We have developed a web application for an office management, the plan is to provide a hosting server.
Therefor due to some circomstences an important part of our targeted portential clients, wouldn't want there work online on the web (even if many security measurment are to be implemented), so we offer a LAN installation for these clients.
This is causing a real headaches for the team, since we don't want someone with enought skills to access our sources code, since if they do, they can try and find a way to hack our online sytem.
So, the question is how can we protect our work from beeing accessible, and only allow its execution, obfusticating the PHP code is one way, but its not enough, while seaching I've come accross a way where we can make a Vitrual machine, but this is not the most optmal solution since it will require some hardware configuration (memory and other stuff)
Does anybody know a way out from our misery ? It would be wonderful if its a free solution, but if not, it can be okay with a cheap one :)
This is a FAQ here and the received wisdom is that you can't do anything. This makes sense if you think about it as ultimately there is nothing you can do to stop someone reading what their computer is doing. If your computer is going to run code, it must be in a computer-acceptable format which means that no matter how you try to hide it, it can be decoded and displayed as in order for your computer to understand it, it must meet certain inviolable standards which are published and well known.
You can make if difficult for people who would not know what to do with the code anyway, but anyone who could use your code will be able to get it if they want to.
Is your stuff so remarkable and innovative that you really think it is worth stealing?
For instance, it took me almost 10 minutes to work out how Google did it's nifty suggest thing and another 20 to replicate it. By SO standards that is extremely slow. I use the idea along with almost everyone else but I have never seen their code and it would be boring if they showed it.
Why not just bind users with a non-reverse-engineering contract? This, after all is how MS protects its IP. Windows is easy enough to copy if you want to. MS makes it worth paying for their product by providing updates only to licenced users. Perhaps you could do the same.
Ask yourself if it is REALLY necessary to have the code hosted locally. When did the internet last fail you? 3 years ago I experienced a major earthquake. No power, water or sewage for 2 weeks but the internet both wired and mobile kept working. My computer didn't as I had no power but 3g was just fine. The infrastructure is incredibly robust and there is really very little need for local data duplication. My experience has been that anything that knocks out the internet more than transiently is more than likely going to knock out any local solution too.
Finally, if your clients want a locally hosted solution, ask yourself if they are worth the trouble. The best way to help them to mature is to let them see what they are missing.
Caveat - I do actually duplicate some data on some local systems but this is a useful feature of backup - I allow clients a view of the backed up data in the event of catastrophic internet failure, but I don't allow them to modify the locally held data as it negates the 'one true record' principle which is why we use the cloud in the first place.
Related
I'm working on a small private site for a group of 10 people. It's essentially a tiny social network just for us. We currently also use Windows Live Messenger for real-time chatting but we're looking to create an alternative since the MSN clients out there for Mac, Linux and smartphones do not support the recently added group features in MSN, which we use.
I've been reading up a little on push technology to see how I'd go about creating a web based chat room that suits our very limited needs. I gather that Apache is not really suited for long polling at all, and that using something like APE would be a better idea. However, we're running on a fairly cheap but very good shared host so we simply don't have the ability to install any server side software.
To my question.
Since we are, after all, just a handful of users, and most of the time only half of us will be online, is is likely that simple PHP long polling could work? The chat is going to be open pretty much every day from early afternoon to late at night, but not all users will be active all the time. Still, on average probably five or six users will be online without leaving for a whole day, every day. When we're the most active, there will be times when a lot of messages are sent in a short period of time, but it's hard to estimate how many.
Would it be worth looking into the use of Websockets using the PHP server implementation of those and with a Flash fallback (for desktop use we're fine since we all use Chrome, basically, but we'd be happy to be able to use Android devices as well).
I also stumbled upon www.pusher.com and their free alternative looks quite suitable, with 20 connections and 100 000 messages per day (we won't nearly reach that much even in a week). Would you recommend we simply go down that road instead?
I know there are loads of questions here regarding push technology with PHP and Apache, but I haven't found anything addressing a situation where there will be such limited use of the application. Any tips and suggestions would be greatly appreciated. I pretty much know how I'd write the chat itself, I just need to know the best method to use, and if any of the above will work.
