Technical features and software versions

Burina.NET Web hosting service is based on the Linux platform. All relevant software packages and subsystems are built on the most recent, up-to-date stable versions. The most important details are listed below:
| Software package | Version |
|---|---|
| Apache Web Server | 2.2.8 |
| PHP (CGI/FastCGI SAPI) | 5.2.6 |
| MySQL Server | 5.0.45 |
| PostgreSQL Server | 8.2.9 |
| Tomcat Java Server | 5.5.23 |
| Mono Server (ASP.NET) | 1.2.1 |
| GD Graphic library | 2.0.35 |
Why CGI/FastCGI SAPI - PHP security!

In most cases, low-budget web hosting services implement a technique known as "shared" or virtual hosting. This means that a large number of web sites reside on the same web server, at both the hardware and the software level. The Apache web server, like many others, serves all those sites under the same system username and group.
On the vast majority of web servers the PHP interpreter is implemented as an Apache module (DSO), for optimum performance and the ability to host a large number of web sites simultaneously. What hosting providers often fail to tell their customers is that in such an environment ALL PHP scripts, at the server level, have exactly the same privileges. This means that if your PHP script can read a file or perform some function, every other script on every other web site can do exactly the same, and there is no way to protect any confidential information (such as your MySQL username and password) that might be written there. No matter how strongly your data is protected from the outside, there is no protection at all from other users of the same shared server.
Burina.NET Web Hosting service implements additional techniques that allow PHP scripts (just like CGI scripts) to run with their owner's privileges, that is, the privileges of the username you use to manage your site via FTP. This way we have completely eliminated one of the biggest security issues on shared web hosting platforms.
To protect a PHP script that contains sensitive information, you need to configure its file system attributes so that only the owner has the right to read or write it. This can be done in several ways, depending on the FTP client you are using. For example, at the command prompt of a text-based FTP client, you would enter:
chmod 600 filename.php
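The same owner-only restriction, applied and then verified from a shell on the server, as an added example that is not part of the Burina.NET page. It assumes a Linux host with GNU coreutils (`stat -c`); the file name and its contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Burina.NET page): restrict a PHP config file to
# its owner, as the chmod 600 step above describes, and verify that it took.
# Assumes GNU coreutils (stat -c); the config file below is constructed.

# Print the octal permission bits of a file (e.g. 600, 644).
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 when no group/other permission bits are set, i.e. the file is
# accessible by its owner only; return 1 otherwise (or if stat fails).
is_owner_only() {
    mode=$(file_mode "$1") || return 1
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Apply chmod 600 and fail if the result is still readable by others
# (for example on a filesystem that does not honour mode bits).
harden_config() {
    chmod 600 "$1" || return 1
    is_owner_only "$1"
}

# Demonstration on a constructed file in a temporary directory.
demo() {
    tmpdir=$(mktemp -d) || return 1
    cfg="$tmpdir/config.php"
    printf '<?php $db_pass = "example-only";\n' > "$cfg"
    chmod 644 "$cfg"        # a typical default: readable by every local user
    if is_owner_only "$cfg"; then
        echo "unexpected: $cfg already owner-only"
    else
        echo "$cfg is readable by other users (mode $(file_mode "$cfg"))"
    fi
    harden_config "$cfg" && echo "$cfg now has mode $(file_mode "$cfg")"
    rm -rf "$tmpdir"
}

demo
```

Because the hosting setup runs each site's PHP under its own owner, mode 600 is enough to keep the file out of reach of other customers' scripts; on a server where PHP runs as a shared DSO user this check would pass and the file would still be readable by every site.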
FTPS (FTP over SSL) - Safe data transfer

Besides the standard FTP protocol for web site content management, Burina.NET also provides a more secure way of doing the same job, using FTPS - FTP over SSL. This virtually eliminates any chance of "sniffing" your username and password (or any other sensitive data) on your LAN, or anywhere on the path between you and the web server.
The list of FTP clients that support FTPS protocol can be found here.
The FTPS protocol offers several methods of interaction between the client and the FTP server. Burina.NET recommends using the "Auth TLS" method.
Password protection of directories

At initialization time, a certain directory structure has already been created in your FTP root. Among other directories there is one named ./auth , which already contains a file with a username and password for accessing the Web Statistics page. Although it is not mandatory, our recommendation is to use this directory to store any password files for protecting certain segments of your web site. As long as the password file resides here, its name is not of much importance. This directory, as well as any other you create at the same hierarchical level, is not in any way accessible via HTTP, and can therefore be considered a private zone of your disk space on the server. If you need to store your password files inside the document root /html directory, make sure the file name is ".htpasswd" or similar: files with names that begin with ".ht" cannot be retrieved via HTTP.
If you use Microsoft Windows, you can use the program htdigest to create the password file. Unzip the archive to some folder on your local disk, and then open a command window in it. Example: you want to protect the directory "admin" under the authorization name "Admin zone", with the username "adm" and password "test1", and to store that information in a file named admin.pwd . In the command window type the following:
htdigest.exe -c admin.pwd "Admin zone" adm
The program will ask for the password twice:
C:\Temp>htdigest.exe -c admin.pwd "Admin zone" adm
New password: *****
Re-type new password: *****
C:\Temp>

If you need more than one username/password pair, you can add them to the same file by running htdigest.exe again without the -c option, entering a different username at the end of the line each time.
Finally, the file admin.pwd has to be transferred to the ./auth directory on the server using FTP.

.htaccess file - Apache configuration options for the protected directory
All web sites reside in the directory /var/www/sites on the server, with your domain name appended at the end (without "www"). For example, for the site www.burina.net , the complete path to the FTP root directory would be /var/www/sites/burina.net . You need this information for the .htaccess file, which has to be created in the protected directory. Continuing the previous example, the contents of this file would be the following:
AuthName "Admin zone"
AuthType Digest
AuthUserFile /var/www/sites/burina.net/auth/admin.pwd
Require valid-user

Be careful - choose something meaningful and unique for the AuthName value. If you protect more than one site segment this way and configure the same AuthName value for all of them, successful authentication for any one segment will automatically apply to all of them.
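To show what htdigest actually writes into admin.pwd, and why the AuthName in .htaccess must match the realm the file was created with, here is an added shell example that is not part of the Burina.NET page and not Apache's own htdigest tool. It reproduces the digest password-file line format (user:realm:MD5 of "user:realm:password") with `md5sum` from GNU coreutils, supports appending a second user as the text above describes for running htdigest without -c, and verifies a password against the file. The user names, realm and passwords are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Burina.NET page and not Apache's htdigest:
# builds digest password-file lines in the same format (user:realm:HA1, with
# HA1 = MD5("user:realm:password")) and checks passwords against them.
# Assumes md5sum from GNU coreutils; all sample values are constructed.

# HA1 hash as stored by htdigest: MD5("user:realm:password") in hex.
digest_ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# One password-file line: user:realm:HA1.
digest_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$(digest_ha1 "$1" "$2" "$3")"
}

# Add a user to FILE (creating it if needed), keeping existing entries.
#   digest_add FILE REALM USER PASSWORD
digest_add() {
    digest_line "$3" "$2" "$4" >> "$1"
}

# Check USER's PASSWORD in REALM against FILE; returns 0 on a match.
# The realm is part of the stored hash, so a .htaccess whose AuthName
# differs from the realm used at creation time can never authenticate.
#   digest_verify FILE REALM USER PASSWORD
digest_verify() {
    want=$(digest_ha1 "$3" "$2" "$4")
    grep -qxF "$3:$2:$want" "$1"
}

demo() {
    f=$(mktemp) || return 1
    : > "$f"
    digest_add "$f" "Admin zone" adm test1        # like: htdigest -c admin.pwd "Admin zone" adm
    digest_add "$f" "Admin zone" editor secret2   # like: htdigest admin.pwd "Admin zone" editor
    echo "password file contents:"
    cat "$f"
    digest_verify "$f" "Admin zone" adm test1 && echo "adm in 'Admin zone': accepted"
    digest_verify "$f" "Other zone" adm test1 || echo "adm in 'Other zone': rejected (realm mismatch)"
    rm -f "$f"
}

demo
```

Note that the stored value is an unsalted MD5 of user, realm and password, so the file itself must stay outside the document root (the ./auth directory above) and out of reach of other users, exactly as the page advises.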
Web Statistics

Every Burina.NET Web Hosting service includes a Webalizer web statistics page that can be accessed at the following location: http://yourdomain/stats . The username and password for this page were defined at hosting service initialization time, but you can change them at any time by following the procedure described in the section Password protection of directories.