Closed. This question is opinion-based. It is not currently accepting answers.
Closed 3 years ago.
I'm working in a company where we have built a SaaS application with the PHP/MySQL/Redis/JS stack.
It runs in our own Google Kubernetes Engine as a hosted/managed service for our clients.
Most of our business logic is placed in the PHP-layer.
Now we want to provide our product as an on-premise solution, so that our clients can deploy the whole product in their own private cloud or maybe even in their own basement.
This also means that the clients get access to all our "business secrets" (business logic) and this worries me.
We are a small business and we are doing business with large companies. Some of them might be interested in doing what we do themselves.
PHP is not compiled, and the obfuscators I have found do not seem to obfuscate the code very much.
We have talked about the following solutions:
Trust the customers to not copy/get inspired by our solution and only protect it through law/contracts
Move some vital parts of our logic to our own server and make the on-prem solutions call to our server sometimes. This way we can control licensing etc. But we fear that the customers then will say that it is not totally on-prem. Which is true.
Obfuscate it the best we can and hope for the best. Maybe we are just paranoid?
Do something that makes it possible for the clients to run the code in their private cloud without accessing the source code - we have looked into Google Cloud Marketplace, but as far as I can see, the clients will get access to the VM.
Do you have any good inputs in this regard?
We are looking for creative solutions. The main goal is to protect our business.
It would be best if we could offer our Kubernetes setup as a fully on-prem solution, but if you have good ideas as to how we can provide it to clients' private clouds (even only in GCP), that is also very welcome.
Thanks in advance!
Your question relates rather to IP than to k8s and clouds.
Solutions are:
Trust and open source
Trust the customers to not copy/get inspired by our solution and only protect it through law/contracts
You are right. And there is a power.
“The best way to find out if you can trust somebody is to trust them.”
― Ernest Hemingway
You can select appropriate license and give your app to the client.
See this answer:
Some parts of an EULA that come to mind:
Limiting your liability if the product has bugs or causes damage.
Spelling out how the customer can use their licensed software, for how long, on how many machines, with or without redistribution rights, etc.
Giving you rights to audit their site, so you can enforce the licenses.
What happens if they violate the EULA, e.g. they lose their privilege to use your software.
You should consult a legal professional to prepare a commercial EULA.
"EULA advice" on joelonsoftware
"How to Write an End User License Agreement"
Not-prem
Move some vital parts of our logic to our own server and make the on-prem solutions call to our server sometimes. This way we can control licensing etc. But we fear that the customers then will say that it is not totally on-prem. Which is true.
Not the best solution, since it's not real on-prem.
Your client's servers may be located in a secure zone behind a firewall without access to your server.
Anyway, it's a popular solution.
For example, see how Vepp works.
Obfuscate it the best we can and hope for the best. Maybe we are just paranoid?
Solutions are:
ionCube PHP Encoder
SourceGuardian
Thicket™ Obfuscator for PHP by Semantic Designs
Zend Guard
There are some vital examples of php-driven self-hosted applications.
E.g. self-hosted Bitrix24
Private cloud with encryption
Do something that makes it possible for the clients to run the code in their private cloud without accessing the source code - we have looked into Google Cloud Marketplace, but as far as I can see, the clients will get access to the VM.
Yes, you can distribute your app as encrypted VM.
VirtualBox: install the Oracle VM VirtualBox Extension Pack and enable disk encryption
VMware vSphere: you can use virtual machine encryption since v6.5
AWS, GCP, Azure support encryption of your data. If your client agreed with cloud hosting, it might work.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I'm planning a large PHP project for a commercial website dealing with Bitcoin-related services. This will be an attractive target for hackers.
Besides making the site itself as secure as possible, I'm also wrapping my head around things like: database logins and passwords, public + private keys, secret authentication keys for remote APIs or external services, SSH keys, Bitcoin wallets, etc.
Obviously I need them somewhere within my PHP sources. I usually put all secret or sensitive details in a separate include file (e.g. 'passwords.php'), which I place outside of the HTTP document root. So visitors can never directly access the file itself.
But there's more:
What about the hosting provider? Of course I have to trust them if I'm hosting my server with them in the first place, but is there anything I can do to lower the risk of some employee abusing risky stuff such as Bitcoin exchange API keys?
Git repositories: especially if we are to host git repositories remotely, should I keep the passwords.php file completely out of the git repository, to make sure the data doesn't leak anywhere? (But then how do I go about version control or distribute it to team members?)
Strict communication policies: I will be working with multiple people, and I want to avoid anyone ever emailing or plain-FTP'ing these sensitive details. Some people will only need access to a testing environment, not the actual production server. How do I restrict access to passwords.php (containing actual server logins etc) only to those who really need it?
I have no clear idea yet exactly how to tackle these issues. Would anyone have some suggestions, or an indication how to set this up correctly?
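One way to handle the "passwords.php outside the document root" setup described in the question, as an added example that is not part of the question or any answer: the secrets file lives in a directory that is neither under the web root nor inside the git checkout, one file per environment so testers never receive production credentials, and the loader refuses to start if the file is readable by other accounts on the host. The directory `/etc/myapp/secrets`, the `APP_ENV` variable and the key names are assumptions for this example; a Linux host is assumed for the permission check.

```php
<?php
// Added example (not from the question or any answer). Assumes PHP 7+ on Linux,
// a secrets directory outside the web root and outside the repository, e.g.
//   /etc/myapp/secrets/production.php   (mode 0600, owned by the PHP user)
//   /etc/myapp/secrets/testing.php
// each of which simply does:  return ['db_user' => '...', 'db_pass' => '...'];
declare(strict_types=1);

function loadSecrets(string $baseDir, string $env, array $required): array
{
    // Only allow a plain word as the environment name: it is used to build a path,
    // so anything like "../" must never get through.
    if (!preg_match('/^[a-z]+$/', $env)) {
        throw new RuntimeException("invalid environment name: $env");
    }
    $path = $baseDir . '/' . $env . '.php';
    if (!is_file($path)) {
        throw new RuntimeException("secrets file missing: $path");
    }
    // Fail closed if group or other can access the file (mode bits 0077). On a shared
    // host or a box with other shell accounts this is what keeps the credentials private.
    if ((fileperms($path) & 0077) !== 0) {
        throw new RuntimeException("secrets file $path must be mode 0600");
    }
    $secrets = require $path;
    if (!is_array($secrets)) {
        throw new RuntimeException("secrets file $path must return an array");
    }
    // Every environment file must define the same keys, so a missing production
    // value is caught at startup instead of at the first API call.
    foreach ($required as $key) {
        if (!isset($secrets[$key]) || $secrets[$key] === '') {
            throw new RuntimeException("secret '$key' is not set for environment '$env'");
        }
    }
    return $secrets;
}

// The environment is chosen by the deployment (web server config or systemd unit),
// never by the request, so a testing deployment cannot ask for production.php.
$env = getenv('APP_ENV') ?: 'development';
$secrets = loadSecrets('/etc/myapp/secrets', $env, ['db_user', 'db_pass', 'exchange_api_key']);
```

With this layout the repository only ever contains an example file with placeholder values, and the real `production.php` is placed on the server by whoever administers it; adding `secrets/` to `.gitignore` keeps a local copy from being committed by accident.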
This sounds like quite an undertaking. Lots of risk involved. But props for going after your goal.
As for security, I'm no expert, but your best bet would probably be heavy encryption. Beyond that, I think there will always be vulnerabilities to face when dealing with external sources such as ISPs and hosting providers. You just can't think like that, and if you can't help it, you need to find a new host.
I would suggest hosting your application using Amazon Web Services. They provide easy to manage, secure, reliable web services. Once you start segmenting your application out (db servers, cache clusters, media servers, etc) it will become less of 'I hope I don't get hacked' and more of 'I hope I can manage all this crap by myself!'.
I suggest you seek a seasoned full stack developer, or even a small team, with an emphasis on security and encryption. With all the MtGox stuff that went down you are treading down a very serious road, so be very cautious and diligent. Best of luck.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
So I've always relied on more traditional hosting when it comes to hosting my websites - either with shared or dedicated hosting. The time has come (or maybe it came long ago) for me to consider the cloud. But with the cloud come a few concerns (all arising out of my own ignorance) and I'm hoping StackOverflow can put my fears to rest.
While I've heard some answers to my questions in the past, I'm hoping to get enough feedback, and also hopefully provide a valuable resource to any others out there like me.
1) First off - how does it all work? I mean, I get the network of clouds, spinning them up and down as I need it. But until now, I've always opened up an FTP client, connected to my server and uploaded my website. My guess is this all works the same way with the cloud, but how is it all managed? How do I update files and how would I delete them? Would an FTP client suffice for the simple file-management of a website?
2) A lot of shared hosts use PHP4, and allow PHP5 with the right extension - how does this, and all the PHP extensions work? How would I turn on the mod_rewrite extension, for example? How would I select my version of PHP? Can I curl?
3) What about things like cron jobs, or administrating a mysql database? Can I access my database via a phpmyadmin interface, or via the MySQL Query Browser?
4) Lastly, how does the cost really compare to shared hosting? I know it all depends on traffic, so to phrase my question differently, where do the cost lines intersect (if at all?) For example, if I pay $100/month for a dedicated server, and can support 300,000 page visits, or 2-3 page visits per second, what would the cost be for similar usage?
As always, I appreciate the help, and hope it's enough to encourage me to use the cloud. It's so fancy!
I'd vote for Cloud Sites http://www.rackspace.com/cloud/cloud_hosting_products/sites/
I'd imagine the methods used to manage your site (in the case of Cloud Sites) would be very similar to those of your traditional shared host with something like Plesk or cPanel installed.
The term "Cloud" is used in many ways... What you describe is more likely a virtual root server - which you can freeze or unfreeze at will (EC2, JiffyBox (Disclaimer: I am not affiliated with any of these :)).
If you have good LAMP/Linux knowledge you do not have to worry about things like mod_rewrite etc. because you have the power to change it to your liking.
If your knowledge about root servers is limited - you can install free/open-source tools like webmin.
If you are not too enthusiastic about running your own server, managed hosting is probably better.
Sorry - I cannot comment on the costs.
You should be afraid...very afraid.
For offloading multiple long running tasks, clouds are fine.
However, when every web request to build a page has to go through a boat load of algorithms to find the resource, performance will suffer. (In my limited experience).
Do testing before committing to anything.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I am a .NET developer. A friend of mine is planning to outsource a website. He is getting quotes which are very cheap, but the sites will be in PHP/MySQL.
At this point he does not have any resources, and that includes no development machine, no programmer or whatsoever (he only has some money to invest :)). Now he wants me to get involved in this project and manage the website once the outsourcing company hands over the application (including source code) to us.
Till now I have worked with VS / ASP.NET / IIS and VSS. I haven't worked a bit with php/mysql but given google / SO and little time I will be able to manage.
So I need help on identifying:
1: What all I need on my development machine. Because after the application is handed over to me, I will be responsible for fixing minor bugs and minor modifications. For major additions of new features we might go back to outsourcing (same or different company).
2: Anything specific to web-hosting I need to be aware of because ultimately I will be responsible to find host provider and manage the website.
3: Anything that can help me get going fast on php.
Editor: PHPStorm or Eclipse are popular choices.
Test Server: XAMPP which you can install locally on windows.
Version Control: Subversion (choose whichever client and server you find free).
Hosting: I like site5 for cheap shared hosting. Depends on the site's needs however.
Learn phpMyAdmin. It's a simple-to-use MySQL database administration tool that's already included on most LAMP stacks. It allows you to set up tables, run queries, back up, etc.
I like XDebug for remote debugging and profiling. Most major IDEs are integrated with it.
To learn the code, just use the PHP online documentation. It's pretty good.
Make sure you have a similar setup as to what the outsourcing company used. Mainly: OS, Webserver/version, PHP version, MySQL version. Differences are minimal but they do crop up every now and then.
Don't skimp on price. If your hosting plan is cheap you will get exactly that.
Read their code and try to understand it (PHP is very easy to read). If you can't understand it they probably did a very bad job ;)
Suggest hitting godaddy.com for your hosting needs for most small-medium solutions. While it's true that you can host a server in your basement, it's generally more trouble than it's worth; you can buy a domain name and a year of hosting for a hundred dollars and save yourself dozens of hours of headache and downtime. While there are places that will host your site for free, a lot of times you get what you pay for.
Once the site is developed it's a (relatively) simple matter to copy-paste the site files and database; your outsource company can probably deploy their product to your godaddy server in a matter of minutes.
For your dev machine, I recommend Eclipse with the PDT plugin as your editor (download the "php version" of eclipse). I strongly recommend svn or some other source control. It's very useful to have apache and mysql installed on your dev box along with your site and db so you can test changes locally. When developing, it's good practice to test on at least IE, firefox and chrome as they're the most popular browsers at the moment.
php.net is the equivalent of the java.sun.com/reference/api/ and is searchable by function name. It also has a manual; start here http://www.php.net/manual/en/ but for small edits, if you're familiar with any c-syntax language and html you shouldn't have a problem. Just don't forget your dollar signs and semicolons.
We have a custom software project that's database driven (MySQL) and is built with php and some public and custom libraries.
It's currently being hosted on a VPS, and being the intern, I've been assigned the task of researching how we can transition it so it can be hosted in a cloud.
My research so far has led me to providers such as Amazon EC2, but they don't say much about the software side of things. Some of the literature suggests that it's not a simple matter of just moving the software to the cloud. It looks like modifications to the software need to be made. I'm not sure like what (do I need wrappers around it, or something like that)? I need some clues to get started in the right direction.
I'm planning to pick up a book on this topic, but I'm interested in hearing from others what standard changes we're likely to need to make for this use case.
This sounds like another case of the business hearing a new tech word and saying "well, why are we not doing that?" This boils down to: what do you want to gain from moving to the cloud? What type of application is this? Since you mention PHP and MySQL, I am assuming this is possibly your company's web application or intranet of some sort. The benefits of the cloud lie in scalability and computing resources provided on demand, with additional abilities for redundancy in your data store.
Long story short though, with a web application you will not be much concerned with any of this when moving to the cloud as your scripts will run on your instance in the cloud and the cloud will handle resource allocation and what not.
"cloud" is a fancy word for VPS with some extra features like performance scaling without reboots and seamless migration from one hardware box to another. If your application works fine on VPS, I would not envision you will need to change anything.
The providers don't say much about the software side of the things, because from such a high-level environment like PHP and MySQL it makes no difference if you run it in VPS, bare iron or the cloud.
The only issue you may have is MySQL performance, but again, if you were fine with VPS you will be fine with the cloud.
Unless your software is very poorly written, there should be no concern about whether it runs on a VPS or in the cloud. In fact, your software likely wouldn't know the difference.
I've been assigned the task of researching how we can transition it so it can be hosted in a cloud.
You've jumped straight into questions about transitioning of software, which won't be an issue. Your boss may actually be more interested in finding out if a move to EC2 will impact: security (maybe), processes (maybe) and admin access to the box (maybe). It's hard to answer these questions, because they're usually dependent on your corporate policies.
This question already has answers here:
Best solution to protect PHP code without encryption
(11 answers)
Closed 3 years ago.
I was thinking of making a commercial application to sell to customers to install on their servers but I wanted to do it with PHP & MySQL.
What should I do to ensure that the source code (and database) will not be opened or copied?
The most important thing is the code will be hosted on the customer server.
And also how to ensure that the customer will not resell the web application (like copying the code & Db to other people)
Thank you
There are a lot of questions around PHP code obfuscation / encryption / compilation on SO. Check them out.
There are a number of products to protect PHP code, like Zend Guard, ionCube Encoder and others.
Related SO questions:
Minify / obfuscate PHP code
Best solution to protect PHP code without encryption
PHP Source Encryption - Effectiveness and Disadvantages
How can you make a PHP application require a key to work?
Can I encrypt PHP source or compile it so others can’t see it? and how?
How to prevent resale of PHP source?
As long as the software is distributed in source code form (versus binary), there is no way to prevent the customer opening / altering it. Even binaries can be more or less reverse-engineered by decompiling them.
One can obfuscate the code in order to make it difficult to read / understand how it works, but as every countermeasure, it won't stop piracy – sooner or later someone with enough motivation will bypass it.
You have a few options:
Sell your software as a service (SAAS).
Just don't care about piracy, high-profile / most users will probably pay anyway if the price is reasonable.
Licence it as free (libre) and profit by selling support etc.
You can use Zend Guard and some controls inside your application to try to mitigate piracy of your PHP web applications.
The database will probably remain open.
I think the most you could do is encode it but if they are savvy enough to notice they can just decode it... PHP is a scripting language that is interpreted at run time.
Your customers should be signing a contract saying they won't be handing it out, you could work some sort of licensing check into the software to verify that no one is using it illegally... vbulletin is an example of a commercial PHP web app, you may look into the way they go about business.
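The licensing check suggested in the answer above, and the "call our server for licensing" option from the first question, can both be done without a phone-home: the vendor signs a license file with a private key it never ships, and the on-prem copy only carries the public key, so it can verify a license but not mint one. This is an added example, not code from any question or answer; it assumes ext/sodium (PHP 7.2+), `JSON_THROW_ON_ERROR` (PHP 7.3+), and the constructed license field names `customer`, `exp` and `features`.

```php
<?php
// Added example (not from the question or any answer). Offline, signed license file
// for an on-prem PHP product. Vendor side keeps the Ed25519 secret key; only the
// public key is embedded in the shipped application.
declare(strict_types=1);

// Vendor side: build the license document and sign it. Run once per customer.
function issueLicense(string $secretKey, string $customer, int $expiresAt, array $features): string
{
    $payload = json_encode(
        ['customer' => $customer, 'exp' => $expiresAt, 'features' => $features],
        JSON_THROW_ON_ERROR
    );
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    // Shipped format: base64(payload) "." base64(signature)
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Customer side (inside the on-prem app): check signature, customer binding and expiry.
// Returns the license fields on success, null on any failure (fail closed).
function verifyLicense(string $license, string $publicKey, string $expectedCustomer, int $now): ?array
{
    $parts = explode('.', $license, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null; // malformed
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return null; // tampered with, or not issued by the vendor
    }
    $data = json_decode($payload, true);
    if (!is_array($data)
        || ($data['customer'] ?? null) !== $expectedCustomer   // license for someone else
        || ($data['exp'] ?? 0) <= $now) {                      // expired
        return null;
    }
    return $data;
}

// Demo with a throwaway key pair. In production the secret key stays with the vendor
// and only $pk is compiled into the application.
$kp = sodium_crypto_sign_keypair();
$sk = sodium_crypto_sign_secretkey($kp);
$pk = sodium_crypto_sign_publickey($kp);

$lic = issueLicense($sk, 'acme-corp', time() + 365 * 86400, ['reports', 'sso']);
var_dump(verifyLicense($lic, $pk, 'acme-corp', time()) !== null);     // genuine license
var_dump(verifyLicense($lic, $pk, 'other-corp', time()) !== null);    // bound to a different customer
var_dump(verifyLicense(strrev($lic), $pk, 'acme-corp', time()) !== null); // corrupted file
```

As the other answers note, the check itself runs in PHP source the customer controls, so it can be removed by a determined admin; what it buys is that a valid license cannot be forged or extended, which makes the contractual terms enforceable rather than making copying impossible.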
Not possible, IMO, without a fully hosted environment. Once on the customer's server, they have access, and then it is a matter of determination and resources. I say this because even powerful native-code licensing protections are subverted all the time; just Google to see all of the cracked keys.
If you DO want to protect your code, use of native languages or obfuscated versions (at least) will only change the magnitude of difficulty, but not alleviate the risk.
Protecting the database is even tougher. Even engines that allow full DB encryption require the key to start / connect to the db. If that is part of your web app, or in the customer's hands, they have full access. DB Encryption is really for protection against hackers, not against your customers.
Piracy becomes a legal issue, not a technical issue.