Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«121 »
  • Post
  • Reply
jre
Sep 2, 2011

To the cloud ?





nem posted:

Sure. Thatís why the source is on Github. You can wget and invoke from shell if thatís your thing too.

Or you could put a tiny bit more effort in and publish signed packages and not have a embarrassingly insecure install method for a product with "integrated security" ?

Adbot
ADBOT LOVES YOU

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


jre posted:

Or you could put a tiny bit more effort in and publish signed packages and not have a embarrassingly insecure install method for a product with "integrated security" ?

SHA2 is on apisnetworks.com if you need that. It's for a pristine server. You can always pull the repos and inspect history if necessary. You still have control over it and the expectation is that you'll wipe it after benchmarking. All source is publicly available through the script + Bitbucket repos. Submit a PR if you'd like to improve it. It's still pre-alpha. This script is the most rudimentary step of the entire process. All RPMs are signed. Source code is not signed yet, because it's still before 3.0.

I can sign it with whatever key, but does not mean it is secure unless you trust the signing source, which puts us at an impasse.

jre
Sep 2, 2011

To the cloud ?





nem posted:

SHA2 is on apisnetworks.com if you need that. It's for a pristine server. You can always pull the repos and inspect history if necessary. You still have control over it and the expectation is that you'll wipe it after benchmarking. All source is publicly available through the script + Bitbucket repos. Submit a PR if you'd like to improve it. It's still pre-alpha. This script is the most rudimentary step of the entire process. All RPMs are signed. Source code is not signed yet, because it's still before 3.0.

I can sign it with whatever key, but does not mean it is secure unless you trust the signing source, which puts us at an impasse.

So even ignoring fun tricks like this https://www.idontplaydarts.com/2016...sh-server-side/

There's a fundamental difference in security between having a package signed with a private key that you keep safely offline, and a random script on github which you only need to obtain push permissions to compromise. People regularly accidentally leak github api keys because it's an easy thing to do in integrations. It happened to home-brew recently.

Saying people can manually check the hash or audit the code every time they go to run the script to check it's not been compromised is silly

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved



This example appears to work for chunked encoding only...

code:
# curl -I [url]https://raw.githubusercontent.com/apisnetworks/apnscp-bootstrapper/master/bootstrap.sh[/url]

HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
ETag: "cbc17bdc7fea3ebee66d718d9b7ec5e2c0621c9e"
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
X-Geo-Block-List:
X-GitHub-Request-Id: CC46:4984:9D0AF:A5913:5B720AF2
Content-Length: 4674
Accept-Ranges: bytes
Date: Mon, 13 Aug 2018 22:49:23 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-msp9220-MSP
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1534200564.590134,VS0,VE30
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 5d1766d1abc8b92d22d005bbe9fac3b7d6b23661
Expires: Mon, 13 Aug 2018 22:54:23 GMT
Source-Age: 0
Downloaded the example from the blog. Reproduced so long as the server sends chunked encoding, but Github doesn't chunk its encoding for small files so you can't stuff the stream with arbitrary code. Neat hypothetical nonetheless and something to consider going forward with how data is sent over the panel.

Compromised? Sure, anyone can get compromised. Unless there are two separate processes for pushing code and signing releases, compromising one most likely implies the second is compromised.

MITM? Possible, but then you'd have bigger problems with all of Github. I've open-sourced some components and put them on Github/Bitbucket for that very reason. Right now, with multiple releases pushed daily, it's important to get to a milestone that I can tag and freeze the release, then sign these milestones. I'm still a few months from a final release interested in collecting usage data at this point, which again is why I asked if they had 90 minutes to burn and wipe after running.

All advice is helpful when it becomes relevant for that particular milestone.

number one pta fan
Sep 6, 2011

my work is my play play
every day pay day


I have an application that I want to run on a remote server. I've used dedicated servers in the past, but I stumbled across Scaleway and I really like the idea of paying for x hours of access to a lot of power as I need it over paying for the full month of hours for much less on a dedicated server. Problem is Scaleway's volumes cap appear to cap at 150gb and I need a single volume substantially larger than that.

Where should I look?

I basically want to stick XFCE on it, install one application and x2go into it a few evenings a week.

