Surviving A “Hug of Death”

One of the wonders of the modern internet is the ability to share content and have it accessible from anywhere in the world instantly. This allows the spread of information to take place at unparalleled speeds, and can result in a sort of virtual flash mob where something gets very popular very quickly without the chance to manage accordingly. Just as in real life, these flash mobs can get out of hand.

These “virtual flash mobs” have been called a few different things over the years, a common one was “getting slashdotted”, where the traffic resulted from something getting popular on slashdot. Another, and my favourite, is the reddit “hug of death”.

This blog post will aim to help you understand, prepare for, and handle a hug of death.

Detection

As mentioned above, hugs of death tend to start quickly, so you’d better have some monitoring with high resolution. If you want to respond before things get too bad, you’ll need to act quick. This is of course if you don’t have automated responses, but that’s something we’ll discuss below.

Optimisation

Optimising any website is important, but it’s particularly important on high traffic sites, as any inefficiencies are going to be amplified the higher the traffic level gets. Identifying these weak-spots ahead of time and working to resolve them can save a lot of heart-ache down the line. An area of particular importance for optimisation is your SQL/database layer, as this is often the first area to struggle, and can be much harder to scale horizontally than other parts of a stack.

Caching/CDNs

Using a CDN to serve your site’s assets helps in two regards. It lowers the download latency for clients by placing the assets in a closer geographic location, and removes a lot of the load from your origin servers by offloading the work to these externals places.

Tiered Infrastructure

Having the different levels of your infrastructure scale independently can allow you to be much more agile with your response to a hug of death. Upscaling only the areas of your infrastructure that are struggling at any given time can allow you to concentrate your efforts in the most important places, and save you valuable money by not wasting it scaling every part of a “monolithic” infrastructure instead of just the area that needs it.

Auto-scaling

What makes responding to a hug of death easy? Not having to “respond” at all. With the ever increasing popularity of cloud computing, having your infrastructure react automatically to an increase in load is not only possible, but very easy. We won’t go into specifics, but it basically boils down to is “if the load is above 70%, add another server and share the traffic between all servers”.

As scary as a hug of death sounds, they’re actually great overall. It means you’ve done something right, as everybody wants a piece of what you’ve got. If you want some help preparing then please get in touch and we’ll be happy to help.

AWS services that need to be on your radar

We are avid AWS users and the AWS Summit this year really added to our excitement. AWS have grown quicker and larger than any other server host in the past few years and with it there has been a flood of new AWS technologies and services. Below are our favourite solutions, it is time to put them on your radar.

What is AWS?

AWS (Amazon Web Services) are the biggest cloud server provider, their countless services and solutions can help any company adopt the cloud. Unlike some of their competitors AWS allow you to provision server resources nearly instantly, within minutes you can have a server ready and running. This instant provisioning makes AWS a must for anyone looking into scalable infrastructure.

1) Elastic File System (EFS)

EFS has been on our radar since it was first announced, EFS is Amazons solution to NFS (Network File System) as a service. It is the perfect addition to any scalable infrastructure, enabling you to share content instantly between all of your servers and all availability zones. If you wanted your own highly available NFS infrastructure it would take at least five servers and hundreds of pounds to recreate their scale. It has been a long time coming and EFS has finally been released from beta, rolling out into other regions including the EU, huzzah!

2) Codestar

Codestar is Amazon’s new project management glue, it pulls together a number of Amazon services making application development and deployment a seamless process. Within minutes you can turn your code repository into a highly available infrastructure. Codestar automatically integrates with:

  • CodeCommit – A git compatible repository hosting system which scales to your needs.
  • CodeBuild – Compile, test and create applications that are ready to deploy.
  • CodeDeploy – Automatic rolling out updates to your infrastructure, CodeDeploy handles the infrastructure helping you avoid downtime.
  • CodePipeline -The process getting your code from CodeCommit, into testing, into CodeDeploy.
  • Atlassian JIRA – CodeStar can also tie into JIRA, a popular Issue tracking and project management tool.

I have just started using CodeStar for my personal website and I love it, it makes continuous deployment a pleasure. All of those little tweaks are just one git push away from being live and if anything goes wrong CodeDeploy can quickly roll back to previous versions.

3) Athena

In a couple of clicks Athena makes your S3 data into a SQL query-able database. It natively supports: CSV, TSV, JSON, Parquet, ORC and my favourite Apache web logs. Once the data has loaded you can get started writing SQL queries.

Earlier this week there was an attack on one of our servers, in minutes I had the web logs into Athena and was manipulating the data into reports.

