2012/11/26 18:32:17
grindkore

HC 9.03 Anyone actually using it in a production?

I have been trying to wrap my head around this HC 9.03 cluster we have setup for couple of month. To be honest, I'm ready to give up on HC entirely. We were evaluating a control panel system to migrate 30K+ domians to and HC is clearly not production ready in my opinion.
 
Here is the main gripe lists:
 
1) No support for FastCgi- This is huge, we will never run php in a production environment on windows without it. Simply unacceptable for a control panel claiming supporting Windows 2008.  Until you manage thousands of users and understand what standard cgi does to server IO under load you will to appreciate FastCgi or ISAPI php.
 
2) No support for IIS AppPool\<AppPool> ACL  - I suggest if you are actually using HC in the production environment, try using one of the popular hacking scripts on one of the domains you host. All domains hosted on the server including c:\windows, C:\Program Files are readable if one domain is compromised with the way HC currently setups ACL for the application pool users.  Basically hacker can compromise any web facing application such as wordpress, phpBB, or DNN and upload standard php or aspx rootkit script, after that your entire server is open to be rooted. 
 
3) Click & Install Apps - I have yet after a month of troubleshooting to get this working reliably, too many issues tied with PHP and ASP.NET/Application pool ACLs.
 
The HC has a potential being a good alternative to Plesk, if it actually supported basic core functions such as FastCgi and IIS 7.5 as intended. However as it stands it is not workable for us and our clients.
 
2 comments Leave a comment
Xavier
grindkore

1) No support for FastCgi- This is huge, we will never run php in a production environment on windows without it. Simply unacceptable for a control panel claiming supporting Windows 2008.  Until you manage thousands of users and understand what standard cgi does to server IO under load you will to appreciate FastCgi or ISAPI php.

I think you are misunderstood in this case. I also contacted the HC team and they told Fast CGI is in todo list. They told me that they have already supported it in their another control panel product I do not remember its name but that panel is for Linux only hostings. For ISAPI I remember I configured it back when I was using HC7 panel. So, it would also not be a big deal.
grindkore
2) No support for IIS AppPool\<AppPool> ACL  - I suggest if you are actually using HC in the production environment, try using one of the popular hacking scripts on one of the domains you host. All domains hosted on the server including c:\windows, C:\Program Files are readable if one domain is compromised with the way HC currently setups ACL for the application pool users.  Basically hacker can compromise any web facing application such as wordpress, phpBB, or DNN and upload standard php or aspx rootkit script, after that your entire server is open to be rooted. 

This part I am more interested in. If you could share some example here. It would be better. For AppPools HC provides option for such creation of application pools.
grindkore
3) Click & Install Apps - I have yet after a month of troubleshooting to get this working reliably, too many issues tied with PHP and ASP.NET/Application pool ACLs.

You should check with HC support team for this case, they do help in configuration of HC panel with click apps.

 

2012/11/26 20:14:57
HC Staff


 1) No support for FastCgi- This is huge, we will never run php in a production environment on windows without it. Simply unacceptable for a control panel claiming supporting Windows 2008.  Until you manage thousands of users and understand what standard cgi does to server IO under load you will to appreciate FastCgi or ISAPI php.
 
 
In HC it is not mandatory to use only CGI, You can  use ISAPI filter. Regarding FastCGI its already in our plan to support it, I will escalate your feedback toward concern department.
 
 
2) No support for IIS AppPool\<AppPool> ACL  - I suggest if you are actually using HC in the production environment, try using one of the popular hacking scripts on one of the domains you host. All domains hosted on the server including c:\windows, C:\Program Files are readable if one domain is compromised with the way HC currently setups ACL for the application pool users.  Basically hacker can compromise any web facing application such as wordpress, phpBB, or DNN and upload standard php or aspx rootkit script, after that your entire server is open to be rooted. 
 
 
HC run website under a unique anonymous user with limited permission, secondly if you have enabled dedicated application pool then HC will create it with identity "ApplicationPoolIdentity" which is much secure and recommended by Microsoft. And secondly about PHP base application we already jail each website in its own directory using Openbase_dir implementation. This way a php script can't operate and process beyond domain.com folder.
Tip: To improve your system security make sure that "Everyone" user is not mapped on root of system drives (c,d etc). Further restrictions can be applied if you remove "Users" permissions but make sure some applications like SQL server require this permission on system drive.
 
 
3) Click & Install Apps - I have yet after a month of troubleshooting to get this working reliably, too many issues tied with PHP and ASP.NET/Application pool ACLs.
 
 
There is not any known issue with click apps installation you can contact HC support team to help on this case.


2012/11/27 06:42:06

Comments are closed.

© 2024 APG vNext Invalid Version 5.5