RoboBoogie
Sep 18, 2008


number one pta fan posted:

I have an application that I want to run on a remote server. I've used dedicated servers in the past, but I stumbled across Scaleway and I really like the idea of paying for x hours of access to a lot of power as I need it over paying for the full month of hours for much less on a dedicated server. Problem is Scaleway's volumes cap appear to cap at 150gb and I need a single volume substantially larger than that.

Where should I look?

I basically want to stick XFCE on it, install one application and x2go into it a few evenings a week.

Scaleway is cheap because their cpus donít have power

counterfeitsaint
Feb 26, 2010

I'm a girl, and you're
gnomes, and it's like
what? Yikes.

This seems to be the best place to post this. If not please point me in the right direction.

A friend of mine has an informational small business website I help him with. There's currently no SLL certificate because it's just an informational website collecting no personal data. He wants to setup Facebook messenger to chat with customers on his website, and Facebook requires SLL for that. My question is, why do SLL certificates vary so wildly in price, and why shouldn't I just get one of the cheapo $15/yr ones? I know there's three types, website only, business identity and enterprise, but even just looking exclusively at the website only ones, they seem to go from $15/yr to $150/yr. There's no real personal data being transmitted, and certainly no credit cards, so does it really matter?

DarkLotus
Sep 30, 2001

Lithium Hosting
Personal, Reseller & VPS Hosting
30 day no risk Free Trial!


counterfeitsaint posted:

This seems to be the best place to post this. If not please point me in the right direction.

A friend of mine has an informational small business website I help him with. There's currently no SLL certificate because it's just an informational website collecting no personal data. He wants to setup Facebook messenger to chat with customers on his website, and Facebook requires SLL for that. My question is, why do SLL certificates vary so wildly in price, and why shouldn't I just get one of the cheapo $15/yr ones? I know there's three types, website only, business identity and enterprise, but even just looking exclusively at the website only ones, they seem to go from $15/yr to $150/yr. There's no real personal data being transmitted, and certainly no credit cards, so does it really matter?

For something like that, Let's Encrypt or whatever free SSL is provided by some hosting companies will work.
Lithium Hosting provides free Domain Validated SSL on all shared hosting plans.

I'm not pushing you to buy, but there is a description of each type and what they mean here:
https://lithiumhosting.com/security

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


counterfeitsaint posted:

This seems to be the best place to post this. If not please point me in the right direction.

SSL on a properly configured host affords HTTP/2 communication, which is as fast if not marginally faster than HTTP/1.1 and now your communication is secure. Any host nowadays worth their salt will provide SSL at no added cost to the account.

Etown
Mar 4, 2003


DarkLotus posted:

Lithium Hosting provides free Domain Validated SSL on all shared hosting plans.
https://lithiumhosting.com/security
I have a Lithium Hosting account and can verify the free SSL is easy to setup.

Boris Galerkin
Dec 17, 2011



I currently have my domain names (.coms) registered with Gandi because I think at the time they were one of the few ones I found that would do whois privacy protection for free. Ever since then I've just kept renewing from them. I have one coming up for expiration soon and it's $18ish to renew it so I was just wondering if there were better/cheaper alternatives now?

Edit: I'm okay with them giving my info out for what they deem to be valid reasons but I just don't want my name, address, phone number, email, etc all listed out in the open in plain text.

Edit 2: Just transferred to Cloudflare since they'll probably be around for a while and claim to charge wholesale.

Boris Galerkin fucked around with this message at Dec 21, 2018 around 08:53

Empress Brosephine
Mar 31, 2012


Winner of the "Poor Games Poster" avatar.

I donít know if this is the right place and Iím laughably out of date in web skillsbut is there a service that lets me put a raw site on like a host that I can pull and edit from and upload directly without messing with FTP and crap?

I could sync it up to google drive but I rather it be all automatic and sync on save or what have you

Please donít laugh at this grandpa

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


Empress Brosephine posted:

I donít know if this is the right place and Iím laughably out of date in web skillsbut is there a service that lets me put a raw site on like a host that I can pull and edit from and upload directly without messing with FTP and crap?

I could sync it up to google drive but I rather it be all automatic and sync on save or what have you

Please donít laugh at this grandpa

GitHub Pages + Jekyll?

RoboBoogie
Sep 18, 2008


built a wedding website on my scaleway vps that i use for my media downloading and plex. i am debating if i should fire up another scaleway vps or go with digital ocean

downside with scaleway is that they use a piece of lettuce as a CPU but so far not experiencing any issue with speed when using it with cloud flare.

any recommendations?