4) Elastic Container Service (ECS)

ECS takes all of the hassle out of your container environment letting you focus on developing your application. ECS has been designed with the cloud ethos from the ground up, designed for scaling and isolating tasks. It ties straight into AWS CloudFormation allowing you to start a cluster of EC2 instances all ready for you to push your Docker images and get your code running.

In Summary

One common theme you might have picked up on is that Amazon is ready for when you want to move fast. Streamlined processes are at the heart of their new offerings, ready for horizontal scaling and ready for continuous integration.

Are you making the most of AWS?

Is the cloud is right for you?

Drop us a line and we will help you find your perfect solution.

Feature image by Robbie Sproule licensed CC BY 2.0.

Is your uptime in your control?

People have always relied on 3rd parties to provide services for them, and this is especially true in the technology sector. Think server providers, payment providers, image hosting, CSS & JS libraries, CDNs etc. The list is endless. Using external providers is of course fine, why re-invent the wheel after all? You should be concentrating on what makes your product/service unique, not already-solved problems. (It’s also the Linux ethos!)

Why should you care?

With that said, relying on other people’s services is obviously a problem if their service isn’t up. Luckily, most big service providers, and lots of smaller providers too, have status pages where they will provide the current status for their systems and services. (see ours here). These status pages are great during an unforeseen outage, as you can get the latest info, such as when they are expecting the issue to be fixed, without having to contact their support team with questions, at a time when their support is probably under a lot of strain due to the outage in question.

Lots of status pages even allow you to subscribe to updates, meaning you’ll receive an email or SMS (or even have them call a web-hook for an integration into your alerting systems) when there is an issue.

As much as everyone hates outages, they are unfortunately a part of life, and when it’s another service provider’s outage, there isn’t much you can do. (Ideally you should never have a single point of failure, i.e. high availability, but that is a blog post for another time).

What can you do about it?

However, not all outages are unforeseen, and lots of common issues are easy to prevent ahead of time with some simple steps:

    1. Monitor the status page / blogs of your service providers for warnings of future work that could effect you, and make a record of it
    2. Subscribe to any relevant mailing lists. These not only let you know about issues, but allow you to take part in a discussion around the issue and it’s effects
    3. Set up your own checks for service providers that don’t have a status page and/or an automated reminder system (we can help with this).
    4. Make sure that reminder notifications are actually being seen, not just received. You could have all of the warning time in the world, but if nobody reads the notification, you can’t action anything.

Other things to consider

As mentioned above, your customers are likely to be more forgiving of your outage if it is somebody else’s fault, but they’re not gonna be happy if it’s your fault, and they are really not gonna be happy if it was easily preventable.

The two most common problems that fall into this bracket are domain name and SSL certificate renewals. Every website needs a domain name, and massive amounts of sites use SSL in at least some areas. If your domain name expires, your site could become unavailable immediately (depending on your domain registrar and how nice they are).

SSL certificate expiries can also cause your site to become unavailable immediately. On top of this, browsers will give nasty warnings about the site being insecure. This is likely to stick in the mind of some visitors, meaning it could damage your traffic and/or reputation even after the initial issue has been resolved. It’s also really easy to set up checks for these two things yourselves.

If you don’t want to set these up, then we handle this for you as part of our maintenance packages. Just contact us and we can get this set up for you right away.

Privacy

Data Privacy Day 2017

This year we bring you an infographic showing how data privacy is good for business. We also encourage you to check out last years post about the business requirements of running a business in the UK.

Feature image by g4ll4is under the CC BY-SA 2.0 license.

HTTP/2

HTTP/2 is a fairly new technology, offering significant improvements over its predecessors, whilst remaining backwards compatible with previous web browsers and services. HTTP/2 is only going to get bigger, and it’s certainly not going away any time soon, so here’s some stuff you should know about it.

Before we get too in depth with the advantages of HTTP/2 and the reasons you should be using it, it’s important we understand what HTTP is in the first place, and how it fits into modern internet use.

HTTP stands for Hyper Text Transfer Protocol, and it is one of the main parts of the modern web as we know it. It is a set of rules for how information should be sent and received between systems. Any text, images and media you see and interact with on a standard web page (including this one) would most likely have been sent to you using HTTP.

The downsides of regular ol’ HTTP

HTTP has been around for a long time. This of course is not inherently bad, but HTTP was designed a long time ago, and things have changed a lot since then. HTTP/1.1, which is the version that a very large majority of the modern web uses, was first standardised in 1997, and saw major development before that date too.

That’s 20 years ago now, and in that time the internet has gone from something connecting only large enterprises and government facilities, into a truly global communications utility used daily by billions of people.

