IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

up

Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare

by

This post will show you how you can setup Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on your GMail (G Suite) email to limit spam and increase security.

I have a number of guides on moving away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. I use Google G Suite to send and receive emails that are linked to my domain (even via the command line) using multiple domains (with aliases).

For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Buy how can you extend your email security and limit spam?

Enter..

Sender Policy Framework (SPF) for Authorizing Use of Domains in Email

Background: SPF summary from the RFC document from the Internet Engineering Task Force (IETF).

“Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the “MAIL FROM” of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.”

Google has a guide in setting up SPF records for your G Suite account.

Scan your site for SPF, DKIM and DMARC configuration(s).

Gmail has a test site where you can check your site SPF, DKIM and DMARC etc: https://toolbox.googleapps.com/apps/checkmx/

Secure GSuite

How to set up an SPF Record

I followed this guide to set up an SPF record on my G Suite account. I use Cloudflare for my DNS provider so I’ll make my DNS changes there.

Add SPF Record

Update: Google instructions were wrong, use a TXT record and not a SPF record.

Read more on SPF at Wikipedia here.

DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.

Now let’s set up DomainKeys Identified Mail (DKIM) Signatures

Read more on DKIM at Wikipedia here.

Background: The DKIM RFC form the Internet Engineering Task Force (IETF) states…

“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”

Google has a DKIM FAQ: https://support.google.com/a/answer/174124

Login to your G Suite account and load this FAQ.

The FAQ page states..

“You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard. This involves using a private domain key to encrypt your domain’s outgoing mail headers, and adding a public version of the key to the domain’s DNS records. Recipient servers can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and hasn’t been changed along the way.

Click Generate the Domain Key

Generate Domain Key

Follow the steps and generate a key

Generate Key

Generate a new record

Generate key

Add the DKIM key to your DNS record

Add DNS record

DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Read more on DMARC at Wikipedia here. Read the official page here https://dmarc.org/.

Background: The DMARC RFC form the Internet Engineering Task Force (IETF) states…

DMARC Flow

DMARC Flow

“Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.

DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.”

Google G Suite has a guide to setting up a DMARC record here

Snip from the Google guide here..

“Spammers can sometimes forge the “From” address on email messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google is participating in DMARC.org, which gives domain owners more control over what Gmail does with spam email messages from their domain.

G Suite follows the DMARC.org standard and allows you to decide how Gmail treats unauthenticated emails coming from your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.

Login to your G Suite account and load this FAQ

Click Add A DMARC Record

Add DMARC

You will then need to set up a DKIM Domain Key (if you have not done so yet)

When you are done you need to choose your DMARC rules, I would suggest you go to https://mxtoolbox.com/DMARCRecordGenerator.aspx to generate a record

I generated these rules

Dmarc Rules

Warning: Setting a DMARC policy that is too strict may block mail from being delivered. Tighten rules over time.

Login to your DNS provider and add your TXT record.

DMARC Record

You should now have an SPF, DKIM and DMARC record in DNS.

DNS

Update: The SPD record above should be a TXT (Google led me astray)

DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.

Now go to bed and wait for DNS to replicate.

Troubleshooting SPF

My TXT record would not validate with https://toolbox.googleapps.com/apps/checkmx/check

Google Toolbox

The MX Toolbox SPF checker reports that SPF records are deprecated and to use TXT records instead.

SPF TXT Record

Fix (remove the SPF record and add a TXT record with the same contents). Don’t forget to delete the old SPF record.

TXT Record

Results

SPF Setup

Reports

SPF/DKIM reports will let me know when unauthorized people send email from my domain.

This is a spf/dkim authentication-failure report for an email message received from IP 125.105.176.155 on Sat, 14 Apr 2018 13:14:09 +0800.
Below is some detail information about this message:
 1. SPF-authenticated Identifiers: none;
 2. DKIM-authenticated Identifiers: none;
 3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures;

For more information please check Aggregate Reports or mail to [email protected]



Feedback-Type: auth-failure
User-Agent: NtesDmarcReporter/1.0
Version: 1
Original-Mail-From: <[email protected]>
Arrival-Date: Sat, 14 Apr 2018 13:14:09 +0800
Source-IP: 125.105.176.155
Reported-Domain: fearby.com
Original-Envelope-Id: VcCowECJ7EIejtFanCHFLg--.51187S2
Authentication-Results: 163.com; dkim=none; spf=softfail [email protected]
Delivery-Result: delivered
Identity-Alignment: none



Received: from mitai (unknown [208.136.26.72])
	by fearby.com with SMTP id LyDKBHx6xsr7XZkf.1
	for <[email protected]>; Sat, 14 Apr 2018 13:14:03 +0800
Message-ID: <[email protected]>
From: =?utf-8?B?5rip5a6D?= <[email protected]>
To: <[email protected]>
Subject: =?utf-8?B?UmXvvJrlm57lpI3vvJrovazlj5HvvJrml7bpl7Q05pyIMjAtMjHml6XkuIo=?=
	=?utf-8?B?5rW3IOWcsOeCuSDnvo7oh6PljJblpoblk4Hlhazlj7jln7norq3ln7rlnLA=?=
Date: Sat, 14 Apr 2018 13:13:56 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_08FE_016CD6FE.1A359D20"
X-mailer: Bagf 2

Also, DMARC will alert me to unauthorized activity

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4329490063964523747</report_id>
    <date_range>
      <begin>1523750400</begin>
      <end>1523836799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>fearby.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>none</sp>
    <pct>5</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2001:19f0:5801:5fa:5400:ff:fe80:ec7a</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>sampled_out</type>
          <comment></comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>fearby.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>unknown</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.4 Reports

v1.3 DMARC Flow image

V1.2 Updated wording

V1.1 Fixed typos (they were free)

v1.0 Initial post

Using Cloudflare DNS servers to speed up the internet and add privacy on OSX

by

Below is how I setup my OSX to use Cloudflare’s new DNS servers to speed up internet browsing and add privacy on OSX

Cloudflare has launched a DNS service: https://blog.cloudflare.com/announcing-1111/

DNS Performance

You can view worldwide DNS performance by viewing https://www.dnsperf.com/#!dns-providers

DNS Performance

I check the DNS at my router, I am using ISP provided DNS servers.

Review DNS

Cloudflare DNS

On April Fools 2018 Cloudflare Released a DNS server service.

