General chat (about whatever)

Talk about whatever you want (as long as it is within community guidelines) here!

Examples: Music, Video games, YT videos, Discord, Other discourse forums, etc.

And speaking of other discourse forums, I’m in 2 of them! Both have invites below (if you wish to join)

— Cloudflare Community —

https://community.cloudflare.com

— The HEADPHONE community —

Please note that both invites expire after 3 months!

Also, if you want to talk via a PM, you can send me one and we can talk there!

But DON’T think that talking in a PM means that community guidelines don’t need to be followed! Even in PM’S, community guidelines still apply, and violating them can result in moderator action! And yes, you can flag PM’s!

Umm, the 10000 users celebration topic is very engaging.

2 Likes

That’s true! But sooner or later, that thread is going to reach the limit of 10,000 replies!

Another few years I guess!

Well, that’s still only a guess, it could be wrong, it could be right! We won’t know until the time comes (and the thread hits the maximum reply limit)

Or admin could increase the limit for such a good topic!

Well, I guess that’s true as well!

1 Like

Wait, there is a limit?

Huh, didn’t know.

1 Like
3 Likes
6 Likes

Hi everyone! Recently, I was thinking of how to circumvent more ways to improve performance, security, and reduce PHP IO / load usage for my soon-to-be web app (still in local). So I recently found “Blackhole PHP”, a bad-bot blocker written in PHP + .htaccess. The idea is that any bots/clients who disobey the rules of the sitemap or try to access any forbidden “physical/virtual” path in a website will be blocked. The disobeying client’s whois information, mainly the IP, will be recorded in a .dat file, which is like a “database” for the .htaccess to know which it should block and which it shouldn’t.

Benefits

I found this will be useful as this will:
• Reduce security risk - although this can be bypassed by using a proxy or VPN
• Reduce the usage of allocated resources from free hosting like InfinityFree

Problems & Doubts / Questions

I don’t know much about htaccess, so these are my doubts:

  1. Does InfinityFree allow/have authz_core_module for htaccess? It is actually needed for it to work.

  2. Will this actually be helpful? Considering hackers/bad bots/spammers/brute-forcers just change IP or use advanced VPN/proxies. Maybe useless?

  3. If a user is banned/denied by htaccess, is it considered by InfinityFree as successive load? If yes, then it’s useless

State your opinions guys. Defend your stances. So that we learn from each other.

Sorry for bad English…

2 Likes

Take note max file size is 10mb. May easily hit limit on IF

2 Likes

Oh, I almost forgot, but it can be worked around by splitting the .dat file into many .dat files.

1 Like

Hitting inode limit is also :yum:

2 Likes

Oh! yeap. That’s another problem…

I have thought of some workarounds but… they have their own disadvantages. So these are the workarounds for the inode limit:

  1. Database - Instead of a .dat file, put the banned IPs/clients into a SQL database (could be from InfinityFree or from external).

Advantages will be:

  • No more triggers for inode limit

Disadvantages will be:

  • Can be mishandled
  • Performance Loss

  2. External Storage - use Google Drive API or something like that to store info there

Disadvantages:

  • Complex
  • Performance loss
  • Google Drive has limits too both for storage and calls…

Cloudflare? And a complex PHP script will slow down loading time as well.

1 Like

I don’t see a lot of benefit in this.

First of all, this script doesn’t seem to stop bad bots. The only thing it seems to do is record crawlers that don’t respect robots.txt.

But I’ve never seen a malicious crawler myself. Most bad bots just probe specific URLs that are likely to contain exploitable software, like admin URLs of popular CMS. I don’t know what a bad crawler would hope to get by following URLs on your site.

And remember: robots.txt is not a security feature. If there is content that should not be accessible by people, then you need to implement measures that actually block access to unauthorized people. Like setting up Directory Privacy, only allowing your own home IP address to access a directory, or having a PHP user/authentication system.

This PHP script itself will use plenty of server power to run. If you then go through the data files and block some IP ranges, then requests from those IPs will still be counted as hits on your site.

This system will help to block bots that:

  • Crawl your website and follow links on pages.
  • Use the same specific IPs and networks that can be easily blocked.
  • Don’t spoof their user agent to a known trusted crawler (because those bypass the filtering even though their real counterparts should never trigger this script to begin with - very strange design decision).

And you’ll still have to do the actual blocking yourself.

4 Likes
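
Added example (not part of the thread and not the Blackhole script's own code): a small Python model of the trap logic described in the post above, run over constructed log lines, showing which clients such a trap records, which it exempts by user agent, and which never touch it. The trap path, the user-agent allowlist and the log lines are assumptions made for illustration; the output block uses Apache 2.4 `Require` directives.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /blackhole/ HTTP/1.1" 200 64 "-" "BadCrawler/1.0"
203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /blackhole/ HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

TRAP_PATH = "/blackhole/"              # hypothetical path listed under Disallow in robots.txt
TRUSTED_UA = ("googlebot", "bingbot")  # hypothetical user-agent allowlist

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$'
)

def classify(log_text):
    """Return (flagged, exempted, missed) sets of client IPs.

    flagged  - hit the trap path and were recorded
    exempted - hit the trap path but matched the user-agent allowlist
    missed   - never requested the trap path (e.g. direct probes of admin URLs)
    """
    flagged, exempted, seen = set(), set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, path, ua = m.groups()
        seen.add(ip)
        if not path.startswith(TRAP_PATH):
            continue
        if any(token in ua.lower() for token in TRUSTED_UA):
            exempted.add(ip)  # the UA string alone decides; it is client-supplied
        else:
            flagged.add(ip)
    return flagged, exempted, seen - flagged - exempted

def htaccess_rules(ips):
    """Render Apache 2.4 authorization directives that deny the given IPs."""
    body = "".join(f"    Require not ip {ip}\n" for ip in sorted(ips))
    return "<RequireAll>\n    Require all granted\n" + body + "</RequireAll>\n"

if __name__ == "__main__":
    flagged, exempted, missed = classify(SAMPLE_LOG)
    print("flagged:", flagged, "exempted:", exempted, "missed:", missed)
    print(htaccess_rules(flagged))
```

Only the crawler that followed the disallowed link ends up in the deny list; the client that claimed a trusted user agent and the one probing `/wp-login.php` directly are not recorded.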

First of all, thanks for the response @Admin! I greatly appreciate it.

At first, I was actually assuming that I can use this script to block some people/clients that want to overload my website. Once, in my previous experiences, someone tried to use Google Page Insights and some other web services (which are considered as valid bots/clients), abusing them to overload my site resources (daily hits).

They can actually find security vulnerabilities by analyzing URLs. A smart one can use it, including directory traversal (.htaccess can prevent), full site and resource downloads (httrack software) and more. In the real world, in practicality, there is actually no bullet-proof solution for this :disappointed_relieved: (except for the DNS solution Cloudflare provides)

Yeah, I’m aware of this though.

In general, that script is useless. Phew, at least I never risked implementing it right away. That’s why I asked here for some insights :smile:

This will be off topic but I wanted to ask you, Admin, if you were to make a web app, what PHP architecture can you suggest that is suitable for the InfinityFree environment and at the same time very scalable and less maintenance? I mean some architectures I have studied require too many files or are overly complex like DDD (Domain Driven Design) or BDD (Behaviour Driven Design). Full Symfony (though a framework) is unlikely to be suitable here. Same for CMS, I don’t appreciate much of them including WordPress. Any suggestions?

Are the servers protected against EMP weapons? When not using them, I now keep all my computers and storage devices in metal cases to guard against their chips being fried by electro-magnetic pulses that could be caused by nuclear weapons being set off in space, which could realistically happen now as part of the current conflict if it escalates. I wonder how safe the cloud is: it may be that most of the information stored in it could be lost overnight, while everyone’s backups at home could be lost too if they haven’t taken precautions.

1 Like