used gandi.net's for years. To reduce the latency you can use an email redirect instead of POP, but this is not semantically the same. Instead of having a mailbox on your domain, it forwards to your Gmail account immediately. You then get Gmail to use your SMTP server, or just send email from Gmail, using your alias. i.e. https://support.google.com/mail/answer/22370?hl=en With POP I believe Gmail only downloads emails from your other account periodically. If you wanted to keep two accounts, you can at least use IMAP instead, which might have IDLE optimizations (push-based). xtal fucked around with this message at 17:50 on May 3, 2020 |
|
#
?
May 3, 2020 17:40
|
|
|
xtal posted:Almost every domain registrar comes with free email, I've used gandi.net's for years. xtal posted:To reduce the latency you can use an email redirect instead of POP, but this is not semantically the same. Instead of having a mailbox on your domain, it forwards to your Gmail account immediately. You then get Gmail to use your SMTP server, or just send email from Gmail, using your alias. So far I've just preferred having copies stored on my webhost, but I guess there's no real reason to keep doing so. On the Gmail end you can only setup import via POP3, and it can take up to an hour to sync. I know of tricks like using a cron to send out dummy emails every minute and then filtering them out, but that just seems wasteful and silly. On the web client there's an option to check external accounts immediately, so this setup has been tolerable in casual use, but I guess I'd be ready to pay a bit for an upgrade.
|
|
#
?
May 3, 2020 18:15
|
|
|
Chocolate Mouse posted:Well my registrar is Namecheap, and they offer email for three accounts for 22$/year. They have free forwarding which should work for this purpose: https://www.namecheap.com/support/knowledgebase/article.aspx/308/2214/how-to-set-up-free-email-forwarding N.b. that if you use email forwarding and a custom From: address, but use Gmail's SMTP servers, your messages will arrive saying "on behalf of gmail.com" or something like that. To avoid that, you need to use an SMTP server that matches the domain name used by your custom email address. quote:So far I've just preferred having copies stored on my webhost, but I guess there's no real reason to keep doing so. On the Gmail end you can only setup import via POP3, and it can take up to an hour to sync. I know of tricks like using a cron to send out dummy emails every minute and then filtering them out, but that just seems wasteful and silly. On the web client there's an option to check external accounts immediately, so this setup has been tolerable in casual use, but I guess I'd be ready to pay a bit for an upgrade. I thought Google eventually let you download emails from another account through IMAP but I can't find that now. However, a key difference between POP3 and IMAP is that POP3 normally deletes the emails after they're downloaded. Make sure that you do in fact have a copy on the webhost.
|
|
#
?
May 3, 2020 18:24
|
|
|
My wife is working on building a new website for her startup. She found a landing page template online that she liked and purchased it, which gave her an html file, a css file, and a js file for the landing page. The documentation that came with the template says to upload everything to her FTP, which is a big sticking point because she has zero web design experience outside of automated things like Wordpress and I don't have much more experience than she does. What is a good website hosting service with idiot-proof (or as close to it as possible) FTP built in? I would assume most all of them have FTP capabilities, but the more user-friendly the better. Please ask follow-up questions and I will answer them as best I can; we're in a real blind leading the blind situation over here.
C-Euro fucked around with this message at 18:38 on May 3, 2020 |
|
#
?
May 3, 2020 18:32
|
|
|
C-Euro posted:My wife is working on building a new website for her startup. She found a landing page template online that she liked and purchased it, which gave her an html file, a css file, and a js file for the landing page. The documentation that came with the template says to upload everything to her FTP, which is a big sticking point because she has zero web design experience outside of automated things like Wordpress and I don't have much more experience than she does. What is a good website hosting service with idiot-proof (or as close to it as possible) FTP built in? I would assume most all of them have FTP capabilities, but the more user-friendly the better. We're in a real blind leading the blind situation over here. You can use GitHub or GitLab pages and edit the files through the web UI. This would only cost you the domain; the hosting and SSL is free. To put it simply: go to GitHub, make an account, then create a repository called yourusername.github.io. Add the HTML, CSS and JS to the repo (with care to the folder layout.) Then the page will be visible at yourusername.github.io. You can then decide to use a custom domain. There's no necessary reason to use FTP here, it's just static file hosting. Amazon S3 is another option. xtal fucked around with this message at 18:44 on May 3, 2020 |
|
#
?
