|
nem posted:Sure. That’s why the source is on Github. You can wget and invoke from shell if that’s your thing too. Or you could put a tiny bit more effort in and publish signed packages and not have a embarrassingly insecure install method for a product with "integrated security" ?
|
#
?
Aug 13, 2018 23:08
|
|
|
|
| # ? Apr 20, 2024 11:09 |
|
|
jre posted:Or you could put a tiny bit more effort in and publish signed packages and not have a embarrassingly insecure install method for a product with "integrated security" ? SHA2 is on apisnetworks.com if you need that. It's for a pristine server. You can always pull the repos and inspect history if necessary. You still have control over it and the expectation is that you'll wipe it after benchmarking. All source is publicly available through the script + Bitbucket repos. Submit a PR if you'd like to improve it. It's still pre-alpha. This script is the most rudimentary step of the entire process. All RPMs are signed. Source code is not signed yet, because it's still before 3.0. I can sign it with whatever key, but does not mean it is secure unless you trust the signing source, which puts us at an impasse.
|
|
#
?
Aug 13, 2018 23:19
|
|
|
nem posted:SHA2 is on apisnetworks.com if you need that. It's for a pristine server. You can always pull the repos and inspect history if necessary. You still have control over it and the expectation is that you'll wipe it after benchmarking. All source is publicly available through the script + Bitbucket repos. Submit a PR if you'd like to improve it. It's still pre-alpha. This script is the most rudimentary step of the entire process. All RPMs are signed. Source code is not signed yet, because it's still before 3.0. So even ignoring fun tricks like this https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/ There's a fundamental difference in security between having a package signed with a private key that you keep safely offline, and a random script on github which you only need to obtain push permissions to compromise. People regularly accidentally leak github api keys because it's an easy thing to do in integrations. It happened to home-brew recently. Saying people can manually check the hash or audit the code every time they go to run the script to check it's not been compromised is silly
|
|
#
?
Aug 13, 2018 23:41
|
|
|
jre posted:So even ignoring fun tricks like this https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/ This example appears to work for chunked encoding only... code:Compromised? Sure, anyone can get compromised. Unless there are two separate processes for pushing code and signing releases, compromising one most likely implies the second is compromised. MITM? Possible, but then you'd have bigger problems with all of Github. I've open-sourced some components and put them on Github/Bitbucket for that very reason. Right now, with multiple releases pushed daily, it's important to get to a milestone that I can tag and freeze the release, then sign these milestones. I'm still a few months from a final release interested in collecting usage data at this point, which again is why I asked if they had 90 minutes to burn and wipe after running. All advice is helpful when it becomes relevant for that particular milestone.
|
|
#
?
Aug 14, 2018 00:11
|
|
|
I have an application that I want to run on a remote server. I've used dedicated servers in the past, but I stumbled across Scaleway and I really like the idea of paying for x hours of access to a lot of power as I need it over paying for the full month of hours for much less on a dedicated server. Problem is Scaleway's volumes cap appear to cap at 150gb and I need a single volume substantially larger than that. Where should I look? I basically want to stick XFCE on it, install one application and x2go into it a few evenings a week.
|
|
#
?
Oct 16, 2018 00:50
|
|
|
number one pta fan posted:I have an application that I want to run on a remote server. I've used dedicated servers in the past, but I stumbled across Scaleway and I really like the idea of paying for x hours of access to a lot of power as I need it over paying for the full month of hours for much less on a dedicated server. Problem is Scaleway's volumes cap appear to cap at 150gb and I need a single volume substantially larger than that. Scaleway is cheap because their cpus don’t have power
|
|
#
?
Oct 30, 2018 05:49
|
|
|
This seems to be the best place to post this. If not please point me in the right direction. A friend of mine has an informational small business website I help him with. There's currently no SLL certificate because it's just an informational website collecting no personal data. He wants to setup Facebook messenger to chat with customers on his website, and Facebook requires SLL for that. My question is, why do SLL certificates vary so wildly in price, and why shouldn't I just get one of the cheapo $15/yr ones? I know there's three types, website only, business identity and enterprise, but even just looking exclusively at the website only ones, they seem to go from $15/yr to $150/yr. There's no real personal data being transmitted, and certainly no credit cards, so does it really matter?
|
|
#
?
Dec 12, 2018 16:48
|
|
|
counterfeitsaint posted:This seems to be the best place to post this. If not please point me in the right direction. For something like that, Let's Encrypt or whatever free SSL is provided by some hosting companies will work. Lithium Hosting provides free Domain Validated SSL on all shared hosting plans. I'm not pushing you to buy, but there is a description of each type and what they mean here: https://lithiumhosting.com/security
|
|
#
?
