
Greetings everyone,

 

Firstly, I apologize if this is posted in the wrong area. I require some advice about deploying a website that has been in development for some time now (i.e. Countless templates (custom and pre-built), optimizations, etc). I am a semi-noob programmer though I am very knowledgeable in terms of HTML, CSS, and Javascript, and less so with things like PHP, server/website administration, etc. Throughout countless videos I have watched, I have heard like don't run as root admin, .htaccess, etc. Yet I know absolutely nothing about any of those aspects. I usually research aspects such as these thoroughly, but conclusively get conflicting reports. So my question is there anything else I should really know before diving deep into this and run into trouble with attacks, hackers, etc?

 

Additionally, I am considering the following to handle my web hosting, but feel free to suggest any good ones you know of:

  • A Small Orange (ASO)
  • FatCow
  • HostGator
  • NearlyFreeSpeech
  • Site5

 

Thanks in advance,

Mr. Cyborg

https://linustechtips.com/topic/181619-advice-for-deploying-a-website/

Greetings everyone,

 

Firstly, I apologize if this is posted in the wrong area. I require some advice about deploying a website that has been in development for some time now (i.e. Countless templates (custom and pre-built), optimizations, etc). I am a semi-noob programmer though I am very knowledgeable in terms of HTML, CSS, and Javascript, and less so with things like PHP, server/website administration, etc. Throughout countless videos I have watched, I have heard like don't run as root admin, .htaccess, etc. Yet I know absolutely nothing about any of those aspects. I usually research aspects such as these thoroughly, but conclusively get conflicting reports. So my question is there anything else I should really know before diving deep into this and run into trouble with attacks, hackers, etc?

 

Additionally, I am currently considering HostGator for my hosting and domain services, but I like to know of alternatives if things do not work out. Are there any good hosts out there besides HostGator (and no, never GoDaddy! - I know many whom have had massive trouble with them)?

 

Thanks in advance,

Mr. Cyborg

A really important piece of advice for all server-side programming: NEVER trust user inputs. And with never, I really mean never ;)

Escape all user inputs, this will give you a pretty good beginning ;)

Also, I would test all links, if they work well (should all be relative). 

Business Management Student @ University St. Gallen (Switzerland)

HomeServer: i7 4930k - GTX 1070ti - ASUS Rampage IV Gene - 32Gb Ram

Laptop: MacBook Pro Retina 15" 2018

Operating Systems (Virtualised using VMware): Windows Pro 10, Cent OS 7

Occupation: Software Engineer


Thanks for the reply. Yeah, I hear that a lot too particularly in regards to SQLInjection.

I would provide links, but I have yet to actually acquire the hosting or the domain name to do so.

Will update when I do though.


Also, I would use HTAccess files to create simple urls. For example: your_website.com/products instead of something like your_website.com/main.php?show=products

It just looks better, but those are details :P

Also in addition, I would pay for a good web hoster, instead of using some cheap crap ;)


If you don't know anything about web server administration, opt for managed and/or shared hosting, i.e. a company like DreamHost. You will be provided with FTP information, you will dump your files in the website folder, i.e. /mywebsite.com/, and you'll be done. Dreamhost also supports unlimited domains, subdomains, MySQL databases, and FTP users.

 

While a virtual private server (VPS) provides more power and flexibility it requires more configuration and a greater understanding of the platform. When you opt for a VPS you are responsible for choosing and installing the web server along with its configuration and you're responsible for installing and enabling modules and addons. On top of that you need to configure the firewall, install and configure FTP, MySQL, etc, etc, etc. 

 

Dreamhost promo code: AUSUD87 will save you $40 on one year or $60 on two.


.htaccess files have a lot of uses, they're a directory level configuration file allowing you to do all sorts of webserver configuration specific to the directory where the .htaccess file resides. One example as you mentioned is mod_rewrite configuration but you can also set up your cache controls, server side includes, custom error pages, authentication & blocking, and stuff of that nature.

 

For example I generally include something like this which is cache configuration:

    ExpiresActive on
    ExpiresByType application/x-font-woff "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType application/x-javascript "access plus 1 month"
    ExpiresByType text/x-javascript "access plus 1 month"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"

    <files *.js>
    SetOutputFilter DEFLATE
    </files>

I am open to suggestions and greatly appreciate them, I have temporarily placed Dreamhost under the category of "Avoid." I have seen multitudes of reports (granted that everything on the internet is to be taken with a grain of salt and everyone's situation is different) that allude to and/or explicitly state that they have closed accounts without warning due to high resource usage. While I understand that they need to maintain a certain level of available bandwidth to maintain speed and uptime, it is difficult for me to trust a firm that operates in bad faith.

 

That being said, are there other managed/shared hosts that you know of? Additionally, do you know of any reputable place to learn more about web server administration should I need to go down that road?


What you've mentioned is something that will occur with any shared host, even a VPS, when you reach a certain threshold but there will generally be a warning and a period where you're able to rectify the problem or move the site. I for example had one site on shared hosting that was extremely CPU intensive for some reason and was contacted by the hosting company and given 48 hours to rectify the issue or that site would be disabled (the site, not my account)... I opted to shut it down myself and find & fix the problem and everything was fine. 

 

I've had similar situations with VPS hosting but they were outside anyone's control. One of the servers I was managing was being constantly hit by extremely large DDoS attacks that were not only affecting the physical host my server was on but the entire data center when they hit. The company worked with us for a few months to null route when it occurred, move us to new IP addresses to hide from the attacker, and so on but after about 6 months of on and off attacks they told us to take a hike. (before anyone replies about "why didn't you get DDoS protection" in the end we did but it was extremely expensive... we're talking multiple thousands per year so it wasn't an immediate option.)

 

Super high traffic sites are also not the purpose of shared hosting. You're sharing the computing power of the server and the bandwidth with other users so you're not going to be able to run something like reddit.com on shared hosting. Temporary spikes in high traffic (the "slashdot effect" for example) will generally result in temporary suspension which is the server attempting to protect itself. 

 

In other words... if you tax the resource of the host they're not going to want to host you but in every instance where I have been the troublesome customer I've had plenty of opportunity to fix it. 

 

 

 

That being said, are there other managed/shared hosts that you know of? 

 

I've personally used Dreamhost for my small stuff, but there is also: Hostgator, Bluehost, GoDaddy, 1&1.

For my virtual private servers I use Linode and DigitalOcean.

 

 

 

Additionally, do you know of any reputable place to learn more about web server administration should I need to go down that road?

 

If you opt for a VPS you'll be administrating the operating system and the web server layer... You're more than likely going to want to opt for Linux so if you don't know anything/much about Linux I can't recommend "Essential Linux Administration: A Comprehensive Guide for Beginners" enough, it's a great book for beginners but there are plenty of resources online as well. For the webserver you're going to want to go with Apache which has a bunch of great tutorials: http://httpd.apache.org/docs/2.0/misc/tutorials.html

 

To give you an idea of the things I do when I create a new VPS (I'll probably forget something but this is a basic list):

 

- I set up my users and SSH security (key-pair authentication & PermitRootLogin no).

- Setup and configure screen.

- Setup iptables (firewall) & Create a startup script to ensure my config is applied on boot.

- Install and configure fail2ban

- Install Apache, MySQL, PHP, and PhpMyAdmin

- Configure the above

- Disable the default Apache site and make my own. 

- Setup site config files for what I'm actually hosting

- Install and configure FTP

- Setup logrotate

- Setup backup jobs

 

I'm sure I'm forgetting some things as well... I haven't done a fresh setup in a while and you constantly add and tweak things as the need arises anyhow. Personally I don't use /var/www (the default) for my sites and I use ~/public_html/<domain name>/<public/logs/backups> so there is some directory permission configuration that goes along with that as well.

 

Ongoing management involves monitoring, backups, performance tweaking, updating, and so on... As an example, if you're monitoring disk i/o and notice some odd spikes you might want to run iotop for a while and attempt to isolate the problem and rectify it..
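
The SSH step of the checklist above (key-pair authentication and PermitRootLogin no), as an added example that is not part of the original post: a POSIX shell audit of an sshd_config-style file. The function names and both sample configs are constructed for illustration, and the parser does not follow Include directives.

```shell
#!/bin/sh
# Print the effective global value of keyword $1 in file $2 (empty if unset).
# Keywords are case-insensitive, the first occurrence wins, and lines after a
# "Match" line are conditional, so the scan stops there. Include is not followed.
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # comment line
        { gsub(/=/, " ") }                       # accept "Keyword=value"
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Print one line per weak setting; succeed only when there are none.
audit_sshd() {
    findings=0
    root=$(sshd_effective PermitRootLogin "$1")
    pass=$(sshd_effective PasswordAuthentication "$1")
    pubkey=$(sshd_effective PubkeyAuthentication "$1")
    : "${root:=prohibit-password}" "${pass:=yes}" "${pubkey:=yes}"  # OpenSSH defaults
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root (want no)"; findings=$((findings + 1)); }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=$pass (want no)"; findings=$((findings + 1)); }
    [ "$pubkey" = yes ] || { echo "FAIL PubkeyAuthentication=$pubkey (want yes)"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# Constructed sample: defaults left in place, hardening only inside a Match block.
write_weak_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
Port 22
permitrootlogin yes
#PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
}

# Constructed sample: checklist applied; the trailing duplicate is ignored by sshd.
write_hardened_sample() {
    cat > "$1" <<'EOF'
PermitRootLogin no
PasswordAuthentication=no
PubkeyAuthentication yes
PermitRootLogin yes
EOF
}

tmp=$(mktemp -d)
write_weak_sample "$tmp/weak"
write_hardened_sample "$tmp/hardened"
for f in weak hardened; do
    echo "== $f"
    if audit_sshd "$tmp/$f"; then echo "OK"; fi
done
rm -rf "$tmp"
```

On a real host, `sshd -T` run as root prints the effective configuration, including any included files, and is the authoritative check.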


Having used DreamHost, Netfirms, Bravenet, and currently using HostGator, I can say they've all been pretty good in terms of bang for buck, but as @omniomi has said above, be wary of shared hosts. Research, research, research! Oh, and be very careful of any hosting provider recently bought by Endurance International Group. (HostGator, Netfirms, and BlueHost are all part of the group.) Most of the companies EIG buys become extremely price competitive, which is really good, but on the flip side have their cons regarding data centre reliability, customer support, and billing.

 

I'm not trying to attack any of these companies in particular; in fact, my current host (shared account with my friend's hosting package) is still Hostgator and both my friend and I have had no problems with their support personally. Netfirms on the other hand... Don't even. A marketing firm I work at uses them for domains and hosting; the domains are fine, I have a few .ca's through them myself, but hosting is atrocious. They make directory brochures (think wedding planner, or sightseeing brochure) and have corresponding websites for each: 2 Wordpress CMS's, 1 Code Igniter project, and 3 Good Old Fashioned Hand Written Code sites. The hand written code sites work fine most times, save for the one using a < 20MB MySQL database, but the Wordpress sites (pared back to 4 plugins for speed's sake) operate slower than Wordpress.com's free blogging service. I suspect they have code or some triggers that detect Wordpress code and throttle the server back or something.

 

Currently I'm halfway to switching over to Crocweb.ca for hosting simply because of all the positives I keep hearing on Twitter regarding their service and support. They co-locate with Netelligent in Canada, and although you don't get "unlimited" packages, their prices are not too shabby.

Desktop: KiRaShi-Intel-2022 (i5-12600K, 5060 Ti) Mobile: Moto Razr 50 Ultra (Razr+ 2024) | 30GB CAN+US+MEX $30/month
Laptop: Lenovo Yoga 7i (16") 82UF0015US (i7-12700H, 16GB/2TB RAM/SSD, A370M GPU) Tablet: Lenovo Tab Plus (256GB)
Camera: Canon M6 Mark II | Canon Rebel T1i (500D) | Canon SX280 Music: Spotify Premium (CIRCA '08)


I've used Dreamhost in the past, and wasn't particularly impressed. If you use shared/managed hosting, you don't need to worry about the server itself's security.

 

I personally use DigitalOcean, it's a really fast VPS provider but it would require that you configure a web server. If you're willing to put in the time to understand a little security, I'd recommend it. I love it.

Want to solve problems? Check this out.


Another recommendation for DigitalOcean. Fast and cheap. You can have the VPS setup install LAMP (or LEMP - Nginx instead of Apache) automatically for you, and then it's just a matter of a little configuration... Or, if you prefer it can automatically install everything needed for a Ruby on Rails or Django project for you.

I have LAMP set up on my VPS, and then I use bare Git repos + Git hooks to easily push my project changes to my live server.

Great thing about a VPS is that you can use it for more than web stuff, too. I have a Mumble (VoIP) server and Minecraft server running on there too. And because DigitalOcean is so cheap I can afford a fast machine that can handle all of that with ease.


Finish what you start. I should really do that...