Snip from here: “DNS: Internet’s Directory Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your device does is ask the directory: Where can I find this? Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads.

https://1.1.1.1/

Set Cloudflare Nameservers using OSX

Open the Apple System Preferences, click Network, click on your Network (Wifi or ethernet), Click Advanced then DNS and add 1.1.1.1 and 1.0.0.1

Alternatively, you can manually set your DNS servers in OSX by editing the /etc/resolv.conf, by default SX will inherit DNS settings from our router.

Troubleshooting: Clear DNS Cache

Debug DNS Data

Confirm Cloudflare DNS from the OSX Comand line

Privacy

I am not sure if Cloudflare is any more private than using ISP DNS but I’ll happily use it.

Speed

I can’t tell if DNS is faster, I did ping my ISP DNS before switching and it was about the same (sub 25ms), time will tell.

Conclusion

I have used https://www.opendns.com/ before and loved the dashboards, I hope Cloudflare add dashboard options too.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.0 Initial post

Backing up OSX or an Ubuntu server with Backblaze B2 Cloud Storage from the Command Line

by

This computer will show you can back up computer or server with Backblaze B2 Cloud Storage from the Command Line n OSX and Ubuntu.

This post is still being written. I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. Also, I have blogged about how you can add block storage to a Vultr server, backup and restore snapshots , syncing files with rsync along with using GitHub and Bitbucket but what do you do if you need to backup large amounts of data?

Backblaze has a Cloud storage solution that costs as low as $0.005c a GB (a month), The first 10G is free. Backblaze say “From bytes to petabytes Backblaze B2 is the lowest cost high-performance cloud storage in the world. ”

Back Blaze have open sourced internal drive enclosure designs and drive failure stats and it’s time I gave them a try.

Goto https://www.backblaze.com

Backblaze

Create or sign in.

Backblaze Login

After you login got the dashboard.

B2 Cloud

Click Backblaze B2 Cloud Storage

Activate B2 Cloud

Signup

Create a Bucket

Create Bucket

Name the bucket (long names with a GUID are good).

Name the Bucket

You can rename the bucket here and change public/private and or upload/download files manually.

Manage Bucket

The first thing I did was limit the versions of files under the lifecycle settings for the bucket.

Version Settings

Now I created a series of subfolders to store files from different servers (I could have used many buckets but one bucket will do).

Folders

I can upload files via the Backblaze bucket GUI if I needed to.

Upload and Download

Back Blaze has a command line tool for uploading: https://www.backblaze.com/b2/docs/quick_command_line.html

Install Steps

Backblaze stateThe B2 command-line tool is available from the Python Package Index (PyPI) using the standard pip installation tool. Your first step is to make sure that you have either Python 2 (2.6 or later) or Python 3 (3.2 or later) installed.

I have Python 2.7 installed

Install PIP

I ran into issues updating b2 CLI

I tried installing via the alternative method (with no luck)

I tried running the setup script (with no luck)

Upgrading setup tools also failed

Backing up a Mac via command line with B2

More to come when I can get B2 CLI Installed.

Backing up an Ubuntu machine via command line with B2

More to come when I can get B2 CLI Installed.

Update

My ticket with Backblaze was automatically closed with this note “If the issue is persisting, it may be easiest to map the installation to the user folder, rather than the system level.

No ideas how but something to research.

Ask a question or the recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.1 ticket closed

v1.0 Initial post

Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap

by

This guide will show how you can set up a website to use Cloudflare on a VM hosted on Vultr and Namecheap

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. This post will show how to let Cloudflare handle the DNS for the domain.

Update 2018: For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

Snip from hereCloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests with no changes to your existing infrastructure.

Buy a Domain 

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Cloudflare Benefits (Free Plan)

  • DDoS Attack Protection (Huge network to absorb attacks DDoS attacks over 600Gbps are no problem for our 15 Tbps networks)
  • Global CDN
  • Shared SSL certificate (I disabled this and opted to use my own)
  • Access to audit logs
  • 3 page rules (maximum)

View paid plan options here.

Cloudflare CDN map

Cloudflare CDN says it can load assets up to 2x faster, 60% less bandwidth from your servers by delivering assets from 127 data centres.

Cloudflare Global Network

Setup

You will need to sign up at cloudflare.com

Cloudflare

After you create an account you will be prompted to add a siteAdd SiteCloudflare will pull your public DNS records to import.

Query DNS

You will be prompted to select a plan (I selected free)

Plan Select

Verify DNS settings to import.

DNS Import

You will now be asked to change your DNS nameservers with your domain reseller

DNS Nameservers

TIP: If you have an SSL cert (e.g Lets Encrypt) already setup head to the crypto section and select ” Full (Strict)” to prevent ERR_TOO_MANY_REDIRECTS errors.

Strict SSL

Cloudflare UI

I asked Twitter if they could kindly load my site so I could see if Cloudflare dashboard/stats were loading.

The Cloudflare CTO responded.  🙂

Confirm Cloudflare link to a domain from the OSX Comand line

Caching Rule

I set up the following caching rule to cache everything for 8 hours instead of WordPress pages

Page Rules

“fearby.com.com/wp-*” Cache level: Bypass

“fearby.com.com/wp-admin/post.php*” Cache level: Bypass

“fearby.com/*” Cache Everything, Edge Cache TTL: 8 Hours

Cache Results

Cache appears to be sitting at 50% after 12 hours.  having cache os dynamic pages out there is ok unless I need to fix a typo, then I need to login to Cloudflare and clear the cache manually (or wait 8 hours)

Performance after a few hours

DNS times in gtmetrix have now fallen to a sub 200ms (Y Slow is now a respectable A, it was a C before).  I just need to wait for caching and minification to kick in.

DNS Improved

webpagetest.org results are awesome

See here: https://www.webpagetest.org/result/180314_PB_7660dfbe65d56b94a60d7a604ca250b3/

  • Load Time: 1.80s
  • First Byte 0.176s
  • Start Render 1.200s

webpagetest

Google Page Speed Insights Report

Mobile: 78/100

Desktop: 87/100

Check with https://developers.google.com/speed/pagespeed/insights/

Update 24th March 2018 Attacked?

I noticed a spike in and traffic (incoming and threats) on the 24th of March 2018.

I logged into Cloudflare on my mobile device and turned on Under Attack Mode.

Under Attack Flow

Cloudflare was now adding a delay screen in the middle of my initial page load. Read more here.  A few hours after the Attach started it was over.

