Increasing security measurements across the service #10

Closed
willnode opened this issue Jun 4, 2021 · 2 comments
@willnode
Member

willnode commented Jun 4, 2021

Recently I got a report that DOM Cloud servers were used for malicious purposes.

Along with #9 we decided to take important security measurements today:

  1. All users must have a confirmed email. This is to prevent bad actors using our free service for phishing.
  2. All outgoing requests from free non-paid hosts will be blocked, except requests to an explicitly whitelisted list of domains. This unfortunately also blocks legitimate requests like email or external APIs, but we have to. This is to prevent bad actors using our free service as a proxy, for DoS or for other malicious purposes. If you need to unblock this, you need to upgrade the host.
  3. Paid hosts will have a choice to add custom outgoing whitelist domains or turn it off completely.
  4. Direct IP access to will show a link to abuse reporting email to help mitigate unexpected attack quickly.
  5. Custom domains ordered from here will have DNSSEC enabled by default (not implemented yet, but coming soon)
@willnode
Member Author

This is a follow-up update.

As the situation has been cooling down for weeks, it's time to relax some rules regarding the firewall.

As of today, we have brought improvements to the portal, especially the deployment feature. It is now possible to disable PHP execution and the firewall, like this:

```yaml
features:
- firewall: off
nginx:
  fastcgi: off
```

Unlike in the past, we now allow all hosts to turn off the firewall explicitly, but only if either condition is satisfied:

  • PHP execution is turned off (`fastcgi: off`), or
  • Using a nested root public folder (`root: public_html/public`)

Why the conditions? We learned that most attacks are on websites with weak admin passwords and with application script files exposed to the public root, like WordPress. So using a nested root public folder (`root: public_html/public`) is essential to a website's security, which has already been a common practice for modern frameworks like Laravel and all non-PHP apps running under Phusion Passenger. I believe static websites wouldn't cause much of a problem either, so `fastcgi: off` is a viable alternative option to allow the firewall to be turned off.

WordPress users may be affected the most, but I believe those who don't implement proper security also probably don't even know that they're under an active firewall, as wordpress.org and other common APIs that are required to run WordPress are already on the whitelist.

On a side note, we have improved common functionality like the DNS and NGINX config checkers, and also added a firewall check. And now you can also see deployment progress while it runs (no longer need to wait until it has finished).

I will close this issue at a later time; this issue isn't quite the right place to post updates, actually.
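
The rule in the comment above (the firewall may be turned off only when PHP execution is off or the web root is nested), written as a pre-deploy check. This is an added example, not DOM Cloud's own code: it assumes the deployment YAML has already been parsed into a dict, that `root` sits at the top level or under `nginx`, and that a YAML 1.1 loader may have turned a bare `off` into `False`. The sample configs are constructed.

```python
from pathlib import PurePosixPath

def is_off(value):
    # YAML 1.1 loaders (e.g. PyYAML) parse a bare `off` as False; accept the string form too.
    return value is False or (isinstance(value, str) and value.strip().lower() == "off")

def firewall_disabled(config):
    # `features` is a list; the firewall toggle is a one-key mapping inside it.
    for item in config.get("features") or []:
        if isinstance(item, dict) and "firewall" in item and is_off(item["firewall"]):
            return True
    return False

def root_is_nested(root):
    # Nested means strictly below public_html (e.g. public_html/public),
    # relative, and without ".." segments that could climb back out.
    if not isinstance(root, str):
        return False
    parts = PurePosixPath(root).parts
    return len(parts) >= 2 and parts[0] == "public_html" and ".." not in parts

def check(config):
    """Return a list of policy violations; an empty list means the config passes."""
    if not firewall_disabled(config):
        return []
    nginx = config.get("nginx") or {}
    root = config.get("root", nginx.get("root"))  # assumed key locations
    if is_off(nginx.get("fastcgi")) or root_is_nested(root):
        return []
    return ["firewall: off requires fastcgi: off or a nested root such as public_html/public"]

# Constructed sample configs.
PAGE_EXAMPLE = {"features": [{"firewall": False}], "nginx": {"fastcgi": False}}
NESTED_ROOT = {"features": [{"firewall": "off"}], "root": "public_html/public"}
EXPOSED_ROOT = {"features": [{"firewall": "off"}], "root": "public_html",
                "nginx": {"fastcgi": "on"}}

if __name__ == "__main__":
    for name, cfg in [("page example", PAGE_EXAMPLE), ("nested root", NESTED_ROOT),
                      ("exposed root", EXPOSED_ROOT)]:
        print(name, "->", check(cfg) or "ok")
```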

@willnode
Member Author

Now security is explained in the docs: https://domcloud.co/docs/features/security https://domcloud.co/docs/intro/security
