Our Web servers now ignore consecutive slashes in URLs

Today our servers began using an updated version of the Apache web server software that adds a new security feature: it collapses and ignores consecutive slashes in URLs it receives (among other security fixes).

For example, this URL (note the two slashes between “admin” and “options”):

 https://www.example.com/wp-admin//options-permalink.php

… would now be treated exactly as if the web server had been sent:

 https://www.example.com/wp-admin/options-permalink.php

This prevents an attacker from adding extra slashes to slip past rules that are meant to restrict access to certain URLs. (The example above is a real security problem WordPress had in 2009: the access restriction was applied only to the exact path “/wp-admin/options-permalink.php”, so a variant such as “/wp-admin//options-permalink.php” reached the permalink screen without it.)

This change should not cause any problems, and our customers should not notice any change.

However, in the unlikely event that you have intentionally written script code that behaves differently when it sees two consecutive slashes in a URL path instead of one, you will need to change that code so it no longer relies on the distinction. (Consecutive slashes in a URI path are syntactically allowed but have no meaning as a file system path, and other web servers such as nginx collapse them by default, so relying on them was never reliable to start with.) Conversely, any rule in an .htaccess file now sees the collapsed path, so a pattern that tried to match doubled slashes will no longer fire.
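The following is an added illustration, not code from Tiger Technologies or from WordPress: a Python reimplementation of the two checks the post contrasts. naive_is_restricted compares the raw path string, the way the 2009 WordPress rule did; hardened_is_restricted first collapses runs of slashes, which is what the updated Apache now does (the directive Apache calls MergeSlashes) before it evaluates access rules. The restricted path list, the example hostname and the slash_variants generator are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Paths an access rule is meant to protect (constructed for this example; the
# WordPress path is the one quoted in the post).
RESTRICTED_PATHS = {"/wp-admin/options-permalink.php"}


def path_of(url):
    """Return just the path component of an absolute URL."""
    return urlsplit(url).path


def naive_is_restricted(url):
    """Exact-string rule, the kind of check the 2009 WordPress bug relied on.
    Any extra slash yields a different string and the rule no longer fires."""
    return path_of(url) in RESTRICTED_PATHS


def merge_slashes(path):
    """Collapse every run of two or more slashes into one, which is what the
    updated Apache does to the request path before access rules see it."""
    return re.sub(r"/{2,}", "/", path)


def hardened_is_restricted(url):
    """Same rule, but evaluated against the collapsed path."""
    return merge_slashes(path_of(url)) in RESTRICTED_PATHS


def slash_variants(path):
    """Constructed attacker inputs: the path with one extra slash added at each
    existing slash position, e.g. '/a/b' -> ['//a/b', '/a//b']."""
    positions = [i for i, ch in enumerate(path) if ch == "/"]
    return [path[:i] + "/" + path[i:] for i in positions]


def unprotected_variants(check):
    """Return every slash variant of a restricted path that `check` lets through.
    An empty list means the rule cannot be bypassed with extra slashes."""
    leaks = []
    for path in sorted(RESTRICTED_PATHS):
        for variant in slash_variants(path):
            if not check("https://www.example.com" + variant):
                leaks.append(variant)
    return leaks


if __name__ == "__main__":
    print("naive rule misses:   ", unprotected_variants(naive_is_restricted))
    print("hardened rule misses:", unprotected_variants(hardened_is_restricted))
```

Only literal slashes are collapsed here. A percent-encoded slash (%2F) is a different case: Apache refuses it in a path by default (AllowEncodedSlashes Off), so code that decodes paths itself has to normalize after decoding.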

As always, don’t hesitate to contact us if you have any questions or difficulties.

HTTP/2 support for all sites (completed)

Update June 13, 2018: This is complete, and HTTP/2 is now used on all websites we host.

We’ve updated the Apache web server software we use from version 2.4.25 to 2.4.33, which allows us to add support for the newer HTTP/2 protocol.

HTTP/2 is enabled for our own tigertech.net sites and a small number of our customer sites now, and we’ll be gradually rolling out this feature to all sites over the next few weeks. (We’ll update this post when that’s completely finished.)

Customers should not see any problems or downtime. We’re mentioning it here just so that customers who do notice a change for some reason will know about it. As always, don’t hesitate to contact us if you have any trouble.


Apache 2.4.25 web server upgrade (completed)

Update May 22, 2018: The change described below is complete on all servers.

Over the next few days, we’ll be updating the software used on each web server from Apache version 2.4.10 to 2.4.25.

Customers should not notice any changes or downtime. We’re mentioning it here just so that customers who do notice a change for some reason will know about it.

This is part of a series of software upgrades to allow us to add support for the newer HTTP/2 protocol on all sites in the near future.

As always, don’t hesitate to contact us if you have any trouble.

Apache 2.4 web server upgrade (complete)

Update May 3, 2018: The change described below is complete on all servers.

Over the next few days, we’ll be updating the software used on each web server from the Apache 2.2 series to the 2.4 series.

Customers should not notice any changes or downtime. We’re mentioning it here just so that customers who do notice a change for some reason will know about it.

While the Apache 2.4 series has some changes and new features, we’ve intentionally kept things compatible with older versions. In particular, we’re using mod_access_compat to ensure that existing “Allow / Deny” authorization directives work, and we’re using SSILegacyExprParser on to ensure that existing Server Side Includes work.

The Apache 2.4 series brings changes we’re using to improve our customers’ websites. For example, we’re already using OCSP stapling to speed up the initial connection to SSL sites in many browsers, and in the future we’ll be adding support for the newer HTTP/2 protocol. Neither of these were possible with older versions of Apache.

As always, don’t hesitate to contact us if you have any trouble.

Apache Web server updated to fix CVE-2016-8743

We’ve upgraded our Apache Web server software to fix the security bug CVE-2016-8743.

Customers should not notice any changes, with one exception: the fix makes Apache parse incoming HTTP requests more strictly. If you’ve written your own software that sends requests to your site, and that software builds malformed request lines or header lines (for example, whitespace between a header name and the colon, or a bare CR or LF instead of a CRLF line ending), requests that were previously tolerated will now be rejected with a 400 error, so a bug that went unnoticed before may become visible.
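As an added example (not Apache’s code and not part of the original post), here is a small strict parser for the head of an HTTP/1.1 request, applying the RFC 7230 rules that the fix for CVE-2016-8743 enforces: CRLF line endings only, no other control characters, a request line of exactly METHOD SP target SP HTTP/x.y, header names that are tokens with no whitespace before the colon, and exactly one Host header on HTTP/1.1. The sample requests at the bottom are constructed to show which inputs a lenient server used to accept and a strict one now refuses.

```python
import re

# RFC 7230 "token" characters, used for methods and header field names.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Exactly one SP between the three parts; tabs and double spaces are rejected.
REQUEST_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/(\d)\.(\d)$")
# Any control character other than HTAB, which also catches bare CR and bare LF
# left inside a line after splitting on CRLF.
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class BadRequest(ValueError):
    """Raised for anything a strict server answers with 400."""


def parse_request_head(raw):
    """Parse request line and headers from raw bytes ending in CRLF CRLF.
    Returns (method, target, (major, minor), [(lowercased-name, value), ...])."""
    if not raw.endswith(b"\r\n\r\n"):
        raise BadRequest("request head must end with an empty CRLF line")
    try:
        head = raw[:-4].decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII byte in request head")
    lines = head.split("\r\n")
    for line in lines:
        if CONTROL.search(line):
            raise BadRequest("bare CR/LF or other control character in request head")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise BadRequest(f"malformed request line {lines[0]!r}")
    method, target = m.group(1), m.group(2)
    version = (int(m.group(3)), int(m.group(4)))
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # "Host : x" fails here: the name "Host " is not a token (RFC 7230 3.2.4).
        if not sep or not TOKEN.match(name):
            raise BadRequest(f"invalid header field name {name!r}")
        headers.append((name.lower(), value.strip(" \t")))
    if version == (1, 1):
        hosts = [v for n, v in headers if n == "host"]
        if len(hosts) != 1:
            raise BadRequest("HTTP/1.1 request must carry exactly one Host header")
    return method, target, version, headers


def check(raw):
    """Return 'ok' or a '400: reason' string, for comparing inputs side by side."""
    try:
        parse_request_head(raw)
        return "ok"
    except BadRequest as e:
        return f"400: {e}"


# Constructed sample requests: the first is well formed, the rest are the kinds
# of sloppiness a lenient parser used to accept.
SAMPLES = {
    "well formed":           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "space before colon":    b"GET /index.html HTTP/1.1\r\nHost : example.com\r\n\r\n",
    "bare LF line ending":   b"GET /index.html HTTP/1.1\nHost: example.com\r\n\r\n",
    "double space in line":  b"GET  /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tab in request line":   b"GET\t/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "bare CR in value":      b"GET / HTTP/1.1\r\nHost: example.com\r\nX-A: a\rb\r\n\r\n",
    "two Host headers":      b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
    "missing Host on 1.1":   b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:22s} -> {check(raw)}")
```

The point of the strictness is that a proxy and the server behind it must agree on where one request ends and the next begins; inputs a lenient parser “helpfully” repairs are exactly the ones two parsers can disagree about.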


Brief scheduled maintenance February 18, 2012 (completed)

On Saturday, February 18, 2012 between 10:00 and 11:00 PM Pacific time, we’ll be upgrading the Apache Web server software on each of our Web servers.

Most customers will not notice anything, but the upgrade will cause approximately 30 seconds of slow Web page loading at some point during that hour as we delay incoming connections at the network level.

This maintenance is necessary to apply security and reliability fixes released by the Apache developers. (We’ve been using the upgraded version on our Webmail servers for several days, so it’s well tested.)

Update: The maintenance was completed at 10:03 PM Pacific time.

Format of compressed old access log files changing to bzip2

When we store older Apache Web server access logs for your site — those that are more than two months old — we re-compress the original logs into single monthly files. These take up less disk space for your account when you have a lot of them. (We have some customers with log files going back more than ten years!)

Until now, we’ve re-compressed these files using gzip. We’re switching to bzip2 compression, which reduces the size further: the resulting files are about half the size of the gzip versions.
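As an added example of the procedure described above (not Tiger Technologies’ own tooling), the Python below takes a month of individually gzipped daily access logs, concatenates their plaintext into one monthly file compressed with bzip2, and verifies the new file against a SHA-256 of the plaintext before anything is deleted. The daily logs are constructed in the script; a real run would read the rotated files from disk instead.

```python
import bz2
import gzip
import hashlib


def make_daily_log(day, n_lines):
    """Constructed sample: n_lines of Apache common-log-format lines for one day."""
    lines = [
        f'203.0.113.{i % 254 + 1} - - [{day:02d}/Jan/2012:00:{i % 60:02d}:00 +0000] '
        f'"GET /index.html HTTP/1.1" 200 {1000 + i}\n'
        for i in range(n_lines)
    ]
    return "".join(lines).encode("ascii")


def gzip_daily(plain):
    """What nightly rotation produces: one gzip file per day."""
    return gzip.compress(plain)


def recompress_month(daily_gz_blobs):
    """Decompress each daily gzip blob in order, join the plaintext and bzip2 it.
    Returns (bz2_bytes, sha256_hex_of_plaintext) so the result can be verified."""
    plain = b"".join(gzip.decompress(blob) for blob in daily_gz_blobs)
    return bz2.compress(plain, compresslevel=9), hashlib.sha256(plain).hexdigest()


def verify_monthly(bz2_blob, expected_sha256):
    """Only after this returns True is it safe to remove the daily gzip files."""
    return hashlib.sha256(bz2.decompress(bz2_blob)).hexdigest() == expected_sha256


def plaintext_of(bz2_blob):
    return bz2.decompress(bz2_blob)


def demo(days=31, lines_per_day=500):
    dailies = [gzip_daily(make_daily_log(d, lines_per_day)) for d in range(1, days + 1)]
    monthly, digest = recompress_month(dailies)
    return {
        "gzip_total_bytes": sum(len(b) for b in dailies),
        "bzip2_total_bytes": len(monthly),
        "verified": verify_monthly(monthly, digest),
    }


if __name__ == "__main__":
    print(demo())
```

Sizes reported by demo() are for the synthetic log and will not match real traffic; the check that matters is that verified is True before the originals are discarded.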