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


I found Vultr to be a bit faster than DO, but you're at the mercy of neighboring tenants and how crammed a server is.

Virtualization requires better hardware, but you're still at the mercy of a logical core tied to dozens if not hundreds of sites and businesses calling the shots of how many sites they want to attach to that core. Just remember when it comes to something as commoditized as cloud hosting, everyone has roughly analogous costs and you get what you pay for. As with shared hosting, as a platform ages those VMs tend to pick up a ton of cruft that consequently hurts performance for all.

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


mewse posted:

Yeah I'm gonna switch when I move to the new ispmail guide for the next debian release, I already have a new VPS, just need to get off my rear end. I've never liked spamassassin and it's resource consumption, I just wanted to share the solution to something that was a problem for literally a year

Bumping this after running rspamd for the last month, love it. It has support for before-queue milter actions, rate-limiting, greylists, hotlists (bypass filtering on active to/from conversations), integrated DKIM/ARC, and its Bayes algorithm is much improved.

mailcow is probably the easiest out of box implementation for it. Installation guide is geared for Debian installs.

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


And one more, cross-post. apnscp v3 has been released. I'm giving away 25 lifetime licenses over in SA-Mart to celebrate.

First come, first serve. Have fun!

Dumb Lowtax
Jul 9, 2005



Plaster Town Cop

How predatory is the domain name industry? If I signal interest in a name by searching for it, will the price of that name skyrocket or something in the time it takes me to comparison shop?

I bet comparison shopping will not be trivial or quick to do, assuming some of them would jack up the price in ways that are not initially obvious once someone has signaled interest in that name. Such as, by allowing you to buy it cheap the first month but then in the fine print it's gonna shoot up from that point forward.

The SH/SC FAQ says some domain name stores (GoDaddy) are worse than others but doesn't give reasons. What differences could possibly exist when the service being provided is so simple (domain forwarding)? Do some of them just not provide you full control over what the domain points at, or are slower or something, or is there any difference at all besides just price?

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


It used to be quite predatory, so bad that ICANN implemented a mandatory domain registration fee to curb domain tasting in 2009. Namecheap and Network Solutions continue to participate in domain tasting, but its algorithms are more discrete than simply registering a domain you queried. Namecheap will taste if you have several variations of the domain in your cart. Netsol based upon query volume for a name.

Go with Porkbun, Namesilo, or even Cloudflare for domain registration. A domain is a domain is a domain, doesn't matter where you get it from as long as the company is reputable.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


Probably just go with cloudflare at this point, who are reputable, good at security, and sell at the same prices it costs them to buy

Dumb Lowtax
Jul 9, 2005



Plaster Town Cop

Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice?

For technical considerations, what I'm going to eventually put on there is a simple Node/Express server and MongoDB install using I guess a cheap/free academic AWS account. Until I get all that working I guess I will just do forwarding to a temporary site. Traffic/latency might matter in the far future.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


if you're planning on using AWS anyway, you can register domains through AWS Route 53

prices here https://d32ze2gidvkk54.cloudfront.n...ng_20140731.pdf

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

Dumb Lowtax posted:

Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice?

For technical considerations, what I'm going to eventually put on there is a simple Node/Express server and MongoDB install using I guess a cheap/free academic AWS account. Until I get all that working I guess I will just do forwarding to a temporary site. Traffic/latency might matter in the far future.

If the cost of the domain is not prohibitive to you I would just buy it. Seconding AWS if you are gonna host there anyways, it's convenient to have it all in one place. But if you end up hosting elsewhere, it can't hurt to have your domains managed in AWS. I like gandi.net for my domains, that's the registrar AWS uses under the hood.

PlesantDilemma
Dec 5, 2006

The Last Hope for Peace

I see lithium recommend here but cant find the versions of php they support, anyone know? I have to host a 5.x app (yep)

DarkLotus
Sep 30, 2001

Lithium Hosting
Personal, Reseller & VPS Hosting
30 day no risk Free Trial!