The original HTTP/1.1 spec was never designed with this sense of scale and use in mind, and so it has shortcomings in the modern day, resulting in the need for often time-consuming and complex workarounds.

One of the biggest drawbacks of HTTP/1.1 is the need for new connections on every request. This adds overheads, which are amplified due to the large number of assets used on most modern websites, and amplified even further by the additional overhead of negotiating HTTPS connections when loading assets securely.

What is HTTP/2 and what are the advantages?

HTTP/2 is the newest version of HTTP, and was standardised in mid-2015, taking influence from the earlier SPDY protocol, initially designed by Google. HTTP/2 offers significant improvements over previous versions in the following ways

  • Server push – the web server running your website can push assets to visitors before they request them, speeding up the overall load times of pages
  • Concurrency – all communication can happen via one connection, removing the overhead and complexity of establishing and maintaining multiple connections, which again results in speed improvements
  • Dependency specifications – you can now specify which of the items on your page are most important, and make sure the most important ones are dealt with first. This means the content somebody wants to see can be displayed sooner
  • Header compression – decreases the amount of data to be transferred by compressing the metadata in messages being sent and received, lowering bandwidth usage and once again decreasing load times

All of these advantages, combined with sites and applications making the most of them, can result in significant improvements in page load speeds, particularly on mobile devices, and a much nicer overall experience on the web.

An interesting point on HTTP/2 is that although there is nothing in the RFC that specifies HTTP/2 should only support encrypted connections (using TLS or SSL), some major browsers such as Firefox and Chrome have stated they will not support HTTP/2 over plain-HTTP connections. This means that in a lot of cases, you’ll have to support HTTPS in order to reap the benefits that HTTP/2 provides, but you should really be using HTTPS by now anyway, so this is not too big a deal.

Sound good? We can help!

If HTTP/2 sounds like something you’re interested in, then just get in touch and we’re more than happy to help. We’ve been running HTTP/2 on our website for quite a while now, and we’d love to help you get it running on yours!

How will Ubuntu 12.04 end of life affect me?

On April 2017, Ubuntu 12.04 reaches end of life.
We recommend that you update to Ubuntu 16.04.

Over time technology and security evolves, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old Ubuntu 12.04 systems past April 2017 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

Ubuntu End of life dates:

Ubuntu LTS (long term support) operating systems come with a 5 year End Of Life policy. This means that after 5 years it receives no maintenance updates including security updates.

  • Ubuntu 12.04 : April 2017
  • Ubuntu 14.04 : April 2019
  • Ubuntu 16.04 : April 2021

Faster:

Just picking up your files and moving them from Ubuntu 12.04 to Ubuntu 16.04 will speed up your site due to the new software.

  • Apache 2.2 -> Apache 2.4
  • MySQL 5.5 -> MySQL 5.6
  • PHP 5.3 -> PHP 7.0

Are you still using an old operating system?

Want to upgrade?

Not sure if this effects you?

Drop us a line and see what we can do for you!

 

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

Open-sourcing our Raspberry Pi Displayboard

Our office warboard runs off a simple Raspberry Pi plugged into a wall mounted TV however the code to get this to work reliably has taken a bit of tweaking over the years.

Today we continue our efforts to give back to the open source community by publishing our recipe for a solid, stable displayboard that can be used for anything from digital signage to office displays.

You can find all the code in our pi-display GitHub Repo.

This code…

  • Waits for the TV/display to be turned on before proceeding.
  • Reconfigures the resolution to match the best resolution the TV/display has to offer.
  • Fixes itself and any bad configuration should corruption occur from a bad webpage.
  • Works with the latest SSL technologies (TLS1.2).
  • Supports CEC commands allowing you to control the TV via the HDMI cable.
  • Installs fonts required for correct webpage rendering

Our office warboard is not only locked down to certain IP addresses but also uses the latest SSL protocols and ciphers. The stock chromium on Raspberry Pi wasn’t up to date (v22 when the current version is v51) and didn’t support the latest security protocols.

This repo used to use the epiphany browser instead which was more up to date (but not as stable). Now (28 Sep 2016) the Raspberry Pi team have released PIXEL which includes a much more up to date version of the Chromium browser.

This install also downloads and compiles the latest cec-client that allows you to turn the TV on and off each day via cron.