After the Attack

I looked at the bandwidth and found no increase in traffic from my initial host VM. Nice.

cloudflare-attack-001

Thanks, Cloudflare.

Cloudflare Pros

  • Enabling Attack mode was simple.
  • Soaked up an attack.
  • Free Tier
  • Many Reports
  • Option to force HTTPS over HTTP
  • Option to ban/challenge suspicious IP’s and set challenge timeframes.
  • Ability to setup IP firewall rules and Application Firewalls.
  • User-agent blocking
  • Lockdown URL’s to IP’s (pro feature)
  • Option to minify Javascript, CSS and HTML
  • Option to accelerate mobile links
  • Brotli compression on assets served.
  • Optio to enable BETA Rocket loader for Javascript performance tweaks.
  • Run Javascript service workers from the 120+ CDN’s
  • Page/URL rules o perform custom actions (redirects, skip cache, Encryption etc)
  • HTTP/2 on, IPV6 ON
  • Option to setup load balancing/failover
  • CTO of Cloudflare responded in Twitter 🙂
  • Option to enable rate limiting (charged at 10,000 hits for $0.05c)
  • Option to block countries (pro feature)
  • Option to install apps in Cloudflare like(Goole Analytics,

Cloudflare Cons

  • No more logging into NameCheap to perform DNS management (I now goto Cloudflare, Namecheap are awesome).
  • Cloudflare Support was slow/confusing (I ended up figuring out the redirect problem myself).
  • Some sort of verify Cloudflare Setup/DNS/CDN access would be nice. After I set this up my gtmetrix load times were the same and I was not sure if DNS needs to replicate? Changing minify settings in Cloudflare did not seem to happen.
  • WordPress draft posts are being cached even though page riles block wp-admin page caching.
  • Would be nice to have ad automatic Under Attack mode
  • Now all sub-domains were transferred in the setup ( id did not know for weeks)

Cloudflare status

Check out https://www.cloudflarestatus.com/ for status updates.

Don’t forget to install the CloudFlare Plugin for WordPress if you use WordPress.

More Reading

Check out my OWASP Zap and Kali Linux self-application Penetration testing posts.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.8 host Command from the OSX CLI

v1.7 Subdomain error

v1.6 Cloudflare Attack

v1.5 WordPress Plugin

v1.4 More Reading

v1.3 added WAF snip

v1.2 Added Google Page Speed Insights and webpage rest results

v1.1 Added Y-Slow

v1.0 Initial post

Setting up the Debian Kali Linux distro to perform penetration testing of your systems

by

This post will show you how to setup the Kali Linux distro to perform penetration testing of your systems

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. Securing your systems is very important (don’t stop) and keep learning (securing ubuntu in the cloud, securing checklist, run a Lynis system audit etc)

snip from: https://www.kali.org/about-us/

“Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.”

Download Kali

I downloaded the torrent version (as the HTTP version kept stopping (even on 50/20 NBN).

Download Kali

After the download finished I checked the SHA sum to verify it’a integrity

A least it matched the known (or hacked) hash here.

Installing Parallels in a VM on OSX

I use Parallels 11 on OSX to set up a VM os Demina Kali, you can use VirtualBox, VMWare etc.

VM Setup in Parallels

Hardware: 2x CPU, 2048MB Ram, 32MB Graphics, 64GB Disk.

I selected Graphical Install (English, Australia, American English, host: kali, network: hyrule, New South Wales, Partition: Guided – entire disk, Default, Default, Default, Continue, Yes, Network Mirror: Yes, No Proxy, Installed GRUB bootloader on VM HD.

Post Install

Install Parallel Tools

Official Guide: https://kb.parallels.com/en/123968

I opened the VM then selected the Actions then Install Parallels Tools, this mounted /media/cdrom/, I copied all contents to /temp/

As recommended by the Parallels instal bash script I updated headers.

Then the following from https://kb.parallels.com/en/123968

Parallels will not install, I think I need to upgrade to parallel 12 or 12 as the printer driver detection is not detecting (even though it is installed).

Installing Google Chrome

I used the video below

I have to run chrome with

It works.

Chrome

Running your first remote vulnerability scan in Kali

I found this video useful in helping me scan and check my systems for exploits

Simple exploit search in Armitage (metasploit)

Armitage Scan

A quick scan of my server revealed three ports open and (22, 80 and 443). Port 80 redirects to 443 and port 22 is firewalled.  I have WordPress and exploits I rued failed to work thanks to patching (always stay ahead of patching and updating of software and the OS.

k006-ports

Without knowing what I was doing I was able to check my WordPress against known exploits. 

If you open the Check Exploits menu at the end of the Attacks menu you can do a bulk exploit check.

kali_bulk

WP Scan

Kali also comes with a WordPress scanner

This will try and output everything from your web server and WordPress plugins.

/xmlrpc.php was found and I was advised to deny access to that file in NGINX. xmlrpc.php is ok but can be used in denial of service attacks.

I had a hit for a vulnerability in a Youtube Embed plugin but I had a patched version.

k007-wpscan

TIP: Check your WordPress often.

More to come (Draft Post).

  • OWASP scanner
  • WPSCAN
  • Ethical Hacker modules
  • Cybrary training
  • Sent tips to @FearbySoftware

Tips

Don’t have unwanted ports open, securely installed software, Use unattended security updates in Ubuntu, update WordPress frequently and limit plugins and also consider running more verbose audit tools like Lynis.

More Reading

Read my OWASP Zap guide on application testing and Cloudflare guide.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.2 added More Reading links.

v1.1 Added bulk exploit check.

v1.0 Initial post

How to start-up (flesh out) an app idea

by

How do you start up a project idea?  How much time and effort do you put into product planning, prototyping, product development and product support?

Below is a rough guide to how you should start up a project (exec summary: start with defining the problem(s) and solution(s)).

I have blogged about app workflow here (mostly for public apps).

Infographic-So-you-have-an-idea-for-an-app-v1-3

Choose a Methodology

Early on you should choose a project management methodology, Agile is a popular (no lock-in) methodology compared to the older/less-flexible Waterfall or PRINCE2 methodologies.

I am a fan of the Agile methodology as it allows for inevitable frequent and required pivots over the more rigid locked down methodologies of the past.

