jre
Sep 2, 2011

To the cloud ?





nem posted:

Sure. That's why the source is on Github. You can wget and invoke from shell if that's your thing too.

Or you could put a tiny bit more effort in and publish signed packages and not have an embarrassingly insecure install method for a product with "integrated security"?


nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.


jre posted:

Or you could put a tiny bit more effort in and publish signed packages and not have an embarrassingly insecure install method for a product with "integrated security"?

SHA2 is on apisnetworks.com if you need that. It's for a pristine server. You can always pull the repos and inspect history if necessary. You still have control over it and the expectation is that you'll wipe it after benchmarking. All source is publicly available through the script + Bitbucket repos. Submit a PR if you'd like to improve it. It's still pre-alpha. This script is the most rudimentary step of the entire process. All RPMs are signed. Source code is not signed yet, because it's still before 3.0.

I can sign it with whatever key, but does not mean it is secure unless you trust the signing source, which puts us at an impasse.

jre
Sep 2, 2011

To the cloud ?





nem posted:

SHA2 is on apisnetworks.com if you need that. It's for a pristine server. You can always pull the repos and inspect history if necessary. You still have control over it and the expectation is that you'll wipe it after benchmarking. All source is publicly available through the script + Bitbucket repos. Submit a PR if you'd like to improve it. It's still pre-alpha. This script is the most rudimentary step of the entire process. All RPMs are signed. Source code is not signed yet, because it's still before 3.0.

I can sign it with whatever key, but does not mean it is secure unless you trust the signing source, which puts us at an impasse.

So even ignoring fun tricks like this https://www.idontplaydarts.com/2016...sh-server-side/

There's a fundamental difference in security between having a package signed with a private key that you keep safely offline, and a random script on Github which you only need to obtain push permissions to in order to compromise. People regularly leak Github API keys by accident because it's an easy thing to do in integrations. It happened to Homebrew recently.

Saying people can manually check the hash or audit the code every time they go to run the script to check it's not been compromised is silly.

nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.



This example appears to work for chunked encoding only...

code:
# curl -I https://raw.githubusercontent.com/apisnetworks/apnscp-bootstrapper/master/bootstrap.sh

HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
ETag: "cbc17bdc7fea3ebee66d718d9b7ec5e2c0621c9e"
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
X-Geo-Block-List:
X-GitHub-Request-Id: CC46:4984:9D0AF:A5913:5B720AF2
Content-Length: 4674
Accept-Ranges: bytes
Date: Mon, 13 Aug 2018 22:49:23 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-msp9220-MSP
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1534200564.590134,VS0,VE30
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 5d1766d1abc8b92d22d005bbe9fac3b7d6b23661
Expires: Mon, 13 Aug 2018 22:54:23 GMT
Source-Age: 0
Downloaded the example from the blog. Reproduced so long as the server sends chunked encoding, but Github doesn't chunk its encoding for small files so you can't stuff the stream with arbitrary code. Neat hypothetical nonetheless and something to consider going forward with how data is sent over the panel.

Compromised? Sure, anyone can get compromised. Unless there are two separate processes for pushing code and signing releases, compromising one most likely implies the second is compromised.

MITM? Possible, but then you'd have bigger problems with all of Github. I've open-sourced some components and put them on Github/Bitbucket for that very reason. Right now, with multiple releases pushed daily, it's important to get to a milestone that I can tag and freeze the release, then sign these milestones. I'm still a few months from a final release and interested in collecting usage data at this point, which again is why I asked if they had 90 minutes to burn and wipe after running.

All advice is helpful when it becomes relevant for that particular milestone.
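The two checks argued over in the posts above (whether a response is chunked, so a server could stuff the stream after the client has started consuming it, and whether a downloaded installer matches a hash published out of band) can both be done before anything is executed. The following is an added example written for this thread, not code from apnscp or its bootstrapper; the header text and the sample script bytes are constructed inline, with the header block abbreviated from the `curl -I` output shown above.

```python
import hashlib
import hmac

# Constructed sample: an abbreviated copy of the non-chunked response shown in
# the post above. Content-Length is present and Transfer-Encoding is absent.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 4674
Accept-Ranges: bytes
"""

# Constructed sample: what the same response would look like if the server
# chose to stream the body in chunks instead of declaring its length up front.
CHUNKED_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
"""

# Constructed sample installer body standing in for a downloaded bootstrap script.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'installing example package'\n"


def parse_headers(raw):
    """Turn a raw header block (status line first) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_chunked(raw):
    """True when the body is sent with chunked transfer encoding, meaning the
    client has no way to know the full length before it starts reading."""
    te = parse_headers(raw).get("transfer-encoding", "")
    return "chunked" in [t.strip().lower() for t in te.split(",")]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data, expected_hex):
    """Compare the digest of the complete downloaded body against a hash
    obtained from a separate channel, using a constant-time comparison."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def checked_installer(data, expected_hex):
    """Download-then-verify pattern: return the body only if its digest matches;
    refuse (raise) otherwise so nothing unverified reaches the shell."""
    if not verify_pinned(data, expected_hex):
        raise ValueError("SHA-256 mismatch; refusing to execute installer")
    return data


if __name__ == "__main__":
    print("sample response chunked:", is_chunked(SAMPLE_HEADERS))
    pinned = sha256_hex(SAMPLE_SCRIPT)  # in practice published out of band
    print("verified bytes:", len(checked_installer(SAMPLE_SCRIPT, pinned)))
```

The shell equivalent of `checked_installer` is to download to a file first and run `sha256sum -c` against a checksum file fetched from a different host than the script itself, then execute the file only on success; piping `curl` straight into `sh` skips that step entirely, which is the point of the thread. The header check is a diagnostic, not a defence: a server that sends Content-Length today can switch to chunked tomorrow, so the digest (or a signature) is what actually has to hold.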

number one pta fan
Sep 6, 2011

my work is my play play
every day pay day


I have an application that I want to run on a remote server. I've used dedicated servers in the past, but I stumbled across Scaleway and I really like the idea of paying for x hours of access to a lot of power as I need it over paying for the full month of hours for much less on a dedicated server. Problem is Scaleway's volumes appear to cap at 150GB and I need a single volume substantially larger than that.

Where should I look?

I basically want to stick XFCE on it, install one application and x2go into it a few evenings a week.

RoboBoogie
Sep 18, 2008


number one pta fan posted:

I have an application that I want to run on a remote server. I've used dedicated servers in the past, but I stumbled across Scaleway and I really like the idea of paying for x hours of access to a lot of power as I need it over paying for the full month of hours for much less on a dedicated server. Problem is Scaleway's volumes appear to cap at 150GB and I need a single volume substantially larger than that.

Where should I look?

I basically want to stick XFCE on it, install one application and x2go into it a few evenings a week.

Scaleway is cheap because their CPUs don't have power.

counterfeitsaint
Feb 26, 2010

I'm a girl, and you're
gnomes, and it's like
what? Yikes.

This seems to be the best place to post this. If not please point me in the right direction.

A friend of mine has an informational small business website I help him with. There's currently no SSL certificate because it's just an informational website collecting no personal data. He wants to set up Facebook Messenger to chat with customers on his website, and Facebook requires SSL for that. My question is, why do SSL certificates vary so wildly in price, and why shouldn't I just get one of the cheapo $15/yr ones? I know there's three types, website only, business identity and enterprise, but even just looking exclusively at the website-only ones, they seem to go from $15/yr to $150/yr. There's no real personal data being transmitted, and certainly no credit cards, so does it really matter?

DarkLotus
Sep 30, 2001

Lithium Hosting
Personal, Reseller & VPS Hosting
30 day no risk Free Trial!


counterfeitsaint posted:

This seems to be the best place to post this. If not please point me in the right direction.

A friend of mine has an informational small business website I help him with. There's currently no SSL certificate because it's just an informational website collecting no personal data. He wants to set up Facebook Messenger to chat with customers on his website, and Facebook requires SSL for that. My question is, why do SSL certificates vary so wildly in price, and why shouldn't I just get one of the cheapo $15/yr ones? I know there's three types, website only, business identity and enterprise, but even just looking exclusively at the website-only ones, they seem to go from $15/yr to $150/yr. There's no real personal data being transmitted, and certainly no credit cards, so does it really matter?

For something like that, Let's Encrypt or whatever free SSL is provided by some hosting companies will work.
Lithium Hosting provides free Domain Validated SSL on all shared hosting plans.

I'm not pushing you to buy, but there is a description of each type and what they mean here:
https://lithiumhosting.com/security

nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.


counterfeitsaint posted:

This seems to be the best place to post this. If not please point me in the right direction.

SSL on a properly configured host affords HTTP/2 communication, which is as fast if not marginally faster than HTTP/1.1 and now your communication is secure. Any host nowadays worth their salt will provide SSL at no added cost to the account.

Etown
Mar 4, 2003


DarkLotus posted:

Lithium Hosting provides free Domain Validated SSL on all shared hosting plans.
https://lithiumhosting.com/security
I have a Lithium Hosting account and can verify the free SSL is easy to set up.

Boris Galerkin
Dec 17, 2011



I currently have my domain names (.coms) registered with Gandi because I think at the time they were one of the few ones I found that would do whois privacy protection for free. Ever since then I've just kept renewing from them. I have one coming up for expiration soon and it's $18ish to renew it so I was just wondering if there were better/cheaper alternatives now?

Edit: I'm okay with them giving my info out for what they deem to be valid reasons but I just don't want my name, address, phone number, email, etc all listed out in the open in plain text.

Edit 2: Just transferred to Cloudflare since they'll probably be around for a while and claim to charge wholesale.

Boris Galerkin fucked around with this message at Dec 21, 2018 around 08:53

Empress Brosephine
Mar 31, 2012


Winner of the "Poor Games Poster" avatar.

I don't know if this is the right place and I'm laughably out of date in web skills, but is there a service that lets me put a raw site on a host that I can pull and edit from and upload directly without messing with FTP and crap?

I could sync it up to Google Drive but I'd rather it be all automatic and sync on save or what have you.

Please don't laugh at this grandpa.

nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.


Empress Brosephine posted:

I don't know if this is the right place and I'm laughably out of date in web skills, but is there a service that lets me put a raw site on a host that I can pull and edit from and upload directly without messing with FTP and crap?

I could sync it up to Google Drive but I'd rather it be all automatic and sync on save or what have you.

Please don't laugh at this grandpa.

GitHub Pages + Jekyll?

RoboBoogie
Sep 18, 2008


Built a wedding website on my Scaleway VPS that I use for my media downloading and Plex. I am debating if I should fire up another Scaleway VPS or go with Digital Ocean.

Downside with Scaleway is that they use a piece of lettuce as a CPU, but so far not experiencing any issue with speed when using it with Cloudflare.

any recommendations?

nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.


I found Vultr to be a bit faster than DO, but you're at the mercy of neighboring tenants and how crammed a server is.

Virtualization requires better hardware, but you're still at the mercy of a logical core tied to dozens if not hundreds of sites and businesses calling the shots of how many sites they want to attach to that core. Just remember when it comes to something as commoditized as cloud hosting, everyone has roughly analogous costs and you get what you pay for. As with shared hosting, as a platform ages those VMs tend to pick up a ton of cruft that consequently hurts performance for all.

nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.


mewse posted:

Yeah I'm gonna switch when I move to the new ispmail guide for the next debian release, I already have a new VPS, just need to get off my rear end. I've never liked spamassassin and it's resource consumption, I just wanted to share the solution to something that was a problem for literally a year

Bumping this after running rspamd for the last month, love it. It has support for before-queue milter actions, rate-limiting, greylists, hotlists (bypass filtering on active to/from conversations), integrated DKIM/ARC, and its Bayes algorithm is much improved.

mailcow is probably the easiest out of box implementation for it. Installation guide is geared for Debian installs.

nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.


And one more, cross-post. apnscp v3 has been released. I'm giving away 25 lifetime licenses over in SA-Mart to celebrate.

First come, first serve. Have fun!

Dumb Lowtax
Jul 9, 2005

Save blue hippo from danger, vote for Moo Moo in the best cat contest

Plaster Town Cop

How predatory is the domain name industry? If I signal interest in a name by searching for it, will the price of that name skyrocket or something in the time it takes me to comparison shop?

I bet comparison shopping will not be trivial or quick to do, assuming some of them would jack up the price in ways that are not initially obvious once someone has signaled interest in that name. Such as, by allowing you to buy it cheap the first month but then in the fine print it's gonna shoot up from that point forward.

The SH/SC FAQ says some domain name stores (GoDaddy) are worse than others but doesn't give reasons. What differences could possibly exist when the service being provided is so simple (domain forwarding)? Do some of them just not provide you full control over what the domain points at, or are slower or something, or is there any difference at all besides just price?

nem
Jan 4, 2003

Managed + self-hosted hosting platforms since 2002.


It used to be quite predatory, so bad that ICANN implemented a mandatory domain registration fee to curb domain tasting in 2009. Namecheap and Network Solutions continue to participate in domain tasting, but their algorithms are more discreet than simply registering a domain you queried. Namecheap will taste if you have several variations of the domain in your cart. Netsol does it based upon query volume for a name.

Go with Porkbun, Namesilo, or even Cloudflare for domain registration. A domain is a domain is a domain, doesn't matter where you get it from as long as the company is reputable.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


Probably just go with cloudflare at this point, who are reputable, good at security, and sell at the same prices it costs them to buy

Dumb Lowtax
Jul 9, 2005

Save blue hippo from danger, vote for Moo Moo in the best cat contest

Plaster Town Cop

Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice?

For technical considerations, what I'm going to eventually put on there is a simple Node/Express server and MongoDB install using I guess a cheap/free academic AWS account. Until I get all that working I guess I will just do forwarding to a temporary site. Traffic/latency might matter in the far future.

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano


if you're planning on using AWS anyway, you can register domains through AWS Route 53

prices here https://d32ze2gidvkk54.cloudfront.n...ng_20140731.pdf

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

Dumb Lowtax posted:

Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice?

For technical considerations, what I'm going to eventually put on there is a simple Node/Express server and MongoDB install using I guess a cheap/free academic AWS account. Until I get all that working I guess I will just do forwarding to a temporary site. Traffic/latency might matter in the far future.

If the cost of the domain is not prohibitive to you I would just buy it. Seconding AWS if you are gonna host there anyways, it's convenient to have it all in one place. But if you end up hosting elsewhere, it can't hurt to have your domains managed in AWS. I like gandi.net for my domains, that's the registrar AWS uses under the hood.

PlesantDilemma
Dec 5, 2006

The Last Hope for Peace

I see Lithium recommended here but can't find the versions of PHP they support, anyone know? I have to host a 5.x app (yep).

DarkLotus
Sep 30, 2001

Lithium Hosting
Personal, Reseller & VPS Hosting
30 day no risk Free Trial!


PlesantDilemma posted:

I see Lithium recommended here but can't find the versions of PHP they support, anyone know? I have to host a 5.x app (yep).

4.x+ is officially supported


Boris Galerkin
Dec 17, 2011



Rufus Ping posted:

Probably just go with cloudflare at this point, who are reputable, good at security, and sell at the same prices it costs them to buy

Cloudflare registration isn't generally open, though they do allow you to transfer in. I just did it with one of my domains and iirc they charge at-cost, so around $8/year or so. If you can find a place to buy a .com on sale for less then you could always just transfer into Cloudflare before it expires in a year.

Dumb Lowtax posted:

Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice?

For technical considerations, what I'm going to eventually put on there is a simple Node/Express server and MongoDB install using I guess a cheap/free academic AWS account. Until I get all that working I guess I will just do forwarding to a temporary site. Traffic/latency might matter in the far future.

Go to https://domains.google and search for your domain name there. They sell .com domains for $12/year, so it's only slightly above cost and you probably already have a Google account with your credit card information on it so it can't get any easier. You can deal with the DNS stuff later on, it's super easy!

Another domain website I like is https://iwantmyname.com which has some TLDs that Google doesn't sell, like a lot of the ccTLDs (.de, .fr, .nl, etc). There's also https://www.gandi.net but I think they are a bit pricier, but they seem to have the most options for TLDs but that only matters if you wanted an obscure domain name.

I probably wouldn't search for domain name availability on any other website (other than other reputable companies, like say amazon.com) because there's always the chance that some lovely company will see you're interested in buying it and then try to extort you for more money. I don't know how common this is anymore but I'm pretty sure companies like GoDaddy do it or used to do it.

tldr, if you have $12 today then just go buy the domain name and deal with the dns/hosting/etc later.

e: Just a quick general tip, if you're trying to buy an obscure/ccTLD you can/should always check if you can buy it directly from the source for much cheaper. Like, iwantmyname.com charges 84€ for a .is domain and some others charge over 100€. The place that actually sells it, isnic.is, sells them for 30€/yr.

Boris Galerkin fucked around with this message at Feb 16, 2019 around 11:39