Apologize if this particular problem has been answered already (a search didn't turn anything directly relevant up).
We are developers of a web app that is used to provide community commenting and "social" to our partners websites. Our app uses Javascript and HTML on the front end, PHP and mySQL on the back.
Currently we are running everything through our own servers, which is getting very expensive.
We would like to ask our partners if we can host the app through their servers, with them getting a discount to our monthly charge due to the bandwidth/cpu load they would help us share.
My question is, is there a way to host our app through our partner's web servers in such a way that we can offload most of the CPU time and bandwidth without exposing our source code?
I would greatly appreciate any ideas/help!!
Thank you very much all!
If you also serve static or rarely changing content your clients could run a caching reverse proxy to remove some load from your servers without giving them any source code at all. But you need to implement caching headers for this to work properly.
You may want to look into nginx.
On second thought: Did you try to compile your scripts using facebooks Hip-Hop for PHP? First of all the script should perform way better, second of all, if you still had to outsource the hosting, you deploy a compiled program, no source code involved.
If you put the code on their server they can find out. So that won't be 100% working. Though you can make it difficult but it's still not great.
Most doable solution might be to separate parts of the application and share them. So: You give away a process (so source and other needed data) but it's only part of the total. That way no partner has your total solution but you do outsource the parts.
I am developing a server application that is mostly used to registered users and gives services upon request.
It was built from scratch, and I am not fundamentally a PHP developer.
I must say that this is the first time I am deploying a production to the web.
The end of phase 1 is drawing near and I would like to know what do you think is the best approach to deploying this server.
How do I debug on a production server ? how do I log all my actions to log files ?
How should I handle the resources and traffic? how would I know if the server is reaching its limits ?
Any approaches to evening out the load ? I have one DB, is it possible to let another server use the same DB to take off the load from the first one ?
(Of course these are general and long shot questions, but I'd like to have a bigger picture of what I am doing here)
Is there anything I should know about security measures other than my own code ? like if I can trace down a hacking attempt for example?
If you are asking all these basic question, then you should not be deploying a production server. But needless to say, you are.
It's usually never a good idea to debug on a Production server, that is what QA or Development or Testing servers are for. If you are deploying a combination of Apache, PHP, MySQL, usually for PHP, there is a php_error.log file for you to look at. The location of that is base on your httpd.conf
Handling resource traffic is based on your volume, you have to answer that question yourself. Google MySQL configuration optimization and you'll find many helpful tips to correctly configure and optimize it's speed, and when you hit your limit, you'll know.
Security, that is another very vague question, security differ base on your needs, such as a bank vs a mom and pop website. I guess research network secure, and always keep in mine this, don't over kill, security is good enough when it accomplish the task.
As mentioned you shouldn't debug on a production server, all testing should have been completed in your development environment. However, of course you should thoroughly test everything once it is on the production server and fix any issues that may appear. By making sure your development environment is as close as possible to the live one in terms of settings etc you can mitigate the risks but you can never totally eradicate any potential issues.
Depending on your server you can try running a command such as "top" or "topaz" at the command line, this works on a Unix box if it has the correct installation and will tell you how much CPU is free and how much is being used. This would give a rough idea if it can handle the traffic you are throwing at it. Handling traffic and managing resources is a huge area in itself, there's a lot that can be done such as load balancing for example if you have multiple servers, you may find VMWare is helpful here also. There are also call-gapping techniques that can be employed depdending on what your application is for and who is using it. And yes you can have one database shared between more than one server.
There is professional monitoring sofware you can buy to show how busy your servers are that may help, just search for "monitoring software" for example.
Security is another huge area and the solutions would depend on what you are deploying and who is going to use it. You should be aware of all the likely methods of attack that your application is likely to be subjected to and have planned your code to cope with this, for example SQL injection, session hijacking etc.
You need contingency plans in case hackers compromise your site and ideally disaster recovery plans as well, depending on how critical your application is.
Best advice is to plan everything thoroughly before you start and get your bosses to approve the plans to cover yourself.