Agile Software Development Manifesto

  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

Agile Methodology and Practices (Stages)

1. Inception Phase

  • Form Initial Team (Stakeholders)
  • Develop Common Project Vision (What is the problem)
  • Align with Enterprise Direction (Integrate where possible)
  • Explore Initial Scope (MoSCoW Method)
  • Identify Initial Technical Strategy (testing, draft, final, support)
  • Develop Initial Release Plan (Goals)
  • Form Work Environment (remote, onsite etc)
  • Secure Funding (after whiteboarding)
  • Identify Risks (what if…)

2. Construction Phase

  • Produce Potentially Consumable Solution (Minimum Viable Product/Minimum Value)
  • Address Changing Stakeholder Needs (Pivot)
  • Move Closer to Deployable Release (Iterate)
  • Improve Quality (Measure)
  • Prove Architecture Early (Test)

3. Transition Phase

  • Ensure Solution Is Consumable (Signoff)
  • Deploy Solution (Test and Deploy)

4. Ongoing Goals

  • Fulfill Project Mission (Complete Must-have backlog)
  • Grow Team Members
  • Address Risk
  • Improve Team Process and Environment
  • Leverage/Enhance Existing Infrastructure

First, you will need to define the problem(s)

First, decide on what the problem(s) are and are aiming to solve?  After the problem(s) are known you can discuss and validate possible solutions before any coding is done (billed). The business requirement will drive the technical requirements/directions,.

Letting technology goals drive the project is a bad idea.  Why do you need XYZ? Is an app required after all? Does an “off the shelf solution” exist already?  Can existing processes or software be tweaked?

You will need stakeholders (or stakeholder proxies)

Choose customer stakeholders (or customer proxies) that are engaged and positive, build a team of about 5 people who can drive the decisions and who understand the problems. Involve key stakeholders early and capture problems in a formal setting

  • Identify the stakeholders and establish a team
  • Document the problems (as it is and not how it should be)
  • Identify and specify improvement points
  • Plan solutions and Iterate

Improving a process or product should be measurable and agreed. The main aim of a customer/stakeholder is to create validated user stories that define the problem(s) and solution(s) from the end users perspective.

Example user story formats (snip)

  • As a <role>, I want <capability> so that <receive benefit>
  • In order to <receive benefit> as a <role>, I want <goal/desire>
  • As a <role>, I want <goal/desire>
  • As <persona>, I want <what?> so that <why?>
  • etc

Whiteboarding

Whiteboarding is a great way to get everyone on board (and on the same page). One person may assume that something is a certain way but another person from the trenches may say it is not the case at all. It is key that problems reported lower down the managerial structure are listen to and be valued.  Accept any problems and add them to the backlog (prioritizing comes later).

Whiteboarding should build a backlog of ideas and common understanding of what the landscape of issues are. I use a tool called Mind Node from https://mindnode.com/ to map things electronically. Within minutes you can have a map of connected or not connected areas of interest.

Mind Node

Backlog

A backlog is a place where you can document issues and break issues down into tasks.  I have blogged before about Developing software and staying on track. You can use software like Trello, JIRA or Excel or notepad.

Backlogs should have crazy ideas and things that will never be developed. Agile development iterations should only pick the best items to work on.

Trello offers basic shared lists management

Jira offers a more complex Agile backlog management suite

Backlog

Mockup Prototypes

It is important that you develop validate ideas with on device/screen with mockups/prototypes before coding something.

I use Platforma web and Platforma mobile prototyping tools with Adobe XD to prototype before development.

Agile Terminology in Backlogs

Whiteboarding and Backlogs can allow you to capture Epics, Stories and Tasks. Once tasks are prioritized they can be picked up and complete in Agile work sprints.

  • Epics are the bigger user deliverable objectives like a “usable web-based solution”, “usable iOS mobile app”, “user Android Mobile app” or other long-term objectives.
  • Stories are smaller things like “deliver back-end server infrastructure”, “Deploy a working prototype of feature X”, “Build an API (Application Programmer Interface)”. A user story can usually be completed in 2 weeks.
  • Tasks are often subtasks to stories and can be done quite quickly.  A task could be “Change the colour scheme”, “Set up a testing environment” or  “Deploy the alpha release”.

Prioritize the Backlog Often

Prioritize items in the backlog often using the MoSCoW Method.

  • Must-Have
  • Should Have
  • Could Have
  • Won’t Have

Do not work on won’t have and focus on Must-Haves first.

Define the Solution and Minimum Success Criteria

The following graphic is well known within the Project Management community.

Project Mangement Lol

How would you feel as the customer knowing that you have not been understood and that you may not get what you need?

How would you feel as the developer not knowing fully what you need to deliver?

No one likes to double back or waste time and resources unnecessarily.  Define and plan early. “Failing to plan is planning to fail.” Benjamin Franklin

Technology Requirements

The backlog will drive the requirements; e.g:

  • mobile app or web app
  • type of technology needed
  • the location and number of servers
  • number of prototypes
  • scalability and redundancy

Knowing the requirements drives the technology. Technology drives the work and the budget.

TIP: Be wary of contractors that quote before listening to your full requirements. I was once told by a contractor that their main job was to “Con” “and Insult” you.  If you accept a quote before saying what you need is a guarantee that you are paying a load of profit.

Now What

If you have defined the problem well, have good user stories and validated with stakeholders you are on the right path.

Be prepared to pivot and set frequent milestones to launch value (RERO).

Obviously centralised web-based technology is easily updatable compared to compiled and distributed mobile apps so choosing the right technology early is key to success.

Security and Quality

This is the project triangle where you can choose two sides (not three)

project mgmt triangle project mgmt triangle

Quality is a given so you must choose that, the other given is secure in my opinion.  I have blogged before about securing Ubuntu in the cloud (checklist), running security audits, installing WordPress WordFence Firewalls and WordPress Anti Malware plugins along with updating OpenSSL and applying kernel patches to protect against Spectre and Meltdown securing issues.  Supporting an app is serious stuff and often deployment is the start of the real work.

Maintenance

Will you need to recompile apps to meet iOS or Android requirements?

How often will you release updates? What percentage of devices do you want to reach?

What “service level” will you set for concurrent users, uptime and failover?  What priority will you give to backups and snapshots of the environment in case you need to restore to a previous state?

Past Lesson learned

Obviously, the larger the project and higher levels of storage/reliability/security the more checks and balances need to happen.

The Australian Bureau of Statistics contracted IBM to handle the Australian online census in 2016 and the major failure and report into what the identified problems were was an interesting read.

