Apologize if this particular problem has been answered already (a search didn't turn anything directly relevant up).
We are developers of a web app that is used to provide community commenting and "social" to our partners websites. Our app uses Javascript and HTML on the front end, PHP and mySQL on the back.
Currently we are running everything through our own servers, which is getting very expensive.
We would like to ask our partners if we can host the app through their servers, with them getting a discount to our monthly charge due to the bandwidth/cpu load they would help us share.
My question is, is there a way to host our app through our partner's web servers in such a way that we can offload most of the CPU time and bandwidth without exposing our source code?
I would greatly appreciate any ideas/help!!
Thank you very much all!
If you also serve static or rarely changing content your clients could run a caching reverse proxy to remove some load from your servers without giving them any source code at all. But you need to implement caching headers for this to work properly.
You may want to look into nginx.
On second thought: Did you try to compile your scripts using facebooks Hip-Hop for PHP? First of all the script should perform way better, second of all, if you still had to outsource the hosting, you deploy a compiled program, no source code involved.
If you put the code on their server they can find out. So that won't be 100% working. Though you can make it difficult but it's still not great.
Most doable solution might be to separate parts of the application and share them. So: You give away a process (so source and other needed data) but it's only part of the total. That way no partner has your total solution but you do outsource the parts.
Related
I have a web based CRM coded in PHP, running off a MySQL database. The server is hosted in the same city as the company HQ but the company's internet connection is average (10Mbps down, 2Mbps up, 30ms ping to the server, all on a good day). The boss is happy with the results but now wants it to 'run super fast in the office' but we still need it to be viewable on the internet.
Short of moving the web server from our host and on to the local office network, which isn't a great option because then it would be super slow for everyone outside of the office, does anyone know a way to achieve this? I was thinking of setting up a local copy of the site and having the MySQL databases synchronise, but this sounds like a logistical nightmare.
Any ideas would be much appreciated! Happy to provide more info if needed.
You can setup dual-master replication with MySQL to accomplish this.
I would not attempt it without a fast, reliable line (which it sees you have). I would certainly setup and load test temporary servers to prove the configuration works.
For more information
http://devel.reinikainen.net/40
http://www.neocodesoftware.com/replication/
I am not joking around here.
Step 1) Have your boss define in written format what super fast means. This could(should?) include page load times for specific pages.
Step 2) Determine where there is a deficiency in speed. You think you know, but you don't. Measure it and record results. Use firebug in firefox to check page load and transfer times.
Step 3) Identify how you can speed up the app based on SPECIFIC measurements you looked at.
I've done a LOT of research on my following problem, but it all ends up pointing to Websockets which I can't use because my host doesn't allow command line or ssh. I've also tried the postMessage(data, targetDomain) technique, but that's not entirely where I want to go either.
Here's what I want to do:
Execute javascript from one person to the other users that are on that page without reloading it or anything.
Example: A user clicks a button on the page and it sends a javascript code that automatically executes a function on every other listeners page. Kind of like a chat feature you could say, but less dense maybe?
This is my first time exploring this field so I'm a bit confused over the concepts. I've read multiple documentations of programs that offer socket like usage, but not really any luck here. (Like I said, I can't really use sockets because of my host).
Any help is appreciated, thanks!
If you are on a hosting platform that doesn't allow WebSockets then you can outsource the realtime communications layer to a hosted realtime service (I work for Pusher which is one such service).
Hosted services tend to have a free tier so depending on what you are trying to achieve that may be enough. If not, then contact them, explain your app and your situation and they may be able to help.
If you want to use a self hosted solution then you may need to go with something HTTP-based. But, again, if you are on a small shared hosting platform this may be quite resource intensive and your hosting provide may tell you off.
If updates aren't all that frequent they you could use standard AJAX polling at reasonably long intervals. It sounds like you'd like to avoid this though.
Personally, I'd recommend using a hosted service as what you are trying to achieve is inherently difficult with PHP as it was built with request/response in mind.
Related: Realtime websocket-like behavior possible on Heroku?
I am currently creating a website in php that has a database backend (can be either MySQL or SQL Server) and I realized recently that if my database crashes at any time, my website will not run properly and probably cause some headaches.
So what is the proper thing to display on the website if my database (or any crucial outside component) goes down? My particular website relies heavily on its database and will be almost useless without it.
One option I have been told is to email the website admin and display a Error 500 page that says something is wrong with the server and basically make the website unusable till the issue is fixed. Is there anything else I could do to work around this problem? Are there any ways to design a website so that the database (any crucial component) crashing isn't an issue?