If you have more precise questions I can give more precise answers, I used to work for a global bank and have experience of releasing critical code to production servers with all the red-tape that goes with that
;-)
In the next few weeks I'll be taking my site from the localhost (WAMP) and puting it on a new server. This will be the first site, on my first server, so basically...i'm a noob!
This must be an important moment for any independent web developer / small business so i'd love to hear about some experiences, mistakes and system default security holes that one should fix straight away...
I'm using php, mysql, cpanel and WHM, and looking for tips like "Turn off error reporting in PHP"
First and foremost if you are worried about security then you should use LAMP. As long as the Linux platform is using AppArmor or SELinux (Ubuntu and fedora respectively), then you are much better off than any version of Windows. I know this from first hand experience of developing exploit code for the two platforms.
Before you lock your system down, test your code for vulnerablites using Wapiti. Acunetix is also good, but expensive. This type of testing, especially sql injection testing must be done with dispaly_errors=On set in your php.ini
There is a lot that can go wrong with PHP Configuration that makes your system less secure. You should run PHPSecInfo and remove all red. dispaly_errors=Off is what you want, and phpsecinfo tests for it.
You should also use a web application firewall like Mod_secuirty.
It's actually quite a huge undertaking, but well worth the experience. Here are just one or two suggestions...
Site security also means being heavily involved in managing your sometimes scarce resources. Just as important is obeying any limits your host has, and guessing all possible ways your site users can push you over those limits, leaving you responsible to pay a hefty bill. IE downloading or uploading large files over and over, spamming email lists, repeatedly requesting pages using too many database connections and queries, etc. Get overusage limits and fees in writing from your host before you begin, and have response plans ready. Really, this part is like buying a cellphone service.
A lot would also depend on what features you'll have on your site. File uploads? Forum? Logins? Email? Etc? For example - If you're running a file-sharing site: along with upload/download rate limiting, I suggest you first check available disk space before permitting any file to be uploaded, or do regular audits so you're prepared to archive or delete old and unused files. It's a quick check just to make sure you're not caught by surprise a year down the road when you suddenly start getting disk full errors or get shafted by your host with a large bill.
There are literally a hundred more issues to consider. Gather up a complete overview - an itemized list - of all features and functions of your site. Google each one to get more ideas on handling security. Your host should also publish their own security considerations and have a handy manual for operating with all of their services. If they don't, well, I wouldn't personally feel comfortable with them.
Online chat is deceptively difficult due to the stateless nature of http and the web in general, causing such hurdles as session timeouts, users opening multiple windows and different accounts being signed in on one browser window. There is also the problem of users closing the browser window and logging out and such things, which make dealing with undelivered messages quite tricky.
Are there any good articles that describe how others have solved these problems elegantly?
Please feel free to write your own thoughts on how an IM like facebook or gmail's can be achieved with maximum robustness.
Is there any decent code base / writeup for integrating with a locally hosted jabber server to achieve this?
Edit:
The site will be one on one chat between any member of the site - as in bob can talk to carol and bob can talk to jim at the same time in a separate chat popup. This does make it a good candidate for jabber/xmpp.
I will gladly accept the answer that is most helpful within the next 4 days.
I'm curious what sort of system you're planning on using this for. Is it for a small-scale chat system between users on a tiny project, or are you envisioning a BIG system? The biggest problem with online IM systems is reliability — take facebook, for example. Their chat system is notoriously buggy, and it's maintained by a large fleet of professional developers with tons of resources at their disposal.
You might want to start by looking at the XMPP organization's list of XMPP clients; there's a section for web clients. If there are any which are open-source, you could probably work with that some. Again, it's hard to say without knowing exactly what the system is intended to do. One possibility could be using Google Apps for your Domain if it's an internal sort of thing. If worse comes to worse, and you have a LOT of time on your hands, maybe you could write your own implementation of the LibPurple library for web use (google it; I don't have enough reputation points yet to post a second hyperlink).
Hope that gives some ideas of where to start. I've never done this before, just giving some hopefully helpful tips. Good luck!