Mar 28, 2007

As I expected in the previous post, all the shouts of the journalists that people downloading tons of video will overload bandwidth capacities of Internet Service Providers are ungrounded.

IBM presented a new fiber-optic chipset that can transfer 160 Gigabits (20 Gbytes) per second.

There is also a nice article from Reuters about Web 2.0 startups funding.
They write that investments in web 2.0 startups are not high, but doubled last year: $844.4 million for 167 firms in 2006, up from 95 companies the year before and just 35 in 2004.

Mar 18, 2007

new york times for lamers

A customer of mine sent me an article from the New York Times: "Popularity Might Not Be Enough". Across 3 screens of text they chew over the idea that life is hard, the internet is not a place where money falls for doing nothing, and "for a general-interest site to generate $50 million" per month the site has to have "billions page views a month". Did I miss something, or are they just comedians?

I especially laughed at "new technologies that could allow I.S.P.’s to identify the biggest bandwidth users". Technologies to track statistics of traffic consumed per user are something new?
If an ISP sells an "unlimited traffic" package, it is not bound to bandwidth. If it's "to identify the biggest bandwidth", it is not "unlimited". In the worst case unlimited packages will become more expensive and ISPs will offer the "per-GB" packages again.

Why do people waste so much time on freebie hunting and fake fears ... infantility?

Mar 11, 2007

PHP security settings

Sometimes there is a need to set up a 3rd party script, like a forum, on the dedicated server I am responsible for.

Maybe you remember, a couple of years ago a serious security issue was discovered in phpBB, a very popular forum software at that time, and hundreds of thousands of servers all over the world got infected by a worm. I do remember that case.

So there is a question: how do you use a 3rd party script that you don't fully trust?
There are several options I recommend using when compiling PHP, in php.ini and in the VirtualHost section (for some sites).

Here are some settings I personally use in VirtualHost (configuration of the Apache web server) to run a potentially insecure application:



<VirtualHost *>
...
php_admin_value upload_tmp_dir "/path/to/upload_tmp"
php_admin_value open_basedir "/path/to/forum:/usr/local/lib/php"
php_admin_value disable_functions "shell_exec,exec,system,passthru,proc_open,popen,curl_exec,pcntl_exec,socket_create,socket_create_listen"
</VirtualHost>

(Note: I have the disable_functions value written on one line without spaces)

There are some security-related settings I have in php.ini on the production servers (PHP 5.2).

;turn on for the sites I need in the per-host config
register_globals = Off

;not really safe, yet too restrictive IMHO
safe_mode = Off

;notices almost always tell about more serious problems
error_reporting = E_ALL

;it doesn't protect against SQL injection anyway
magic_quotes_gpc = Off

;don't allow arbitrary code to be loaded and executed as a module
enable_dl = Off

;Anti-DOS settings
max_execution_time = 30
memory_limit = 16M
post_max_size = 8M
upload_max_filesize = 6M

;before PHP 5.2 (when allow_url_include was not available) I had it "off"
allow_url_fopen = On
allow_url_include = Off

;Never use /tmp, critical projects may need a completely separate storage
session.save_path = "/home/www/sessions"

;I don't allow session id in URLs
session.use_only_cookies = 1


When I set up (compile) PHP on the server, I compile the web server module and the CLI module separately, with different options for the ./configure command.
For the web server module I add "--disable-posix --disable-sockets --disable-ftp --disable-sysvsem --disable-sysvshm --disable-shmop --disable-pcntl"
For the CLI module I have these options "--enable"d.

These settings provide me with almost unlimited flexibility of the dedicated server environment and good security while running my code (not recommended for public hosting).
I run the untrusted code as separate sites, adding the "disable_functions" setting you can see above in the VirtualHost section.
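
A check for the settings above, as an added example that is not the author's code: a PHP script to place temporarily inside the virtual host, which reports the values PHP actually enforces there. The expected values and the /tmp rule come from the post; the OK/FAIL/SKIP report format is an assumption.

```php
<?php
// Added example: request this file inside the virtual host to see which of
// the post's settings PHP really enforces there. Remove it afterwards.

// Boolean directives and the values the post sets ('1' = On, '0' = Off).
$expected = array(
    'register_globals'         => '0',
    'enable_dl'                => '0',
    'allow_url_include'        => '0',
    'session.use_only_cookies' => '1',
);
$truthy = array('1', 'on', 'yes', 'true');
$report = array();

foreach ($expected as $name => $want) {
    $raw = ini_get($name);
    if ($raw === false) {            // directive unknown to this PHP version
        $report[] = "SKIP  $name";
        continue;
    }
    $have = in_array(strtolower(trim($raw)), $truthy, true) ? '1' : '0';
    $report[] = ($have === $want ? 'OK    ' : 'FAIL  ') . "$name = $have, want $want";
}

// open_basedir must be set, otherwise file access is not confined to the site.
$basedir = (string) ini_get('open_basedir');
$report[] = ($basedir === '' ? 'FAIL  ' : 'OK    ') . "open_basedir = \"$basedir\"";

// "Never use /tmp": an empty value falls back to the system default directory.
foreach (array('session.save_path', 'upload_tmp_dir') as $name) {
    $dir = (string) ini_get($name);
    $shared = ($dir === '' || $dir === '/tmp' || strpos($dir, '/tmp/') === 0);
    $report[] = ($shared ? 'FAIL  ' : 'OK    ') . "$name = \"$dir\"";
}

// Every name in disable_functions must really be uncallable. The PHP manual
// documents this directive as php.ini-only, so compare the list with what
// function_exists() reports (false for disabled or absent functions).
$listed = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
if (!$listed) {
    $report[] = 'FAIL  disable_functions is empty';
}
foreach ($listed as $fn) {
    $report[] = (function_exists($fn) ? 'FAIL  ' : 'OK    ') . "$fn listed as disabled";
}

header('Content-Type: text/plain');
echo implode("\n", $report), "\n";
```

A FAIL on a function name means the name appears in the configured list but is still callable for that site, so the restriction has to be moved to where PHP applies it.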

Mar 5, 2007

spring flowers

Today I bought flowers! It is unusual - yet very exciting :)
Here they are - images of a web cam quality, but I enjoy them!