  • The ABS website was pulled down on the night of the study, with it then being unavailable for about 40 hours.
  • The ABS is judged to have failed to communicate with the public properly about major
  • IBM is deemed to have failed to properly test its disaster recovery processes
  • IBM had failed to properly plan for how to bring systems back up again.
  • IBM’s failure to have tested a router restart, or have a backup synchronised and in place, appears to have been significant contributing factors to the failure of the eCensus
  • In his report, meanwhile, Mr MacGibbon also found that the long-term, almost exclusive, relationship between the ABS and IBM had contributed to the problems by meaning any external questioning or oversight was absent.
  • Read more about the report.

As a minimum, you should plan and discuss early on about the performance, reliability and uptime targets for any app.  Personally I have moved between multiple cloud providers (CloudAnt, Digital Ocean, AWS and Vultr) to comfortably meet cost v performance (each app WILL have different requirements)

Type of app

The type of app (Web, Desktop, Mobile) you will need will come after discussing the problem, focus on the problem(s) and not the solution(s).

Conclusion

Do’s

  1. Keep Source ownership and IP (never let contractors own the code or processes)
  2. Insist on frequent handover often
  3. Do plan for updated version with major OS releases
  4. Do secure the app
  5. Do plan for maintenance of the app.

Don’t

  • Lock into expensive maintenance contracts.
  • Ensure the vendor is passionate about solving your problem and not the invoice they will submit.
  • etc

I hope this guide helps someone.

More Reading

Making your first Android app

Making your first cross-platform mobile app

Making your first cross-platform app with Electron

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.1 added More Reading

v1.0 Initial post

Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin

by

Below is my quick blog posts on using the EWWW IO ExactDN CDN plugin in WordPress to set up an ExactDN (Global Dis.cotribution Network (CDN)) to distribute images to my site’s visitors and shrink (optimize) images in posts.

I have blogged before on speeding up WordPress that has involved moving servers away from CPanel domains to self-managed servers (e.g on Digital Ocean or Vultr), using Lazy Load image plugins like BJ Lazy Load, Optimize images automatically in WordPress with EWWW.io and scaling and moving servers closer to your customers.

For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

Today I am going to set up the https://www.ewww.io/resize/ ExactDN (CDN) delivery network. I am paying for this myself (and this is an unbiased review).

FYI: I use Ubuntu servers and not Windows.

Know your starting point. 

“If you fail to plan, you are planning to fail!” – Benjamin Franklin

In my original post about Speeding up WordPress, I used the webpagetest.org site to test my sites response times, I was getting an embarrassing 21 seconds load time and 6 second first-byte time. I have worked to speed up WordPress by moving WordPress to a self-managed server (away from CPanel), used the BJ Lazy Load plugin and the awesome ewww.io image optimize plugin, now I get about 4-5 seconds.

I am hoping adding a CDN will make things faster. My blog is delivering over two-thirds images, perfect for a CDN, this is why I am trying this out.

Image type cdn

TIP: Check where your customers/readers are located, and how many are New versus Returning customers? Do you need a CDN to deliver content (Images) that are closer to your customers/readers or do you need to move your web server somewhere else?  The more you know the more you can help them. Worst case you will be supporting a positive experience (and potentially turning a one time visitor into a returning visitor).

I looked at my Google Analytics data to see where my visitors are. Whether good or bad, they are all over the world (Hello)?

World

Other data is available in Google Analytics.  I can see the last few years growth is growing and I am getting more returning visitors, now is the time to ensure my site is ready for more traffic and returning visitors.

Data

Note: The fall in traffic in the Audience overview (right-hand side of the left image) is the unfinished month (not a reader fall off).

Personally, I set a goal to have a high page bounce rate of 90% be way lower (at present I am at about 80% and falling (good) and my page read time has gone from 40 seconds to 1 minute 40.  Every bit you can do will help create a positive experience and help your visitors. I can see from the data above the content is being read, I am building returning visitors and they are geographically spread out. A CDN will be great. After you know where your visitors are it is good to know the times of day that your visitors are hitting your site. Lucky for me it is spread evenly over a 24 hour period.

Data Quantity

FYI: My servers outgoing data (last 30 days), not huge but BJ LazyLoad and image optimization may be helping.

Outbound

Traffic Forecast

Do you know the forecasted growth of your website?

Site Growth

Measure Before Optimizing

Before I started to optimize my WordPress site (hosted on a shared CPanel server) I had the following Web Page Test score. I tested from Singapore as that’s was where my server was originally (and the closest to me).

TIP: Read more about Performance, First Byte, Start Render and Complete scores at my blog post here.

Web Page Performace Test Results (Before Optimizations):

  • Load Time: 23.672s
  • First Byte: 6.743s
  • Start Render: 11.8300s
  • Speed Index: 15024
  • Requests: 132/164 (Document complete v Fully Loaded)
  • Bytes: 3,346KB/3,454KB  (Document complete v Fully Loaded)

Quick Web Page Performace Score Card (Before Optimizations):

  • First Byte: F (I should have captured the subscores)
  • Keep Alive Enabled: F (I should have captured the subscores)
  • Compress Transfer: F (I should have captured the subscores)
  • Compress Images: A (I should have captured the subscores)
  • Cache Static Content: X (I should have captured the subscores)
  • Effective use of CDN: X (I should have captured the subscores)

My initial scores were bad across the range of tests (before optimisations). On the upside, I was manually compressing images with a tool on my desktop before uploading images and this showed an “A” but this scorecard overall was really bad.

Here are the results after Quick Optimizations (EWWW.io image compress, moved the server, reorganizing the site and Lazy Load Images)

Now I get these results after speeding up my site (after using the EWWW.io image resizing, reorganizing the site, minifying, lazy load images, moving servers etc.).

Web Page Performace Test Results (After Simple Optimizations):

  • Load Time: 8.823s (down 14.849s)
  • First Byte: 3.5533s (down 3.1897s)
  • Start Render: 5,4800s (down 6.35s)
  • Speed Index: 5594 (down 9430)
  • Requests: 73/76 (Document complete v Fully Loaded) (down 59/88)
  • Bytes: 848KB/855KB  (Document complete v Fully Loaded) (down 2,498KB/2,599KB)

Quick Web Page Performace Score Card (After Simple Optimizations):

  • First Byte: F (I should have captured the subscores)
  • Keep Alive Enabled: A (I should have captured the subscores)
  • Compress Transfer: A (I should have captured the subscores)
  • Compress Images: A (I should have captured the subscores)
  • Cache Static Content: B (I should have captured the subscores)
  • Effective Use of CDN: X  (I should have captured the subscores)

Tested my pagespeed tests

Even at 4 seconds web page “First Byte“, this is considered not good. My brain says I want sub 1 second, I doubt this is achievable with WordPress over thousands of miles away with SSL (read here about scalability).

