Why Web Hosting Can Be Weird

As a lot of you probably know, I host a mirrored copy of a private forum for the website Skeptical Science which was released by an unknown hacker. The files were available for quite some time, but you had to download them and open each individually. I thought it would be helpful if people could instead read the forum via a web browser like a normal forum user might. I announced this mirror about six months ago:

http://www.hi-izuru.org/wp_blog/2014/07/the-skeptical-science-forum-easy-access/

Today, for the first time, there was a problem with it. A couple users on Twitter said they couldn't access it. I was surprised. I hadn't done anything which could have changed the permissions for the directory the mirror was in. There hadn't been a problem for the last six months, and as far as I knew, there shouldn't have been a problem now.

It turns out the problem arose from an .htaccess file in the directory the mirror is located in. .htaccess files are used to control how resources can be accessed on an Apache server. This file was an incredibly simple one, consisting solely of these lines:

DirectoryIndex index.php
Options Indexes
IndexOptions FancyIndexing SuppressLastModified SuppressSize SuppressDescription HTMLTable NameWidth=200

The first line sets the default page of the directory to "index.php." The second line turns on directory indexing, meaning if no index.php is found, the server will show users a list of all files in the directory. That's what I wanted. Users needed to be able to see a directory so they could look through the various files from the forum. (The last line just determines how the directory listing will look.)

It took me a little while to figure out why this suddenly stopped working. It turns out the problem stemmed from the line, "Options Indexes." While that used to turn on Indexing, now, it wouldn't. I had to change the line to say "Options +Indexes."

A + sign specifically tells the server I want the option turned on. A - sign specifically tells the server I want the option turned off. Without either sign, the server used to know I wanted the option turned on. That was the default assumption. I didn't do anything to mess with it. My web host did.
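
Apache's documentation describes the difference in terms of merging: an Options list with no signs replaces whatever options the directory inherited, a list where every option carries a + or - is merged into the inherited set, and Apache 2.4 rejects a list that mixes the two. The sketch below is an added example, not part of the original post or of Apache. The function names and the inherited option set are assumptions, since the host's parent configuration is not shown on this page.

```python
# Added example (not from the original post): models Apache's documented
# merge rule for the Options directive and audits an .htaccess body with it.

def apply_options(inherited, args):
    """Effective option set after one Options directive.

    Unsigned list: replaces everything inherited. All-signed list: merged
    into the inherited set. A mix of both is rejected by Apache 2.4.
    """
    signed = [a[0] in "+-" for a in args]
    if any(signed) and not all(signed):
        raise ValueError("mixed signed and unsigned options")
    if not any(signed):
        return set(args) - {"None"}          # "Options None" clears the set
    result = set(inherited)
    for a in args:
        if a[0] == "+":
            result.add(a[1:])
        else:
            result.discard(a[1:])
    return result


def audit_htaccess(text, inherited):
    """Return (effective_options, findings) for an .htaccess body."""
    effective, findings = set(inherited), []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "options":
            continue                          # comments and other directives
        before = effective
        effective = apply_options(before, parts[1:])
        dropped = before - effective
        if dropped and parts[1][0] not in "+-":
            findings.append(f"line {n}: unsigned list drops {sorted(dropped)}")
        if "Indexes" in effective - before:
            findings.append(f"line {n}: directory listing enabled")
    return effective, findings


# The post's first two lines; INHERITED is an assumed parent configuration.
HTACCESS = "DirectoryIndex index.php\nOptions Indexes\n"
INHERITED = {"SymLinksIfOwnerMatch"}

if __name__ == "__main__":
    for variant in (HTACCESS, HTACCESS.replace("Indexes", "+Indexes")):
        print(audit_htaccess(variant, INHERITED))
```

Both variants enable directory listing; only the unsigned one also discards the inherited options, which is worth checking whenever a listing is meant to be public and everything else is meant to stay as the host configured it.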

This site is on a server managed by a company named DreamHost. I like DreamHost, but I'll never get used to a third party having control over my server. This experience shows why. DreamHost apparently made some change I didn't know about, and that change altered the default behavior of how my Apache server interprets .htaccess files.

I had no way to know that had happened. I don't even know when it happened. DreamHost didn't tell me it was making whatever change it made. If users on Twitter hadn't mentioned they couldn't access the mirrored forum, I might never have noticed the problem.

That shows one of the reasons I'll always find web hosting weird. I doubt DreamHost intentionally made this change. I suspect they didn't even realize it had happened. It was probably an unexpected side-effect of some change they made. I understand how that sort of thing can happen. I should have included the + sign from the start anyway just as good practice.

But it's still weird to know any resource I place on this site could possibly be rendered inaccessible by some change I not only have no control over, but can't even know about.

Oh well. It's a tiny price to pay for a good service. I mostly just wanted to let people know why they might not have been able to access the mirrored forum recently.

3 comments

  1. Hey normal new, thanks for your comment. I initially flagged it as spam because most names which are just a couple generic words are by spammers. That, plus your comment being so short made me almost overlook it >.< This can't be a change in PHP as .htaccess files aren't part of PHP. Apache servers use .htaccess files as part of the server processes in determining what resources the request will access. If the server is using PHP, PHP will only get called after (to serve the requested resources). I don't think that means you're wrong though. I suspect you are right, just not about PHP. It was probably the Apache server which was updated. Like you say, I think that's a good thing. I should have included the + sign from the start as that is good practice. I think it's fine good practice is being required, and I'm happy Dreamhost updates its servers in a timely fashion. It's just weird to have a service stop working seemingly at random.

  2. Agree that it was nearly certain to be a routine update of Apache, tightening up assumptions after some vulnerabilities have been found. Apache itself is pretty robust but recent vulnerabilities in SSL and CGI (see "shellshock") make it seem Apache is weak. Patching those vulnerabilities WILL break some things.