Dec 12, 2018 17:29
|
|
|
counterfeitsaint posted:This seems to be the best place to post this. If not please point me in the right direction. SSL on a properly configured host affords HTTP/2 communication, which is as fast if not marginally faster than HTTP/1.1 and now your communication is secure. Any host nowadays worth their salt will provide SSL at no added cost to the account.
|
|
#
?
Dec 12, 2018 18:08
|
|
|
DarkLotus posted:Lithium Hosting provides free Domain Validated SSL on all shared hosting plans.
|
|
#
?
Dec 18, 2018 08:05
|
|
|
I currently have my domain names (.coms) registered with Gandi because I think at the time they were one of the few ones I found that would do whois privacy protection for free. Ever since then I've just kept renewing from them. I have one coming up for expiration soon and it's $18ish to renew it so I was just wondering if there were better/cheaper alternatives now? Edit: I'm okay with them giving my info out for what they deem to be valid reasons but I just don't want my name, address, phone number, email, etc all listed out in the open in plain text. Edit 2: Just transferred to Cloudflare since they'll probably be around for a while and claim to charge wholesale. Boris Galerkin fucked around with this message at 09:53 on Dec 21, 2018 |
|
#
?
Dec 21, 2018 09:17
|
|
|
I don’t know if this is the right place and I’m laughably out of date in web skillsbut is there a service that lets me put a raw site on like a host that I can pull and edit from and upload directly without messing with FTP and crap? I could sync it up to google drive but I rather it be all automatic and sync on save or what have you Please don’t laugh at this grandpa
|
|
#
?
Dec 21, 2018 21:15
|
|
|
Empress Brosephine posted:I don’t know if this is the right place and I’m laughably out of date in web skillsbut is there a service that lets me put a raw site on like a host that I can pull and edit from and upload directly without messing with FTP and crap? GitHub Pages + Jekyll?
|
|
#
?
Dec 21, 2018 21:25
|
|
|
built a wedding website on my scaleway vps that i use for my media downloading and plex. i am debating if i should fire up another scaleway vps or go with digital ocean downside with scaleway is that they use a piece of lettuce as a CPU but so far not experiencing any issue with speed when using it with cloud flare. any recommendations?
|
|
#
?
Jan 8, 2019 19:54
|
|
|
I found Vultr to be a bit faster than DO, but you're at the mercy of neighboring tenants and how crammed a server is. Virtualization requires better hardware, but you're still at the mercy of a logical core tied to dozens if not hundreds of sites and businesses calling the shots of how many sites they want to attach to that core. Just remember when it comes to something as commoditized as cloud hosting, everyone has roughly analogous costs and you get what you pay for. As with shared hosting, as a platform ages those VMs tend to pick up a ton of cruft that consequently hurts performance for all.
|
|
#
?
Jan 8, 2019 22:08
|
|
|
mewse posted:Yeah I'm gonna switch when I move to the new ispmail guide for the next debian release, I already have a new VPS, just need to get off my rear end. I've never liked spamassassin and it's resource consumption, I just wanted to share the solution to something that was a problem for literally a year Bumping this after running rspamd for the last month, love it. It has support for before-queue milter actions, rate-limiting, greylists, hotlists (bypass filtering on active to/from conversations), integrated DKIM/ARC, and its Bayes algorithm is much improved. mailcow is probably the easiest out of box implementation for it. Installation guide is geared for Debian installs.
|
|
#
?
Jan 16, 2019 19:29
|
|
|
And one more, cross-post. apnscp v3 has been released. I'm giving away 25 lifetime licenses over in SA-Mart to celebrate. First come, first serve. Have fun! 
|
|
#
?
Jan 30, 2019 19:50
|
|
|
How predatory is the domain name industry? If I signal interest in a name by searching for it, will the price of that name skyrocket or something in the time it takes me to comparison shop? I bet comparison shopping will not be trivial or quick to do, assuming some of them would jack up the price in ways that are not initially obvious once someone has signaled interest in that name. Such as, by allowing you to buy it cheap the first month but then in the fine print it's gonna shoot up from that point forward. The SH/SC FAQ says some domain name stores (GoDaddy) are worse than others but doesn't give reasons. What differences could possibly exist when the service being provided is so simple (domain forwarding)? Do some of them just not provide you full control over what the domain points at, or are slower or something, or is there any difference at all besides just price?
|
|
#
?
Jan 31, 2019 23:06
|
|
|
It used to be quite predatory, so bad that ICANN implemented a mandatory domain registration fee to curb domain tasting in 2009. Namecheap and Network Solutions continue to participate in domain tasting, but its algorithms are more discrete than simply registering a domain you queried. Namecheap will taste if you have several variations of the domain in your cart. Netsol based upon query volume for a name. Go with Porkbun, Namesilo, or even Cloudflare for domain registration. A domain is a domain is a domain, doesn't matter where you get it from as long as the company is reputable.
|
|
#
?