I know https and non-geographically favourable servers add half a second to data. SSL will add processing overheads and latency period. If you only want speed don’t setup SSL but if you want SEO and security then setup SSL.

locationlocationlocation

WebPageTest.org test reveals there is no effective use of Content Delivery Networks (CDN) on fearby.com (that’s why I am about to install EWWW.io ExactDN).

ExactDN (Content Delivery Network)

I did try and set up a number of caching and CDN plugins in the past (e.g Max CDN, W3 Total Cache, WP Fastest Cache, Cache Enable, WP Rocket, WP Super Cache, etc.) but they either made results worse or were impossible to set up.

Now that EWWW.io has a CDN let’s give that a go.

What is EWWW.io’s ExactDN?

You can read more about EWWW.io’s two-pronged approach to delivering one plugin to A)compress images” and B)add a Content Delivery Network (CDN)” here: https://ewww.io/resize/

What is ExactDN

Ensure you read up about EWWW.io’s ExactDN here: https://ewww.io/resize/ . If you have not used EWWW.io check out my review of the EWWW.io image compression plugin here first.

Pre Signup

Purchasing and Installing ExactDN Exact DN

Login to your EWWW.io account (or signup then log in).

Signin

FYI: If you have used the Optimise images automatically in WordPress plugin from EWWW.io plugin before, then you will see past purchases here.

Signed in

Now you can go back to the EWWW.io ExactDN product page (https://ewww.io/resize/) and purchase a subscription (Make sure you are logged in with an EWWW.io account before you purchase ExactDN).

Pre purchase

I purchased an ExactDN monthly subscription for $9.00 monthly (with a $1 signup fee for the cloud compression service).

Order

Purchase confirmation screen.

Order

Post-purchase, I was advised to find my “Site Address (URL)” in WordPress and add it to EWWW.io Manage Sites screen.

Add site to the plugin

I now noticed I had a CDN for my domain ( fearby-com.exactdn.com ). Nice.

CDN Site Created

EWWW.io said to tick the CDN option in the Image Resize area of the EWWW.io plugin. But before I do that I  will update WordPress Core and WordPress Plugins before enabling the ExactDN as they are out of date.

Update

TIP: I update WordPress Core and WordPress plugins via command line (my guide here).

Backup WordPress (just in case)

It is always a good idea to backup your website, I logged into my Ubuntu server and checked the size of my site before backing it up.

I copied the website folder (from “/www/” to “/www-backup”)

I confirmed the copied folder size (same, good)

I dumped all databases with the MySQL dump command

While I was there I compress the SQL backup files (text files)

Checking the CDN Status

I checked the DNS replication for fearby-com.exactdn.com with this DNS checker. It’s setup and ready to go across the globe 🙂

A quick CNAME check reveals its upstream provider is fearbycom-8ba8.kxcdn.com. Keycdn.com have been around since 2012. It is great that EWWW.io has paired with keycdn and included their image compression magic in a single WordPress plugin.

Configuring the EWWW.io plugin in WordPress.

Before you enable the CDN below do check the https://www.whatsmydns.net/ and see if your CDN has replicated around the world (Australia can be a bit slow at DNS replication from time to time). Do wait at least 10 minutes before proceeding.

Click the settings in your EWWW Image Optimizer Plugin.

Configure

Now click the Resize Settings tab and click Enable CDN in the EWWW Image Optimizer plugin screen.

Enable Exact DN

Don’t forget to click Save Changes

Save

Testing the CDN

https://www.webpagetest.org NOW reports that my site is using a CDN 🙂

FYI: I have always used webpage test from Singapore and I have done the same here to compare apples to apples.  Singapore is not a good test location in Australia (my server is in Australia) and it is 200ms away and the added layer of SSL adds latency to the connection (read here). This is a real-world test though (worst case).

CDN's Used:
fearby.com : 
fearby-com.exactdn.com : KeyCDN
fonts.googleapis.com : Google
fonts.gstatic.com : Google
static.addtoany.com : Cloudflare
www.googletagmanager.com : Google
pagead2.googlesyndication.com : Google
www.youtube.com : Google
adservice.google.com.sg : Google
adservice.google.com : Google
googleads.g.doubleclick.net : Google
www.google-analytics.com : Google
s.ytimg.com : Google
stats.g.doubleclick.net : Google
fearby-com.disqus.com : Fastly
ssl.google-analytics.com : Google

FYI: https://www.webpagetest.org does want other (all) static content to be on a CDN to give a higher score than 42 out 100, sorry I did not get a subscore before enabling the CDN.

I was expecting a green A here for CDN but Webpage Test has given me more items to investigate to ensure WordPress plugins are also fast (minify or move to CDN). It appears WordPress includes are my next target for optimizing.

Web Page Test indicates the following WordPress assets should also be in CDN.

FAILED - https://fearby.com/wp-content/plugins/youtube-embed-plus/styles/ytprefs.min.css?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/plugins/simple-social-icons/svgxuse.js?ver=1.1.21
FAILED - https://fearby.com/wp-content/plugins/youtube-embed-plus/scripts/ytprefs.min.js?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/plugins/add-to-any/addtoany.min.js?ver=1.0
FAILED - https://fearby.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta
FAILED - https://fearby.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
FAILED - https://fearby.com/wp-includes/js/jquery/jquery.js?ver=1.12.4
FAILED - https://fearby.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/themes/genesis/lib/js/menu/superfish.args.js?ver=2.5.3
FAILED - https://fearby.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta
FAILED - https://fearby.com/wp-content/themes/genesis/lib/js/skip-links.js?ver=2.5.3
FAILED - https://fearby.com/wp-includes/js/comment-reply.min.js?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-includes/js/hoverIntent.min.js?ver=1.8.1
FAILED - https://fearby.com/wp-content/themes/genesis/lib/js/menu/superfish.js?ver=1.7.5
FAILED - https://fearby.com/wp-includes/js/jquery/ui/tabs.min.js?ver=1.11.4
FAILED - https://fearby.com/wp-content/themes/news-pro/js/global.js?ver=3.2.2
FAILED - https://fearby.com/wp-content/themes/news-pro/js/responsive-menus.min.js?ver=3.2.2
FAILED - https://fearby.com/wp-includes/js/jquery/ui/core.min.js?ver=1.11.4
FAILED - https://fearby.com/wp-content/themes/news-pro/style.css?ver=3.2.2
FAILED - https://fearby.com/wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4
FAILED - https://fearby.com/wp-content/themes/news-pro/js/jquery.matchHeight.min.js?ver=3.2.2
FAILED - https://fearby.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/plugins/youtube-embed-plus/scripts/fitvids.min.js?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-includes/js/wp-embed.min.js?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/plugins/bj-lazy-load/js/bj-lazy-load.min.js?ver=2
FAILED - https://fearby.com/wp-content/plugins/disqus-comment-system/media/js/count.js?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-includes/js/wp-emoji-release.min.js?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/plugins/wp-seo-html-sitemap/style.css?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/plugins/simple-social-icons/symbol-defs.svg
FAILED - https://fearby.com/wp-includes/css/dashicons.min.css?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/themes/news-pro/images/favicon.ico
FAILED - https://fearby.com/wp-content/plugins/genesis-tabs/style.css?ver=230d722825ddde2688088d563a906075
FAILED - https://fearby.com/wp-content/plugins/simple-social-icons/css/style.css?ver=2.0.1
FAILED - https://fearby.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.14