May 3, 2020 18:33
|
|
|
xtal posted:You can use GitHub or GitLab pages and edit the files through the web UI. This would only cost you the domain; the hosting and SSL is free. To put it simply: go to GitHub, make an account, then create a repository called yourusername.github.io. Add the HTML, CSS and JS to the repo (with care to the folder layout.) Then the page will be visible at yourusername.github.io. You can then decide to use a custom domain. Thanks! Being able to edit the files through a web UI would be great, as that's what she's used to with WordPress and the other hosting services she's tried in the past. I looked at Amazon S3 and that's a little too complex for my taste, going to look into GitHub first. As for FTP, that's just the language they used in the documentation. We just need some hosting service that plays nicely with css and js files (which I assume is most to all of them, but in my tired state late last night I couldn't make WordPress do so)
|
|
#
?
May 3, 2020 19:19
|
|
|
If it's just a static site, look at Netlify as well.
|
|
#
?
May 3, 2020 19:53
|
|
|
So on GitHub, I've figured out how to create a repository and make changes to the files therein, but when I go to open the website created from those files all I see is minimally-formatted text on a webpage with a bunch of broken image links, and no styling other than font sizes and bold (similar to if I just opened index.html from my desktop). My understanding is that all of that info is in the css file that came with the purchase, do I need to set something up to make the index file "see" the css file? They are located in different directories within the repository, could that be it?
|
|
#
?
May 3, 2020 20:59
|
|
|
C-Euro posted:So on GitHub, I've figured out how to create a repository and make changes to the files therein, but when I go to open the website created from those files all I see is minimally-formatted text on a webpage with a bunch of broken image links, and no styling other than font sizes and bold (similar to if I just opened index.html from my desktop). My understanding is that all of that info is in the css file that came with the purchase, do I need to set something up to make the index file "see" the css file? They are located in different directories within the repository, could that be it? Inside the HTML file if you search for ".css" you should find a <link> or <style> tag that is pointing to the CSS file. The filename there has to be correct relative to the HTML file. Ditto for the images and so on. It's not important that they be in the same or a different directory, just that it's consistent with the filename in the HTML. The problem is most likely that the filename is wrong and that the requests are failing. You can verify this by opening the developer console in your browser and looking at the Requests or Resources tabs. You should see a bunch of 404 Not Found errors. If you share the link or some code I can help more; PMs open as well.
|
|
#
?
May 3, 2020 21:13
|
|
|
xtal posted:Inside the HTML file if you search for ".css" you should find a <link> or <style> tag that is pointing to the CSS file. The filename there has to be correct relative to the HTML file. Ditto for the images and so on. It's not important that they be in the same or a different directory, just that it's consistent with the filename in the HTML. Oh jeez that was exactly it, somehow one of us changed the file structure of the whole pack when uploading it to GitHub. Big thanks for the help, now the long process of editing all of that HTML code...
|
|
#
?
May 3, 2020 21:43
|
|
|
I have installed apiscp on a centos virtual machine (servercheap.net), i was hoping to use this for personal web and email hosting, is there a guide how to configure email correctly so that i dont join a spam bot network?
|
|
#
?
May 4, 2020 03:13
|
|
|
RoboBoogie posted:I have installed apiscp on a centos virtual machine (servercheap.net), i was hoping to use this for personal web and email hosting, https://docs.apiscp.com And https://discord.gg/wDBTz6V Come chat with us 
|
|
#
?
May 4, 2020 03:34
|
|
|
RoboBoogie posted:I have installed apiscp on a centos virtual machine (servercheap.net), i was hoping to use this for personal web and email hosting, Howdy!  Should be configured correctly out of the box to avoid this: brute-force protection on all services, restrictions on direct SMTP traffic by non-mail users, restrictions on unauthenticated SMTP over 127.0.0.1, SO_PEERCRED tracking for injection via /usr/sbin/sendmail, script tagging for PHP apps that send via mail(). If you're running rspamd as your spam filter, rate-limiting will be coming very shortly; there's also an option to piggyback rspamd for this very role while using SpamAssassin for priming rspamd's neural learning. I run rspamd as the sole spam filter on two servers and use a SpamAssassin/rspamd hybrid for the rest. rspamd provides another layer to reject egregious mail that forwards from the server. There are intractable scenarios where your user's password gets compromised from another combolist. These happen from time to time, best defense is to require stronger passwords. Password length can be changed via the Scope app in the panel (Scopes > cp.config > auth > min_pw_length). If you run into any questions, hop on Discord. I'm generally active on there.
|
|
#
?