Let us know if you find this useful and feel free to fork and/or make pull requests :-)

Types of SSL Certificates

The number of businesses that use SSL have increased tremendously over the past few years and the reasons for which SSL is used has also increased, for example:

  • Some businesses need SSL to simply provide confidentiality (i.e. encryption)
  • Some businesses like to use SSL to add more trust or confidence in security and identity (they want you to know that they are a legitimate company and can prove it)

As the reasons companies use for SSL have become wider, three different types of SSL Certificates have been established:

  • Extended Validation (EV) SSL Certificates
  • Organization Validation (OV) SSL Certificates
  • Domain Validation (DV) SSL Certificates

Extended Validation (EV) SSL Certificates are issued only when a Certificate Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name plus the CA conducts a very THOROUGH vetting (investigation) of the organization. The issuance process of EV Certificates is standardized and is strictly outlined in the EV Guidelines, which was created at the CA/Browser Forum in 2007, specifies the required steps that a CA must do before issuing an EV certificate:

  1. Must verify the legal, physical & operational existence of the entity
  2. Must verify that the identity of the entity matches official records
  3. Must verify that the entity has the exclusive right to use the domain specified in the EV Certificate
  4. Must verify that the entity has properly authorized the issuance of the EV Certificate

EV Certificates are used for all types of businesses, including government entities and both incorporated & unincorporated businesses.

A second set of guidelines are for the actual CA and it establishes the criteria to which a CA needs to be audited before being allowed to issue an EV Certificate. It is called, the EV Audit Guidelines, and they are always done every year to ensure the integrity of the issuance process.

  • Takes 7-14 days to provision
  • Expect costs to be at least £150+
  • Gives a green bar in the browser

We recommend EV certificates if you are asking for sensitive details such as credit card information on your website.

Organization Validation (OV) SSL Certificates are issued only when a Certificate Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name plus the CA does some vetting (investigation) of the said organization.  This additional vetted company info is displayed to customers when the Secure Site Seal is clicked on, this gives enhanced visibility to who is behind the site which in turn gives enhanced trust in the site.

  • Takes 1-3 days to provision
  • Expect costs in the range of £40 to £100

Perfect certificate for any businesses website.

Domain Validation (DV) SSL Certificates are issued when the CA checks to make sure that the applicant actually has the right to the specific domain name.  No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal. DV certs can be issued immediately.

  • Instant provisioning
  • Usually around £10. However notably Lets Encrypt provides free certificates

This is perfect for securing every day websites like blogs.

How will CentOS 5 end of life affect me?

On 31st March 2017, CentOS 5 reaches end of life.
We recommend that you update to CentOS 7.

Over time technology and security evolves, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old CentOS 5 systems past March 2017 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

CentOS End of life dates:

  • CentOS 5 : 31st March 2017
  • CentOS 6 : 30th November 2020
  • CentOS 7:  30th June 2024

Faster:

Just picking up your files and moving them from CentOS 5 to CentOS 7 will speed up your site due to the newer software.

  • Apache 2.2.3 -> Apache 2.4.6
  • PHP 5.1 -> PHP 5.4
  • MySQL 5.0 -> MariaDB 5.5

Are you still using an old operating system?

Want to upgrade?

Not sure if this effects you?

Drop us a line and see what we can do for you!

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

Adding Google Analytics tracking to WordPress via a plugin

Before we start you will need a Google Analytics account.  See our other guide for setting up a Google Analytics account.

There are many Plugins that add Google Analytics to a WordPress site. Some will add Google Analytics reports into your WordPress site admin interface and other will just push your site’s data to Google Analytics meaning you have to view it on the Google Analytics website.

For this post we are installing Google Analytics Dashboard for WP.  As with any Plugin you need to consider security.  Look for Plugin’s that have had lots of downloads and good reviews and also that have been updated within the last 6 months. Plugin are made by anyone with programming skills and like most things people lose interest or run out of time to keep their made plugin secure and updated.  An insecure plugin could be the way hackers get into your website and cause issues.

To install Google Analytics Dashboard for WordPress:

  1. Log into your WordPress site (www.example.co.uk/wp-admin)
  2. On the left hand side go to Plugins and click Add New.
  3. Search Plugins in the right hand corner of the page for ‘Google Analytics Dashboard for WP‘ and click Install Now.Google Analytics Dashboard for WP
  4. On the install page click Activate Plugin – you will now see Google Analytics on your left hand menu
  5. Select Google Analytics – General Settings and click Authorise Plugin
  6. Click the red link (Get Access Code) on this page to generate and get your access code. A new window will pop-up asking you to allow specific data from your Google Analytics account to be used by Google Analytics Dashboard for WP. After agreement, an access code will be provided.
  7. Copy the code, paste it in the field called Access Code and save it by pressing the Save Access Code button.
  8. Once set up please be aware it may take up to 24 hour for data to appear in your reports.

You are now set to explore and set up Google Analytics Dashboard for WP as you wish. For more information and a more in depth video on how it works please visit the Google Analytics Dashboard for WP Documentation, Tutorials and FAQ page.