Feb 1, 2019 20:07
|
|
|
Probably just go with cloudflare at this point, who are reputable, good at security, and sell at the same prices it costs them to buy
|
|
#
?
Feb 1, 2019 23:38
|
|
|
Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice? For technical considerations, what I'm going to eventually put on there is a simple Node/Express server and MongoDB install using I guess a cheap/free academic AWS account. Until I get all that working I guess I will just do forwarding to a temporary site. Traffic/latency might matter in the far future.
|
|
#
?
Feb 2, 2019 01:08
|
|
|
if you're planning on using AWS anyway, you can register domains through AWS Route 53 prices here https://d32ze2gidvkk54.cloudfront.net/Amazon_Route_53_Domain_Registration_Pricing_20140731.pdf
|
|
#
?
Feb 2, 2019 01:36
|
|
|
Dumb Lowtax posted:Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice? If the cost of the domain is not prohibitive to you I would just buy it. Seconding AWS if you are gonna host there anyways, it's convenient to have it all in one place. But if you end up hosting elsewhere, it can't hurt to have your domains managed in AWS. I like gandi.net for my domains, that's the registrar AWS uses under the hood.
|
|
#
?
Feb 2, 2019 03:39
|
|
|
I see lithium recommend here but cant find the versions of php they support, anyone know? I have to host a 5.x app (yep)
|
|
#
?
Feb 14, 2019 03:52
|
|
|
PlesantDilemma posted:I see lithium recommend here but cant find the versions of php they support, anyone know? I have to host a 5.x app (yep) 4.x+ is officially supported
|
|
#
?
Feb 14, 2019 04:43
|
|
|
Rufus Ping posted:Probably just go with cloudflare at this point, who are reputable, good at security, and sell at the same prices it costs them to buy Cloudflare registration isn't generally open, though they do allow you to transfer in. I just did it with one of my domains and iirc they charge at-cost, so around $8/year or so. If you can find a place to buy a .com on sale for less then you could always just transfer into Cloudflare before it expires in a year. Dumb Lowtax posted:Thank you! There's a domain name I want to jump on quickly but I have not done any research on what I need from a technical standpoint, and generally know nothing about DNS. Is it a good idea to jump now before I learn more or could I make a regrettable choice? Go to https://domains.google and search for your domain name there. They sell .com domains for $12/year, so it's only slightly above cost and you probably already have a Google account with your credit card information on it so it can't get any easier. You can deal with the DNS stuff later on, it's super easy! Another domain website I like is https://iwantmyname.com which has some TLDs that Google doesn't sell, like a lot of the ccTLDs (.de, .fr, .nl, etc). There's also https://www.gandi.net but I think they are a bit pricier, but they seem to have the most options for TLDs but that only matters if you wanted an obscure domain name. I probably wouldn't search for domain name availability on any other website (other than other reputable companies, like say amazon.com) because there's always the chance that some lovely company will see you're interested in buying it and then try to extort you for more money. I don't know how common this is anymore but I'm pretty sure companies like GoDaddy do it or used to do it. tldr, if you have $12 today then just go buy the domain name and deal with the dns/hosting/etc later. e: Just a quick general tip, if you're trying to buy an obscure/ccTLD you can/should always check if you can buy it directly from the source for much cheaper. Like, iwantmyname.com charges 84€ for a .is domain and some others charge over 100€. The place that actually sells it, isnic.is, sells them for 30€/yr. Boris Galerkin fucked around with this message at 12:39 on Feb 16, 2019 |
|
#
?
Feb 16, 2019 12:35
|
|
|
I have a domain through name.com that just forwards to another site (done through their control panel.) I'd like to get google analytics on it so I can see how many people, from where, etc. are being redirected through the link. What's the most streamlined way to do that with the lowest possible addition to loading time? e: PS lithium rules KOTEX GOD OF BLOOD fucked around with this message at 19:11 on Mar 21, 2019 |
|
#
?
Mar 21, 2019 19:04
|
|
|
KOTEX GOD OF BLOOD posted:I have a domain through name.com that just forwards to another site (done through their control panel.) I'd like to get google analytics on it so I can see how many people, from where, etc. are being redirected through the link. What's the most streamlined way to do that with the lowest possible addition to loading time? If you are redirecting you will lose the benefits of the redirect if you add a HTML page in between.
|
|
#
?
