Skip to main content

Better Security and DX

· 6 min read
Wildan Mubarok

This January 2024 bring many improvements into security and developer experiences!

Security Enforcement

Last six months has been a roller coaster for us since more users came in and put some resource-intensive background tasks that depletes server resources.

We introduced a background task killer which kills processes that's left spawn detached from main process (coming from PHP-FPM or Passenger Phusion). This task killer runs every 5 minutes and kills all background process running more than 60 seconds. Of course, this exclude users who currently logging in via SSH so things like VS Code server can still run unaffected.

We also running a routine check to make sure that no user-made cron job is running no more than hourly.

Lastly, we made a decision to mandatorily enable firewall for all free users. This effectively disables any ability that leads to spam and proxy bot, keeping our server clean while still continuing to provide a generous free plan.

Experimental Docker Support

Docker support is tricky as it's requiring root access. Now, we're able to utilize docker by using Podman in rootless mode. However, some tricky setup is required to make it work.

Docker feature can be enabled via runner. But in order to do it you need to be in Kit plan or above. This is because we need to disable our background task killer and allows the software to run 24/7.

You can read more about the Docker feature in the documentation.

Deploy key GitHub

Last time we showcased that you can clone project from GitHub to our websites. What about private repositories?

Private repositories are tricky because you need an access before able to read the code. In the past we've used to request Full Access token but it's risky for our users as the whole user's private projects is exposed. We need a way to be able exposing only one private project not the whole private repo.

Enter deploy keys. Deploy keys are public keys which used like SSH logins to authenticate from automatic scripts. When we detect that your repo URL is private during prompting a new website with clone option, we ask you to install a public key into the repo.

deploy key

This public key is generated from a pair of private-public key that's just generated for you. While the public key is inserted into repository, the private key is installed into the server. The key generated is created from this command:

ssh-keygen -t ecdsa -b 256 -C -f $file -q -N ''

Backup System

We all have times where we need to prepare a backup in case things broke our website in future. This is why we introduce a backup system.

Our new backup system leveraged by S3-like storage object which is very cheap in terms of cloud cost. When you create a backup, all website data including files and databases are zipped into one backup file then uploaded into our S3-like storage. You can download the backup or ask us to restore it. Backups will not be removed in case the origin website instance is deleted.

To access backup go the Backup tab in portal. Backup creation can only be done for subscribing users at no additional cost.

Plan Adjustments

We've increased monthly data cap to enable larger traffic within the same plan:

  • Lite: 15GB -> 20GB / month
  • Kit: 50GB -> 100GB/ month
  • Pro: 150GB -> 500GB / month

We also reduce minimum payment from 10$ to 4.5$. This allows you to purchase a Lite plan for 3 months instead of 7 months.

Web Portal Improvements

  • The Web SSH interface is changed to webssh2 enabling secure login using POST.
  • Filestash Web Admin is available for easier web-based file uploads
  • When uploading template files from local folder, binary files is now filtered
  • Our portal email communications is now using fully localized language
  • Our registrar-related email communications is now using english
  • You can create a new template from existing websites
  • You can now change a website's password
  • You can see NGINX and App logs from portal
  • You can print invoices for any purchases
  • DNS is now automatically turned on/off when renaming domains
  • Improved localization coverage, including adding spanish language
  • Improved check connection detection
  • Stroger registration requirement when registering using email

Server Improvements

  • We have enabled three new server locations 🎉
    • Osaka, Japan
    • Bangalore, India
    • Sao Paolo, Brazil
  • Singapore and New York is now upgraded to 2 vCPU and 2GB RAM
  • PHP default upload file size is now set to 512 MB
  • Rocky Linux OS has been upgraded from 9.2 to 9.3
  • NGINX has been upgraded from 1.20 to 1.22
  • PHP 8.3 is available and should be the default
  • Fail2Ban retry limit increased from 3 to 10 attempts
  • Let's Encrypt schedule will stop retrying if fail multiple times
  • Added Discord, VSCode, PayPal, Google SiteKit as whitelisted firewall sites
  • Installed awscli, nvim and btop

Deployment System Improvements

  • Overall script duration limit is increased from 10 to 15 minutes.
  • Rate limit throttles to 60 per day instead of 5 per hour
  • Commands now has dotglob enabled, enabling rm -rf automatically includes dotfiles
  • * and * will use shared SSL to avoid depleting Let's Encrypt limit
  • All user processes will be killed before deleting websites
  • You can now place a .tar.gz file as a source URL
  • In NGINX config, a passenger set_header_list can be set to include custom header info like proxy_set_header
  • Fixed handling root and ssl for subdomain
  • Added ssl self-sign feature to enable self signing SSL
  • nginx handling is now executed first before scripts
  • java install feature is available, we use dotnet build for the binary
  • Another install feature includes zig, bun, dotnet deployment instructions
  • ftp is no longer available. Use SFTP (FTP over SSH) which is always available

That's a lot of improvements in last six months! We hope you enjoy our services, and we'll see you in the next update!