Johnvh.com - online home of John Van Horn » Web stuff http://johnvh.com Online home of Dallas, TX based web developer John Van Horn Fri, 13 Nov 2009 05:42:05 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 Note to self: Minimum requirements for hosting http://johnvh.com/2009/11/12/note-to-self-minimum-requirements-for-hosting/ http://johnvh.com/2009/11/12/note-to-self-minimum-requirements-for-hosting/#comments Fri, 13 Nov 2009 04:53:42 +0000 johnvh http://johnvh.com/?p=263 While it would be nice have my own fancy server, a private server, or a private vm, I really don’t need it. I’ve always opted for shared hosting, because anything else seems like overkill. I currently have a shared plan with Dreamhost and they have served me quite well and meet all my needs. Recently though, while working with another hosting company, I realized there were some things missing that have become absolutely critical to my workflow. So here is my list of bare-minimum requirements for hosting:

  • LAMP

    Linux, Apache, MySql and Php. No Windows please. Not because Windows sucks, but because Windows has no shell access. Cli’s for mysql and php are a plus.

  • Shell access

    For me, there is no better way to work than through ssh and scp. Working through ftp is balls. Also required is easy-to-set-up shell access. Let me check a box on a control panel somewhere and wait at the most 10 minutes. Please do not make me enter my phone number, wait for a call, get a confirmation code from the call, enter the code somewhere in the control panel, and then wait 72 hours for my shell access to be “activated”.

  • Source control

    Binaries. At least Subversion. Git would be ok too. Repo hosting is a plus.

  • Vim

    The ultimate editor.

  • Other binaries

    Curl and/or wget. Ant would be nice too. Xmllint and tidy.

]]> http://johnvh.com/2009/11/12/note-to-self-minimum-requirements-for-hosting/feed/ 0 Wordpress, mod rewrite, and htaccess nightmare http://johnvh.com/2009/02/17/wordpress-mod-rewrite-and-htaccess-nightmare/ http://johnvh.com/2009/02/17/wordpress-mod-rewrite-and-htaccess-nightmare/#comments Wed, 18 Feb 2009 05:08:40 +0000 johnvh http://johnvh.com/?p=157 So I recently blogged about using digest authentication instead of basic for securing your wp-admin directory. When implementing this myself, I had it all set up and working on a subdomain. But, I had the authentication directive in the root .htaccess file as well as the wp-admin/.htaccess file. This made it appear to work just fine. When I went to implement this on here on my live site though, I ran into an issue. The rewrite was being applied no matter what! This resulted in requests to /wp-admin being rewrriten and handled by index.php, and 404'ing.

So save yourself some headaches and searching, and put the following in your root .htaccess file:

PLAIN TEXT
CODE:
  1. ErrorDocument 401 /error.html
  2. ErrorDocument 403 /error.html

Just make sure those files (error.html) actually exist.

I don't exactly know why this works, but it does. I also don't know who is to blame. Textpattern blames Apache configurations for not having valid error documents to serve (they also have the solution). Dreamhost blames overly aggressive rewrite conditions, but I don't know about that either. Seems to me the rewrite conditions are being used correctly. Sure, the requested uri needs authentication, but it exists on disk. Props to other folks too for other ideas, and the final solution.

]]> http://johnvh.com/2009/02/17/wordpress-mod-rewrite-and-htaccess-nightmare/feed/ 0 Use digest authentication http://johnvh.com/2009/02/11/use-digest-authentication/ http://johnvh.com/2009/02/11/use-digest-authentication/#comments Thu, 12 Feb 2009 03:08:18 +0000 johnvh http://johnvh.com/?p=153 I've seen several articles that discuss Wordpress security - just search for it - say that you should password protect the wp-admin directory. You can do this easily with Apache by using authentication directives, which allow you, per directory, to require a valid user name and password from a client before serving up any content. As of right now, there are two types of authentication that are prevalent out of the box: basic authentication, and digest autentication.

All the security articles I've read recommend setting up basic authentication. I understand that the point is to have password protected access, but basic authentication is not secure. When your browser is challenged with the basic authorization protocol, the user name and password you enter is just base 64 encoded. If someone intercepted a request header on the way to your server after you've authenticated, there would be virtually no work at all involved in decoding your user name and password.

Alternatively, and just as easily, you can use digest authentication, which is considered to be much more secure than basic. It uses MD5 encryption, and other techniques to make the output nearly one way.

Consider the following exceprts from a .htaccess file:

PLAIN TEXT
CODE:
  1. #Use digest authentication
  2. AuthType Digest
  3. AuthName "private"
  4. AuthDigestFile /home/yourusername/.htdigest
  5. Require valid-user

PLAIN TEXT
CODE:
  1. #Use basic authentication
  2. AuthUserFile /home/yourusername/.htpasswd
  3. AuthName "restricted"
  4. AuthType Basic
  5. Require valid-user

Both should be fairly easy to setup with the Auth directives, and Apache ships with CLI tools for easily adding users and password files: htpasswd, and htdigest.

]]> http://johnvh.com/2009/02/11/use-digest-authentication/feed/ 1