PlesantDilemma posted:

I see lithium recommend here but cant find the versions of php they support, anyone know? I have to host a 5.x app (yep)

4.x+ is officially supported

Boris Galerkin
Dec 17, 2011



Rufus Ping posted:

Probably just go with cloudflare at this point, who are reputable, good at security, and sell at the same prices it costs them to buy

Cloudflare registration isn't generally open, though they do allow you to transfer in. I just did it with one of my domains and iirc they charge at-cost, so around $8/year or so. If you can find a place to buy a .com on sale for less then you could always just transfer into Cloudflare before it expires in a year.

Dumb Lowtax posted:

Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice?

For technical considerations, what I'm going to eventually put on there is a simple Node/Express server and MongoDB install using I guess a cheap/free academic AWS account. Until I get all that working I guess I will just do forwarding to a temporary site. Traffic/latency might matter in the far future.

Go to https://domains.google and search for your domain name there. They sell .com domains for $12/year, so it's only slightly above cost and you probably already have a Google account with your credit card information on it so it can't get any easier. You can deal with the DNS stuff later on, it's super easy!

Another domain website I like is https://iwantmyname.com which has some TLDs that Google doesn't sell, like a lot of the ccTLDs (.de, .fr, .nl, etc). There's also https://www.gandi.net but I think they are a bit pricier, but they seem to have the most options for TLDs but that only matters if you wanted an obscure domain name.

I probably wouldn't search for domain name availability on any other website (other than other reputable companies, like say amazon.com) because there's always the chance that some lovely company will see you're interested in buying it and then try to extort you for more money. I don't know how common this is anymore but I'm pretty sure companies like GoDaddy do it or used to do it.

tldr, if you have $12 today then just go buy the domain name and deal with the dns/hosting/etc later.

e: Just a quick general tip, if you're trying to buy an obscure/ccTLD you can/should always check if you can buy it directly from the source for much cheaper. Like, iwantmyname.com charges 84Ä for a .is domain and some others charge over 100Ä. The place that actually sells it, isnic.is, sells them for 30Ä/yr.

Boris Galerkin fucked around with this message at Feb 16, 2019 around 11:39

KOTEX GOD OF BLOOD
Jul 7, 2012



Fallen Rib

I have a domain through name.com that just forwards to another site (done through their control panel.) I'd like to get google analytics on it so I can see how many people, from where, etc. are being redirected through the link. What's the most streamlined way to do that with the lowest possible addition to loading time?

e: PS lithium rules

KOTEX GOD OF BLOOD fucked around with this message at Mar 21, 2019 around 18:11

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

KOTEX GOD OF BLOOD posted:

I have a domain through name.com that just forwards to another site (done through their control panel.) I'd like to get google analytics on it so I can see how many people, from where, etc. are being redirected through the link. What's the most streamlined way to do that with the lowest possible addition to loading time?

e: PS lithium rules

If you are redirecting you will lose the benefits of the redirect if you add a HTML page in between.

Alpha Mayo
Jan 15, 2007

VANQUISH THE GLOBALISTS


What is the best practice for hosting multiple domains on a LEMP stack? There are four domains, each using wordpress, and I am moving them from their current shared hosting to a VPS (probably digitalocean).

I'd like to have all four sites on the single VPS, however if ONE wordpress site gets owned/hacked, I don't want the hacker to be able to get to the other three sites.

Is Docker the best way to do this, with maybe the host running nginx as reverse proxy, or should I make multiple linux users for each site and follow something like this:
https://www.digitalocean.com/commun...on-ubuntu-14-04

Soaring Kestrel
Nov 7, 2009

I have no idea what happened to Zulea.


Fun Shoe

Alpha Mayo posted:

What is the best practice for hosting multiple domains on a LEMP stack?

I use FPM pools separated by user and chrooted and have not felt any concern regarding security or performance, so that's my personal recommendation.

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


Alpha Mayo posted:

What is the best practice for hosting multiple domains on a LEMP stack? There are four domains, each using wordpress, and I am moving them from their current shared hosting to a VPS (probably digitalocean).

I'd like to have all four sites on the single VPS, however if ONE wordpress site gets owned/hacked, I don't want the hacker to be able to get to the other three sites.

Is Docker the best way to do this, with maybe the host running nginx as reverse proxy, or should I make multiple linux users for each site and follow something like this:
https://www.digitalocean.com/commun...on-ubuntu-14-04

Make sure you're remaining diligent on updating plugins/themes. WP by default only updates core. Jailing is your best bet or with containers. Better yet is to leave the web app system files under a separate uid than what PHP-FPM operates under such that everything but wp-content/ is under 1 uid and wp-content/ under another. Deploy core updates with wp-cli.

