esmith (Joined: 07/31/2008)

Hello. I am setting up an Ubercart system on a site hosted by a popular hosting provider. During development we are using a shared hosting account. So far things are going well, but I have some concerns about the possibility of a php-based directory traversal exploit exposing our encryption keys in this type of environment. I am not sure how reasonable of a concern this is, but my gut says we should go with a VPS for the added layer of security. My client would rather not pay the considerable extra cost if it isn't necessary, but will if they have to.

I was wondering if anyone had any thoughts, experience, and/or advice on this matter. Links to articles, source files, and UC documentation are also highly appreciated. I've done a fair bit of searching but I am not finding what I need.

And, on a side note, I've modified the securepages module to support redirection to and from a subdomain (e.g., http://www.example.com to http://cart.example.com). If anybody is interested in reviewing the code and helping me get a patch ready, drop me a line.

acgarcia21 (Joined: 08/06/2008)
Shared Hosting For Secure Transactions.

I am also building a site on a shared host. My client has the same concerns. He wants a secure transaction. Does being on a shared host automatically eliminate that possibility? The suggestion by the web host was to step up to a dedicated IP. I was surprised not to find this as a common discussion here.

Thanks in advance.

gmitchel850 (Joined: 07/22/2008)
Re: Ubercart on Shared Hosting

I think you should reconsider trying to run a site with UC from a shared host. You run a big risk of disappointing customers.

Shared sites sound great. Unlimited storage. Unlimited bandwidth. There are big gotchas waiting. First, their contracts always talk about their right to terminate your site if it consumes too many resources. There are lots of server resources they can measure to make this determination. They will, too, and quickly, in order to encourage you to upgrade to more expensive options. Second, they will put you on a server with dozens, maybe hundreds of sites. All competing on something like a dual-core, maybe quad-core processor with something like 4GB, maybe 8GB of RAM, and all banging at the same hard drives.

Now, consider that Drupal uses databases for everything. Even simple pages can require -- literally -- dozens of SQL queries to populate everything. UC adds more database activity. Database activity is very processor-intensive.

What I have seen happen, many times, is someone creates a new site on something like a shared account, goes out and announces it, traffic surges because of the initial interest, and then the site goes down or serves pages so slow and has so many hangs that users stop trying.

If you expect to make any money at all, you need to consider a dedicated server. You can rent basic servers for under $100. Even a VPS (virtual private server) will leave you severely strapped for RAM.

The shared sites are fine when you serve mostly static HTML pages. Even dozens of users could be served concurrently from a shared server in that context. That's not Drupal, however. Even static "Page" content is stored in a MySQL database. Just go look at how many tables there are for your Drupal site in MySQL. Dozens and dozens. Just look at how many for UC. Several. If you get more than a few concurrent users with a shared server, you'll find that pages load slowly, etc.

Drupal is not well-suited for shared servers. It is designed for efficient production and editing of content. It is not the most efficient solution for serving content. You need more server "ummph" than you would with static HTML pages.

I have a site on a development machine. It will offer video streams, image galleries, forums, etc. The only cost-effective solution I can find is a colocated server. That means I buy the server and take it to the host. I expect I will eventually need multiple servers. One for video, one for the forums, and one for everything else. I'll start with one server. But I am confident that a shared server or VPS cannot handle the load. I'll just end up disappointing people when the site crashes or hangs.

Cheers,

Mitch

goodeit (Joined: 05/28/2008)
Re: Re: Ubercart on Shared Hosting

Over the past year, I have hosted several simple Drupal sites on a shared server. While none ever had any serious problems, there were many times that pages would load very slowly, or the entire server would go down due to someone's 'misuse' of resources. This took all of my sites offline and was very frustrating. Recently I stepped up to a modest VPS from WiredTree.com (and I am never looking back). I have multiple Drupal sites on my VPS, and have never had a problem with a page loading too slowly or the server being 'overloaded' (a VPS has DEDICATED resources). Yes, Drupal takes a good chunk of RAM to run, but at least on my server so far that hasn't been a problem (keep in mind most of my sites are small and still under development, so there are not a lot of active users yet). At first it looked like it was going to be close with the RAM issue (out of 384 MB, I was using up to 300 MB), but after disabling spamd and clamd (spam and antivirus email protection) I am now down to an average of only 120 - 150 MB RAM use. I will be running all my email through a separate host, which I strongly recommend to anyone who has storage/bandwidth/memory limitations. After cutting those services out, I feel that my server is ready to take on more sites and I do not foresee it having any problems once more of my sites 'go live'.

Another good thing about VPS/dedicated/colocated hosting is that it is usually easier to get a dedicated IP address and therefore an SSL certificate. This helps keep data being transmitted private (end-to-end encryption) but does nothing to protect the data from a local attack - that's where either virtualization or having your own server would help.

I think the best way to decide what you need is to try it out. I have a contract-free VPS for only $44 a month (hint: look for coupons on sites like RetailMeNot before buying. I get 10% off a month at WiredTree with code 10PERCENTOFF. Also if you choose to pay annually or semi-annually some places give an additional discount). It may not be quite as easy to test a dedicated server setup, but if you have a spare computer lying around you could set it up as a local server to get a feel for it (of course buying a server and colocating it would probably have better specs but a longer loading time than a truly 'local' server).

Good luck!

okeedoak (Joined: 07/31/2008)
esmith wrote:

...but I have some concerns about the possibility of a php-based directory traversal exploit exposing our encryption keys in this type of environment. I am not sure how reasonable of a concern this is, but my gut says we should go with a VPS for the added layer of security.

It is my understanding that if the web server is not running as the account owner but instead as 'nobody' (or some equivalent) then one account user can write a php program to read your settings.php file and then they'll have full access to your database! A VPS (with lots of ram) or a dedicated machine offers better security.
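The point above is that on a shared host where httpd runs as one common user, your settings.php has to be readable by that user, and therefore by every other account's scripts. The following audit script is an added example, not code from this thread or from Drupal or Ubercart; it takes a Drupal docroot as its argument (assumed layout sites/*/settings.php) and reports which settings files are readable beyond their owner.

```shell
#!/bin/sh
# Added example: classify how widely a Drupal settings.php can be read.
# Assumes POSIX sh and either GNU stat (-c) or BSD stat (-f).

# Prints one of: owner-only, group-readable, world-readable, missing.
# Exit status is 0 only for owner-only (0600-style) files.
settings_perm_risk() {
  f="$1"
  [ -f "$f" ] || { echo "missing"; return 2; }
  # Octal mode, e.g. 644; BSD stat is the fallback when -c is unsupported.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  mode=$(printf '%s' "$mode" | tail -c 3)      # drop setuid/sticky digit
  group=$(printf '%s' "$mode" | cut -c2)
  other=$(printf '%s' "$mode" | cut -c3)
  # Bit 4 in a digit is the read bit (r = 4, w = 2, x = 1).
  if [ $((other & 4)) -ne 0 ]; then echo "world-readable"; return 1; fi
  if [ $((group & 4)) -ne 0 ]; then echo "group-readable"; return 1; fi
  echo "owner-only"
  return 0
}

# Walk every site directory under a Drupal docroot and report each one.
# On a shared host this is the trade-off the thread describes: a file the
# common 'nobody' httpd user can read is a file every other tenant's PHP
# can read too, and making it owner-only breaks the site instead.
audit_docroot() {
  root="$1"
  rc=0
  for s in "$root"/sites/*/settings.php; do
    [ -e "$s" ] || continue
    r=$(settings_perm_risk "$s") || rc=1
    echo "$s: $r"
  done
  return $rc
}

# Usage: sh audit_settings.sh /var/www/drupal   (path is hypothetical)
[ -n "$1" ] && audit_docroot "$1"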