Category: Website

What is managed hosting?

Managed hosting is a common marketing term many web hosts are now using. It means different things to different people, but let’s explain what it means to you as our customer.

  • People. The person who you interact with will personally have the access and authority to resolve or action your request. None of our support is outsourced.
  • Product. We’re not just providing you a hosting service, we are providing you a fully managed product. You tell us what you need, we make it happen. For example you may ask: “Please duplicate this existing website of mine to a new location” or “I need a new WordPress site setup on this domain”. We do the rest.
    We don’t just give you what you asked for, we go further and setup our tools to give you what you need (as well as what you asked for) not only caring for your current needs, but also anticipating what you will need in the future.
  • Systems. We have systems in place to proactively monitor, audit and resolve any security and website issues. This is in your best interests as it means less problems (or none at all) with your websites. We know of any issues and resolve them before you even notice.
  • Speed. We want you to have the fastest loading website you can. We work with you to optimise and setup our custom caching and speed solutions. Some of these may include CDN, NGINX, FastCGI, Redis Database query caching.
  • Security. The internet is a dangerous place, so we have setups that automatically block bad traffic and malicious login attempts and well known hacks.
    We monitor live certain key files on your website to ensure that none of them have been modified without your knowledge. We update your website and any plugins (WordPress/Joomla) for you. This isn’t a paid add-on, we offer it free for all customers.
  • Backups. You’ve heard of them, have you had to use them? Was it easy? We provide free off server backups to you, so you have access to them at the same time we do. We provide you a tool in your website that allows you to restore from these backups at any time.
  • DNS and Domains. We provide a fully managed DNS service to you. You don’t have to understand DNS to work with us, we will look after it all for you. SPF, DKIM, DDNSEC, CNAME, AAAA, SSL etc, we know all this so you don’t have to.
  • Flexibility. There is no one size fits all solution, so we will tailor the hosting solution to meet you and your customers needs. As your site grows, we grow with you.

Read further details on our Cloud Server offerings here. Contact us for a custom quote.

Restrict access to only traffic from Cloudflare

After finding it confusing and difficult to find clear information on this, even after checking Cloudflare’s own documentation, I’ve decided to put this post together in the hope of helping others.

The issue:

You have a website you protect (among other things) using Cloudflare. However, it’s still possible for traffic to reach your website directly, ie going around Cloudflare. This is quite easy if you do manage to find out the IP address a website is running on.

Side point: Cloudflare offer solutions such as Cloudflare Access which allow you to have VPN level protection for your website (or a section of it if you choose). These are great solutions, but only work properly if you can ensure that ALL traffic is forced to go via Cloudflare (and the protection they offer).

The solution:

After wasting days with keywords like: cloudflare restrict access, lock down traffic to only Cloudflare, restrict access to only Cloudflare IP addresses etc etc.. I stumbled on this post: Stop Cloudflare bypassing on shared hosting unfortunately the title is not as intuitive as it could be, however the solution is excellent (bar one small technicality which I will explain later). And I quote:


With a very simple Cloudflare Worker, we can add a request header, a header that will be sent from the edge (any of Cloudflare’s 180+ data centers) to the origin (your server), and therefore won’t be visible to site visitors. As long as the header name and value are kept secret by the site admin, any requests not coming through Cloudflare will not have this header, and will therefore trigger a rewrite condition at the origin server, and be redirected back to, well, Cloudflare – where a Firewall Rule will block it.

The Cloudflare worker (taken from this recipe 18). You’ll need to configure the Cloudflare worker via your Cloudflare account. For most sites, this will be free.

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

/**
 * Send header to origin, allowing for
 * .htaccess to block requests
 * not coming from Cloudflare
 */

async function handleRequest(request) {
  // Make the headers mutable by re-constructing the Request.
  request = new Request(request)
  request.headers.set('Secret-Header', 'SeCrEt-kEy')

  return await fetch(request)
}

And then on your own website the following .htaccess directives (place them at the top of the file):

# Route visitors not coming from Cloudflare to, well, Cloudflare
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	# Both the header and the value should be kept secret
	RewriteCond "%{HTTP:Secret-Header}" "!SeCrEt-kEy"
	# Uncomment and edit w/ IP of services such as certs, cron, Softaculous etc
	# RewriteCond "%{REMOTE_HOST}" "!^xxx\.xxx\.xxx\.xxx$"
	RewriteRule .* "accessdenied.php" [R,L]
</IfModule>

What these directives do is check every request to see if it has a request header named “Secret-Header” and whether its value does not contain the string “SeCrEt-kEy”. If the header does not exist, or does not contain the key, the request will be redirected to a non-existing URI named here “accessdenied.php”, (a fictitious, non-existing file) which must be added in a Firewall Rule.


/end quote.

This works wonderfully. The problem with the suggested firewall rule (at Cloudflare) is that it won’t be triggered if traffic comes in from somewhere other than Cloudflare.. makes it redundant/useless. So, well.. edit that yourself or find another solution if you wish to gracefully block traffic this way.

Conclusion:

While the concept of restricting access to IP addresses and/or blocking access to some (via .htaccess) is fairly well documented, using Cloudflare (and I do recommend it) makes some of this quite complex when wanting to restrict access to ONLY traffic via Cloudflare. The solution above is elegant in that it adds a header to each request (via Cloudflare Worker) and then the .htaccess file checks to make sure that header is present (ie did it come from Cloudflare), if not, traffic is blocked or redirected to a file of your choosing (or even a 404 if you wish). Sadly not enough airtime is given to this solution, perhaps due to the wrong keywords being used. Hopefully this post help with that.

PS If you wish to avail yourself of our services for things like this (securing your existing or new website, website hosting that ensures your site is always kept up to date and secure along with regular off-site backups (which we can automatically send to you each time) be sure to get in touch with us to find out more.

Edit: For a simpler solution to this problem, but only if you have full server access it explained here: https://xyzuluhosting.com/further-cloudflare-security-authenticated-origin-pulls/

Why you should listen to Google and get a green padlock

With the release of Google Chrome v62 in October 2017 all websites that have a “contact us” form will be marked by Google as Not Secure unless they are using SSL/https

Instead of a warning from Google, you want your visitors to see that your website and any information they provide you is secure.

You can read more about this change in the article Google have provided here: https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html

We want to help you

We can enable SSL for you at no cost (in most cases), however you do need to contact us to request this. Check out our previous post Do you SSL/HTTPS? You should. Find out why

If you are concerned with security and performance, have you seen our Cloud Server offerings? We also offer free domain WHOIS privacy on all supported domain extensions.

Contact us today so we can help to keep you and your customers secure.

Scroll to Top