I am looking for general rules of thumb as well as specific examples of how people have worked around this in the past. Also, these examples don't just have to be for my website example.
If you only have one database server, and the website cannot work without it's database, there is no magic : you'll have to display some sort of nice error page, informing the users there is a technical problem and that the website will come back shortly.
Generally speaking :
Chances of such a problem are pretty low
If your website is a normal one, people will tend to accept a problem once in a while, especially if you communicate about it.
If you can afford it (and have the technical knowledge to set this up), you could use two database servers, with replication (MySQL supports this) between them : one master, which you use, and a slave, that's considered as a backup.
Then, if the master falls, your application will use the slave.
Of course, this will greatly reduce the risks of a database-related problem (having two servers crash at the same time is quite unlikely), but you'll still have problems with all other components -- like your webserver : if you only have one, you might want to consider using two, with the second one as a fallback.
After that, if you still have money (and think you need an even better uptime for your website), you'll want to think about the case when your datacenter has a problem -- setting up server in two separate locations...
The proper thing to display is a simple "oops" error message that gives away no information that would be helpful to hackers. Something along the lines of "We're experiencing technical difficulties" or "website unavailable". This is for security purposes.
It would be good to have an error logging and notification system in place to notify an administrator in case of a crash. That would be fairly simple to write, but I'm sure there are already libraries that handle this. (There's a tutorial with code samples at http://net.tutsplus.com/tutorials/php/404403-website-error-pages-with-php-auto-mailer/ and a simpler example at http://www.w3schools.com/php/php_error.asp)
There are ways to design the architecture of your web site to handle a database component crashing. It's not architecting your website, it's architectin the whole environment. For example, database clustering for high availability (http://en.wikipedia.org/wiki/High-availability_cluster). It's not cheap.
Overall, you just need to ensure that you're doing your error handling properly. A database crash is a classic example ofr why we need error handling. There are plenty of resources and guidance for this.
http://www.google.com/search?q=Error+Handling+Guidelines&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
Edit
I found this and thought it was a very nice resource for answering how to handle the errors:
http://www.nyphp.org/PHundamentals/7_PHP-Error-Handling
It is considered best practice to return a HTTP 500 status code in the event that your database being down, or any other crippled service, prevents your website from functioning properly. Depending on your websites functionality, this could be on a page by page basis or site wide. For example, your "About Us" page may not need database capabilities while your search page would. You could thus keep the "About Us" page up and running but return a 500 status code when someone goes to your search page.
Do not give any technical information about why the site is not working to the end user. This could be a security risk.
If you are using apache, this document will tell you how to setup custom error pages:
http://httpd.apache.org/docs/2.0/custom-error.html
I recommend you use plain HTML for your 500 status code pages. You can also have your PHP pages send a 500 status code via the header() function, documented here:
http://php.net/manual/en/function.header.php
This question already has answers here:
Closed 12 years ago.
Possible Duplicates:
How to protect your software code?
Protect my PHP App
Hi, I have a framework that I am wanting to be able to sell licenses for. I want people to be able to edit the code if they choose to (to a degree) but also I want to try and stop someone paying for the code and then just putting it up for download.
Is there a way that I can keep part of the code ( small piece of code that is ) on a server which each site using my framework will need to connect to use?
any help or ideas much appreciated.
You can... But do you want to?
PHP scripts are not Java servlets. They're not always running; they start when a request commences and they finish when the request stops.
So, which functionality would you put that requires calling home? It must not be in every page, because it would significantly slow down both the client application and your servers. If you have some page that is rarely used (e.g. some configuration page) you could defer some of its functionality to your server. But even then, consider that your client may not want to run code that depends on some server of yours – you may not be able to guarantee it's always online; the client may have its server behind a firewall that doesn't allow outgoing connections, etc.
Zend Guard seems to be the de facto standard. However, a quick google search revealed a couple others:
SourceGuardian
PHP LockIt
PHP Cipher
In the long run, though, all of these just end up pissing off the people who have to make modifications to their server to run a script. My advice, as someone who has both used and released scripts with this type of encryption, is that you not bother, because someone will (given enough time) decrypt it anyways.
That's the problem with script-languages. You can't protect the code in the way, that a user doesn't see it. However if you plan to provide a license and a customer has to buy it, that's the best way I think. If he would upload the code for others to download, you can go to your lawyer.
