Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Nginx Proxy

    Nginx Proxy

    Will you all quit nagging me now? I kid. Very few of you actually got on my case about nginx.

Nginx is an HTTP server and reverse proxy, which is a really fancy way of saying “It runs websites.” Most people still use Apache, and Nginx is perceived as being faster with how it serves static files. My issues with it are twofold:

    1. I don’t just run WordPress here
    2. I need my .htaccess for those other things

    Yes, there are older webapps that don’t support nginx. But at the same time, what if I could have my cake and eat it too? What if I could use nginx to serve up the static files and apache for the rest? That would mean I would be able to install nginx on my CentOS 6 box as a reverse proxy.

    It’s actually not that hard, but let me explain why this is a good idea. Apache takes up a lot of server memory, which nginx does not. Nginx is awesome at static files, but not the best at dynamic, and you’ll need a module like php-fpm for that. But… One of the sites on this server has a gallery that takes up 50% of the webspace of all accounts on the server. Stop and ponder that for a moment. While I do have server-side caching (memcached and ZendOptimizerPlus) running, adding in nginx up front means my images would be served faster.

Speaking of faster, by putting nginx in front, it makes it so only true HTTP requests get passed on to Apache, which protects against attacks like DDoS and other brute-force floods that have nothing to do with nginx itself. I still have (and use) mod_security, of course, as well as ConfigServer Firewall. More on that later. Let’s get this sucker installed!

    yum install nginx
    

Nginx Community (background image enhanced)

    Install Nginx

    Oh, sorry? Was that supposed to be harder? It’s not. This is pretty much the simple part.

    Install nginxCP

    Normally my next step would be to configure nginx (see Ben Tasker’s CentOS: Using NGinx to serve static files and Apache for dynamic for details) and apache. Unlike Ben, I have WHM on my server, which means when I build apache it’s with Easy Apache, which means any edits I make to my httpd.conf file get lost when I rebuild, which I do for when I need to upgrade PHP. It’s not super rare, nor is it super common. Still, I don’t really want to mess with it more than I have to.
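For anyone who does go the manual route Ben describes instead of nginxCP, this is the shape of the nginx server block that does the job the post is after: nginx on port 80 answers static files itself and hands everything else (PHP, .htaccess-driven apps) to Apache, which has been moved to a loopback port so it can only be reached through the proxy. This is an added example, not nginxCP’s generated config or anything from the post; the domain, docroot and Apache port are placeholders.

```nginx
# Added example (not nginxCP's generated config). Assumes Apache was
# reconfigured to Listen 127.0.0.1:8081 so nothing can bypass nginx.
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder domain
    root /home/example/public_html;            # assumed cPanel-style docroot

    # Static assets: served straight off disk by nginx, cached by the
    # browser for 30 days, and never handed to an Apache worker.
    location ~* \.(jpe?g|png|gif|ico|css|js|svg|woff2?)$ {
        expires 30d;
        add_header Cache-Control "public";
        try_files $uri =404;
    }

    # Everything else goes to Apache on the loopback interface.
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        # Pass the real client address along; without these, Apache,
        # mod_security and CSF see 127.0.0.1 for every request.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Cap request size and backend wait so a slow or oversized
        # request cannot tie up Apache indefinitely.
        client_max_body_size 64m;
        proxy_read_timeout 60s;
    }
}
```

The one check worth doing after any proxy goes in front of Apache: look at the Apache access log and confirm the client column shows visitor addresses, not 127.0.0.1. If it shows the loopback address, every IP-based block that mod_security and CSF make is pointed at your own proxy. On Apache 2.4 the fix is mod_remoteip (`RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy 127.0.0.1`); nginxCP ships its own way of doing this, so verify rather than assume.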

    So I took the time to research my options, and came up with nginxCP and cpnginx. The real difference is CPNginx comes with a service to help you (yes, it’s pay). Since I’m an Open Source woman, I did nginxCP. The cost ($55 a year) for cpnginx was not a deal breaker, since they had a trial.

    The install directions are quick:

    cd /usr/local/src
    wget http://nginxcp.com/latest/nginxadmin.tar 
    tar xf nginxadmin.tar
    cd publicnginx
    ./nginxinstaller install 
    

A restart of the httpd service and now all my non-SSL sites are served up by nginx!

    Configure nginxCP and Apache

    I love when I can just slap it on and go, but I run ConfigServer Firewall to save my ass from DDoS, so I knew I’d be getting a slew of ‘Suspicious process’ alerts from my firewall once I added in a new feature. The fix is to add this to csf.pignore:

    # nginxCP
    exe:/usr/local/sbin/nginx
    

    That was all I needed! Emails, by the way, from CSF have plummeted. I was worried I wasn’t getting any emails or logs from my servers for a while. But then I re-checked my logs to see what was happening. See I used to get a lot of emails like this:

    Failures: 5 (mod_security)
    Interval: 300 seconds
    Blocked:  Permanent Block
    

    They stopped, because nginx didn’t let them get to Apache and CSF. Mind. Blown.

    Results?

Some server stats, showing a 0.00 load average for 1min

    Everything worked out of the gate, so I sat and watched my server load. As expected, since an httpd restart flushes my PageSpeed cache, the load spiked at .52 (this is still low). Then it dropped to .31 and then to .20, and it pretty much stuck around the .10 area. Memory, however, dropped for a while. That’s good! Slowly as things settled in, I made sure to post something new on a news/fan site, and watched things not go up very much.

    Nothing is weirder than watching your load drop to 0. The 93% memory is not a bad thing. On this server setup, I want to see somewhere around that at any point in time. The first time I saw it, though, I flipped out and my friend Benny (who is a cPanel goddess) calmed me down and explained how the ‘storm’ server worked. Real memory usage is about 40%, when load is above .40.

    Graph of server load, showing a big spike and then settling down

    The big spike was installing. The normal spikes at 14:00 and 14:30 were posts made in WordPress before nginx was installed. The ones at 16:00 and just after 17:00 are WP posts as well. That’s a nice change.

    Problems?

SSL. Wouldn’t you know? Now you can use nginx as an SSL reverse proxy, but it would obviate my cPanel add-in, which right now seems a little smarter for long term sustainability than doing it 100% manually. The less I have to remember when I’m rebuilding apache, after all, the better.

Still. Part of why I’m looking at nginx seriously is to speed up my SSL site, which gets less caching by its nature. Weighing the pros and cons, I decided to stick with nginxCP as my theory is that by speeding up the rest, SSL will in turn be faster since there’s less memory being sucked up. Oh and I did check cpnginx about SSL, and they don’t support it either. That’s alright for now. I’m sure the future will change.

  • How to Market Your Blog

    How to Market Your Blog

    I recently had a poll on my ebook store, asking people to vote for what I should write about. Someone suggested this: how to market your blog-best strategies and “no no’s”

Friends Forever - Peace

    For a while, I looked at the suggestion with Reddit face. I’m not in marketing. I’ve never been in it, I don’t have the foggiest idea how one goes about marketing anything, and I don’t really care to. Why would anyone ask me to write about that? But then again, maybe they’re asking specifically because I don’t normally write about that.

    With that in mind, here’s how I market a blog, and it’s one really simple step:

    Know my audience

    You’ve got to know who you’re writing for if you want to sell it. If I’m going to be blogging about dog food, then I should take the time to learn about how dog enthusiasts act online. What kind of ‘fan’ blogs are there, what kind of official/professional sites are there, what sort of forums. I need to understand who they are, how they act, and what they expect. A blog for tech people will accept different design styles than ones for pre-teen books.

    A side-note to knowing who I’m talking to is knowing what they consider normal. Even if you think the current ‘trends’ on their sites are ugly as sin, you have to aim at them in order to be accepted. Similar but different. People don’t like big changes, and you may find yourself ignored. At the same time, being different is good, you stand out. Find that balance.

    But when I tell people “I know my audience and I write for that” it sounds at once insanely overly simplistic and bloody genius. The fact is that I’m not a marketer, so I don’t ‘market’ my site, I write good content, put it on a theme with good SEO (thank you Carrie Dils for your Utility Theme and StudioPress for Genesis), and the rest magically takes care of itself because what I put into the world isn’t my blog, but myself.

I said once that Chris Lema doesn’t sell himself, he sells you on yourself. He liked that so much, it’s on his header for his blog redesign. Chris, I suspect, gets what I mean when I say I don’t actually market anything. See, I go out there, I find people who need help, and I help. I spent time without really meaning to building up a rep of being helpful and knowledgeable and understanding because I have some skills that were perfect for my audience. Not only do I know them, I am them!

What’s on this site is essays, how-tos, and ebooks. I sell the books based on the attraction from what I do in the world. See, Open Source is weird. We put stuff out there for free, and then people pay us for other things they can’t do themselves. It’s like how I tell my coworkers to ‘sell’ people on our managed hosting. It’s a question of where people want to spend their time. I like playing on the server, my wife doesn’t. If she didn’t have me for hosting, I’d actually tell her to get managed hosting from the start, because it lets her do what she wants to do!

    And that’s what you’re selling. That’s what you market.

Dog walking another dog on a leash

    Steve Jobs was right when he said your customers don’t know what features they want. But don’t sell them or market them just because they’re features. Sell them what you are, what you use. Tell them the truth. Market by representing what they could be, help them get there, and don’t sell ‘As Seen On WordPress.’

    We build in WordPress things we need. We should market them as that. “I needed this. Here’s how I did it so you don’t have to reinvent the wheel.”

    I’m Mika Epstein, aka Ipstenu. I know things you don’t because I do things you don’t, and I write about them for you to be able to do them even easier and faster. I know what it takes to learn because I learned. I know how to explain it because it’s how I explained to myself. I know who to talk to, because you’re my people.

  • So Your WordPress Upgrade Broke

    So Your WordPress Upgrade Broke

    I’m delving into angry-land here, so hold on to your hat.

So. You upgraded WordPress to a major release without testing it first, and broke your site? It’s probably your own fault. Bring on the stones and when you’re done, let’s talk.

    Ready to talk? Okay, you didn’t test. That’s why it’s at least partly your fault. This triples if the next words out of your mouth are “And my WordPress site is my life!” It quadruples if you say “My client sites broke!” It’s infinite if you broke your company site and you happen to be a WordPress based company.

    Picard and Riker (from Star Trek: TNG) facepalm

    But notice how I said probably? I can honestly say that 50% of the time my site breaks, it’s WordPress, not me, but I happen to run trunk without testing, which makes it my fault, not theirs. Seriously. I’m running trunk on a live site, which updates twice a day. I’m a little reckless. My life is WordPress, which makes me in violation of one of my own cardinal rules, but at the same time, the part of WordPress that is my life is supporting it, or breaking it and reporting it. For me, a broken WordPress install is one that needs my love to fix it, and I embrace that role.

    You’re not me. And in fact, neither is my dad or my friends’ sites that I host. For them, I have a couple options: Let them upgrade themselves, upgrade them automatically, upgrade them myself. I use all of those methods, in different situations and with each of those, what happens when they break? I will say this, for everyone but me, if I have a contract to manage their updates, I test the update first. To the fellow who complained he had 200+ sites to test, I say “Well, that’s your job.” You agreed to manage them, you better do it right.

    Telling people “Your site broke because you didn’t test.” isn’t an answer, though. It doesn’t explain why the site broke. The answer to that is a little more simple. “You have code that doesn’t work with the upgrade.”

    And yes, it’s really that simple. You have a plugin, or a theme, or an add-on to your server, that doesn’t like the newest version of WordPress. Now, it’s a struggle to fix one’s site at the same time as placating one’s customers/clients/visitors, because you’re in a race against time. This is why you have to do that usual testing with plugins off and so on. Complain all you want, there’s no way around it. Point out you’re not a coder all you want, that’s actually why this happened to you and not me.

Tai Chi Hero

    What do I mean? Well I am a coder, so when I install a new plugin I review it first by looking at all the code. You’re not a coder, I hear, but you can still review the plugin by looking at the updates, the author, their contributions to WordPress, the support forums, and the size of the plugin. The larger a plugin, after all, the more chances to go wrong. I also like to check /wp-admin/credits.php and look for the author. If they’re there, the odds of them not knowing that there was a change in WordPress that impacts their code are pretty negligible.

And this is how it works. It’s the addition of all things, combined to make a good, educated guess as to the relative safety of your site. Good plugins that you’ve checked on, good themes ditto. Sure everyone can make a mistake, but good code makes fewer, good coders adapt well, and responsive coders react well. That’s the biggest thing. People will make a mistake and break your site, but if you use a theme where the developer is on the spot with patches and generally responds quickly (say, within 5 days), then you can be pretty sure that this developer knows when WordPress is releasing a new build, and that they test Betas and RCs. That’s what you’re looking for.

    This is especially important if your site breaks on a MINOR upgrade. If your site broke going from 3.8.2 to 3.8.3, and you find out it’s a theme, stop using that theme. That’s really hard, I know. But it’s really serious. A theme or plugin that breaks on the minor updates is doing something really wrong, or is taking advantage of a vulnerability which makes it dangerous to use. That’s it. That’s the reality. Either code is really bad or it’s really unsafe.

    Neither of those things means the developer is a bad person. It just means they did bad code. We have all done bad code. We have all been the cause for bad and dangerous code, and we will all be so again. But again, it’s how we respond that makes us heroes or not.

    Look for the heroes. They stand out. Use their code.

  • It’s Not Beer It’s Homebrew

    It’s Not Beer It’s Homebrew

    If you’re a rookie getting your hands around all this webdev stuff, and you’re on a Mac, you may have already come to a rude awakening when you find out that, for reasons unknown to man, Mac decided we didn’t need wget.

Beer bottles

    That’s how I was introduced to Homebrew.

    I love wget, because it’s a super simple and fast way to download something. wget http://wordpress.org/latest.zip is the fastest way for me to download a zip, and I use it regularly. So one day, when deving code, I realized I needed a plugin. I went to wget it and got a horrible message.

    -bash: wget: command not found

    After searching around, I was about to download, compile, and install wget when a comment on StackExchange said “Try Homebrew.”

Everyone’s derisive comments aside about how ‘real’ programmers don’t install packages (seriously people), I said to myself “Ipstenovich,” I said. Yes, I call myself that sometimes. “You use yum to install packages on your server because it’s easier and safer. Why wouldn’t you use the same thing here?” Over to http://brew.sh/ I went and stared at the installer command like a fish.

    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    

The ‘ruby -e’ part means “run Ruby on the code I hand you as a string,” and the ‘$(curl …)’ inside the quotes is what fetches that code from GitHub, so the whole line downloads the installer and runs it in one go. It’s tough to decide to trust a new program but after some serious banging around, I trust the Homebrew.
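The uneasy feeling about that one-liner is the right instinct: it runs whatever the remote server sends, at the moment it sends it. A habit that keeps the convenience without the blind trust is to download the script to a file first, read it, check it against a hash you got from somewhere other than the download itself, and only then run it. The functions below are an added example of that pattern, not Homebrew’s own installer or anything from the post; the URL argument and the expected hash are things you supply, and the `sha256_of` helper falls back to `shasum -a 256` because a stock Mac has no `sha256sum`.

```shell
#!/bin/sh
# Added example: fetch an installer script, verify it, then run it.
# Nothing here is Homebrew's code; the hash you pass in is an assumption
# you must obtain out of band (release notes, a signed page, a colleague).

# Print the SHA-256 hex digest of a file, portable across Linux and macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's digest matches the expected one.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Download URL ($1) to a temp file, compare to expected digest ($2),
# and run it with ruby only when the digest matches. Returns 2 on mismatch.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_sha256 "$tmp" "$expected"; then
        ruby "$tmp"
        rc=$?
    else
        echo "checksum mismatch for $url; refusing to run it" >&2
        rc=2
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (URL and digest are placeholders you fill in after reading the script):
# fetch_verify_run "https://example.invalid/install" "<sha256 you trust>"
```

A mismatch is not always an attack; installers change between releases, so a stale hash will also refuse to run. That is the point: the refusal makes you go look at what changed instead of executing it unseen.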

    Homebrew Logo

    Once installed, which doesn’t take long at all, I ran the check brew doctor which told me a couple things:

    1. I’d installed SVN and Git on my own (truth) so I needed to change my .profile (with directions how)
    2. I had a half-baked attempt at installing ImageMagick that needed cleaning (with suggestions how)
    3. I had MacPorts still in my /opt/ folder, that needed removing (with directions how)
    4. I needed to install xcode command line tools (with directions how)
    5. xQuartz was out of date
    6. I hadn’t updated my brew list in a bajillion years

    Most people won’t have that last one. I did once have an older install of Homebrew that I’d never really cleaned up. However the other ones took me about an hour to clean up properly, because I was watching Fargo (the movie) at the time. Once installed and set up, I was able to install wget and upgrade it. Ditto OpenSSL (because Heartbleed, you know). It’s great.

    Homebrew is pre-1.0 which means there can and will be issues. Don’t panic, for most of what anyone needs, this is perfect. It’s also good at upgrading when you need to:

    Output of Homebrew, upgrading a few items at once

    The little beer mug is awesome.

    One of the nice things about Homebrew is that it doesn’t use (nor advocate the use of) sudo. This is really good for security and makes me feel much safer.

    Go forth, rookies, and install Homebrew! It will make your development much happier!

  • Review: Sitespeed.io

    Review: Sitespeed.io

    Let’s get this part out of the way first…


    Like most people, I have a suite of websites I check when I’m trying to figure out how well a site does with regards to speed. Google PageSpeed Insights, ySlow, GTMetrix (which does both), Pingdom Website Speed Test, Bytecheck… The list goes on and on. We want as many checks as possible in understanding what’s causing sites to be slow and what is not.

Sitespeed.io Logo

    When I added in nginx I wanted to test everything again, and as I made my way down my list I thought “Isn’t there a way to do this and go make a coffee?”

    Sitespeed.io analyzes my site while I make coffee. It’s Open Source. It’s forkable. It’s easy to install. Since I’m on a Mac, I used Homebrew (which I’ll post more about in two days) but you can git clone, or download the zip, however you like.

    Once installed, you run a sitespeed.io call:

    $ sitespeed.io -u https://halfelf.org
    

This takes a little while but creates a folder off your home directory: ~/sitespeed-result/halfelf.org/2014-05-14-14-59/ and in there will (eventually) be a lot of files including an index.html. That one you open up in the browser. The scan definitely takes longer than a sitespeed check, but it’s also more in-depth in the ways I always wanted from sitespeed. Also since it’s HTML, I can toss it online and share with people.

    What I noted first was a ton of errors. Sad panda.

    phantomjs[88651:507] CoreText performance note: Client called CTFontCreateWithName() using name "Open Sans" and got font with PostScript name "OpenSans". For best performance, only use PostScript names when calling this API.

It also had a lot of crashes, which was when I wondered if everything was on the right version. Again, checked in with Homebrew, upgraded phantomjs, and tried it again. This time no errors (yay!)

    But then the process finished and I looked at my score. 81.

    So I dug into the results and looked at first my home page.

    You have 2 javascripts in the critical path and 8 stylesheets using 0 extra domains

    […]

    This page has 8 external stylesheets. Try combining them into fewer requests.

And it showed me what those were. Weirdly, I saw WP was calling jQuery on its own, as well as the JS I minified and compressed with mod_pagespeed. Interested, I checked three other sites on my server, and they all have the same issue. It blows my mind that no other tool had pointed that out before. The stylesheets I knew were from my fonts. While I minified them all, I did not combine them because it made my font-icons break. I upgraded mod_pagespeed for Apache 2.4 and haven’t looked at that since, so I tried it again and, indeed, it worked now.

    I slowly worked my way down the list, noting things that I could easily fix. One thing that would ding me hard was my use of webfonts. Also not using a CDN still dinged me. Still, by using Sitespeed.io, I was able to see more exactly what was slowing my site down and why, and what I could sacrifice. Some things are going to be unavoidable (like “You are using an old version of JQuery: 1.11.0 …” ) and the multiple domains (google.com, wordpress.com, etc), but really the fact that I can narrow in with specific issues is perfect.

    There are a whole mess of options, like I can take screenshots with each page, restrict the scan to specific pages (or exclude others), check in mobile, test in specific browsers (note: this is more complicated!), and much more.

    So welcome, Sitespeed.io, you’re in my toolkit now!

  • Mailbag: I want to make WordPress.com

    Mailbag: I want to make WordPress.com

    Justin is not the only person who’s asked me this one, and it boils down to “How do I run my own wp.com?”

    I wouldn’t. It’s insane, and if you want just an inkling as to how frustrating it is, spend 8 hours a day, for 2 days, doing free support in the WordPress.com forums. That’s going to be your life. If you hate it, don’t do it. And more to the point … I don’t feel we need more generic ‘Anyone can host here.’ sites. The most successful modern one is Medium, which doesn’t give you a site like ‘ipstenu.medium.com’ but instead just share-posts everything. I’m personally not sold on the efficacy of it, but my point is I feel these gateway blogs are less and less necessary, the better we make WordPress software. We’re lowering the bar for people to own their own sites.

    If IF I was going to consider it, I’d be looking at it from the aspect of a small group of people. For example “A network for small town newspapers.” I take care of the servers and code, they just write. That’s a smaller, niche, market, but also one that probably can’t afford VIP WordPress.com. You can always expand, after all.

    But Justin actually has a security concern. Let me share in his own words:

I want to build a service like wp.com, blogger.com but with free and commercial themes and plugins. Drag and Drop themes (Headway, Ultimatum), plugins (Visual Composer). If my site is feature-loaded, people will come, isn’t that right? But I wonder why people don’t use all those nice software to build better than those companies. I want to ask, is it because people can insert malicious code in css and javascript code editors?

    Yes and no.

It’s not the malicious code in CSS and JS, though that is a concern. WordPress.com has a CSS editor that you can pay extra for, and the question many people ask is “Why isn’t that free?” The issue isn’t with security, it’s support. Frankly, people who need (note the word ‘need’) a managed site like that generally haven’t a clue what they’re doing in CSS for design. They need those baked and locked themes because they’re not ready for the rest without a conscious choice and a monetary investment. You’re paying more for something, ergo it’s worth more.

But JavaScript? Well that would be security but also support. I certainly don’t want people messing with JS because it’s easier than CSS to break your site with it. Don’t believe me? Go look at everyone whose visual editors broke after upgrading to WordPress 3.9 because of plugins that don’t work well with the new JS settings in TinyMCE. Those are plugins, written presumably by people who know what they’re doing. And they broke.

    Is there a security risk to letting people edit CSS? No.

    Is there a security risk to letting people edit JS? Yes. And worse on Multisite (which is what WordPress.com is running) as that could break the entire network, not just one site. A bad CSS call will only break your own site on the network, after all.

    A lock on a locker

    But I think the question may be “What’s so dangerous about JS anyway?” and the answer there is “Cross Site Scripting” (aka XSS). XSS is a vulnerability that will allow hackers to inject scripts from their computer into your site, which is normally (in WP land) used to bypass the requirement to be logged in, dump garbage into the database, and then log in and create merry havoc on your site. I’ve been told up to 84% of all vulnerabilities in the web are XSS related. This may or may not include CSRF (Cross Site Request Forgery). The XSS article on Wikipedia is pretty good.

    Based on that alone, I would not allow users to make their own javascript edits. I would perhaps provide plugins to allow them to make certain adjustments, but not anything they wanted, any time they wanted. If they need that, then they need to get their own hosting on their own server, so they only blow up themselves.

    Oh and whatever you do, don’t try to become ‘the next…’ anything on your own. That way lies madness. Get some help.