Half-Elf on Tech

Thoughts From a Professional Lesbian

Author: Ipstenu (Mika Epstein)

  • Speaking at WordCamp Boston

    I’ll see the East Coast, flying to WordCamp Boston on Oct 25-27th.

    A Tale of Two Servers

    On Sunday I’ll be speaking about WordPress Managed Hosting, and you’ll finally learn what all those Sherlock photos were about!

    There are still tickets available for the whole show, so grab yours now and come see me and a pretty damn awesome lineup of speakers.

    See you soon!

  • Cloud Experiment

    While I’ve mentioned that I don’t ‘get’ CloudFlare, I took the time to buttonhole the guys at DreamCon and explain my issues. Many thanks to Maria Karaivanova for her presentation at DreamCon, too, which helped me a lot.

    Now, in so far as a ‘traditional’ CDN (where they host my images) goes, I don’t need it, but as a Cloud Proxy, I both understand and like it! The deal with a proxy is pretty simple: It’s an extra firewall between your server and users. Why is this faster? Because they have more servers than I do, which means they can handle a DDoS better than pretty much anything on Shared Servers will ever be able to do.

    Keep in mind, a VPS can handle a lot of this on its own. I could install Varnish and use that for caching, but it wouldn’t give me the ability to have multiple servers serving my content, and that’s what I’m looking for with my experiment here.

    It would be remiss if I didn’t note the more well known alternatives: Incapsula (starts at $19.99/month), Sucuri’s Cloud Proxy (starts at $9.99/month), MaxCDN (starts at $9.99/month), and Fastly (starts at $50/month). CloudFlare starts at ‘Free’ but its first paid offering is $20 a month for one website, $5 for each additional.

    On My Server

    I use ConfigFirewall (CSF) so I had to add the CloudFlare IPs to csf.allow and csf.ignore. Yes, both, otherwise I got weird alerts. This is pretty easy, though.
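
    An added example (not from the original post or from CSF itself) of keeping the two files in step: it appends each range to both csf.allow and csf.ignore, skips entries already present, and rejects lines that do not look like a CIDR range. The function names and the sample ranges are assumptions; the real ranges come from CloudFlare's published list.

```shell
#!/bin/sh
# Added example: keep csf.allow and csf.ignore in step for a proxy's ranges.
# csf.allow lets the proxy through the firewall; csf.ignore stops lfd from
# flagging the proxy addresses that now front every visitor.

# Succeeds if FILE ($2) already lists ENTRY ($1) as the first field of a
# line (existing CSF lines may carry a trailing "# comment").
csf_has_entry() {
    [ -f "$2" ] && awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$2"
}

# Coarse sanity check: only characters that can appear in an IPv4 or IPv6
# CIDR, and at least one digit. Not a full address parser.
looks_like_cidr() {
    case $1 in
        ''|*[!0-9a-fA-F:./]*) return 1 ;;
        *[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# csf_add_ranges LIST_FILE [CSF_DIR]
# Appends every range in LIST_FILE to BOTH files, once each.
# Prints the number of lines appended (0 on a repeat run).
csf_add_ranges() {
    list=$1
    csf_dir=${2:-/etc/csf}
    added=0
    while IFS= read -r cidr || [ -n "$cidr" ]; do
        case $cidr in ''|'#'*) continue ;; esac
        if ! looks_like_cidr "$cidr"; then
            echo "skipping suspicious line: $cidr" >&2
            continue
        fi
        for f in csf.allow csf.ignore; do
            if ! csf_has_entry "$cidr" "$csf_dir/$f"; then
                printf '%s\n' "$cidr" >> "$csf_dir/$f"
                added=$((added + 1))
            fi
        done
    done < "$list"
    echo "$added"
}

# Stand-alone demo on constructed data in a temp directory (never /etc/csf).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf '192.0.2.0/24\n2001:db8::/32\n' > "$demo/ranges.txt"   # constructed
    printf '192.0.2.0/24 # added by hand\n' > "$demo/csf.allow"
    : > "$demo/csf.ignore"
    echo "lines appended: $(csf_add_ranges "$demo/ranges.txt" "$demo")"
    rm -rf "$demo"
fi
# On a real server: reload CSF (csf -r) and restart lfd afterwards.
```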

    Next I installed mod_cloudflare because I wanted to preserve the IP address without having to muck with plugins on everything. This particular site is my ‘Not all WordPress’ site after all. The catch is if I do it all manually, I have to redo it every time I upgrade via EasyApache (Don’t judge me). I already have to do that for PageSpeed. That said, cPanel suggested I read Installing mod_cloudflare on cPanel, so I did that and then ran EasyApache:

    Screen Shot of EasyApache

    So that was easy! By the way, TL Tech is one of my standard resources. They have a lot of tricks, and I’ve bookmarked ’em.

    Finally I checked out if there were issues with PageSpeed and CloudFlare. CloudFlare says no, but indicates the redundancy. That’s okay. I did an extra step of telling PageSpeed to not modify caching headers, as that’s something we did for DreamHost and Varnish (DreamPress!). Just add this to your .htaccess section for PageSpeed.

    ModPagespeedModifyCachingHeaders off
    

    On CloudFlare

    This was straightforward. Follow their directions and it’s fine. I went for free, and fiddled with my Security Settings a lot. I hate captcha. And I know, I knooooow, the users for this site will cry if they get hit by one, so I turned my security to “Essentially Off” – This is the only way to get rid of Captcha. Sad panda. I also turned “Browser integrity check” on for now.

    In Performance Settings, I made Caching level “Simplified” and left the rest as default. Then I set up PageRules for WordPress and my other apps. You only get three rules with free (and 20 with the first level plan) so I made sure to free up the admin tools.

    On my webapps

    Last up, tackling purging caching. I’m far more familiar with this now, as I support a Varnish plugin that does much the same (and I did consider installing Varnish). The official CloudFlare plugin, for some reason, only serves the same purpose as mod_cloudflare, in that it restores IP addresses. But what I really want is a way to purge my cache with a new post. Pretend I’m saying this in that voice I used at WCSF… there’s a plugin for that: CloudFlare Cache Purge.

    Sadly there isn’t a similar plugin/extension for my other apps. And this is why I ended up at my current conclusion…

    Current Conclusion

    Sadly, even after letting it bake for a few days I determined it wasn’t quite right for me. Everything worked, and if my site was more static, it would be perfect. But this brought up the same problem I’ve had with all caches: my dynamic content gets hurt.

    What is static that I can and should cache? JS, CSS, font files, images. What is not static? Blog posts, comments that are happening all the time, fast and furious. A gallery that needs to update. A wiki that has a deadline. Worst of all, it prevented two of my apps from being able to make their own ‘static’ cache in the background. Now really that means I shouldn’t have to make my static cache at all, but this brought up another issue. Coordinated pushes of content, where four separate apps update 1-3 pages each at the same time means I need to be able to purge those pages, right away. And right now, there aren’t extensions to do that.

    Of note: I noticed the exact same problem with Fastly and Varnish, so it’s not just CloudFlare, it’s a function of how these things are supposed to work.

    What would I need to make these desirable? Basically I need a way to purge my cache on the proxy efficiently, quickly, and selectively. Now that I work on the Varnish Cache at DreamHost, I’ve seen how deep the rabbit hole can go with this, however, and I know fully how hard this is. Proxy Caching is not for everyone. When you have dynamic content that changes for logged in users on the fly, it’s a pain. I mean, I use PageSpeed to compress and cache CSS and JS, and I have to flush it when I update my site design. Caching your caching is always going to be tricky, unless there’s a simple, one click, way to say “I’ve updated these pages, please purge them.”

    We’re not there yet.

    Recommendation

    CloudFlare is pretty awesome, actually. If you’re ‘just’ running a blog on shared hosting, I would seriously consider using it, especially in light of the various DDoS attacks out there. A cloud proxy will help you, if you don’t have server level access to tweak mod_security. The fact that CloudFlare gives you a ‘free’ option to test with, without having to give anyone your credit card info, makes it great for experimentation and puts it above the other proxies right now.

    But with all things, keep in mind your personal usage. It’s not just “Does this make my site run faster?” but it’s a lot of “Does this make my usage of my site better?” For me, they win on the first and fail on the second. Maybe one day I’ll change my workflow so cloud proxy, or Varnish, can be the answer, but that’s not today.

  • Censorship in Moderation

    Not everything to do with technology means code. Curating a website means, often, you have to edit your content and your comments in order to foster the sort of relationship with your visitors that you desire. In doing so, are we censoring? How do you decide how best to handle comments that make you uncomfortable, and how do you allow yourself to question your ever-changing personal morals (because they are), while keeping the right ecosystem on your blog?

    I am a censor

    From time to time, I make people upset. This happens, and while I don’t go out of my way to piss people off, it’s just a part of life. No one agrees with me 100% of the time (heck, I don’t agree with myself from last year all the time). It’s just what it is. We grow, we evolve, we look at things differently. When people get upset with me they tend to act like assholes on my websites, insult me, call me names, or basically try to take over all the comments here. When they do, I block them out of my life.

    Seriously. When people start that crap, I block them from commenting here, I block them on Twitter and Facebook and Google+, and blackhole their email. End of story, no chance to come back. If you’re the kind of person who’s willing to go that far and call me a “man faced dyke” then you’re not the sort of person I care to associate with, goodbye.

    Most people don’t get that far, though. I’m all for hearing dissenting opinions, especially the thoughtful ones that point out fallacies in my logic. I would much rather people post replies to my blog posts as comments (not Twitter guys), because that removes the oft-crippling 140 character limit, and thus takes away much of the problems with discussing complex topics. I like long replies. I leave them often. This means that the vast majority of the time, even if you want to shout at me and say my understanding of XYZ is wrong, as long as you’re not being personally insulting, I’m going to leave the comment up. When you start belaboring the point (beating the dead horse, as it were), and refuse to agree to disagree, then I start moderating your comments and possibly deleting them.

    Is this censorship?

    At some point on Twitter I said “Deleting your comment on my personal site may be censorship, but it’s not against any law.” And my friend replied:

    The reason I used the word may is that, for an off-the-cuff Tweet, I had not done any research into what is and is not censorship. I know that we use the term ‘Self Censorship’ when we’re trying to stop ourselves from enjoying a foot-in-mouth moment, but are we using the word wrong? When I decide to remove a post that I feel is detrimental to my site, how is that different from Google censoring your results from a search, or Facebook deleting your comments?

    My rule of thumb for comments is this: If what you just posted is something that would prompt me to get out of your car, leave your house, or ask you to leave my house, it’s getting deleted. It’s pretty cut and dried, and if my hand ever hovers over the “Well, maybe this is okay” button, I tend to leave it alone. But, like Gunnar de Winter posited in 2011, I don’t know if I’m censoring or not anymore.

    A generally accepted definition of censorship is along the lines of this: “the suppression of a text, or part of a text, that is considered objectionable according to certain standards.” One can argue that my site has my standards, and thus my suppression of a comment I find objectionable is censoring you on this blog. I’m inclined to feel that it is censorship, but I don’t think this is a bad thing.

    When is it censorship?

    There is a difference between gatekeeping and censoring. If I make a political agenda post about a hot-button topic, and then proceed to delete all replies that promote the opposition, am I gatekeeping or censoring? What about when I delete (or edit) comments left by people who are insulting? Is that inherently wrong? Where’s the line between “I don’t like it” and “I’m offended by it”?

    One thing to keep in mind is that this is not violating freedom of speech. Or rather, it’s not violating your protected freedom of speech. Look. You have the right to say whatever you want. I have the right not to listen. In the US, the amendment is pretty clear in that the freedom of speech applies to talking about the government. So I can talk about how much I hate Obama if I want to, and the government has no law to stop me. At the same time, this does not give me absolute freedom of speech, it just means that I have certain protected rights. In 1996, the Supreme Court extended the full protection of the First Amendment to the Internet (it was a 9-0 vote, too).

    So why doesn’t this cover your right to say what you want on my blog? My blog is a ‘private’ entity. So is a newspaper for that matter, which is why your letter-to-the-editor may never see the light of day. Neither the NYT nor I am obligated to publish your words. Besides, it’s not restraining your expression when I do it here, as you keep the right to go talk about me and how much I suck or I’m wrong to your heart’s content on your own blog. I tend not to comment on those posts anyway, so don’t worry about me.

    What’s wrong about censorship?

    If I said “Censorship isn’t all bad” I’m sure a lot of people would shout me down. But … it’s not. We censor pornography, private information, details of bomb creation (see Mythbusters) and so on. None of those things are really objectionable uses of censorship. In a perfect world, people wouldn’t break the law in the first place, so we wouldn’t have to censor anything (because we’d all be trustworthy). Sadly, that’s just not the case. In general, when applied fairly and justly, censoring might not be terrible. When it’s abused, though, and someone goes to the point where they block you from posting on the Internet as a whole (just pretend that’s possible), then we’re into a problem. Which means it’s not necessarily that censorship is wrong, but abuse thereof is wrong.

    So back to Jen’s point, it’s not really censorship, is it?

    I do oppose blanket censorship. But I also believe that protecting my blog’s community, as well as my own mental health, means sometimes I have to make the choice to close the door on some people. As someone who runs community sites, the health of the community trumps my personal feelings, but that doesn’t mean I ignore them. Finding that balance, in yourself and on your sites, is not easy. It’s an ever changing landscape to navigate, and no one can tell you what’s 100% right or wrong.

    Dare to Disagree

    Just as I finished writing this, Andrea Middleton sent me a link to a TED video of Margaret Heffernan: Dare to Disagree. It’s hugely important, when you decide to censor any comments on your site, that you not stifle constructive conflict. The importance of being challenged and letting yourself grow because of it cannot be expressed often enough.

    So Jen’s right. It’s not censorship, and I’ll keep on gatekeeping comments as I feel appropriate.

  • MySQL – my.cnf

    This is a fairly rare file, and one I never would have found had I not needed to run a standard SQL process via cron.

    Names have been changed to protect the innocent.

    As the story goes, no matter what I did, I could not get this one app to stop spewing out ‘smart’ quotes. You know the fancy apostrophes and quotes that curl? Well, that’s not normally a problem, like in WordPress I’d just filter it out, but in this locked down system, I didn’t have that option. I called the vendor, and they said “Make sure you don’t paste in smart quotes.”

    That was all fine and dandy for me but I’m not the master of the universe like that. Well, not all the time. I had people to input data for me! They were going to have to manually take the forms (Word Docs), filled in by non-techs, and copy the data into the right places in the app. And you want me to tell them they have to fix this for the non-techs? I thought about how much time that would take, and decided the best fix was to change the forms! Right?

    If you’ve ever worked for a major company, you know why this was about as effective as aspirin for a root canal. No deal. So I decided to get inventive.

    The only time this was a problem, these ugly quotes, was when we ran our weekly reports. This was how I found out about it, a manager complained that there was garbage instead of quotes on the form titles. Ergo: All I need to do is script something to clean them out!

    Enter SQL!

    # REPLACE SMART QUOTES WITH STUPID ONES
    # FIRST, REPLACE UTF-8 characters.
    UPDATE `secretapp_table` SET `formtitle` = REPLACE(`formtitle`, 0xE2809C, '"');
    UPDATE `secretapp_table` SET `formtitle` = REPLACE(`formtitle`, 0xE2809D, '"');
    # NEXT, REPLACE their Windows-1252 equivalents.
    UPDATE `secretapp_table` SET `formtitle` = REPLACE(`formtitle`, CHAR(147), '"');
    UPDATE `secretapp_table` SET `formtitle` = REPLACE(`formtitle`, CHAR(148), '"');
    

    In my testing, if I ran that on formtitle, it cleaned it up for the report. This was a default report in the app, by the way, not something I had any control to change. And you wonder why I love open source? Anyhow, once I knew how this would work, I set about scripting it. I couldn’t hook into any triggers on the app, though, because they don’t like to make it easy.

    Fine, I decided. A crontab time it is! I made this simple script to run at midnight, every night, and clean up the DB:

    #! /bin/bash
    
    mysql -h "dbname-secretapp" "secretapp_db" < "quotecleaner.sql"
    

    It worked when I ran it by hand, but it failed when cron’d. This took me some headbanging, but after reading up on how SQL works, I realized it worked when I ran it as me because I’m me! But cron is not me. I have permissions to run whatever I want in my database. Cron does not. Nor should it! So how do I script it? I don’t want the passwords sitting in that file, which would be accessible by anyone with the CMS to update it.

    I went around the corner to my buddy who was a DB expert, and after explaining my situation (and him agreeing that the cron/sql mashup was the best), he asked a simple question. “Who has access to log in as you?” The answer? Just me and the admins. The updating tool for our scripts was all stuff we ran on our PCs that pushed out to the servers, so no one but an admin (me) ever logged in directly.

    He grinned and wrote down this on a sticky “.my.cnf”

    Google and a Drupal site told me that it was a file that was used to give the mysql command line tools extra information. You shove it in the home directory of the account, and, well, here’s ours:

    # Secret App user and password
    # Options must sit under a group header; [client] is read by the mysql command line tools
    [client]
    user=secretapp_user
    password=secretapp_password
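
    As an added example (not part of the original post or the app's documentation), this is one way to create that file with owner-only permissions and refuse to run the cron job if the file is readable by other accounts or has no `[client]` group. The function names are hypothetical; the host, database and credential names are the post's placeholders.

```shell
#!/bin/sh
# Added example: create and vet ~/.my.cnf before a cron job relies on it.

# write_mycnf PATH USER PASSWORD
# Creates the option file under a restrictive umask so the password is
# never on disk with group/other read bits, even briefly.
write_mycnf() {
    ( umask 077
      printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mycnf PATH
# Returns 0 only if the file is fit to hold a password:
#   - a regular file, not a symlink
#   - mode 600 or 400 (no group/other bits)
#   - first real line is a [group] header, and a [client] group exists
check_mycnf() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "missing or not a regular file: $f"; return 1; }
    mode=$(file_mode "$f")
    case $mode in
        600|400) ;;
        *) echo "mode $mode on $f lets other accounts read the password"; return 1 ;;
    esac
    first=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | head -n 1)
    case $first in
        '['*']') ;;
        *) echo "option found before any [group] header in $f"; return 1 ;;
    esac
    grep -q '^\[client\]' "$f" || { echo "no [client] group in $f"; return 1; }
    echo "ok: $f"
}

# run_quotecleaner SQL_FILE
# The post's cron command, run only after the credentials file passes.
run_quotecleaner() {
    check_mycnf "$HOME/.my.cnf" || return 1
    mysql -h "dbname-secretapp" "secretapp_db" < "$1"
}

# Stand-alone demo in a temp directory (does not touch the real ~/.my.cnf).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    write_mycnf "$demo/.my.cnf" secretapp_user secretapp_password
    check_mycnf "$demo/.my.cnf"
    rm -rf "$demo"
fi
```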
    

    The only reason I even remembered all this was because an ex-coworker said he ran into the documentation I left explaining all of this, and was thankful. He had to have it scan the body of the form now, because the managers wanted that in the report too!

  • Give Back Or Die

    One of the things I hate in the world is people who don’t give back.

    I call myself a software socialist because I strongly believe in giving back to the things that make me successful. (This is, in no way, a blanket approval of everything Socialist. Snarky political comments may be deleted.) This is why I give back to WordPress, spend so much time on it, and so on and so forth. Thus, it’s logical (or at least internally consistent) when I say that the part about WordPress that I hate is people who take and never reciprocate. More than this just being a pet peeve, though, people who do this with Open Source code are biting the hands that feed them, and it’s terribly frustrating to watch.

    Look. You get this totally awesome software for free. People volunteer (sometimes we’re compensated, sometimes not) to make it better, safer, more secure. And we give these updates, again for free, back to you to make a living from. That gives all of us ownership in the software and a responsibility that I see a lot of people dropping the ball on.

    So let me state this for the record: If you use a product that is free that enables you to make your living, and you do not give back in some way, you annoy me.

    I’m going to use Mediawiki as an example here. I cut my teeth on it, which is something few of you know. I’ve been using it longer than WordPress, as a self-hosted Wiki install. I learned about caching tools not because of WP, but from Mediawiki. I learned about config files and extensions, and why you never edit core files, and theming all from Mediawiki. It’s safe to say that had it not been for my foray into that world, I’d never ever have been the WordPress Guru I am today.

    At the same time, I have never once given a single line of code back to Mediawiki. I’ve probably reported no more than 5 bugs in my lifetime, and it’s not because they don’t exist. I actually do know how to do more than just theme in Mediawiki, I know how to trace a bug and fix it, but given my use-case of it it’s been pretty rare that I’ve even had to report it, because every time I’ve found it already handled in the next release.

    By the way, the whole reason I mastered Git? Mediawiki. I needed an easy way to upgrade and keep up with a trunk release that fixed a critical bug for me.

    But if I don’t give back code, do I annoy myself? Nope! Much like WordPress has a WordPress Foundation, Mediawiki has a Wikimedia Foundation. And yes, I donate money.

    And this is my point. We’ve already proven that sponsored software can work. At the time I wrote this, Aaron Jorbin’s charge to raise money so he could work on Post Formats was a couple hundred from goal. I’m confident that by the time this is posted, it’ll be met. (I’m also confident the Indians will sweep the White Sox, so Aaron, you can do your ten support tickets for Post Formats if you want. If they lose, I’ll patch something for your plugin.)

    The point is simple. Giving back is not just code. I talked about this at WordCamp Portland, and I talk about it all the time. You don’t have to code, or file bug reports, all you have to do is be here and do something for the community at large. Heck, if you want to help clean up after a meetup? You gave back!

    So please, don’t be greedy. Give back to open source. Don’t just take and take and then complain it’s not everything and more. Do something, anything, that helps someone else. Even if you’re doing it altruistically, you’re not living in a vacuum.

  • Separate Users Are Good

    When you create a new domain on DreamHost, you can choose to make a ‘new’ user to ‘own’ the site, or use an existing one. There are pros and cons to both, but for anyone who comes from the cPanel world (where separate accounts are de rigueur), it’s pretty normal to expect your separate site to have a separate login name and password.

    Explaining how all this works on DreamHost is a little different, because we have users and then we have users and … well let me explain.

    There’s more than one kind of user

    The first type of ‘user’ you have at DreamHost is your panel user. This user is the one you make when you sign up, and it’s usually your email. Don’t share this password with anyone, okay?

    Next we have your ‘users’ which you can find in your panel. Those users are the ones who have access to things like ‘shell’ and ‘sftp’ and so on.

    Then there are also those ‘other’ users you think of, like the login accounts on your blog, or your email, or maybe even the billing account for DreamHost.

    When I talk about separate users, I’m only talking about the ones who have access to shell and stuff.

    Users own sites

    Those user accounts own sites. That means I have a specific user who ‘owns’ the folder on the server where all my web code lives. And you can see it’s that user because there it is, in the path: /home/USERID/domain.com/

    Only one user can own, and access, a domain. However a user can own multiple domains.

    So here’s what this looks like. One user owning multiple domains:

    one user multiple domains

    And only one user can access the domain, user two cannot:

    User 2 has no access

    This is cool because if there’s a domain under User 2, and it gets hacked, there’s no way for User 1 to get hacked, even if both users are you! (Unless there’s a server wide security flaw, which yes, can happen, but we spend a lot of time trying to prevent that.)

    Logical User/Domain Groups

    If you own 50 domains (and I’ve seen users with 200!), having them all owned by one user sure seems easier, but it means if that user gets hacked, they’re all vulnerable, and you’ll probably end up having to de-hack 50 domains at the same time. Instead, it’s wiser to group your domains ‘logically.’ For example, my elftest.net domains have subdomains, all of which are owned by the same user. However my other top-level domains are each owned by their own user. But that doesn’t work for everyone.

    Recently I was helping a customer with a hacked site, and he complained that the sites he hosted for his clients were being hacked, and his clients were pissed off. I took a look and saw that all his client sites were under one user ID. I asked him if the clients had more than one domain, or if they all had their own, and he replied that each client had 4 or 5 of the domains. After cleaning up the hack, together we made new user accounts, one for each client, and moved the domains to those accounts. If possible, I always clean before moving, but in one case the customer had 75+ hacked sites, so we moved and then cleaned each one, prioritizing the accounts on the way. It took a very long time.

    The extra benefit to this is the clients can now have FTP access to their domains and do wild and crazy stuff! But we don’t want them to have FTP.
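
    An added example (not DreamHost tooling and not from the original post) that inventories how many domains each shell user owns under the /home/USERID/domain.com/ layout described above, and lists domain directories any other account could write to. It assumes a domain directory is any directory whose name contains a dot; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: how many domains fall together if one user is compromised?
# Assumes the /home/USERID/domain.com/ layout; "name contains a dot" is the
# heuristic for a domain directory.

# user_domains HOME_DIR: one domain directory name per line.
user_domains() {
    for d in "$1"/*.*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# domains_per_user [ROOT]: "COUNT USER" lines, largest count first.
domains_per_user() {
    root=${1:-/home}
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        n=$(user_domains "${home%/}" | wc -l | tr -d ' ')
        echo "$n $(basename "$home")"
    done | sort -rn
}

# shared_owner_report [ROOT] [MAX]: users owning more than MAX domains,
# i.e. the accounts where one hack means cleaning several sites.
shared_owner_report() {
    root=${1:-/home}
    max=${2:-1}
    domains_per_user "$root" | while read -r n user; do
        [ "$n" -gt "$max" ] || continue
        names=$(user_domains "$root/$user" | tr '\n' ' ' | sed 's/ $//')
        echo "$user owns $n domains: $names"
    done
}

# world_writable_domains [ROOT]: domain directories that every account on
# the server can write to, which defeats the per-user separation.
world_writable_domains() {
    root=${1:-/home}
    for d in "$root"/*/*.*/; do
        [ -d "$d" ] || continue
        find "${d%/}" -prune -perm -002 -print
    done
}

# Stand-alone demo on a constructed tree in a temp directory.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/user1/a.com" "$demo/user1/b.com" "$demo/user2/c.org"
    shared_owner_report "$demo" 1
    rm -rf "$demo"
fi
```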

    Moving The Domain

    Obviously first you need to set up users. When I set up a new user, the first thing I do is make it secure. That means I turn off FTP, forcing SFTP only, and if needed, give them Shell access. Personally? I love shell access, so I always leave it available. If you’re using DreamPress, we have Shell turned off by default, but you can activate it.

    Secure User Settings

    There is a downside, which is that the WebFTP app won’t work. Personally? I find 99.999% of WebFTP apps to be total drek. They’re messy, kludgy, and there are some great free apps like Cyberduck which even let you connect with DreamObjects!

    Now that you have the user, we want to move the domain. This is so easy, anyone can do it. Go into Panel, click on domains, click on edit for the domain. Go to “Users, Files, and Paths” and change the user in “Run this domain under the user:”

    Changing Users

    Really, it is that simple.