Comment, news and views about ServWise and the IT industries in general.

Archive for the ‘General’ Category

PHP on Windows IIS, WordPress Permalinks, Magento Admin, PATHINFO and Microsoft’s URLSCAN

Tuesday, July 7th, 2009

I just had a fun night making some changes to one of our Windows Servers, the update was to add some great new functionality to our control panel (DotNetPanel) and also to make sure the server was fully up to date.

The update started great, install software and the obligatory reboot that MS makes you do (always a heart stopping moment). Machine came back and all looked good initially. Went to test some of the sites on the server and all seemed okay until I tried my own blog and realised that for some reason the permalinks were not functioning properly! Quick check of some other blogs and the same deal, the PATHINFO based permalinks (links that include a /index.php/ path in) were FUBARed, just returning a 404 error. :(

First check was file permissions as this can be a common cause of PHP errors, nothing I tried made a difference, next was checking the PHP.ini config, nope not helping, next was IIS, nothing wrong there, then it was my browser, maybe something wrong with cookies or cache… nope. I was stumped… lots of checking and rechecking later and I still couldn’t understand why the permalinks weren’t working… A number of hours later and I’ve almost given up, a report of a Magento site having problems accessing their admin (Yes you heard correct, Magento works on our Windows server :0, or at least had been up until a few hours ago).

Went off to check why and noticed a similarity to the WordPress problem, the Magento admin also uses URLs with /index.php/ in and although they were being redirected back to the homepage rather than showing a 404 it was still a coincidence.

Now these sites were in completely separate IIS processes and paths so permissions and IIS seemed like a dead end so I was still none the wiser other than knowing it was a server wide issue not localised to a specific path.

After more hours of head scratching I decided to check out the new features I had installed to see if something there might have caused such a strange problem. With the upgrade we gained some new security tools, one of them being the new URLSCAN tool from Microsoft which has a number of security benefits. It dawned on me that maybe this had something to do with the issue; typically you would expect these things to install disabled until you are ready to enable them.

Well to cut a long tiring experience short URLSCAN was enabled and has a nice setting enabled (or rather set to disable) by default called “AllowDotInPath”… The name says it all really and it is meant to block any URL that has a dot in the path of the URL. I set this to 1 (“AllowDotInPath=1”) and saved the INI and suddenly all the WordPress and Magento sites sprang back to life. Thanks for that MS…

So after all that it was such a simple if less than obvious fix.

Anyway I’m writing this to help other admins as I’m sure this is going to affect lots of other people using these sorts of PHP PATHINFO based URL rewriting techniques on IIS.
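To check a server for this before users report it, the sketch below reads the AllowDotInPath value from a URLScan INI and lists which request URLs the setting would block. It is an added example, not part of the original post or of URLScan itself: the dot test is a simplified model of the behaviour described above (a dot in any path segment other than the last), and the sample INI and URLs are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample, cut down to a few lines; not a copy of a real server's file.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1
AllowDotInPath=0        ; the value this post found after the install

[DenyExtensions]
.exe
.bat
"""

# Constructed request URLs of the kinds mentioned in the post.
SAMPLE_URLS = [
    "/index.php/2009/07/my-post/",    # WordPress PATHINFO permalink
    "/index.php/admin/",              # Magento admin
    "/index.php?p=12",                # query-string permalink
    "/wp-content/themes/style.css",   # ordinary static file
]

def read_allow_dot_in_path(ini_text):
    """Return True or False for AllowDotInPath, or None if the key is absent."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.read_string(ini_text)
    for section in cp.sections():          # section names are case-sensitive
        if section.lower() == "options":
            value = cp[section].get("allowdotinpath")   # keys are lower-cased
            return None if value is None else value.strip() == "1"
    return None

def has_dot_before_last_segment(url):
    """Simplified model (assumption): a dot in any path segment but the last."""
    segments = urlsplit(url).path.split("/")
    return any("." in seg for seg in segments[:-1])

def affected_urls(ini_text, urls):
    """URLs the setting would block; an absent key is treated like 0."""
    if read_allow_dot_in_path(ini_text):
        return []
    return [u for u in urls if has_dot_before_last_segment(u)]

if __name__ == "__main__":
    for url in affected_urls(SAMPLE_INI, SAMPLE_URLS):
        print("blocked while AllowDotInPath=0:", url)
```

Run against the constructed sample, it flags the two /index.php/ URLs and leaves the query-string permalink and the static file alone.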

The truth about unlimited bandwidth hosting plans

Friday, August 15th, 2008

We get asked regularly if we offer plans with unlimited (or huge) amounts of space and bandwidth like some other well known hosts.

The simple answer is no, and the reason is also simple: lying to our customers is not something we feel happy to do.

Advertising plans with unlimited bandwidth or space is simply a marketing ploy used by some less than honest web hosts to sell to unsuspecting and inexperienced customers something that can’t in reality exist.

As a rule a single server will usually have maybe up to 2000 GB of bandwidth per month allocated to it, so how can a web host offer a single customer more bandwidth than the whole of the server they’re hosted on has available to it? Answer: they can’t and the offer is a lie.

How the unlimited space and bandwidth “Con” works!

In hosting circles it is a well known fact that people on the whole don’t know how much space and bandwidth their site is going to need, and so if they can take an unmetered/unlimited plan then they don’t have to make the customer think about it. The customer feels that if their site suddenly becomes popular they are covered because there’s no bandwidth limit.

Unfortunately the fact is that the opposite is usually the case. Unlimited plan hosts are by definition over-sellers, they rely on the fact that in most cases a website will use very little space and bandwidth, and so they pack their servers with customers vastly overselling the space and bandwidth available to the server. The same goes for hosts offering huge amounts of space and bandwidth.

What this means is that when a site does start to use a high amount of bandwidth (or god forbid the site gets hit by Digg), or a client decides to make use of the huge amount of space they were promised and uploads their digital photo or video collection, the host then has to act quickly to remove the customer’s site so as not to bring the whole over-sold server to its knees.

This usually comes in the shape of an email or phone call telling the customer that their site is using more server CPU cycles than is allowed, and asking the customer to upgrade or risk losing their hosting. In many cases though it just means the site is shut down without notice.

So what about us?

In our case we never oversell our servers, and we only offer plans with a realistic amount of space and bandwidth. We never allocate more space and bandwidth than is allocated to each of our servers; in fact we generally allocate less than 50% of a server’s overall resources to allow for the growth of the customers on it, and to allow for the odd occasion when a customer’s site may suddenly get an unusually large amount of traffic.

Another thing we don’t do is immediately disable sites that go over their allocated space or bandwidth limit. In fact, unless it is an ongoing problem and we’ve heard nothing from the customer after multiple communications, your site will be safe. We’ll also first advise how the customer can reduce their usage to come within their limits (properly compressing images, removing log files, etc.).

The final word.

The last question you should really ask yourself is this – Can I trust my valuable website with a host that is less than honest with me??

I know I wouldn’t…

Anyway don’t take my word for it, I work for a web host after all. Just visit these independent sites to read what they have to say about the unlimited space and bandwidth Con.

http://www.findmyhosting.com/truthunlimited.htm
http://www.calvinleong.net/blog/2008/06/10/choosing-a-webhost-unlimited-bandwidth/
http://forums.webhostdir.com/showthread.php?t=14899

For some great “Limited” space and bandwidth plans please visit our main website at http://www.servwise.com.

Got Website, Need SSL

Tuesday, June 24th, 2008

It has always been important when transmitting sensitive data over the Internet that that data is transmitted and stored securely. Secure storage is a subject for another time, but for now I’m going to talk about security during transit which is most commonly achieved on the web using SSL (Secure Socket Layer).

Secure Socket Layer (AKA Transport Layer Security) is an “on the fly” encryption technology that securely encrypts data transmissions through the TCP/IP network.

I won’t go into exactly how SSL works but you can find out much more from our friends at Wikipedia (Link at end). What I will talk about here are the differences between the types of SSL certificate on the market today.

Choosing the right SSL certificate.

Choosing an SSL certificate does not need to be difficult. Firstly let’s make things absolutely clear: typically when it comes to the job of securing data, all SSL certificates of the same key size will offer the same security level. If security is your only concern then any low cost SSL (or even a self-signed one) will secure data to the same level of encryption.

So why should you BUY a certificate if they all do the same job?

The reason for the different types of SSL is nothing to do with security but to do with assurance (Trust). When you buy an SSL from a certificate authority like VeriSign or GeoTrust you are validating your identity on the Internet and providing assurance to your customers that they are dealing with a legitimate business. You should also consider that if you are securing a public website then using an SSL issued by a certificate authority will eliminate the scary browser pop-up message that your visitor would get if you were using a self-signed SSL.

What are Domain Validation, Organisation Validation and Extended Validation certificates?

These are the main types of SSL and provide different levels of assurance (Trust) to the site visitor.

A Domain validated certificate is where only the domain owner is validated using an email to an address at the domain. It’s simple and fast and you can normally have your certificate in under an hour but provides only the minimum assurance (trust) for the user.

An Organisation validated certificate takes longer as your business or personal identity will be validated as well as the domain, and you will normally have to provide proof in the form of authenticated documents etc. This will however mean that if a visitor decides to read the details of the SSL certificate in the browser, instead of just mentioning the domain it may also mention the business entity in the certificate details, adding more assurance for the visitor. Typically these types of SSL will also come with Dynamic Site seals to help the visitor validate your site more easily.

An Extended validation (EV) certificate is a relatively new concept for SSL and is only supported fully in newer web browsers (Internet Explorer 7+, Firefox 3+ etc.); in older browsers it works just like a standard organisation validated SSL certificate. However in newer browsers it will also provide a highly visible security indicator by turning the browser address bar green to indicate the site is highly trusted and fully validated. There is also no need for the visitor to manually view the certificate to validate ownership, as the business name and certificate issuer are clearly displayed in the address bar. These types of certificate are perfect for sites that deal with highly sensitive information like financial or medical data.

Here are some other things you should check before buying an SSL certificate.

Is the certificate signed by a root certificate authority?
Many are: VeriSign, GeoTrust, RapidSSL and Comodo, to name a few. Always look for a single root issued certificate, otherwise you may have trouble as you’ll need to add additional certificates in a chain to make the certificate work without giving a browser alert. We sell SSL Certificates from VeriSign, GeoTrust and SBS/Comodo and they are all single root issued certificates.

What is and do I need a Dynamic site seal?
A dynamic site seal is basically a piece of code provided by the SSL issuer that can be placed on the secure site. When clicked it opens the SSL issuer’s site and shows a page providing information about the SSL certificate and who it is registered to, and sometimes the seal itself will display a dynamic graphic or HTML with the business name on it. This can add an additional element of assurance for the visitors of the site.

What is a Wild-card SSL certificate and how do they work?

When you register a standard certificate it is only registered for one “fully qualified” domain, so a registration for “domain.com” will only work for “domain.com”; it won’t work for “www.domain.com” or “secure.domain.com”. So if you need an SSL to work on www.domain.com you must make sure you generate your CSR for www.domain.com.

A Wild-card SSL certificate works slightly differently and allows you to use the same SSL certificate to secure multiple sub-domains of a domain, e.g. www.domain.com or secure.domain.com as well as just domain.com. If you need to secure a lot of sub-domains then this can be a cost effective way to do it.

So in the end which SSL certificate should you purchase?

That question is obviously down to your own personal requirements. A basic domain validated SSL certificate can cost very little. However if you want your customers to have extra assurance (trust) in your website then the advantages of an organisation validated or extended validation (EV) certificate can outweigh the costs.

View our low cost SSL certificates here

For more information about SSL in general please visit Wikipedia.

How much should I expect to pay for a website?

Monday, January 7th, 2008

So far I have only really talked about ServWise and our affordable hosting packages. But this time I want to discuss the Web Design business (My other favourite topic) and specifically the subject of “How much should I expect to pay for a new website?“.

Many people ask me this question, and more often than not I am surprised at the perception people have about how little it should cost to produce a professional corporate website. In part I think this is down to the prominent advertising of free or cheap web design systems that give the impression that all web design is easy and takes only minutes.

These systems will generally use pre-programmed templates that in many cases will look quite professional, but you have to remember that you are not buying a personal design; it’s probably being used by 100s if not 1000s of other websites and will be very limited in the amount of customisation you can make.

So in an effort to educate and inform I’ve listed a few example price ranges that I believe are fair for the most common types of website systems for the typical SME business, based on the many years’ experience that I have had producing high quality web site solutions for these types of client.

Basic website with a pre-made design
Example Technologies : xhtml, css
Pages : 5-10 A4 sized pages.
Price : £200-£500

Basic website with a bespoke design
Example Technologies : xhtml, css
Pages : 5-10 A4 sized pages.
Price : £400-£800

Medium sized website with a bespoke design and features like drop-down menus using javascript (dhtml)
Example Technologies : xhtml, css2, javascript (dhtml)
Pages : 20-30 A4 sized pages.
Price : £700-£1500

CMS (Content management system) driven website using an off the shelf open-source CMS and incorporating a bespoke template design
Example Technologies : SQL, php, xhtml, css, javascript
Pages : Unlimited via CMS
Price : £1200-£2000

CMS (Content management system) driven website using an off the shelf open-source CMS and incorporating a bespoke template design and including eCommerce
Example Technologies : SQL, php, xhtml, css, javascript
Pages / products : Unlimited via CMS
Price : £3000-£5000

Bespoke CMS (Content management system) driven website incorporating a bespoke template design
Example Technologies : SQL, php, xhtml, css, javascript
Pages / products : Unlimited via CMS
Price : £6000-£10000

Bespoke CMS (Content management system) driven website incorporating a bespoke template design including eCommerce
Example Technologies : SQL, php, xhtml, css, javascript
Pages / products : Unlimited via CMS
Price : £8000 and above

As with any competitive market you are likely to get prices ranging wildly based on who does the work and where it is done, however the prices listed are what I would say in the UK should get you a fairly decent website. Don’t expect to get a Facebook or Amazon for those prices though.

Anyway that’s all for this post. I hope it provides some valuable information for those looking for a new website, and don’t forget to ask for a FREE quote at WiredEyes.com

back soon.