The way you mentioned, that everybody has to connect to your server is also a solution. But therefore I would not store the framework on your server, but give the framework to you customer and let him register this framework for one domain for example. Then the framework connects to your server and checks if it was called, from the correct domain.
Sorry, my english it not that good to express myself this good, but I hope you get the idea :)
I asked a recent question regarding the use of readfile() for remotely executing PHP, but maybe I'd be better off setting out the problem to see if I'm thinking the wrong way about things, so here goes:
I have a PHP website that requires users to login, includes lots of forms, database connections and makes use of $_SESSION variables to keep track of various things
I have a potential client who would like to use the functionality of my website, but on their own server, controlled by them. They would probably want to restyle the website using content and CSS files local to their server, but that's a problem for later
I don't want to show them my PHP code, since that's the value of what I'd be providing.
I had thought to do this with calls to include() from the client's server to mine, which at least keeps variable scope intact, but many sites (and the PHP docs) seem to recommend readfile(), file_get_contents() or similar. Ideally I'd like to have a simple wrapper file on the client's server for each "real" one on my server.
Any suggestions as to how I might accomplish what I need?
Thanks,
ColmF
As suggested, comment posted as an answer & modified a touch
PHP is an interpretive language and as such 'reads' the files and parses them. Yes it can store cached byte code in certain cases but it's not like the higher level languages that compile and work in bytecode. Which means that the php 'compiler' requires your actual source code to work. Check out zend.com/en/products/guard which might do what you want though I believe it means your client has to use the Zend Server.
Failing that sign a contract with the company that includes clauses of not reusing your code / etc etc. That's your best protection in this case. You should also be careful though, if you're using anything under an 'open source' license your entire app may be considered open source and thus this is all moot.
This is not a non-standard practice for many companies. I have produced software I'm particularly proud of and a company wants to use it. As they believe in their own information security for either 'personal' reasons or because they have to comply to a standard such as PCI there are times my application must run in their environments. I have offered my products as 'web services' where they query my servers with data and recieve responses. In that case my source is completely protected as this is no different than any other closed API. In every case I have licensed the copy to the client with provisions that they are not allowed to modify nor distribute it. This is a legal binding contract and completely expected from the clients side of things. Of course there were provisions that I would provide support etc etc but that's neither here nor there.
Short answers:
Legal agreement, likely your best bet from everyone's point of view
Zend guard like product, never used it so I can't vouch for it
Private API but this won't really work for you as the client needs to host it
Good luck!
If they want it wholly contained on their server then your best bet is a legal solution not a technical one.
You license the software to them and you make sure the contract states the intellectual property belongs to you and it cannot be copied/distributed etc without prior permission (obviously you'll need some better legalese than that, but you get the idea).
Rather than remote execution, I suggest you use a PHP source protection system, such as Zend Guard, ionCube or sourceguardian.
http://www.zend.com/en/products/guard/
http://www.ioncube.com/
http://www.sourceguardian.com/
Basically, you're looking for a way to proxy your application out to a remote server (i.e.: your clients). To use something like readfile() on the client's site is fine, but you're still going to need multiple scripts on their end. Basically, readfile scrapes what's available at a particular file path or URL and pipes it to the end user. So if I were to do readfile('google.com'), it would output the source code for Google's homepage.
Assuming you don't just want to have a dummy form on your clients' sites, you're going to need to have some code hanging out on their end. The code is going to have to intercept the form submissions (so you'll need a URL parameter on the page you're scraping with readfile to tell your code that the form submission URL is your client's site and not your own). This page (the form submission handler page) will need to make calls back to your own site. Think something like this:
readfile("https://your.site/whatever?{$_SERVER['QUERY_STRING']}");
Your site is then going to process the response and then pass everything back to your clients' sites.
Hopefully I've gotten you on the right path. Let me know if I was unclear; I realize this is a lot of info.
I think you're going to have a hard time with this unless you want some kind of funny wrapper that does curl type requests to your server. Especially when it comes to handling things like sessions and cookies.
Are you sure a PHP obfuscator wouldn't be sufficient for what you are doing?
Instead of hosting it yourself, why not do what most php applications do and simply distribute the program to your client with an auto-update feature? Hosting it yourself is complicated, from management of websites to who is paying for the hosting.
If you don't want it to be distributed, then find a pre-written license that allows you to do this. If you can't find one then it's time to talk to a lawyer.
You can't stop them from seeing your code. You can make it very hard for them to understand your code, which is a good second best. See our SD PHP Obfuscator for a tool that will scramble the identifiers and the whitespacing in the code, making it much more difficult to understand.