May 4, 2020 04:52
|
|
|
Just a heads up: I was a contact on a linode like a decade ago that was canceled in 2014. The owner supposedly went in and added 2FA a few months ago (idk why for a dead account). On 04/20/20 someone apparently disabled 2FA and added a new CC# to the account and re-upped it, then chargebacked it and linode is freaking out at the previous owner. So, maybe it's linode, maybe not. I'm just :popcorn: p hard right now as they start knifing each other on this.
|
|
#
?
May 5, 2020 02:08
|
|
|
Sounds like a hijacked account if it goes dormant, reactivates, then gets locked with MFA, then receives a chargeback against it a couple months later after the siphoned card holder sees it on the account...
|
|
#
?
May 5, 2020 03:11
|
|
|
Update: Got the landing page up and running on GitHub Pages and styled properly, so now my wife wants to have a custom domain name instead the default github.io domain. Looking at GitHub's documentation of this, it sounds like I need to buy this elsewhere and connect the name to the GitHub repository with the actual site code? GitHub doesn't actually sell custom domains, right?
C-Euro fucked around with this message at 02:16 on May 6, 2020 |
|
#
?
May 6, 2020 02:12
|
|
|
Greetings thread! Introductory post here with a small query at the end. Recently started my foray into selfhosting (with a VPS) and already have a Matrix server and the Ajenti control panel up.I'm really interested is decentralization so I'm currently working (and learning js/node from scratch) on an app that uses Solid - it will let users create simple group pages with custom layouts with everything hosted in solid pods of the participants in the group.Also tried to setup email with postfix/dovecot/SASL but idk what's happening - rainloop connects to the server but sent messages never arrive and when I try sending to my new inbox from gmail i get an automated response that includes "550 5.1.1 <[REDACTED]>: Recipient address rejected: User unknown in local recipient table" Also my domain is already blacklisted for email by one organization  so if anyone could help out with this situation i'd much appreciate it.Also - I'm already being bruteforced (I assume that's what it's called when random IPs keep connecting with attempts to login to random usernames/passwords) , is there anything I could do to prevent that,like blocking IPs?the IPs are random so i'm assuming a botnet so that won't help probably.
|
|
#
?
May 6, 2020 10:37
|
|
|
C-Euro posted:Update: Got the landing page up and running on GitHub Pages and styled properly, so now my wife wants to have a custom domain name instead the default github.io domain. Looking at GitHub's documentation of this, it sounds like I need to buy this elsewhere and connect the name to the GitHub repository with the actual site code? GitHub doesn't actually sell custom domains, right? Correct. Buy your domain from gandi.net or namecheap.com (or anywhere really but those are the most common choices.) That's normally good practice because if a hosting company sells domains too, they probably just resell them from a domain registrar at a markup. Then, put that domain name in a CNAME file, and configure the domain to point to GitHub. https://help.github.com/en/github/working-with-github-pages/configuring-a-custom-domain-for-your-github-pages-site Luckily, once you get this set up, GitHub will automatically set up a TLS certificate for you so you can use the site over HTTPS. xtal fucked around with this message at 19:10 on May 6, 2020 |
|
#
?
May 6, 2020 13:41
|
|
|
Incrediblastic posted:Also my domain is already blacklisted for email by one organization check blacklist status here https://www.spamhaus.org/lookup/ Incrediblastic posted:Also - I'm already being bruteforced (I assume that's what it's called when random IPs keep connecting with attempts to login to random usernames/passwords) , is there anything I could do to prevent that,like blocking IPs?the IPs are random so i'm assuming a botnet so that won't help probably.
|
|
#
?