Go with Vultr or Hetzner instead of DO. Their performance isn't incredible compared to alternatives.

Alpha Mayo
Jan 15, 2007

VANQUISH THE GLOBALISTS


Soaring Kestrel posted:

I use FPM pools separated by user and chrooted and have not felt any concern regarding security or performance, so that's my personal recommendation.

Is that Digitalocean guide pretty accurate on doing that?

Earl of Lavender
Jul 29, 2007

This is not my beautiful house!!

This is not my beautiful wife!!!


Pillbug

Anyone used Gandi as an email host before? Any issues I could expect from them?

Soaring Kestrel
Nov 7, 2009

I have no idea what happened to Zulea.


Fun Shoe

Alpha Mayo posted:

Is that Digitalocean guide pretty accurate on doing that?

It specifically omits chroot, which i think shouldn't be done, and it should probably also be noted that newer versions of PHP are available from
code:
 sudo add-apt-repository ppa:ondrej/php
, but other than that at my exceedingly speedy read-through it seemed okay!

DarkLotus
Sep 30, 2001

Lithium Hosting
Personal, Reseller & VPS Hosting
30 day no risk Free Trial!


Time to update Apache!
https://httpd.apache.org/security/v...ilities_24.html

cPanel is working on an EA4 update to address this, should be out later today.
https://forums.cpanel.net/threads/e...19-0211.650517/

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


Affects mod_php but not FPM workers provided you're not running FPM workers under the same UID as the web server... I can't imagine why you would.

Twerk from Home
Jan 17, 2009

This avatar brought to you by the 'save our dead gay forums' foundation.


I've been home hosting a couple of game servers and NodeJS based websites/webapps for a while. Nginx in docker is acting as a reverse proxy, and I'm using docker containers and volume bind mounts for the applications too. Pretty much everything is either managing its own state in said volume mount, or using SQLite with the .db in a volume mount. Host OS is Ubuntu 16.04 on Hyper-V, with 8GB RAM allocated to it. There's more RAM available on the host if need be.

A friend is asking me to host a low but not zero load hobby Wordpress site now, which I've been intentionally avoiding.

Should I spin up an entirely new VM for isolating the Wordpress / Mysql to its own thing and just install them the traditional way as a service, or is Wordpress less toxic than I think and I can just throw in Wordpress and MySQL docker containers alongside my other stuff? I hear PHP is better now, but I'm still wary.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


PHP isn't the problem (directly), it's the state of the plugin/theme ecosystem. My personal position, learned the difficult way, is don't go near hosting other people's code - pay someone else to do it instead.

That said, the worst that's likely to happen is someone getting code exec inside the container as the same user that wordpress runs as. So consider how your docker setup would fare under those circumstances and weigh up your options accordingly.

The most obvious point is make sure the docker control socket isn't accessible from inside the container or an attacker can break out trivially. And make sure the wordpress database user doesn't have access or privs it doesn't need. The linux kernel itself has a fairly poor track record of isolating containers correctly, although this can be mitigated somewhat using seccomp and reducing capabilities.

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved


WordPress is only as safe as you let it be. People do stupid things, so if you can't trust your friend to not do stupid things then pass. Just today I handled a situation where a theme allowed a user to enter an arbitrary email address and send a copy to itself... sure enough that was exploited by a Chinese botnet of around 250 distinct addresses to spam.

If you do host him a few things,

  • WordPress system files should be under a different user than wp-content/ files
  • Run WordPress under the wp-content/ owner, not the system files user - if he were to get hacked it makes developing an audit trail easier (find . -user wpuser)
  • Use WP-CLI to automatically update core, plugins, and themes. Super simple to do. WP by default only updates core
  • Be smart with plugins/themes. Anyone can write a plugin, even someone at the end of their career rope looking for a hail mary to put on their resume

Adbot
ADBOT LOVES YOU

KOTEX GOD OF BLOOD
Jul 7, 2012



Fallen Rib

Biowarfare posted:

If you are redirecting you will lose the benefits of the redirect if you add a HTML page in between.
How do you mean? The benefits as in, not needing to have separate hosting?

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«121 »