Mar 23, 2019 19:58
|
|
|
What is the best practice for hosting multiple domains on a LEMP stack? There are four domains, each using wordpress, and I am moving them from their current shared hosting to a VPS (probably digitalocean). I'd like to have all four sites on the single VPS, however if ONE wordpress site gets owned/hacked, I don't want the hacker to be able to get to the other three sites. Is Docker the best way to do this, with maybe the host running nginx as reverse proxy, or should I make multiple linux users for each site and follow something like this: https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04
|
|
#
?
Apr 1, 2019 21:12
|
|
|
Alpha Mayo posted:What is the best practice for hosting multiple domains on a LEMP stack? I use FPM pools separated by user and chrooted and have not felt any concern regarding security or performance, so that's my personal recommendation.
|
|
#
?
Apr 1, 2019 21:22
|
|
|
Alpha Mayo posted:What is the best practice for hosting multiple domains on a LEMP stack? There are four domains, each using wordpress, and I am moving them from their current shared hosting to a VPS (probably digitalocean). Make sure you're remaining diligent on updating plugins/themes. WP by default only updates core. Jailing is your best bet or with containers. Better yet is to leave the web app system files under a separate uid than what PHP-FPM operates under such that everything but wp-content/ is under 1 uid and wp-content/ under another. Deploy core updates with wp-cli. Go with Vultr or Hetzner instead of DO. Their performance isn't incredible compared to alternatives.
|
|
#
?
Apr 1, 2019 22:19
|
|
|
Soaring Kestrel posted:I use FPM pools separated by user and chrooted and have not felt any concern regarding security or performance, so that's my personal recommendation. Is that Digitalocean guide pretty accurate on doing that?
|
|
#
?
Apr 1, 2019 22:19
|
|
|
Anyone used Gandi as an email host before? Any issues I could expect from them?
|
|
#
?
Apr 2, 2019 11:22
|
|
|
Alpha Mayo posted:Is that Digitalocean guide pretty accurate on doing that? It specifically omits chroot, which i think shouldn't be done, and it should probably also be noted that newer versions of PHP are available from code:
|
|
#
?
Apr 2, 2019 11:45
|
|
|
Time to update Apache! https://httpd.apache.org/security/vulnerabilities_24.html cPanel is working on an EA4 update to address this, should be out later today. https://forums.cpanel.net/threads/ea-8307-update-ea-apache24-to-2-4-39-for-cve-2019-0211.650517/
|
|
#
?
Apr 3, 2019 15:43
|
|
|
Affects mod_php but not FPM workers provided you're not running FPM workers under the same UID as the web server... I can't imagine why you would.
|
|
#
?
Apr 3, 2019 23:36
|
|
|
I've been home hosting a couple of game servers and NodeJS based websites/webapps for a while. Nginx in docker is acting as a reverse proxy, and I'm using docker containers and volume bind mounts for the applications too. Pretty much everything is either managing its own state in said volume mount, or using SQLite with the .db in a volume mount. Host OS is Ubuntu 16.04 on Hyper-V, with 8GB RAM allocated to it. There's more RAM available on the host if need be. A friend is asking me to host a low but not zero load hobby Wordpress site now, which I've been intentionally avoiding. Should I spin up an entirely new VM for isolating the Wordpress / Mysql to its own thing and just install them the traditional way as a service, or is Wordpress less toxic than I think and I can just throw in Wordpress and MySQL docker containers alongside my other stuff? I hear PHP is better now, but I'm still wary.
|
|
#
?
Apr 16, 2019 15:55
|
|
|
PHP isn't the problem (directly), it's the state of the plugin/theme ecosystem. My personal position, learned the difficult way, is don't go near hosting other people's code - pay someone else to do it instead. That said, the worst that's likely to happen is someone getting code exec inside the container as the same user that wordpress runs as. So consider how your docker setup would fare under those circumstances and weigh up your options accordingly. The most obvious point is make sure the docker control socket isn't accessible from inside the container or an attacker can break out trivially. And make sure the wordpress database user doesn't have access or privs it doesn't need. The linux kernel itself has a fairly poor track record of isolating containers correctly, although this can be mitigated somewhat using seccomp and reducing capabilities.
|
|
#
?
Apr 16, 2019 18:29
|
|
|
WordPress is only as safe as you let it be. People do stupid things, so if you can't trust your friend to not do stupid things then pass. Just today I handled a situation where a theme allowed a user to enter an arbitrary email address and send a copy to itself... sure enough that was exploited by a Chinese botnet of around 250 distinct addresses to spam. If you do host him a few things,
|
|
#
?
Apr 16, 2019 18:56
|
|
|
|
| # ? Apr 20, 2024 11:09 |
|
|
Biowarfare posted:If you are redirecting you will lose the benefits of the redirect if you add a HTML page in between.
|
|
#
?
Apr 17, 2019 17:18
|
|