Effective June 22, 2016 our packages have changed for new clients. Technology changes as does what is considered the “bare minimum” utility set. Applications built on Symfony assume Composer support. Laravel requires Artisan. Even static sites use SCSS/SASS preprocessors to change look and feel on the fly. Everything is tied back to the terminal, which is now standard on every package. Every package also includes requisite support to run Node, Ruby, or Python utilities from the command-line limited only by available package memory (begins at 256 MB). All accounts prior to June 22, 2016 will be grandfathered into the old rates and specifications.
Along with standardizing terminal support, the baseline $5/month package has been retired in favor of a $10/month Essential package including a doubling of storage to 2 GB. All packages have had monthly transfer doubled as well.
Moving forward, including terminal support on all accounts provides an exciting opportunity to streamline, within the control panel, the development pipeline for clients from source to release of web applications.
A new control panel update has been pushed to the servers incorporating a “Learning Mode” to Fortification available under Web > Web Apps. Learning bridges the gap between known and unknown web apps by taking a filesystem snapshot, opening permissions, then taking another snapshot after a predetermined amount of time (60 minutes). Changes are calculated three ways: creation time, modification time, and size to determine what files the web application has modified during this window. Once a changeset has been calculated, the control panel locks down all files except those files (or directories) required by the web server.
Learning Mode is only available on unknown apps. Common apps (WordPress, Joomla!, Drupal, and Magento) have prescribed Fortification Modes available to each (and Web App Write Mode is always available to allow 100% write access for 10 minutes). Learning Mode is relevant only when an application is installed that does not fit into the big four.
Beyond Fortification enhancements, there is a new API call for unattended commands, pman_schedule_api_cmd(), which powers a significant share of new CP enhancements; scheduled task tagging to prevent duplicate tasks; initial webhook framework; localization (Account > Change Information); and 125 miscellaneous changes and fixes to the control panel!
NEW: NO_WAIT flag, send command to backend without waiting for response (DataStream)
NEW: localization. Feature does not affect CP language at this time, only one-clicks if support
NEW: Joomla! one-click, still need to implement update + extension management (Web Apps)
NEW: Web App Write Mode, a fortification mode that temporarily grants write-access to the web server for 10 minutes, then seizes those files created rendering it secure from future modification (Web Apps)
NEW: add support for non-numeric array keys (Error Reporter)
NEW: add umask support to Util_Process::Sudo()
NEW: schedule_api_cmd_admin()- run an api command as any arbitrary account and any user under that account (Pman)
NEW: schedule_api_cmd()- run an apnscp command as the current user at a given time (Pman)
NEW: add duplicate atd process detection with ID tags (Util_Process::Schedule)
NEW: add WordPress install option to Add Subdomain/Addon Domains
NEW: include recommended preloaded WP stacks
NEW: WordPress one-click module (WordPress)
NEW: normalize_path()- take a hostname + optional path component and return its corresponding docroot (Web)
NEW: support array data types using the format [item1,item2,…] or key-value as [item1:val1,…] (cmd)
NEW: empty_mysql_database() – retain schema structure, but purge all records in db (SQL)
NEW: export databases (MySQL Manager)
NEW: EOL selector on file edit (File Manager)
NEW: Let’s Encrypt multi-domain (SAN) support (SSL)
FIX: typo on path to log files (File Manager)
FIX: allow deletion of directories (File Manager)
FIX: fortify(max) called immediately after web app write mode enabled (Web Apps)
FIX: truncated parameters include markup language (DNS)
FIX: strip quotes if key passed to CLI quoted (cmd)
FIX: bring back addon domain editor (Addon Domains)
FIX: error once if domain -> site mapping fails instead of on each record (tabulateBandwidth)
FIX: email on v4 platforms delivered using LF EOL, parser expects CRLF (parseTicket.php)
FIX: trim randomly generated name if name + prefix exceeds user column max length (Module_Support::Webapps)
FIX: get_directory_contents()- call stat() instead of stat_backend() to take advantage of stat cache (File)
FIX: killing shellinabox left behind children (Service::Terminal)
FIX: encode seen server cookie to prevent cookie spanning multiple lines that would break the Set-Cookie header (Auth::Redirect)
FIX: get_acls()- incorrect caching (File)
FIX: when changing domain, on logout, force an internal proxy redirect to the server. Logging out will clear the temporary proxy location cookie rendering the client unable to login following a domain change (Change Information)
FIX: extract inline attachments (parseTicket)
FIX: get_user_settings() must return array at all times (Manage Users)
FIX: require domains to be selected when creating a subdomain (Subdomains)
Effective immediately, one-clicks are gradually making their return to the control panel after an 8 year hiatus, but in a limited release on version 4.5+ platforms. Specifically, one-clicks are coming for WordPress, Drupal, Magento, and some basic Node/Ruby/Python scaffolding. Webapps may be managed within the control panel under Web > Web Apps or preloaded on subdomain/addon domain creation under the Advanced options dropdown.
Simply noted, the control panel is now mature enough and provides enough internalfunctionality to support one-clicks in a coherent, optimized flow without nasty hacks. These one-clicks are also drastically different from what was once provided in the CP. These rely upon programs developed by the authors of the software to provide functionality. For WordPress there’s wp-cli, Drupal is drush, npm for Node, and gem for Ruby. No, this isn’t reinventing the wheel. It’s taking a perfectly fine wheel and putting it on a vehicle. This is how we are able to bring one-clicks back to the CP in limited capacity.
