Save even more on registry services

Some time ago, I mentioned that I moved my domain registrar from GoDaddy to NameSilo. I came to the general realization that registry services were mostly commodities, so there was little point in paying more. GoDaddy charges fees for services that are standard on most registrars, such as privacy protection. They also add a hefty markup to fees charged by the top level domain registrar. NameSilo was a registrar that didn’t, and their markup was minimal. So I switched.

It wasn’t a huge amount of money that I was saving per year as I have only a handful of them; it was more the principle that I shouldn’t reward companies that provide overly costly services. And if you’ve been on GoDaddy, you know that’s their one true talent: marketing. They are constantly looking to nudge you into paying for extra services of dubious worth. Their site is so overwhelmed with internal marketing that doing common tasks like getting into cPanel becomes a multistep process that’s hard to find, probably because they want you to see pages of marketing material first. Obviously, GoDaddy is not subtle, and they seem to cater to web hosting newbies familiar with the brand and often with a deficiency of web administration skills.

It turns out though that by using Cloudflare’s registry service, you don’t pay any markup and popular registry services like domain protection and privacy are free. You don’t even have to sign up for one of their paying services to get the deal. It’s all explained in this blog post. They write:

For instance, Verisign, which administers the .com TLD, currently charges $7.85 per year to register a .com domain. ICANN imposes a $0.18 per year fee on top of that for every domain registered. Today, if you transfer your .com domain to Cloudflare, that’s what we’ll charge you per year: $8.03/year. No markup. All we’re doing is pinging an API, there’s no incremental cost to us, so why should you have to pay more than wholesale?

Some months back I transferred my condo association’s registrar to Cloudflare. For the moment, I’ve kept my other domains on NameSilo as the cost difference between their services and Cloudflare’s is pocket change. But likely at some point at my convenience I’ll move mine to Cloudflare’s registrar too.

Changing registrars can be a pain as it generally takes about a week and there is an exchange of EPP codes between the registrars. But if you are paying too much to your registrar, the time and cost are justified.

Protecting your board from Denial of Service (DoS) attacks

There have been many prominent articles about web sites being taken down by Denial of Service (DoS) attacks. A Denial of Service attack is when a machine on the internet sends so many requests to your web server in a short period of time that the web server can’t keep up with the demand. This makes it unavailable to legitimate users and often returns cryptic error messages to users. It’s like your web server blows a fuse. Even after the attack abates, your server may not be able to recover without a reboot or some internal repairs.

In a Distributed Denial of Service (DDoS) attack, a number of machines across the Internet attack your web server at the same time. DDoS attacks tend to be more severe because more requests can be sent at the same time. These attacks become harder to block too, because the Internet Protocol (IP) addresses of attacking machines change.

In this post I’ll look at how to protect your board from both DoS and DDoS attacks using Cloudflare.

What is Cloudflare?

Cloudflare is a prominent company that specializes in implementing content delivery networks (CDNs). CDNs place copies of files on your web sites geographically close to your users, speeding up the rendering of your web pages.

Cloudflare can also protect web sites so that if a DoS or a DDoS attack occurs, the offending machines can quickly be blocked, minimally impacting your site’s availability to legitimate users.

A phpBB board is often part of a web site. Generally, Cloudflare protects domains. I’ll describe how it protects domains. If you want to use Cloudflare to protect a subdomain but not the domain itself, this is a more complex process described here.

Using Cloudflare is not necessarily free, but it often is. You can start with a free plan. If your domain is not used for commercial purposes, you can use Cloudflare for free. If your site is for professional use, the cost is $20/month. Cloudflare can be very pricey for businesses and enterprises: $200/month or more. But if you have this kind of website, you are probably using Cloudflare or a similar service already.

Cloudflare has competitors, so you can shop around if you need to pay for DoS or DDoS protection. Arguably though Cloudflare was the first to master this market and is its industry leader.

Protecting your domain with Cloudflare is generally pretty easy. Let’s look at the steps.

Step 1. Get a Cloudflare account

If you don’t already have a Cloudflare account, you can create one. It’s a simple process that should not take more than a few minutes.

Step 2. Add your domain to your Cloudflare account

Look for the Websites link on the left sidebar. After clicking on it, click on the Add a Site button and add the domain containing your phpBB board. Cloudflare will find your public domain records and show them to you.

Step 3. Change the nameservers for your domain to use Cloudflare’s nameservers

Next, log in to your domain registrar and find the records for your domain. Verify that your domain records match those Cloudflare found. Then change your domain’s nameservers to the nameservers Cloudflare provided. Nameservers tell computers the Internet Protocol (IP) address where your site’s content resides. Cloudflare should provide you with two nameservers.

To make things easier, you may want to access your registrar in a separate browser tab so you can more easily copy and paste Cloudflare’s nameservers into the form provided by your registrar.

Step 4. Wait for the DNS to change

It can take up to 48 hours for your DNS changes to propagate across the Internet, but it is generally quick, with most ISPs getting the updates in one to two hours. While propagation is in progress, your domain should remain accessible, though it may be briefly unreachable.

Your domain may still be affected if a DoS or DDoS attack occurs during the nameserver propagation process. You can get a sense of whether the DNS changes are complete by using a tool like Who.Is to look up your domain and the nameservers it finds for it. When propagation is complete, the nameservers should match those Cloudflare provided to you.
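The Who.Is check above can also be scripted, which is handy when different resolvers are still returning different answers. The following is an added example, not code from the original post or from Cloudflare: it classifies each resolver’s NS answer as complete, pending or partial against the two nameservers Cloudflare assigned. The nameserver names, the old-host names and the canned resolver answers are all constructed placeholders; for a live check it shells out to `dig`, which is assumed to be installed.

```python
import shutil
import subprocess

# Constructed placeholder: the two nameservers Cloudflare assigned to the zone.
# The real names come from the Cloudflare dashboard; these are examples only.
EXPECTED_NS = ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]


def normalize_ns(names):
    """Lower-case and strip trailing dots so 'Ada.ns.cloudflare.com.' matches."""
    return sorted({n.strip().lower().rstrip(".") for n in names if n.strip()})


def propagation_status(observed, expected=EXPECTED_NS):
    """Classify one resolver's NS answer:
    'complete' - exactly the Cloudflare nameservers
    'pending'  - none of them yet (the old nameservers are still cached)
    'partial'  - a mix, e.g. a resolver holding one stale record
    """
    obs, exp = set(normalize_ns(observed)), set(normalize_ns(expected))
    if obs == exp:
        return "complete"
    if obs.isdisjoint(exp):
        return "pending"
    return "partial"


def lookup_ns(domain, resolver=None):
    """Live NS query via `dig` (assumed installed); [] when dig is unavailable."""
    if shutil.which("dig") is None:
        return []
    cmd = ["dig", "+short", "NS", domain]
    if resolver:
        cmd.insert(1, f"@{resolver}")
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    return out.stdout.splitlines()


def check_resolvers(domain, resolvers, expected=EXPECTED_NS, lookup=lookup_ns):
    """Ask several public resolvers and report each one's status. `lookup` is
    injectable so the logic can be exercised offline with canned answers."""
    return {r: propagation_status(lookup(domain, r), expected) for r in resolvers}


# Constructed sample answers standing in for what resolvers might return shortly
# after the nameserver change (not real query results).
SAMPLE_ANSWERS = {
    "1.1.1.1": ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
    "8.8.8.8": ["ns1.oldhost.example.", "ns2.oldhost.example."],
    "9.9.9.9": ["ada.ns.cloudflare.com.", "ns2.oldhost.example."],
}


def canned_lookup(domain, resolver=None):
    """Offline stand-in for lookup_ns using the constructed answers above."""
    return SAMPLE_ANSWERS.get(resolver, [])


if __name__ == "__main__":
    # Swap canned_lookup for lookup_ns (the default) to query real resolvers.
    report = check_resolvers("example.com", list(SAMPLE_ANSWERS), lookup=canned_lookup)
    for resolver, status in report.items():
        print(f"{resolver}: {status}")
```

Until every resolver reports "complete", some visitors are still being sent to the old nameservers, which is the window in which an attack on the domain can still bypass Cloudflare.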

How it works

Most attacks target a domain. DNS resolution is the process of translating a domain name (myspecialboard.com) to an IP address, e.g. 123.45.67.89. Attackers will query Cloudflare’s nameservers to get your IP address. Because Cloudflare constantly monitors the web, it generally knows the IP addresses of attacking machines. It won’t provide your server’s correct IP address to these machines, insulating your web server from most of these attacks.

Attacks may still occur, but are unlikely

Targeted DoS and DDoS attacks can still succeed if the attacker knows or randomly picks the Internet Protocol (IP) address of your web server and attacks it, rather than your domain. As your web server’s IP address won’t be generally known, these incidents should be few and far between. If they occur, it is likely due to an attack on a random IP address.

If you detect a DoS or DDoS attack after being protected by Cloudflare, Cloudflare can still help. Click on your website on the Cloudflare web page and set the Under Attack Mode slider control to On. More details are here. Cloudflare will examine the machines hitting your domain and do its best to block them.

If you use shared hosting, you may still be subject to DoS or DDoS attacks you can’t control. This is because the attack may not be happening to your domain directly, but to another domain on the same server using the same IP address as your web server. Such a scenario though is pretty unlikely.

Session hijacking: what’s (probably) going on

Over the last couple of months I’ve had a number of clients come to me because of mysterious things happening on their forums. Going to a forum they find that they are logged in as someone else and can see things they definitely should not see, such as private messages and forums they don’t have privileges to see. I’ve spent a lot of time trying to figure this out talking to client’s web host support teams and scouting phpbb.com for a solution.

The good news is that this is not due to some deficiencies in phpBB. The bad news is that this is due to the way your web host has configured their servers and it’s affecting phpBB.

phpBB is the #1 forum solution, with something like 70% of the market. But as a percentage of popular software installed on websites, phpBB is tiny, on about 1% of websites. What’s the 800 pound gorilla? It’s WordPress, which runs 27% of websites. So web hosts will meticulously tune their servers to optimize for WordPress, giving short shrift to much of the rest of the open source software out there. Most web hosts now say they are optimized for WordPress and market WordPress-specific hosting. phpBB is being left behind along with lots of other software. Because phpBB builds most of its pages from database content on the fly, it is less amenable to static caching than most open source solutions.

The problem is most acute if you have Bluehost shared hosting. The underlying issue is some software called Varnish, more specifically Varnish HTTP Cache. Varnish helps dynamically driven sites perform more efficiently by caching content in your server’s virtual memory. Web hosts can make more money if they can get more utilization out of one web server. Varnish is one way they keep costs down, as it allows them to stuff more websites on one machine.

Varnish is kind of pointless with phpBB since phpBB already has its own cache, which you can find in your forum’s cache folder. Essentially phpBB programs, templates, stylesheets and SQL calls are all compiled into .php programs in the cache folder so they can be executed more quickly. So Varnish is redundant, but more importantly it interferes with phpBB’s default behavior. So if you have the issue, contact your web host to find out if they are using Varnish and, if so, have them turn it off. As for Bluehost, as of this writing they will tell you they can’t turn it off. You have shared hosting, so one size fits all. They will however be happy to move you to their cloud product. Varnish is not installed there, so you won’t be affected. However, you may have to pay a higher hosting fee.
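To make the failure mode concrete, here is an added example (not phpBB’s or Varnish’s code) that models a shared cache sitting in front of a forum. A cache that keys responses on the URL alone stores the first logged-in user’s page and hands it to the next visitor of the same URL; a cache that honours the response headers bypasses cookie-bearing requests and refuses to store anything marked `private` or carrying `Set-Cookie`. The session ids, cookie name, usernames and URL are constructed, and `shared_cache_safe` is a check you can also run against a real response’s headers.

```python
# Constructed model of a shared cache (Varnish-like) in front of a forum.
# Session table, cookie name and usernames are made up for the example.
SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}


def origin(url, cookie):
    """Stand-in for the forum: renders the page for whoever the session cookie names."""
    sid = cookie.get("phpbb3_sid") if cookie else None
    user = SESSIONS.get(sid, "guest")
    headers = {
        "Cache-Control": "private, no-cache",   # not for shared caches
        "Set-Cookie": f"phpbb3_sid={sid or 'sid-new'}; path=/; HttpOnly",
        "Content-Type": "text/html",
    }
    return headers, f"<p>Logged in as {user}</p>"


def shared_cache_safe(headers):
    """Return (safe, reasons): may a shared cache (Varnish, CDN) store this response?"""
    h = {k.lower(): v for k, v in headers.items()}
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    reasons = []
    if "set-cookie" in h:
        reasons.append("response sets a cookie, so it is specific to one session")
    forbidding = cc & {"private", "no-store", "no-cache"}
    if forbidding:
        reasons.append("Cache-Control forbids shared caching: " + ", ".join(sorted(forbidding)))
    return (not reasons, reasons)


class UrlKeyedCache:
    """Caches by URL only: the misconfiguration that gives one user another's page."""

    def __init__(self):
        self.store = {}

    def fetch(self, url, cookie):
        if url not in self.store:
            self.store[url] = origin(url, cookie)   # first visitor's page is kept
        return self.store[url]                      # ... and served to everyone after


class HeaderRespectingCache:
    """Bypasses the cache for cookie-bearing requests and only stores safe responses."""

    def __init__(self):
        self.store = {}

    def fetch(self, url, cookie):
        if cookie:                                  # personalised request: always origin
            return origin(url, cookie)
        if url in self.store:
            return self.store[url]
        resp = origin(url, cookie)
        if shared_cache_safe(resp[0])[0]:           # store only what is safe to share
            self.store[url] = resp
        return resp


def who_does_bob_see(cache):
    """Alice opens her private-message inbox first; then Bob requests the same URL."""
    cache.fetch("/ucp.php?i=pm", {"phpbb3_sid": "sid-alice"})
    _, body = cache.fetch("/ucp.php?i=pm", {"phpbb3_sid": "sid-bob"})
    return body


if __name__ == "__main__":
    print("URL-keyed cache:       ", who_does_bob_see(UrlKeyedCache()))
    print("Header-respecting cache:", who_does_bob_see(HeaderRespectingCache()))
    print("Safe to share forum page?", shared_cache_safe(origin("/", None)[0]))
```

The symptom the clients describe (seeing someone else’s private messages) is exactly the URL-keyed branch: the cache has no idea that the page body depends on the session cookie. Running `shared_cache_safe` over the headers your forum actually returns tells you whether a correctly configured cache would have had enough information to stay out of the way.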

It’s unclear if Varnish is the sole cause. Other potential problems may be due to Content Delivery Networks (CDNs). This is most typically Cloudflare, since it is bundled free by most web hosts. CDNs attempt to move content closer to the user by having it fetched from server farms geographically close to the site viewer, thus speeding up page load time. This is usually fine with phpBB since CDNs generally only store static files like images. So a CDN shouldn’t cause issues like this, but if you have a CDN you might want to disable it to see if the problem goes away. Note: the one time you do need to do something with your CDN is when you add a style or significantly change the look of your site. Then it’s a good idea to tell the CDN to delete all its cached content. Otherwise, the experience for end users might be mixed or odd.

I also suspect that ModSecurity may be causing issues like this, but I don’t have enough proof yet. If it is enabled, disabling ModSecurity may make your problem go away. As I blogged recently, disabling ModSecurity in general tends to solve a lot of weird phpBB issues, while it may introduce others by potentially making it easier for your site to propagate malware and viruses.