Update --- all of our servers are now fully patched with the recently released updates for ImageMagick -
The talk of the Internet for the last few days has been a new exploit termed ImageTragick - CVE-2016–3714. It's a potential exploit on any server with the ImageMagick package installed that runs web apps that do not check properly for file type before displaying a file manipulated through the Convert command. It doesn't look like Drupal is VERY exploitable by this (and would only be exploitable if the site used ImageMagick, which is not a lot of them. Wordpress will also only be vulnerable if it uses an extension that calls ImageMagick.
However, since our clients run all sorts of code on our servers, we have just taken steps to mitigate this vulnerability on all of our servers. We don't think this will have any bad effects on any production sites - but if you're suddenly having issues with image processing, this may be why. We've patched the policy.xml file on all of the servers as suggested by Red Hat and CentOS. This should stop any potential exploits until such time that actual patches for ImageMagick are available that are known to actually fix the exploit - probably next week.
As most of you are probably aware, Drupal 6 support formally ends on Feb. 24 - so all official support for D6 ends on that date. This has a few ramifications:
- As of that date the Drupal Security Team will no longer release new patches and will no longer send out security notices.
- Most module developers will stop suporting their Drupal 6 versions of modules altogether.
- At some point the security notices on D6 sites should start reporting "unsupported" status for everything.
- We will no longer be able to provide the same sort of support on D6 that we have in the past - in particular we cannot really guarantee any updates will occur.
We're still working on a formal stance on support for D6, since there's quite a lot of activity around the possiblity of a D6 LTS support model to be provided by a few commercial vendors. Being a small company with limited resources, we will not be one of those vendors.
Most likely what we will recommend for everyone using Drupal 6 at this point will be the following:
- If you keep a Drupal maintenance contract on your site we will make a best effort to apply any Drupal patches that become available through the D6 LTS support system - but we cannot make any promise that any Drupal security issues will be patched in a timely basis. We will only be applying patches for security issues, and only if they become publicly available. We are currently mulling over a price structure for this.
- If you prefer you can cancel your D6 support contract and your site will be on its own for any security updates. Frankly we do not expect a LOT of security patches will be ported to D6 in the future, but it's always possible something truly serious will pop up.
- If support for your D6 site is important to you and you do not believe you will be upgrading to D7 or D8 in the near future then we will be happy to recommend a support company that is doing D6 support on a commercial basis. This is likely to become expensive, and may in a lot of cases require that you host your site with the support company involved. However, if support long-term on D6 is important to you, subscribing to one of those services will help to fund back-porting of security fixes to D6 and will support the Drupal community.
In any case, we recommend that if you are on Drupal 6 that you make an attempt to upgrade to D7 or D8 as soon as possible. We will not be taking on any new support contracts for D6 sites as of today. We'll be glad to discuss the possible options with you whether or not you are currently a customer.
Drupal continues to move forward, adding in more features, more power, higher performance, and lots of other new goodies. Drupal 8 in particular is bringing a lot to the table, and a whole new world of web development.
Unfortunately it's also big, and has a lot of new requirements for web hosting which may make it difficult to host your D8 site on a lot of hosting services, particularly if you want to host in a shared hosting environment.
We're working on a solution for that, and are offering a shared hosting environment guaranteed to work with Drupal 8. The D8 package is much like our previous half-acre hosting setup, but includes more:
- Choice of PHP 5.4, 5.5, 5.6, or 7.0 - your choice on every site, or even by directory. We recommend 5.6 currently as many Drupal contrib modules may have trouble with 7.0 (and we REALLY recommend not going with 7.0 if you're on Drupal 7).
- MariaDB 5.5
- One-click Drupal 8 installer
- CentOS 7.2 operating system
- 20 Gbytes of storage
- Unlimited bandwidth
- 6 MySQL databases
- Up to 4 real domains and up to 20 aliases
- Up to 100 email accounts
- php.ini per site under your control - with up to 256 meg php instances
- Drush, Composer, and Git all available on the server
- ssh login to server and scp file access
- Virtualmin Pro control panel
- Free optimized Cloudflare (optional)
This is a work in progress - we are working to make this the best shared hosting environment for Drupal developers, and we'd like to enlist your help. For a limited time we are offering one free month of this service, and you can sign up by going to https://billing.cruiskeenconsulting.com/cart.php?a=add&pid=36 and entering the discount code D8testing at checkout (you need to sign up for monthly billing). No contract, cancel any time.