What about other apps?
These won’t be supported within the control panel until sufficient trust is established.
There is a lot to say about code quality. Why does an app crash? Bad coding. Why does an app have a security flaw? Oversight, bad coding. Why does an app become abandoned? Lack of dedication by the author, and your output is a product of your inputs, so let’s safely assume there is some bad coding involved in that decision making process. There are thousands of PHP applications out there. There are hundreds of Node and Ruby apps out there too, but they all lack a sufficient level of competency to safely and securely run. Having handled a couple dozen PHP7-specific adaptations for clients migrating to Luna, which uses PHP7 by default, I can say confidently that beauty runs skin deep. Often times, apps with less money behind them simply fail to attract necessary talent to produce software that works today and will continue to work tomorrow. Yes, some apps do some really stupid things, like use continue/break outside of loop structures (SimpleMachinesForum comes to mind as a repeat offender). PHP7 has clamped down on these mind-boggling incorrect uses of programming syntax.
Security is paramount, especially in an era where virtualization has enabled thousands more machines access to the Internet. These machines are often manned by unqualified personnel that remain neglected for so long only to succumb to third-party control through an exploit. Your hosting servers routinely block over 2,000 brute-force attacks per day. These blocks are based on egregious patterns (5+ logins within 3 minutes), but hundreds more fly under the radar trying only a handful of logins ever hour. Consequently, clients with weak passwords eventually fall victim to these drive-by hackings. It’s unfortunate. Clients are charged a service fee for cleanups. My time is often diverted, as an emergency, to clean up residual damage to ensure other clients conduct business uninterrupted. Moving forward, I want to continue to focus on building a secure platform. One-clicks help realize this vision through a few awesome components:
Fortification mode is, by far, the most unique component to web apps deployed within the CP. Fortification bestows a secondary level of permissions through access control lists that permit mutual access by the web server, which runs as a separate user from your account. Before, this was accessible only by opening a ticket. Fortification allows the web server to write and modify files only to which it receives explicit authorization. In the event of a hack, a hacker can only modify files to which the web server has access. Beneficially, if a web site were hacked, the hacker is unable to access your email, SSH keys, and other confidential information. Fortification strikes a perfect balance between ease-of-use and security. Just toggle fortification via Web > Web Apps within the control panel. With fortification on, the web server cannot modify any files on your account. Comments and posts continue to post as normal. With fortification off, you may upload media to posts. Although, you’ll still need your control panel password to install new plugins!
Circling back to a previous topic, crappy programmers beget crappy code. Recovery mode allows you to disable all third-party plugins and access a plain jane installation. Ideally, this will allow you to iteratively enable each plugin until you can safely determine which third-party programmer shouldn’t be a programmer.
Coming soon. All one-clicks are enrolled into automatic updates to protect clients from zero-day exploits. These updates will roll out every night at 3 AM EDT during nightly CP updates. Tentatively, this will also extend to Ruby and Node.
PHP apps run as a secondary user for myriad reasons. The most important reason is auditing; if an account gets hacked, we need to know what may be infected, what is infected, and what’s not. If the web server lacks write-privileges, then it is safe to say no. If the web server created the file within 24 hours of the incident, it’s safe to say yes. And if the web server had mutual write-access, then these require further auditing. Most hosting providers run PHP under your username, which is ludicrous, stupid, and irresponsible. It’s also the reason why major hosting providers bundle SiteLock service (which runs $100/mo plus a cleanup cost per infraction) service, their parent company owns UnitedWeb/IPOWER who in turn owns SiteLock, oh and their stock is (or was) doing very well! I base profit on providing a service, not holding clients who get hacked ransom. A $15 cleanup fee is charged to cover the 10 minutes it takes to do a quick audit and that’s it. We also scan uploads for malware, because once again we are in business to do good, not hold your account hostage due to negligence. In fact, the crux of this release is to make it impossible for you to be a victim. An online presence today is just as important, if not more important, than your physical presence; look at the power Yelp has to create or destroy businesses. Having a prospective client pull up a placeholder to the Syrian Electronic Army is a pretty damning display of incompetence. Look at the Panama Papers hack: outdated WordPress + single-user security. Let’s stop hacked sites. Let’s start by progressively providing secure platforms from the start.
WordPress comes with a couple stacks handpicked by my confidence to provide an uninterrupted and uneventful use of service. The security stack includes WordFence, renown for their investigative eye; XML pingback disabling; and comment disabling. The performance stack includes W3 Total Cache, which is used aggressively on the Knowledge Base and periodic database optimizations through WP Optimize. You can install both, either, or none depending upon what works best for your setup.
Got an existing WordPress app and want to enroll it into the new system? Easy as clicking Detect from within Web > Web Apps > Hostname selection. Got WordPress installed within a folder on your domain name? Click the dropdown menu and select Edit Subdir. Select your location from the filetree.
Drupal support through Drush is coming next (May 14 edit: Drupal is here), followed by Magento, which will include Let’s Encrypt support. We should see that sometime within the next week or so, followed by a lull as Passenger process management is planned for integration. Beyond this, I am always open to suggestions. Drop me an email at email@example.com with any idea whether big or small. After all, this control panel and platform wouldn’t exist without your voice!
Owner & Platform Developer
May 14, 2016: Drupal is now available May 18, 2016: Magento 1.x is now available