Difference between revisions of "Portfolio hosting"

From Pin Eight
Jump to: navigation, search
(some people think PHP and MySQL suck)
(I think I know where I'll be planning to move PinEight.com over the next 3 wks)
Line 18: Line 18:
 
While you're at it, try to find one that [http://slashdot.org/comments.pl?sid=3281077&cid=42124727 offers PostgreSQL] if you can.
 
While you're at it, try to find one that [http://slashdot.org/comments.pl?sid=3281077&cid=42124727 offers PostgreSQL] if you can.
 
Some people have reported problems with the fundamental design of PHP and MySQL or with the default settings that a lot of popular web applications rely on.
 
Some people have reported problems with the fundamental design of PHP and MySQL or with the default settings that a lot of popular web applications rely on.
 +
 +
The [http://slashdot.org/comments.pl?sid=3281077&cid=42124727 consensus among Slashdot users as of the fourth quarter of 2012] is that [https://www.webfaction.com/ WebFaction] is the way to go.
 +
It reportedly supports Python and PostgreSQL in addition to PHP and MySQL, and it even reportedly supports SNI so that you can secure user credentials for the nearly 90 percent of users who don't use IE on XP.
  
 
== Home hosting ==
 
== Home hosting ==

Revision as of 21:36, 29 November 2012

Say you're looking for a job, and you want a portfolio you can show to prospective employers who "don’t interview anyone who hasn’t accomplished anything."[1] If your portfolio involves web development, you'll need hosting for your projects. And if your one of your projects involves user accounts, you'll need HTTPS support on this hosting so that users don't use something like Firesheep to intercept and forge session cookies of other users on the same subnet. Since the Firesheep attack was discovered, the Electronic Frontier Foundation has been distributing an extension for the Firefox web browser called HTTPS Everywhere that automatically rewrites HTTP URLs to the corresponding HTTPS URLs on sites known to support HTTPS.

Web developers may consider implementing HTTPS if they want to show support for HTTPS Everywhere or just care about their users' credentials not getting stolen. The EFF has answered some common objections to implementing HTTPS by giving tips on how to reduce connection overhead[2] but has not yet given guidance to implement HTTPS on small sites such as blogs, forums, and wikis. The expensive part of implementing HTTPS used to be the SSL certificate, but that's no longer much of an obstacle since StartCom started offering free certificates for a domain, making some people wonder[3] why web sites use unencrypted HTTP at all nowadays. But until all major clients support SNI, which allows name-based virtual hosting for SSL sites, each certificate needs a dedicated IPv4 address. Most notably, Internet Explorer on Windows XP can't use SNI[4] and thus can't see any certificate on port 443 of a given IP address other than the primary one. Entry-level shared web hosting uses name-based virtual hosting and is thus incompatible with SSL without SNI, and hosts don't offer SNI because of IE on XP. This barrier was noticed soon after the release of HTTPS Everywhere.[5] So you need some way to get your site onto a dedicated IPv4 address so that your site's certificate becomes the primary one on the IP. By 2006, the annual cost of a dedicated IPv4 address from a web hosting company had already exceeded the annual cost of a certificate,[6] and these addresses have become even more scarce since then. And if you're looking for a job, you probably don't have the money for expensive hosting.

While you're at it, try to find one that offers PostgreSQL if you can. Some people have reported problems with the fundamental design of PHP and MySQL or with the default settings that a lot of popular web applications rely on.

The consensus among Slashdot users as of the fourth quarter of 2012 is that WebFaction is the way to go. It reportedly supports Python and PostgreSQL in addition to PHP and MySQL, and it even reportedly supports SNI so that you can secure user credentials for the nearly 90 percent of users who don't use IE on XP.

Home hosting

Some Internet service providers in some countries allow running a server at home. This requires you to leave a PC turned on at all times, and it may need to send periodic messages to the DNS provider to update your home computer's IP address.

There are three drawbacks. First, it doesn't work in all countries. ISPs in some countries without a large allocation of IPv4 addresses put all customers behind a transparent HTTP proxy or a big NAT, where one public IP address represents hundreds or thousands of customers. Second, check your acceptable use policy: some ISPs consider running a server on a home SLA as grounds for disconnection, and some enforce it by blocking inbound ports or the HTTP or TLS handshake. Third, leaving a computer powered on takes electric power and causes heat and noise unless you host it on a cheap, passively cooled device like this $25 USB stick.