It would be a huge effort trying to read and keep static plugin and theme related files in a CDN. I’ll ask the EWWW.io developer to see if this is possible in a future version (that would be nice). The developer did promptly point me here to opt into using the CDN to deliver CSS, JS etc.

Is that it? It can’t be that simple!

I can load my site at https://fearby.com and my images load from https://fearby-com.exactdn.com 🙂 I am impressed, blog posts are now loading images from the CDN network and I did not have to edit posts. I did have to subscribe to ExactDN and tick a checkbox in WordPress though.

Here is a sample image (my largest) from this blog post.

https://fearby-com.exactdn.com/wp-content/uploads/2017/10/Infographic-So-you-have-an-idea-for-an-app-v1-3.jpg?strip=all&quality=60&ssl=1

fearby.com WebPAGE TEST Results – Singapore

Web Page Performace Test Results – Singapore (After Setting up the EWWW.io ExactDN):

  • Load Time: 4.177s (down 4.646s from previous optimizations ((My Original load times were 23.672s))
  • First Byte: 2.240s (down 1.3133s from previous optimizations (My Original First Byte: 6.743s))
  • Start Render: 2.800s (down 2.68s from previous optimizations (My Original Start Render: 11.8300s))
  • Speed Index: 3009 (down 2585 from previous optimizations (Speed Index: 15024))
  • Requests: 67/68 (Document complete v Fully Loaded
  • Bytes: 535KB/538KB  (Document complete v Fully Loaded)

Quick Web Page Performace Score Card – Singapore (After Setting up the EWWW.io ExactDN):

  • First Byte: F (I should have captured the subscores). 
  • Keep Alive Enabled: A (I should have captured the subscores).
  • Compress Transfer: A (I should have captured the subscores).
  • Compress Images: A (I should have captured the subscores).
  • Cache Static Content: B (I should have captured the subscores).
  • Effective Use of CDN: X (I should have captured the subscores). plugins now need to be on a CDN.

The Web Page Test site does give detailed scores and recommendations if you scroll down or click the score car (A-F). Do read the recommendations and see what you may need to do next.  I am happy that I now have a CDN via EWWW.io. Clicking the first byte and CDN buttons at Web Page Test reveal sub-scores to allow you to see if you have made improvements, regrettably, I did not know of and capture sub-scores until after installing the CDN (I suggest you do).

Full Dump.

GT Metrix Page Speed Score

https://gtmetrix.com is giving a good score across the board (86%). It hints I should optimize Javascript files and “Remove query strings in static files” as some proxy servers do not cache URLs with “?” in them. That is (fortunately) not a problem with ExactDN, as the servers are configured to properly handle query strings.

GTMetrics

Gtmetrix.com does give some optimisation tips too (However, it does report low CDN optimizations if a single file is not delivered over a CDN).

I do like Gtmetrix.com email reports, you can see if your site performance is degrading.

GTMetrix Summary

Page Speed Insights

I am now looking at the Google PageSpeed Insights test for things to fix next. I think I can tweak my NGINX a little (adding caching). Read more about Google Page Speed Insights here.

fyi: My Google Page Speed Insights score (desktop) along with another local big corporate site I tested.

Page Insight

I am happy with 82 🙂

It appears if you want to get 100% you need to get..

  • Initial Response under 100ms
  • Animate, produce frame in under 10ms
  • Idle maximize idle time
  • Deliver all content in under 1000ms

Getting More from ExactDN by caching CSS and JS files.

I added the following to my /www/wp-config.php file as mentioned here: http://docs.ewww.io/article/47-getting-more-from-exactdn This will serve more resources from the CDN

define( 'EXACTDN_ALL_THE_THINGS', true );

I refreshed my site in a browser and now CSS, JS and fonts are loaded from the CDN too.

All

To reduce files served from my website I re-enabled the Fast Velocity Minify plugin in WordPress and pointed it at my CDN (https://fearby-com.exactdn.com/)

cdn-minify

Now I am getting a GTMatrix score of Page Speed Score = 93% (A) and YSlow Score  = 74% (C) and a 2.6-second load and a much lower 35 requests (post minification and pointing the minified files to the CDN).

WOW.

Minifiy

And WebPageTest.org is reporting Effective use of CDN 🙂 Awesome.

Effective use of CDN

I think I’m done (ExactDN CDN and the image optimiser and other tweaks have worked its magic).

How do I compare to other sites?

Given Apple, Microsoft and NBC speed scores are worse than mine I’m happy for now.  🙂

GTMetricx Graphs

GT Metrics graphs show the improvement, YSlow report does indicate I can reduce the website DOM elements to speed things up and tweak plugins but I’d rather keep my design for SEO and not play with plugins or they might break.

I could tweak the server side (NGINX/MySQL/Cache or DNS) but I don’t need too.

Conclusion

I still can’t believe setting up a CDN is a one-click solution and adding a wp-config.php lin (after you subscribe). Best of all the BJ Lazy Load plugin still works. I am very happy with the EWWW.io ExactDN. I now have a CDN and it has lowered my First Byte time, Start Render Times, Speed Index time (on more than just the front page) and all I did was subscribe and tick a checkbox.

