![]() |
![]() |
||||
We have added a new subsystem today which will check your SSL Certificate expiry date.
The following conditions are checked and reported on:
In addition to having your certificate expire, the Certificate Authority (CA) can move very slowly, even when just renewing a certificate. Their authorisation process can also change every few years (for example, at Thawte it's no longer possible to use ssladmin@ as the email address for automatic authorisation). All these delays add up to more downtime for your SSL security, which can mean your entire online shop is effectively offline. Over Christmas and New Years, there can be even more delays!
Certificate Authorities notify their customers when an SSL certificate is about to expire, so why do our customers let them expire?
These are the reasons we have discovered:
SSL Certificate Checks are a new feature at metawerx, to ensure your website remains stable and reliable. They are sent to the Technical and Billing Contacts on your account.
If your SSL certificate has issues, it reduces the trust that users have in your website or application, so hopefully we can save you some stress and embarrassment!
Metawerx is proud to release our new Java Application Health Check system this week.
This system can be used to quickly analyse your configuration and application for serious errors.
You will notice a new link system is available in our online control panel (SiteWinder) under the App Health Check link and we will also be sending weekly email alerts.
The following areas are checked and reported on:
These types of issues indicate a problem with your application which may not become apparent unless your site is busy, or errors which could prevent your application from running at all. When your application appears to be running well, checking logs is boring work, so hopefully we can make things easier for you!
We don't report every exception or error in your logs, as there are bound to be numerous small issues with any project, especially one under constant development. However, we will try to alert you to anything important we find, such as the more serious issues in the above list, or issues that are being reported excessively.
To ensure your application is running at it's best, check your System Logs and Private System Logs for errors and exceptions and ensure log4j is never set to DEBUG logging unless you are tracking a specific bug. DEBUG logging will reduce JVM performance and disk-performance due to excessive writes, so switch it off when you're not using it.
And of course, if you ever need any assistance at all, please don't hesitate to contact us directly!
While investigating a large increase in spam over the last week, we have found the problem was caused by an incompatibility with Google DNS and SpamHaus. One of our secondary mail servers uses (used!) Google DNS and since Dec-14 we can see no SpamHaus queries succeeding.
Others have reported similar problems
Most SPAM is blocked by SpamCop but SpamHaus usually does a good job of finding the other 30% or so, and does an excellent job when SpamCop is slow in picking up new bot networks.
We have now removed the Google DNS entry on the secondary mailserver and can confirm that SpamHaus queries are now succeeding again.
The following upgrades are now available:
We have a released a series of monitoring improvements today which tie in to SiteWinder and our Failover System.
The following upgrades are now available:
We have also increased disk space on all hosting plans above the Budget Plan by approximately 80-100% today due to the reduced prices of quality RAID storage. All existing customers have been automatically upgraded (not that this really affects anyone since most users are either well below their storage limit or have not been charged for disk over-usage during the last 14 years!).
In addition, some plans have had RAM boosted recently as follows:
Our local DNS resolvers are used to find the IP address of sites which your application connects to, and also when sending email.
These have been upgraded with DNSSEC today, to provide an extra layer of security when connecting to DNSSEC-enabled domains.
We have also enabled DLV support.
We have a workaround for the deadlock in Tomcat 7.0.23 startup and it is now available to all customers.
Tomcat 6.0.35 has also been released today and is now available.
Metawerx is proud to announce that we have completed the initial implementation of an exciting new system for improved uptime.
Usually reserved only for large companies with dedicated server clusters, we are bringing simple failover to all our hosted customers free of charge.
Automatic Metawerx Default Failover Page
Customised Failover Page
Full Automatic Failover/Failback to secondary JVM
Tomcat 7.0.23 has been released but has a deadlock when starting. We will not be making this version available to customers at this stage.
Please see the change logs at Apache for details.
The following upgrades are now available:
The following upgrades are now available:
The new edition of Ubuntu was released yesterday and we have upgraded some servers already.
The server upgrade went very smoothly, as it did with Maverick and Natty.
This version includes Linux Kernel 3.0 and OpenSSL 1.0.0e.
We have upgraded managed Tomcat accounts to the latest releases:
Please see the change logs at Apache for details.
We now have a shared MySQL 5.5 server available, as well as the ability to install dedicated MySQL 5.5 instances.
To upgrade, simply send us an email and we'll move you over to the new server.
Subqueries on MySQL 6.0 (currently in development) now use indexes correctly. This was always a major problem with MySQL. The changes have been backported to 5.5, so now queries containing subqueries are much faster. All Metawerx internal systems have been upgraded to MySQL 5.5 and we have noticed a large performance increase in these areas.
An example of a subquery is as follows:
-- get a list of all document creators select id from users where id in (select creator_user_id from documents)
Current versions available for hosting are now:
Please see the change logs at Apache for details.
Apache have announced that support for Tomcat 5.5.x will end on 30 September 2012, meaning bug fixes and security patches will no longer be available after that time.
Oracle have also announced that Java SE 6 will no longer be publicly available after July 2012.
We therefore recommend our Tomcat 5.5 customers start testing their applications and migrating to Tomcat 6.0, or 7.0 if possible, and also start testing against Java 7 to stay current.
