Author Topic: FORUM DISRUPTION: Server Upgrade  (Read 15693 times)


Offline wilfred

  • Super Contributor
  • ***
  • Posts: 4976
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #50 on: March 31, 2017, 03:23:04 pm »
technical hurdles are no longer much of an issue anymore, the concern was always with performance. We have three options here

1) use CloudFlare for SSL, but that means we must proxy through them.
2) use letsencrypt.org for a free SSL cert, this involves a little bit of setup on the server to renew the cert before it expires as these have a 3 month expiry.
3) purchase an SSL certificate

Not my money of course, although option 3 seems to choose itself.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 25884
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #51 on: March 31, 2017, 03:46:09 pm »
Another thing... Any thought to putting an SSL on here? We could probably make that happen......
That's been discussed many times on here.
I'm sure gnif can fill you in the tech details as he has investigated this extensively I believe.
I would like to, as a lot of people have asked for it, but I believe there are some technical hurdles to overcome.
The technical hurdles are no longer much of an issue anymore, the concern was always with performance. We have three options here
1) use CloudFlare for SSL, but that means we must proxy through them.

So if we chose to do that and we disable Cloudflare then the website revokes back to http only?

Quote
2) use letsencrypt.org for a free SSL cert, this involves a little bit of setup on the server to renew the cert before it expires as these have a 3 month expiry.
3) purchase an SSL certificate

Which type do we need?
http://support.hostgator.com/articles/ssl-certificates/acquire-ssl/how-do-i-purchase-an-ssl-and-what-type-is-it



 

Offline gnif

  • Administrator
  • *****
  • Posts: 985
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #52 on: March 31, 2017, 03:49:25 pm »
So if we chose to do that and we disable Cloudflare then the website revokes back to http only?

Only if we do not install a cert on the server.

Which type do we need?
http://support.hostgator.com/articles/ssl-certificates/acquire-ssl/how-do-i-purchase-an-ssl-and-what-type-is-it

For this website since there is no real sensitive information, the cheapest option. You do not need to use HG for this, any certificate authority is fine, personally I have used RapidSSL, and AlphaSSL, but I believe there are better/cheaper options today. To be completely honest though if it was me I would just go for the letsencrypt.org service, it is if anything more secure than a generic SSL cert from other providers as it renews every 3 months, and the setup is quite simple on the server.
HostFission - Full Server Monitoring and Management Solutions.
https://hostfission.com/
https://twitter.com/HostFission

I volunteer my time to manage this server, if you would like to support this work I have a patreon here:
https://www.patreon.com/gnif
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3633
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #53 on: March 31, 2017, 03:50:53 pm »
2) use letsencrypt.org for a free SSL cert, this involves a little bit of setup on the server to renew the cert before it expires as these have a 3 month expiry.

Interesting service. It is not much of a problem for this forum, but such a service sounds like the perfect way for the NSA or other 3 letter agencies to get private SSL keys.
LetsEncrypt went through a long period of public security auditing before they offered their service, so it is one of the more secure SSL solutions. It is done properly.

There are many hosting companies that support LetsEncrypt, and they will automatically renew every 3 months - so all you have to do is request a free SSL cert in the CPanel, and you have a certificate that will automatically renew for as long as you want.

Most CPanel hosts now let you enter your own key, so I have 3 LetsEncrypt certs I generate every 3 months (single batch file to update all three), and then I manually add the new keys to the Cpanels.

For companies, I have always just got a commercial one - RapidSSL is something like A$12 a year if you buy from the right reseller.

Digicert is used by the likes of Facebook, so it is not a bad choice for companies.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 985
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #54 on: March 31, 2017, 03:51:54 pm »
2) use letsencrypt.org for a free SSL cert, this involves a little bit of setup on the server to renew the cert before it expires as these have a 3 month expiry.

Interesting service. It is not much of a problem for this forum, but such a service sounds like the perfect way for the NSA or other 3 letter agencies to get private SSL keys.
LetsEncrypt went through a long period of public security auditing before they offered their service, so it is one of the more secure SSL solutions. It is done properly.

There are many hosting companies that support LetsEncrypt, and they will automatically renew every 3 months - so all you have to do is request a free SSL cert in the CPanel, and you have a certificate that will automatically renew for as long as you want.

Most CPanel hosts now let you enter your own key, so I have 3 LetsEncrypt certs I generate every 3 months (single batch file to update all three), and then I manually add the new keys to the Cpanels.

For companies, I have always just got a commercial one - RapidSSL is something like A$12 a year if you buy from the right reseller.

Digicert is used by the likes of Facebook, so it is not a bad choice for companies.

cPanel is not an option here for the renewal process, this server, while it runs cPanel, is not using it for hosting, it's too slow. This is not an issue though as I can set up some custom scripts to handle the renewal.
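
One way the renewal check behind the "custom scripts" mentioned in the post above could look, as an added example that is not gnif's script or part of the original thread: it reads a certificate's expiry and triggers renewal only once a 90-day cert is inside its renewal window. The 30-day window, `RENEW_CMD` (a dry-run placeholder), and the function names are assumptions for illustration; it relies on GNU `date` and the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example: renewal-window check for a 90-day certificate.
# RENEW_WINDOW_DAYS, RENEW_CMD and the cert path argument are assumptions.

RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"   # renew once fewer days remain
RENEW_CMD="${RENEW_CMD:-echo DRY-RUN: renewal client would run here}"

# days_left "<notAfter text>" [now_epoch]
# Input is the date printed by `openssl x509 -noout -enddate`, without the
# "notAfter=" prefix. Prints whole days remaining; needs GNU date.
days_left() {
    local not_after="$1" now="${2:-$(date -u +%s)}" end
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
    echo $(( (end - now) / 86400 ))
}

# needs_renewal "<notAfter text>" [now_epoch]
# Exit 0: inside the window or already expired. 1: still fresh.
# 2: expiry unreadable, which the caller must treat as a failure.
needs_renewal() {
    local left
    left=$(days_left "$@") || return 2
    [ "$left" -lt "$RENEW_WINDOW_DAYS" ]
}

# cert_not_after <cert.pem>: read the expiry from a PEM certificate on disk.
cert_not_after() {
    local out
    out=$(openssl x509 -in "$1" -noout -enddate) || return 2
    echo "${out#notAfter=}"
}

main() {
    local cert="$1" not_after rc=0
    not_after=$(cert_not_after "$cert") || { echo "cannot read $cert" >&2; return 2; }
    needs_renewal "$not_after" || rc=$?
    case "$rc" in
        0) echo "renewal due: $(days_left "$not_after") days left"
           $RENEW_CMD ;;   # afterwards, reload the web server to serve the new cert
        1) echo "ok: $(days_left "$not_after") days left" ;;
        *) echo "could not parse expiry of $cert" >&2; return 2 ;;
    esac
}

# Run from cron with the certificate path as the only argument.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Exit status 2 means the expiry could not be read, so the cron job should raise an alert rather than pass silently.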
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 25884
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #55 on: March 31, 2017, 03:53:15 pm »
For this website since there is no real sensitive information, the cheapest option. You do not need to use HG for this, any certificate authority is fine, personally I have used RapidSSL, and AlphaSSL, but I believe there are better/cheaper options today. To be completely honest though if it was me I would just go for the letsencrypt.org service, it is if anything more secure than a generic SSL cert from other providers as it renews every 3 months, and the setup is quite simple on the server.

I like the idea of a new certificate every few months from a "why not" point of view.
How much work is involved in setting this up?
 

Offline gnif

  • Administrator
  • *****
  • Posts: 985
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #56 on: March 31, 2017, 03:53:53 pm »
For this website since there is no real sensitive information, the cheapest option. You do not need to use HG for this, any certificate authority is fine, personally I have used RapidSSL, and AlphaSSL, but I believe there are better/cheaper options today. To be completely honest though if it was me I would just go for the letsencrypt.org service, it is if anything more secure than a generic SSL cert from other providers as it renews every 3 months, and the setup is quite simple on the server.

I like the idea of a new certificate every few months from a "why not" point of view.
How much work is involved in setting this up?

About 1/2 hour, nothing huge.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 25884
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #57 on: March 31, 2017, 03:55:56 pm »
About 1/2 hour, nothing huge.

Make it so when you have some free time!
I can add the SSL certificate to Cloudflare I believe if that's required.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 985
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #58 on: March 31, 2017, 03:57:25 pm »
About 1/2 hour, nothing huge.

Make it so when you have some free time!
I can add the SSL certificate to Cloudflare I believe if that's required.

Great, I will later today. In the CF configuration you just tell it to use "Strict" mode, then it enforces that the SSL cert your server produces is valid.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 25884
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #59 on: March 31, 2017, 04:11:04 pm »
About 1/2 hour, nothing huge.

Make it so when you have some free time!
I can add the SSL certificate to Cloudflare I believe if that's required.

Great, I will later today. In the CF configuration you just tell it to use "Strict" mode, then it enforces that the SSL cert your server produces is valid.

Great, thanks.
Should start a new thread for this to report issues and discuss. Many nerds may rejoice.
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3633
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #60 on: March 31, 2017, 04:15:46 pm »
For this website since there is no real sensitive information, the cheapest option. You do not need to use HG for this, any certificate authority is fine, personally I have used RapidSSL, and AlphaSSL, but I believe there are better/cheaper options today. To be completely honest though if it was me I would just go for the letsencrypt.org service, it is if anything more secure than a generic SSL cert from other providers as it renews every 3 months, and the setup is quite simple on the server.

I like the idea of a new certificate every few months from a "why not" point of view.
How much work is involved in setting this up?
The 3 month expiry is a great idea. If someone hacks your site and gets the keys to your commercial 2+ year SSL certificate, they can pretend to be you. You can revoke the certificate, but it is up to the browsers to check to see if certificates are revoked or not. As far as I know, Chrome does not actually check for revoked certs. They have their own system that can accept some revoked certificates.
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 1621
  • Country: us
Re: FORUM DISRUPTION: Server Upgrade
« Reply #61 on: April 01, 2017, 12:40:58 am »
 I'm pretty sure Chrome blocks if the cert is revoked just like other browsers. Just had a customer attempt to replace their SHA-1 certs with SHA-256 and didn't realize that once he requests the existing cert to be re-keyed it revokes the old version of it, and attempting to access the site using this cert with Chrome resulted in a revocation error until it was replaced. Prior to rekeying, the error in Chrome was the one that since it was SHA-1 it wasn't actually secure.


 

Offline jippie

  • Supporter
  • ****
  • Posts: 118
  • Country: nl
Re: FORUM DISRUPTION: Server Upgrade
« Reply #62 on: April 01, 2017, 09:37:52 am »
Seems the forum is no longer sending HTTP_REFERER, which broke my dynamic avatar  :--

Stopped working probably somewhere between:
31/Mar/2017:13:03:04 +0200
and
31/Mar/2017:14:24:58 +0200
« Last Edit: April 01, 2017, 09:44:33 am by jippie »
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3633
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #63 on: April 01, 2017, 10:05:08 am »
I'm pretty sure Chrome blocks if the cert is revoked just like other browsers. Just had a customer attempt to replace their SHA-1 certs with SHA-256 and didn't realize that once he requests the existing cert to be re-keyed it revokes the old version of it, and attempting to access the site using this cert with Chrome resulted in a revocation error until it was replaced. Prior to rekeying, the error in Chrome was the one that since it was SHA-1 it wasn't actually secure.
Last I heard, Google had decided not to let browsers check if a cert was revoked, but instead Google runs its own in-house tracking of revoked certs, and somehow Chrome uses this Google service. They did have an optional setting to re-enable revoke cert checking in Chrome, but that seems to have disappeared. This solution often works but not all the time. Google's cert database may be much faster, but it is not necessarily comprehensive or up-to-date.

If Google has gone back to allowing Chrome to directly check for revoked certs, it would be interesting to know.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 25884
  • Country: au
    • EEVblog
Re: FORUM DISRUPTION: Server Upgrade
« Reply #64 on: April 05, 2017, 10:47:44 am »
Big jump in the number of forum sessions:
 

Offline cw360

  • Newbie
  • Posts: 4
  • Country: us
Re: FORUM DISRUPTION: Server Upgrade
« Reply #65 on: April 05, 2017, 10:53:33 am »
Big jump in the number of forum sessions:

Wow. This new traffic from somewhere? Google? I know they like SSLs.....

What do the source reports say?

If it's direct/eevblog.com there might be a self refer issue in the analytics.


Sent from my iPhone using Tapatalk
 

Offline wilfred

  • Super Contributor
  • ***
  • Posts: 4976
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #66 on: April 05, 2017, 11:10:39 am »
What is the date of the jump?
What is the cycle of the peaks/troughs in the new session level? Weekly?
What is the old/new session length on average?

Like I've said before I'm no network expert but is there a session reuse or maybe it is called persistent sessions. Has that changed?
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 11740
  • Country: nz
    • Taupaki Technologies Ltd.
Re: FORUM DISRUPTION: Server Upgrade
« Reply #67 on: April 05, 2017, 02:01:54 pm »
Big jump in the number of forum sessions:

There's been some crazy #'s viewing GK's thread:
http://www.eevblog.com/forum/projects/oscilloscope-pong-for-1-or-2-players/
Avid Rabid Hobbyist & NZ Siglent Distributor
 

Offline gnif

  • Administrator
  • *****
  • Posts: 985
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #68 on: April 05, 2017, 04:39:17 pm »
What is the date of the jump?
What is the cycle of the peaks/troughs in the new session level? Weekly?
What is the old/new session length on average?

Like I've said before I'm no network expert but is there a session reuse or maybe it is called persistent sessions. Has that changed?

This coincides with fixing the 502 errors, I suspect CF has been serving tons of cached requests to try to work around the issue, we saw this jump before we turned on SSL.
 

Offline dimkasta

  • Regular Contributor
  • *
  • Posts: 185
  • Country: gr
Re: FORUM DISRUPTION: Server Upgrade
« Reply #69 on: April 06, 2017, 12:19:18 am »
I have letsencrypt on a couple of small sites for testing. I have no issues with it yet. Through cpanel, or using Laravel's homestead/forge.
You might want to check Taylor Otwell's scripts if you don't want to write them yourself. I think they are available with homestead.
Also, keep an eye on their newsletter. They recently changed their services, and caused disruption on certificate updates for many sites that did not update their scripts in time.

About cloudflare, keep an eye on your webmaster tools too. You might have to fiddle with seo settings or sitemap creation.
Google deindexed all images when we switched to https on one of our sites (without any obvious seo problems)
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 11740
  • Country: nz
    • Taupaki Technologies Ltd.
Re: FORUM DISRUPTION: Server Upgrade
« Reply #70 on: April 06, 2017, 10:24:30 am »
Short period of forum outages that lasted only a minute or two @~12.20 NZ time.
522 error.
 

Offline dimkasta

  • Regular Contributor
  • *
  • Posts: 185
  • Country: gr
Re: FORUM DISRUPTION: Server Upgrade
« Reply #71 on: April 06, 2017, 11:06:46 am »
Same here
 

Offline gnif

  • Administrator
  • *****
  • Posts: 985
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #72 on: April 06, 2017, 01:48:19 pm »
Short period of forum outages that lasted only a minute or two @~12.20 NZ time.
522 error.

Thanks,

522 is a CloudFlare error, it is when CF can not establish a connection to the server, there have been no server faults or reported network outages on our end, I would guess that there was a temporary down route somewhere between CF and the server.
 
The following users thanked this post: tautech

Online tautech

  • Super Contributor
  • ***
  • Posts: 11740
  • Country: nz
    • Taupaki Technologies Ltd.
Re: FORUM DISRUPTION: Server Upgrade
« Reply #73 on: April 29, 2017, 10:09:29 am »
Gotta say how good the forum's been lately....just brilliant.  :-+

Not an error at all for weeks, just perfect.
Thanks Dave for putting your hand in your pocket and gnif for the grafting and tweaks.  :-/O
« Last Edit: April 29, 2017, 10:35:39 am by tautech »
 
The following users thanked this post: SeanB

Offline gnif

  • Administrator
  • *****
  • Posts: 985
  • Country: au
Re: FORUM DISRUPTION: Server Upgrade
« Reply #74 on: April 29, 2017, 10:49:18 am »
Gotta say how good the forum's been lately....just brilliant.  :-+

Not an error at all for weeks, just perfect.
Thanks Dave for putting your hand in your pocket and gnif for the grafting and tweaks.  :-/O

Thanks mate, I am glad to hear it :)
 
The following users thanked this post: SeanB, tautech

