Week of 9/9/19 – SSH Auth Changes, Squashed a New Account Bug, and Other Security Patches!
Per our introduction post, one of the areas that we know we can do better on is with Changelogs. In fact, this is an area a lot of SaaS companies struggle with – so we’re trying to do better. While we don’t have SemVer numbers for our changes, we think anything is better than nothing.
Without further ado, let’s dig into it. This week we see a lot of great changes landing in the release today. Most of these items are only hitting production in today’s release. However, some of these trickled out as hot fixes over the past week.
A Cut Above the Rest: A Few Changes Worth Noting!
- Rebuilt and updated GridPane Nginx to 1.16.1
All new servers will deploy the new version and existing Prometheus servers will be updated as part of their unattended upgrade cycle.
- Upgrade SSL provisioning scripts – developed and expanded API functionality
Overall this change is a huge improvement and makes the script more flexible to work with. SSLs are backed up when disabled, traditional verification doesn’t require disabling tools like CloudFlare, and some configs were changed. Read more in the help docs!
A great disturbance in the force…
Recently things have been running pretty well around here. Too well – and without pause reality came knocking. Long story short, this week we ran into two issues that we needed to address.
First, we recently realized that there was a security flaw in how we manage system users. This is an area we’re sensitive to, as we try to go above and beyond on security concerns; it is something we felt we were doing right when competitors were not. After realizing our mistake we quickly adjusted to fix the issue. As such, SSH Password Authentication is now properly and fully disabled on all GridPane servers.
The next thing was a minor snafu with account creation/upgrade that some of you may have noticed. This issue would have prevented users from signing up (or upgrading) to one of our Paid plans. Not an ideal situation! After debugging the issue we traced it down to a bug with our payment processing and then fixed it up!
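For the SSH change described above, one way to confirm on a server that password logins are actually off is to audit the effective configuration that `sshd -T` prints. This is an added example, not GridPane's own tooling: the function name and the sample input are constructed, and it also checks the keyboard-interactive and empty-password settings, which the post does not mention.

```shell
#!/bin/sh
# Added example: audit effective sshd settings for anything that still
# permits password logins. Input is `sshd -T` style text on stdin:
# one "keyword value" pair per line, keywords in lowercase.
# audit_sshd_password_auth is a hypothetical helper name.
audit_sshd_password_auth() {
    awk '
        function check(key, want,    got) {
            got = (key in cfg) ? cfg[key] : "(not reported)"
            if (got == want) return 0
            printf "FAIL %s is %s, want %s\n", key, got, want
            return 1
        }
        { k = tolower($1); if (!(k in cfg)) cfg[k] = tolower($2) }
        END {
            fails = check("passwordauthentication", "no")
            fails += check("permitemptypasswords", "no")
            # Keyboard-interactive can prompt for a password through PAM.
            # Older OpenSSH reports it as challengeresponseauthentication.
            kbd = 0
            if ("kbdinteractiveauthentication" in cfg) {
                kbd = 1; fails += check("kbdinteractiveauthentication", "no")
            }
            if ("challengeresponseauthentication" in cfg) {
                kbd = 1; fails += check("challengeresponseauthentication", "no")
            }
            if (!kbd) { print "FAIL keyboard-interactive setting not reported"; fails++ }
            exit (fails > 0)
        }
    '
}

# Constructed sample of `sshd -T` output (not taken from a real server).
SAMPLE='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
permitemptypasswords no'

printf '%s\n' "$SAMPLE" | audit_sshd_password_auth ||
    echo "password logins are still possible with this configuration"

# On a real host, as root: sshd -T | audit_sshd_password_auth
```

Settings inside `Match` blocks only show up when `sshd -T` is given a connection spec with `-C`, so a per-user override needs its own run.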
All of the Changes! (The rest of the changes)
- Rebuilt and updated GridPane Nginx to 1.16.1 See Above…
- Upgrade SSL provisioning scripts See Above for more details…
- Improved syncing Server data from API Providers
Changing the hostname in your GridPane will update the hostname on the server and reboot it. Similarly, updating the server’s IP will trigger the Stats and PHPMyAdmin domains to update their DNS.
- Added new safeguards when deleting servers
When deleting servers you will be required to confirm the action to prevent accidental server deletions.
- Fixed Database duplication bug causing issues when pushing between production and staging
Should be fixing a lot of issues users were reporting. When Staging failed to sync this was the culprit in most cases.
- Removed the ‘Change PHP User’ dialog from staging
This was a non-functional option that’s been unused for some time.
- Updated dropdowns on forms throughout platform to be Alphabetized
Just a simple UX improvement that should make sorting through dialogs and dropdowns easier.
- Fixed UI glitch after SSH Key push that caused stats button to go inactive
A pesky little annoyance that wasn’t causing any ‘real’ issues, but certainly wasn’t giving a great experience either.
- Improved the Change PHP dropdown to prevent race condition
Previously, users could make multiple subsequent requests to change the PHP version before the first one had even completed. This could lead to completely broken systems under certain conditions.
- Automatically adjust quotas on server resizing
When you resize a server, the Monitoring and Backup related quotas will now be adjusted to match the new resources. This provides a much better experience when you’re resizing to allocate more resources to a service or site.
- Add validation to disallow numerical system user names
- Fixed bug with bind mounts and system permissions
This should squash the reports of issues with System Users missing site folders via SFTP.
- Added new PHP Process Manager CLI commands
- Fixed bug allowing existing domains to be re-added
We’ve added extra validation rules and more error messages to the domain dialogs. This should help prevent the same domain being added multiple times on a single server.
- Improved server list bug to only list fully provisioned servers
If the server hasn’t completed provisioning, you shouldn’t be able to set up a site yet.
What’s Up Next?
In the coming weeks we expect to roll out even more important changes. From a support perspective, we’re hoping to migrate from Intercom to Zendesk. We’ve backed up everything from our end, but it may be wise to make your own backup of support cases from Intercom.
On the security front, we’re looking into what we can do about our older Plaid stack. This is a platform that’s been effectively deprecated. Our Dev team is not doing any continued development on that platform and it is not getting new features or improvements. We will eventually be deploying improved tools to help migrate from Plaid to Prometheus. Once that happens we will officially be announcing the EOL for Plaid.
Finally, on the platform side of things we’ll continue to be making steadfast improvements. We’re still constantly taking your feedback from real support cases to drive our priorities here. Some areas we’re focusing on to note are: Teams, the Domains manager, and DNS management. You can expect to see some changes to all these in the near future.
Until next time, from the GridPane Dev team, have a great day!