We will continue to support these platforms for the foreseeable future, but as bug fixes and security patches will become unavailable, customers who wish to remain on these versions will be at higher risk.
You can now select your SSL Security Level, per domain, in the Domain Administration section of SiteWinder.
The following levels are supported:
All domains have been set to the Medium level by default, eliminating any Export-level ciphers and of course SSLv2.
For internal systems which do not require access by the public, you can now easily switch to the strongest level of encryption available. All new browsers, iPad, iPhone and Android devices already work with our High-Encryption level, but for public-facing systems, Internet Explorer 6 is still used by 2-3% of the general internet so we recommend Medium level for now.
For the absolute highest SSL security, we have two additional levels of security available on Tomcat 7 / JDK 1.7 JVMs, but Tomcat does not currently support them so they are disabled for now. With a specially rebuilt version of Tomcat we have achieved a score of 98 at SSL Labs (currently the highest in the world) and can offer that version on demand (contact Metawerx Support). A score of 100 is also theoretically possible with this modified version, but SSL Labs currently cannot test a TLS 1.2-only server so a score of 98 is the maximum currently achievable.
Please note that this new option is only relevant for Metawerx-Managed Tomcat JVM customers. If you have a Semi-Managed or Self-Managed JVM, you will need to manually edit server.xml to alter the SSL security level. Please contact Metawerx Support in this case and we will help you to modify your JVM.
You can test your current SSL setup at SSL Labs
Over the last week, you may have noticed some of our customer tools have been converted to use SSL.
The first stage of this is now complete, and the following systems now all use SSL:
In addition, we have made the following changes to hosted Tomcat accounts:
We have also added a new Import Cert feature in Domain Administration where you can import your SSL certificates by yourself. This will let you see any problems with your SSL certificates immediately, and therefore increase the speed of installation of new SSL certificate onto your site.
By the way - we're on Twitter now! Follow our news updates on twitter for immediate updates!
We now host Java 7, and recommend if you are developing a new app, to make it work with Tomcat 7 and Java 7.
Actually we've both hosting OpenJDK 1.7 for ages now, but finally Oracle has made it an official release :-)
"This release includes new features such as small language changes for improved developer productivity, a new Filesystem API, support for asynchronous I/O, a new fork/join framework for multicore performance, improved support for dynamic and script languages, updates to security, internationalization and web standards and much more." - javasoft.com
As usual, we are the first Java host in the world to make these new technologies available in a hosted environment!
We have also upgraded to the following recently (all the latest releases):
Unfortunately, we've noticed JDK 1.7.0 has some incompatibilities which make some apps not perform correctly.
For example, this wiki (JSPWiki) seems to work fine, but if we run it on Java7, it won't let me login! Not the best first impression of the official Oracle release, but as they say, there are a few language differences so some apps may need a few changes to work properly. Still, it's the first official release, so it's best to stick to the more mature 1.6.0_x flavour for production sites for a while.
We have moved the Metawerx Wiki and some of our internal software over to Tomcat 7.0.8 today. Performance feels a little snappier due to the new caching and perhaps the new ETag headers. The manager app has more features, and no compatibility problems with JSPWiki or our internal tools have been found so far.
Version 6.0.29 and up, and also Tomcat 7, required a few special security policy changes to make the Session list show in the Manager application - we've found a way to patch that, and so that's working fine as well now. If you've recently been upgraded to 6.0.32 and noticed the Session List was throwing a JSP error, it should now work. We've submitted a bug for the Apache Tomcat team to review as well. (edit: this has now been fixed by markt!)
If you are still running on Tomcat 5 or 6 and want to upgrade to Tomcat 7 to take advantage of the latest features, including the new Servlet 3.0 specification, the new JSP 2.2 specification and EL 2.2, please let us know. The minimum JDK version is 1.6.
Tomcat 7 also includes memory leak prevention and detection.
Java and Tomcat upgrades are always free of charge!
We now have a new server in Germany. If any of our customers would prefer to be hosted on that server, please contact us to start the transition process.
We love Java, and we decided long ago to focus on Java and not host PHP. There are already so many PHP hosts, and we wanted to stay focussed on Java hosting issues, Java performance and security.
However, thanks to the wonderful people at Resin, you can now run most PHP applications on your metawerx site using Quercus, the PHP compiler for Java.
Security: By using Quercus to run PHP at Metawerx, security is handled by your already secured metawerx java hosting account. PHP binaries are not used, because everything is recompiled into Java on the fly and run by the Java VM as 100% java instead.
Performance: PHP is compiled into java classes when you change it (like JSP) and then gets all the performance benefits from Java and the HotSpot compiler. According to performance reports, Quercus runs applications such as Drupal around 3.5-4x faster than a standard PHP install.
Integration: You can integrate your existing userbase with the WordPress, Drupal, MediaWiki or phpBB user databases to instantly enhance your user's capabilities on your site. There's even an API available to allow Java and PHP objects to communicate.
We have already created pages on how to install WordPress, phpBB and a few other popular software packages. We were unable to get Joomla to work with Quercus unfortunately, but I assume in the future most popular software will work out-of-the-box.
Please share your experiences with us about any other software you've installed successfully (or unsuccessfully!) and we'll add them to the wiki.