Shared hosting

Type budget ssl hosting into Google and you might be able to find plans under $120 per year. Most of these will be similar to the HTTP-only shared hosting that you may have used in the past, except they're IP-based instead of name-based so that each site can have its own SSL certificate, or they use a certificate owned by the hosting company that lists multiple sites in Subject Alternative Name fields. Past searches have returned results like the following:

  • Domain Ledger: "Economy Plan" for $5.95 per month plus $29.95 per year for SSL (which includes their certificate), but use of Perl, Python, or Ruby costs extra.
  • HostGator offers web hosting with "shared SSL" for under $8 per month.

VPS

Some hosts offer a virtual private server (VPS), also called a virtual dedicated server (VDS), for $120 per year or less. A VPS is a virtual machine, run on a server in a datacenter. The customer has privileges equivalent to those of the administrator of a dedicated server, including the ability to customize the operating system. A VPS is far more likely to have its own public IP address than a shared hosting account, allowing it to run several HTTPS sites on separate ports, or even several HTTPS sites on the standard port 443 for those visitors whose browser supports SNI.

  • Directspace [7]
  • prgmr.com[8]
  • Inception Hosting[9]
  • Not yet sorted [1]

No user accounts

You might try designing your web application to use OpenID so that your site never sees passwords. Users would log in with their AOL, Google, LiveJournal, Ubuntu One, WordPress.com, or Yahoo! account, and these well-known identity providers would take care of all the SSL. But then you'd have the same problem as web sites that run only their login page through HTTPS and immediately drop back to HTTP: though the password is encrypted, the session cookie is not, and that can still be sniffed and cloned.

So design your application to be completely stateless or otherwise anonymous. All information submitted to the site is either immediately visible to the public, without any form of authentication or authorization, or deleted after the page finishes loading. This can work for applications where you are demonstrating only the client side, such as graphic design of CSS, or a game written in JavaScript or Flash.

One Slashdot user suggests[10] that anyone seeking a web development position ought to have developed a bank interest/mortgage/retirement calculator written in PHP, Perl, Python, Java, Ruby, etc. that calculates on the server, one written in JavaScript that calculates on the client, a video game written in JavaScript or Flash, a news aggregator that combines a fixed set of Atom feeds, and an anonymous imageboard with a spam filter. Another recommends a regex tester or a currency converter.[11] They appear to claim that web applications can be made sticky even without storing preferences in a user account or session cookie.

Another option is to provide a stand-alone program designed for PCs running Windows (.msi), PCs running GNU/Linux (.deb), or Android-powered devices (.apk). Since 2011, Android phones have been available on prepaid carriers, and both the Nexus 7 by ASUS and the Kindle Fire by Amazon are affordable Android tablets.

Warn the user

Stick with HTTP-only shared hosting at any entry-level provider that doesn't completely suck,[12] but put prominent warnings on the site that the connection is not secure because this is a demonstration site, and that users should not submit any valuable information or use the same password as on other sites. This will provide evidence of web application programming ability,[13] even if it is not as valuable to an interviewer as the experience of having run a production web site.

References

  1. Jon Evans. "Why The New Guy Can't Code". TechCrunch, May 7, 2011.
  2. Chris Palmer. "How to Deploy HTTPS Correctly". Electronic Frontier Foundation. 2010-11-15. Accessed 2012-06-25.
  3. Slashdot comment by adolf
  4. Eric Law. "Understanding Certificate Name Mismatches". IEInternals, 2009-12-07. Accessed 2012-11-25.
  5. Lennie. "EFF Tool Offers New Protection Against 'Firesheep'". LWN, 2010-11-24. Accessed 2012-10-21.
  6. Ali Ebrahim. "Server Name Indication (SNI)". inside aebrahim's head, 2006-02-21. Accessed 2012-11-25.
  7. thanks Compaqt
  8. thanks Short Circuit
  9. thanks icebraining
  10. zeroshade
  11. Fjandr
  12. Alternatives to Go Daddy recommended by Slashdot users
  13. thanks Compaqt