May 6, 2020 19:02
|
|
|
Incrediblastic posted:Also - I'm already being bruteforced (I assume that's what it's called when random IPs keep connecting with attempts to login to random usernames/passwords) , is there anything I could do to prevent that,like blocking IPs?the IPs are random so i'm assuming a botnet so that won't help probably. Fail2ban helps as mentioned, but if this is a pet server you can also reduce your drive-by login attempts massively by hosting SSH on a nonstandard port.
|
|
#
?
May 6, 2020 19:13
|
|
|
Just disable username/password logins altogether and only allow certificates as well.
|
|
#
?
May 6, 2020 19:19
|
|
|
I suspect he meant login attempts to IMAP/SMTP not SSH Although you can actually do certificate auth with SASL too, if your clients support it
|
|
#
?
May 6, 2020 20:02
|
|
|
xtal posted:Correct. Buy your domain from gandi.net or namecheap.com (or anywhere really but those are the most common choices.) That's normally good practice because if a hosting company sells domains too, they probably just resell them from a domain registrar at a markup. Then, put that domain name in a CNAME file, and configure the domain to point to GitHub. It looks like she just bought [companyname].com as an apex domain instead of https://www.[companyname].com, and there's a line in the GitHub help guide about how "An apex domain is configured with an A, ALIAS, or ANAME record through your DNS provider". Should I be doing that instead of a CNAME association?
|
|
#
?
May 6, 2020 21:43
|
|
|
C-Euro posted:It looks like she just bought [companyname].com as an apex domain instead of https://www.[companyname].com, and there's a line in the GitHub help guide about how "An apex domain is configured with an A, ALIAS, or ANAME record through your DNS provider". Should I be doing that instead of a CNAME association? Most DNS providers do not support an ALIAS record for the apex, FYI. You'll want to use an A record preferably!
|
|
#
?
May 6, 2020 21:49
|
|
|
DarkLotus posted:Most DNS providers do not support an ALIAS record for the apex, FYI. Works for me. When I go to add a new A record it has fields to fill in for "Host" and "Points To", the latter of which looks like it needs to be an IP address. Would the domain name that we purchased be the host, and how do I tell which IP address I need to fill in? It looks like there are already a number of A records all with very similar IP addresses filled in, but if I want the domain to go to a GitHub Pages site my first instinct is that I would need an IP address associated with that site, which I don't have.
|
|
#
?
May 6, 2020 22:22
|
|
|
C-Euro posted:Works for me. When I go to add a new A record it has fields to fill in for "Host" and "Points To", the latter of which looks like it needs to be an IP address. Would the domain name that we purchased be the host, and how do I tell which IP address I need to fill in? It looks like there are already a number of A records all with very similar IP addresses filled in, but if I want the domain to go to a GitHub Pages site my first instinct is that I would need an IP address associated with that site, which I don't have. The domain probably comes with some A records already for a parking page or something like that. Records for the apex domain are called @. The IP address they point to are here: https://help.github.com/en/github/working-with-github-pages/managing-a-custom-domain-for-your-github-pages-site You can have multiple A records and these are used for redundancy and fault tolerance. This means you want to create a different A record where the host is @ and the IP is each of the 4 on that page: 185.199.108.153, 185.199.109.153,185.199.110.153, 185.199.111.153. Now, importantly, make sure that you don't have any A records for @ aside from those, or you will have visitors who randomly go to that IP address instead. Once that's done, you will want to make sure that going to https://www.example.com redirects to example.com; there are a few ways to do that. But, that should make example.com work. xtal fucked around with this message at 22:52 on May 6, 2020 |
|
#
?
May 6, 2020 22:49
|
|
|
|
| # ? Apr 18, 2024 05:02 |
|
|
xtal posted:The domain probably comes with some A records already for a parking page or something like that. Records for the apex domain are called @. The IP address they point to are here: https://help.github.com/en/github/working-with-github-pages/managing-a-custom-domain-for-your-github-pages-site Hmmm, I added an A record named @ for each of the four IP addresses listed by GitHub and gave them 1 hour TTLs, while deleting any other A record named @. That was over an hour ago and attempting to load the site says that its server IP address can't be found. On the Settings page for the repository holding the site's code, I'm also seeing "Domain's DNS record could not be retrieved". Do I need to add or remove other DNS records, or does the TTL not actually indicate how long it takes such changes to go into effect?
|
|
#
?
May 7, 2020 03:13
|
|