Help us polish our D8 hosting service and get a free month of hosting to boot ---
Yesteray I went off on an experiment with one of our own Drupal sites. For some years now I've maintaned the web site http://www.uppitywis.org - it's a political blog about progressive politics in Wisconsin. It's gone thorugh a lot of different configurations and life stages. At the moment it's built on a pretty straightforward build of Panopoly,. In the most recent version I have taken it out of Varnish, and it runs behind Cloudflare.
In an attempt to eat our own Dogfood as a Cloudlflare host, I though I'd make a stab at making Cloudflare cache the entire site, rather than just the static assets. You can do this in the free Cloudflare implementation by setting up a rule that says "cache everything" and putting it in with your three allowed rules. I've also set up rules to not cache admin* and user* and have put those ahead of the cache everything rule - so that admin functions are not cached.
All of our CentOS 6 servers have been updated to 6.7.
The latest requirements for Drupal 8 include a requirement for MySQL/MariaDB/PerconaDB of version 5.5.3 or later - now THAT one may be an issue for a lot of hosting companies. We're going to get that done, but it's a little more unusual than the PHP requirement. At the moment our solution to this is to be using CentOS 7 for all of our database servers (and since CentOS 7 uses MariaDB 5.5, that works fine). We're currently re-thinking what we're actually going to do about this before the Drupal 8 release.
I'm writing a little bit today about some of the concerns that folks are having about Drupal 8, the new hosting requirements it imposes, and particularly the concerns that smaller organizations will not be able to find Drupal 8 compatible hosting plans. There is a lot going on with us and with other hosting companies at the moment to support Drupal 8 and other PHP software that has more modern requirements. We don't think this will be an issue with most reliable hosting companies by the time Drupal 8 ships.
Some things you probably should know about our company:
- What's this Cruiskeen thing? Its Gaelic. A cruiskeen is a little jug. Our farm is named Cruiskeen Lawn, which has a number of different stories associated with it that are way too confusing to go into. Suffice it to say that among other things I'm a home brewer abd we make a fair quantity of beer, wine, and cider here.
We've come to realize that we are hosting more and more developers who are using Git to manage their projects (including ourselves). The current Git repository that we're hosting on our own servers is a little cumbersome, so we're working toward having our own Gitlab repository, which will be available to our hosting clients. This way you'll have a Git repository that can be private, on your local network, and will be free as long as you host with us.
We're still in the process of deciiphering the details of Gitlab, so it's not available yet - but I expect some time before summer.
As a CloudFlare Optimized Partner, we are thrilled to offer the CloudFlare Railgun™ technology to all our customersas a free addon for Half-Acre and VPS hosting packages. Railgun is CloudFlare’s latest performance optimization technology that gives you significant improvements in site load times. To activate Railgun, log into your Cloudflare account and select Railgun “On”. Note that Railgun costs at least $200 if purchased from Cloudflare directly. Read on for additional details and instructions:
Railgun ensures that the connection between our network and the CloudFlare network is as fast as possible. Railgun achieves a 99.6% compression ratio for previously uncacheable web objects by using techniques similar to those used in the compression of high-quality video. The average website can expect a 1.43x performance increase.
Cruiskeen Consulting LLC is happy to announce a new partnership with CloudFlare, the web’s easiest performance and security solution. As a CloudFlare Certified Partner, we deliver their simple and free solution to help protect and accelerate your website. Once your website joins the CloudFlare community, it loads twice as fast and is protected from a range of online threats.
Getting started is easy—you just need to log into our billing system and add the Cloudflare addon to your hosting plan. With two clicks, you can activate CloudFlare and your website will automatically be faster and safer around the world.
We are pleased to offer you the CloudFlare service for FREE. There is no commitment. Turning CloudFlare on and off takes two clicks of the mouse, so feel free to try it out. We think you’ll like it.