It is nice that EWWW.io have not charged for Data delivered from the CDN network on top of a monthly subscription at this stage but they have left it open in the terms and conditions. It is important to ensure a service can sustain itself, so this is a good sign. FYI: my favorite Agile toolkit (Atlaz.io) that I reviewed here closed shop today so it is wise for aaS shops to plan ahead. I know how hard it can be to spin up servers and stuff and allocate times to keep them running. Good luck EWWW.io!

Also, I now have a clear set of steps (below) to resolve other non-optimized assets that are outside of the CDN.

Full Report

Thanks to EWWW.io and Web Page Test for helping make my site faster.

I doubt WordPress and my “down under”  server location can get me to under 1000ms but I will try.

Read on here to see how Cloudflare can increase your site’s performance.

Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap

DNS Improved

Don’t forget your sites performance/SEO and security.

Website

Update November 2018

I have a much faster loading website after moving it to a new host, read my guide here.

GTMetrix After YSlow

Donate and make this blog better

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v2.0 November 2018 Update

v1.9 added Cloudflare, SEO, Google Page Speed Insights test and future optimization, page insight speed image, added GTMetrics comments, growth image, gtmetrix.com reports (typos are free), updated change is domain to .com, added EXACTDN_ALL_THE_THINGS, 93 page speed, minify, compare, graph, fixed typos, tidied up the conclusion.

Setting up additional server storage on cloud servers (block storage on Vultr)

by

Vultr has a generous disk quota with the cloud servers you can set up. But what do you do when you want more space than the default allocation (for backup or application data)?

I have blogged before about setting up an Ubuntu server on the cloud on Vultr and configuring it if you do not already have a cloud server.

Vultr allows you to set up a server in minutes.

Server

A Vultr $2.5 a month server comes with 20GB storage, a $20 a month server comes with 60GB of SSD storage.

Vultr does offer more storage for about 0.10c per GB. At this time or writing Vultr allows you to add more storage to serves in NY/NJ (only). Read my guide on moving data between servers with RSync. And cond forget yo secure your server with a free SSL certificate and secure it (read more here and here).

An additional 10GB of storage would cost $1/m.

10GB

An additional 50GB of storage would cost $5/m.

50GB

An additional 100GB of storage would cost $10/m.

100GB

An additional 250 GB of storage would cost $25/m

250GB

View the Vultr pricing calculator hereVultr does say that you can resize your block storage volume but there are manual actions and risks involved so get the space you need early on and prevent resizing later.

Read the Vultr Block Storage FAQ here: https://www.vultr.com/docs/block-storage

Vultr did offer early customers in (limited location’s) a free 50GB storage (read more on these limits here).

I am going to spin up a Block storage and attach to my server in Sydney.

fyi: Read the official guide on Attacking Block Storage to a Vultr server.

1. Login to your Vultr admin panel ( https://my.vultr.com/ ) and click Block Storagehttps://my.vultr.com/blockstorage/ ).

2. Click Add Block Storage

Add Block Storage

3. Choose the size of your block storage volume.

New Block Storage

Darn, I can’t choose Syndey yet as a location to create a block storage volume (I have asked Vultr when we can) so I’ll continue this guide with my existing (free) 50GB volume in New Jersey) and mount it in a server in NY/NJ (and also Syndey).

It appears I can’t connect to a  Block Storage volume outside the block storages location (data centre).

Manage Block Storage

You will need to attach the block storage volume to the server at that data centre location or you will get this error when you try and connect to it later.

Error

In my case, the server did not automatically restart so I manually restarted it.

Connecting the Block Storage to your VM

From the Vultr admin panel ( https://my.vultr.com ), Block Storage ( https://my.vultr.com/blockstorage/ ) you can manage individual Block Storage volumes and see the mounting information.

e.g

FYI: You can only connect to block storage from the same location (one server at a time I’d imagine).

4. From the Vultr Admin panel SSH into the server (in the same location).  See my guide here on setting up a Vultr server and configuring it.

Vultr say’s “Block storage is connected to your server as /dev/vdb. We do not create any filesystems on it by default.” Official Block storage documentation is located here.

5. Run the commands listed in the Block Storage screen (above)

Mount

Error: In my case, the echo command failed to add to configuration to the /etc/fstab file (even with sudo) and the mount command failed?

I checked the /etc/fstab file contents

I manually edited the /etc/fstab file and added the mount point configuration as suggested by Vultr.

Contents

6. I re-ran the mount command

sudo mount /mnt/blockstorage
#

Success

I can now directory list in the block storage volume.

ls /dev/vdb1 -al
brw-rw---- 1 username disk 253, 17 Nov  7 21:18 /dev/vdb1

Now let’s attach it to another folder in the root folder (e.g /data)

First, unmount the volume

Edit the /etc/fstab file with sudo nano

Change the mount point somewhere else (e.g /data)

Make a folder in the new path (/data), If you don’t do this the mount will fail.

Remount the volume (but use the new path)

sudo mount /data

You can now use the path and new storage.

cd /data
mkdir /data/test
cd /data/test
pwd
# /data/test/
sudo nano /data/test/test.txt

Nice

Disposing of Block Storage

TIP: Move or backup any data before you destroy or detach the volume.

First, you will need to unmount the volume (SSH session with your server).

Then remove the entry from the /etc/fstab file

Then you can navigate to the https://my.vultr.com/blockstorage/ and edit the said block storage volume and detach the volume (this will cause the server to reboot).

Detatch

After a few minutes you can delete the volume from the edited Block Storage Volume page  (click the Trashcan up the upper right).

Detatch

Done, You can now add and remove Block Storage volumes on Vultr.

How to check the disk usage of the block storage volume

You may need to remind yourself of the block storage volume (cat the /etc/fstab file and view the drive information on the mount line).

cat /etc/fstab
# .. /dev/vdb1 ..

How much space is used/free

df -h /dev/vdb1
Filesystem      Size  Used Avail Use% Mounted on
/dev/vdb1        50G   52M   47G   1% /data

You can also show the usage information in that mounted folder

du -xsch /data
10G     /folder1
10G     /folder2
20G     total

Use the pydf tool to view mounted partitions

Install pydf

Use pydf

Troubleshooting

  • You need to attach the block storage volume and reboot in the Vultr admin panel before mounting.
  • The echo command (as documented by Vultr) may not add information to the /etc/fstab file (a manual edit will work).

How to Resize a Block Storage Volume on Vultr.

Coming soon (if requested below).

Donate and make this blog better


Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.2 added disk usage information