How to Check if Railgun is Running on Website

When a request is handled by Railgun, Cloudflare inserts a header with diagnostic information to track how the protocol is doing. If you want to see these headers, you’ll need to use a browser that supports examining header information.

View Railgun header in browser

Google Chrome: View > Developer > Developer Tools menu. You can also install Cloudflare’s Claire extension.

Safari: Develop > Show Web Inspector menu

Firefox: Install Firebug

Microsoft Internet Explorer: You can use a tool like Fiddler

When you look at the header information, you should see Cloudflare headers like the following in the response:

cf-railgun:   e95b1c46e0 0.02 0.037872 0030 9878

cf-ray:   478149ad1570291

The CF-Railgun header has up to five codes separated by a space. In order, these codes and their corresponding values from the example of cf-railgun: e95b1c46e0 0.02 0.037872 0030 9878 listed above are:

  • Railgun Request ID: e95b1c46e0 (internal process number that allows us to track what connection handled a request)
  • Compression Ratio: 0.02 (the size of the response after Railgun’s delta compression expressed as a percentage)
  • Origin Processing Time: 0.037872 (the time that Railgun waits for the origin web server to generate the page)
  • Railgun Flags: 0030 (how a request was processed)
  • Version Number: 9878 (indicates the version of the Railgun Listener software on the origin server’s network)
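
The field layout above can be checked mechanically. The following Python parser is an added example, not Cloudflare code; the function and class names are assumptions, the flags are kept as the raw code because this page does not define them, and the sample input is the header pair shown above.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RailgunInfo:
    request_id: str
    compression_ratio: Optional[float] = None  # a percentage, per the list above
    origin_time: Optional[float] = None        # unit is not stated on this page
    flags: Optional[str] = None                # raw code, not decoded here
    version: Optional[str] = None


def parse_cf_railgun(value: str) -> RailgunInfo:
    """Split a CF-Railgun value into its (up to five) space-separated codes."""
    parts = value.split()
    if not 1 <= len(parts) <= 5:
        raise ValueError(f"expected 1 to 5 codes, got {len(parts)}")
    # Pad so that trailing codes missing from a shorter header become None.
    parts += [None] * (5 - len(parts))
    req_id, ratio, origin, flags, version = parts
    try:
        return RailgunInfo(
            request_id=req_id,
            compression_ratio=float(ratio) if ratio is not None else None,
            origin_time=float(origin) if origin is not None else None,
            flags=flags,
            version=version,
        )
    except ValueError as exc:
        raise ValueError(f"non-numeric ratio or time in {value!r}") from exc


def parse_header_block(raw: str) -> Dict[str, str]:
    """Turn 'name: value' lines (as copied from developer tools) into a dict
    keyed by lower-cased header name. Lines without a colon are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def railgun_info(raw: str) -> Optional[RailgunInfo]:
    """Return parsed Railgun diagnostics, or None when the response carries
    no cf-railgun header (the request was not handled by Railgun)."""
    value = parse_header_block(raw).get("cf-railgun")
    return parse_cf_railgun(value) if value else None


# The two header lines from the example above.
SAMPLE = """\
cf-railgun:   e95b1c46e0 0.02 0.037872 0030 9878
cf-ray:   478149ad1570291
"""

if __name__ == "__main__":
    print(railgun_info(SAMPLE))
```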

Fix CPU Overload / Abuse Issues

The most common steps to follow are:

1. Add Cloudflare to your domains, which will protect them from unwanted traffic, attacks and bot access.

2. Add a robots.txt file to tell search engines how to crawl your sites. There are many crawler bots that send unwanted traffic to your websites, which also overloads the server (for example, EP hits).

So create a robots.txt file under your public_html and place the code below in it:

User-Agent: *
Disallow: /

User-Agent: Googlebot
Allow: /

If you want to allow any other search engines to crawl your site, you can add them to the above code.

Follow the above steps for all your domains, which is recommended.

For WordPress users: change the file permission of two files under your WordPress root, wp-cron.php and xmlrpc.php, to 000.

You can change it from cPanel > File Manager, as these two files can overload the server by attracting unwanted traffic.

Add the Heartbeat plugin to control admin-ajax.php. Once installed, go to WP Admin > Settings > Heartbeat Control, disable the heartbeat for all 3 options and click Save.

Add Loginizer, which will protect your sites from WP login attacks (these are the most common attacks your websites will face daily). So it is best to change your WP Admin portal URL (VERY RECOMMENDED).

Keep your WP core, plugins and themes up to date.

Remove any unused themes or plugins.

Don’t use the Jetpack plugin, as it will eat up resources.

Setup WordPress Security Plugin Wordfence

How to Install and setup the Wordfence Security plugin in WordPress.

First thing you need to do is install and activate the Wordfence Security plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Setting up the Wordfence Security plugin is very simple, but there are a few areas you really want to make sure are running, like the Firewall.

Click on Wordfence on the left-hand admin panel and select the Dashboard option. This will pull up the main settings page of the plugin. All of the information you need to see is on this page including the last scan, malware blocked, IP addresses blocked, etc.

The most important part of this security plugin is the Firewall. It will prevent most malicious activity on your website. This is a PHP based application level firewall.

The Wordfence firewall offers two levels of protection. The basic level which is enabled by default allows the Wordfence firewall to run as a WordPress plugin.

This means, that the firewall will load with rest of your WordPress plugins. This can protect you from several threats, but it will miss out on threats that are designed to trigger before WordPress themes and plugins are loaded.

The second level of protection is called extended protection. It allows Wordfence to run before WordPress core, plugins, and themes. This offers a much better protection against more advanced security threats. Click on the Firewall option to access its settings page.

Click on the Optimize the Wordfence Firewall button. It will run a test to determine the best setting to use. You may pick your own setting, but I would recommend following Wordfence’s recommendation.

Click on the Continue button once you have made your selection.

Click on the Download .htaccess button. This will allow Wordfence to run before your core WordPress files. This adds an extra layer of protection, because a firewall that loads as a plugin cannot protect these files, which leaves them vulnerable to hackers. Click on the Continue button once you have the file downloaded.

You will also notice a Learning Mode button. When you first install Wordfence, it attempts to learn how you and your users interact with the website to make sure that it doesn’t block legitimate visitors. After a week it will automatically switch to Enabled and Protecting mode.

To scan your website at any time, click on the Scan option.

Click on the Start a Wordfence Scan button. The free version comes with a default automatic 24-hour scan. If you upgrade to the premium version you can set your own schedule and much more. Once the scan is complete you will see a full list of problems it has found.

The scan will look for changes in file sizes in the official WordPress core and plugin files.

It will also look inside the files to check for suspicious code, backdoors, malicious URLs, and known patterns of infections.

Typically these scans need a lot of server resources to run. Wordfence does an excellent job of running the scans as efficiently as possible. The time it takes to complete a scan will depend on how much data you have, and the server resources available.

You will be able to see the progress of the scan in the yellow boxes on the scan page. Most of this information will be technical. However, you don’t need to worry about the technical stuff.

Once the scan is finished, Wordfence will show you the results.

It will notify you if it found any suspicious code, infections, malware, or corrupted files on your website. It will also recommend actions you can take to fix those issues.

There are many other sections to be aware of. You can view the live traffic feed by clicking on the Live Traffic option. Wordfence Live Traffic shows you what is happening on your site in real-time, including user logins, hack attempts, and requests that were blocked by the Wordfence Firewall. You can choose to log security-related traffic only or all traffic.

Traffic is logged directly on the server, which means it includes visits that don’t execute JavaScript. Google and other JavaScript-based analytics packages typically only show visits from browsers that are operated by a human, while Live Traffic can show visits from crawlers like Google and Bing.

Here you can see the list of IPs requesting different pages on your website.

This will show you how well Wordfence is defending your website. The Blocking option will allow you to see who is being blocked and allow you to manually enter an IP address to be blocked.

If you have the premium version you can also block entire countries from accessing your website. Explore these sections to see everything they offer.

Click on the Options option. This will allow you to tweak the Advanced settings that can be found by scrolling down the page.

These settings are all up to you, but should all be considered when setting this plugin up.

Congratulations, you have successfully installed and set up the Wordfence Security plugin. You can change your settings and scan your website at any time. Remember there are many features that are exclusive to the premium version of Wordfence and you can upgrade at any time, but the free version will be able to guard your website without any issues.

Install Wordfence Plugin

Installing Wordfence is Both Quick and Simple

With little more than the click of a few buttons, you will have Wordfence up, running and proactively securing your WP site. Once Wordfence is active, it will begin your first security scan and cleanup. You will be able to quash any current threats and begin to prevent future site breaches, too.

Get started with Enterprise-Class Security now. You can install Wordfence with these four best-practice steps:

  1. Sign into your own WordPress website. You’ll usually go to something like www.example.com/wp-admin/ and sign in.

  2. Replace example.com with your own website’s URL.

  3. Now that you’re signed in and ready to administer your own site, go to Plugins, Add New and do a search for ‘wordfence’ without quotes.

  4. Click the “Install Now” link and Wordfence will be installed.

When you decide to upgrade to the best WordPress Security out there, simply upgrade to Wordfence Premium.

Install and Configure Django on a Linux Shared Hosting

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Built by experienced developers, it takes care of much of the hassle of Web development, so you can focus on writing your app without needing to reinvent the wheel. It’s free and open source.

  • Ridiculously fast – Django was designed to help developers take applications from concept to completion as quickly as possible.
  • Fully loaded – Django includes dozens of extras you can use to handle common Web development tasks. Django takes care of user authentication, content administration, site maps, RSS feeds, and many more tasks — right out of the box.
  • Reassuringly secure – Django takes security seriously and helps developers avoid many common security mistakes, such as SQL injection, cross-site scripting, cross-site request forgery and clickjacking. Its user authentication system provides a secure way to manage user accounts and passwords.
  • Exceedingly scalable – Some of the busiest sites on the planet use Django’s ability to quickly and flexibly scale to meet the heaviest traffic demands.
  • Incredibly versatile – Companies, organizations and governments have used Django to build all sorts of things — from content management systems to social networks to scientific computing platforms.

You will have a functioning Django site on your account that:

  • Loads a static homepage for the domain.
  • Loads the Django administration interface.
  • Uses a SQLite database.

Create A Python Application In cPanel

The Setup Python App feature allows you to deploy Python applications on your cPanel while running the Apache web server.

You can check the functionality by visiting the cPanel, Setup Python App.

On the next page, you will be able to Create Application and check existing Web applications.

After clicking Create Application you will be presented with the app creation menu:

If you wish to create a new Python application, you must specify the Python version, fill in the Application root, and the Application URL. Then click Create.

Optionally, you can also set up Application startup file, Application Entry point and Passenger log file.

As soon as the environment is set, you can upload your application files to the application root directory.

When the application is created, you will be able to see the next page:

At the very start, you have the command necessary to enter your virtual environment. This is useful when you need to manually execute some commands either via SSH or with the terminal menu in cPanel.

To be able to do this, you need to enable Shell access as in this guide.

How to Configure the Django project

1) Login to cPanel.

2) You can see the option Terminal under the “ADVANCED” menu. Click the option to open the terminal.

3) If you are accessing the terminal for the first time, a screen will appear with a warning message. Please click the Proceed button.

4) This interface provides command line access to your account on the server. You can now manage the account using the CLI.

5) Use the command you noted in the above step to activate the virtual environment. For example:

# source /home/username/virtualenv/myapp/3.6/bin/activate

You need to replace username with your cPanel username

The command prompt now starts with (myapp:3.6) to indicate that you are working in the myapp virtual environment with Python 3.6. All of the following commands in this article assume that you are working in the Python virtual environment.

6) Type the below command to install Django:

# cd ~

# pip install django==2.1.8

You can verify the version of Django installed, with the following command:

# django-admin --version

7) Type the below command for creating a Django project:

# django-admin startproject myapp ~/myapp

8) To create directories for the static project files, type the following commands:

# mkdir -p ~/myapp/templates/static_pages 
# mkdir ~/myapp/static_files 
# mkdir ~/myapp/static_media

a. In the ~/myapp/myapp/settings.py file, find the ALLOWED_HOSTS line and then modify it as below. Replace example.com with your own domain name:

ALLOWED_HOSTS = ['example.com']

b. Find the TEMPLATES block, and then modify it as below:

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        # Look for project-level templates in ~/myapp/templates
        'DIRS': [os.path.join(BASE_DIR, 'templates')],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

c. Locate the STATIC_URL line, and then add the below lines beneath it:

MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(BASE_DIR, 'static_media')

STATIC_URL = '/static/'
STATIC_ROOT = os.path.join(BASE_DIR, 'static_files')

9) Open the ~/myapp/myapp/urls.py file using the text editor. Delete the existing text and copy the below text into the file:

from django.contrib import admin
from django.urls import path, include
from django.conf import settings
from django.conf.urls.static import static
from django.conf.urls import url
from django.views.generic.base import TemplateView

urlpatterns = [
    path('admin/', admin.site.urls),
    # Serve the static homepage template at the site root
    url(r'^$', TemplateView.as_view(template_name='static_pages/index.html'), name='home'),
] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)

urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)

10) Open the ~/myapp/passenger_wsgi.py file and make the following changes. Replace username with your own account username:

import myapp.wsgi
SCRIPT_NAME = '/home/username/myapp'

class PassengerPathInfoFix(object):
    """
    Sets PATH_INFO from REQUEST_URI because Passenger doesn't provide it.
    """
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        from urllib.parse import unquote
        environ['SCRIPT_NAME'] = SCRIPT_NAME

        request_uri = unquote(environ['REQUEST_URI'])
        script_name = unquote(environ.get('SCRIPT_NAME', ''))
        offset = request_uri.startswith(script_name) and len(environ['SCRIPT_NAME']) or 0
        environ['PATH_INFO'] = request_uri[offset:].split('?', 1)[0]
        return self.app(environ, start_response)

application = myapp.wsgi.application
application = PassengerPathInfoFix(application)

11) Use a text editor to create a basic index.html file in the ~/myapp/templates/static_pages directory.

The file can be as simple as a text file that says Hello world.

12) Type the following command:

# python ~/myapp/manage.py migrate

13) Create and set up the superuser account:

  • For this, type the below command:

# python ~/myapp/manage.py createsuperuser

  • Type the administrator username at the Username prompt and then press Enter.
  • Type the administrator e-mail address at the Email address prompt and then press Enter.
  • Type the administrator password at the Password prompt and then press Enter.

14) To collect the static files, type the below commands:

# python ~/myapp/manage.py collectstatic

If you are asked whether to overwrite existing files, type yes and then press Enter.

15) Restart the Python application in cPanel:

  • Log in to cPanel.
  • Click Setup Python App in the SOFTWARE section of the cPanel home screen.
  • Locate the correct application under the Existing applications and then click Restart.

16) Test the Django site:

  • Go to http://www.example.com, where example.com represents your domain name. The index.html file should load.
  • Go to http://www.example.com/admin, where example.com represents your domain name. The Django administration login page should be displayed. Use the superuser credentials that you created earlier to log in.

If the website does not appear in your browser, run the passenger_wsgi.py file manually. For this, type the below command:

# python ~/myapp/passenger_wsgi.py

When you run this file, you should not get any text output to the console. In case there are any errors, check the syntax in the configuration files.

That’s all! Now, you can easily install and configure Django on a Linux shared hosting account.

Setup Python App

The Setup Python App feature allows you to deploy Python applications on your cPanel while running the Apache web server.

You can check the functionality by visiting the cPanel, Setup Python App.

On the next page, you will be able to Create Application and check existing Web applications.

After clicking Create Application you will be presented with the app creation menu:

If you wish to create a new Python application, you must specify the Python version, fill in the Application root, and the Application URL. Then click Create.

Optionally, you can also set up Application startup file, Application Entry point and Passenger log file.

As soon as the environment is set, you can upload your application files to the application root directory.

When the application is created, you will be able to see the next page:

At the very start, you have the command necessary to enter your virtual environment. This is useful when you need to manually execute some commands either via SSH or with the terminal menu in cPanel.

To be able to do this, you need to enable Shell access as in this guide.

You can change options like Python version, Application root, Application URL, Application startup file, Application Entry point and Passenger log file here.
After changing such options, please make sure to click the Save button on the upper right.

The Python versions available are 2.7 and 3.3, 3.4, 3.5, 3.6 and 3.7.

PLEASE NOTE: Python version switch can take up to 5 minutes.

The Application startup file is to specify the Python WSGI application entry point. It must be specified as a filename.
Application Entry point is there to set up a WSGI callable object for the previously specified startup file.

With the help of the Configuration files field you can install various modules through Pip. Under the Add another file… field you can enter the name of the given module and click Add.

If you click Delete, the corresponding module entry will disappear. If you click Edit, you can change the module in question.

Once you have added the module, you can click Run Pip Install and install the module in question from the drop-down.

You can also execute pip install commands directly under the virtual environment via SSH.

Also, you can execute python script commands from the web interface (e.g. you can install packages from specific repositories or control web applications by means of django-admin).

You can additionally set up Environment variables:

Click Add Variable and you will be able to set up Name and Value of the variable in question. After you have entered the correct data, click Done to create the variable.

NOTE: Changes will not be applied to the application environment until the Update button is clicked. All changes can be reverted by clicking the Reset button.

You also have the options to Stop App and Restart the application.

To delete the application, click Destroy. The application folder itself will remain unmoved.

Dealing with WSGI application issues

In some cases, apps may not run properly when the main application variable is called app. This is because WSGI software that we use to run Python on our servers requires the main application variable to be called application.

We will use the Flask application as an example here to make the application work:

1. Install Flask and all the other modules required for the app. It can be done in many ways:

  • Install modules manually one by one over SSH

This can be done using the standard Run Pip Install button described in this guide, or via SSH using pip install module command.

  • Install all the modules at a time with a requirements.txt file.

It can be done with the following type of command via SSH:

pip install -r requirements.txt

  • Install all the modules with a setup.py file via SSH, if one has been created for the application. The usage of this option depends on the app in question.

2. Remove the default passenger_wsgi.py file under the application root folder.
3. Find the main script of the application in the application root folder. Search for the following line to find it:
from app import app
(it can be from src import app or from app import application, however from app import app is the most common way to write it). The main script is usually called app.py, main.py, index.py, or init.py.
4. Rename this script to passenger_wsgi.py or set it in the Application startup file field within the Python App interface in cPanel.
5. Right below the import line (from app import app), insert this line:
application = app

The described actions should help fix an application that was not written with WSGI software in mind.

High Severity Vulnerability Patched in Ninja Forms

On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version.

We reached out to Ninja Forms’ security team according to their Responsible Disclosure Guidelines and they replied within a few hours. The plugin was patched less than 24 hours after our initial contact, on April 28, 2020.

All Wordfence users, including both Wordfence Premium and free Wordfence users, are protected from XSS attempts against this vulnerability by the Wordfence Firewall’s built-in XSS protection.

Description: Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions: < 3.4.24.2
CVE ID: CVE-2020-12462
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 3.4.24.2

The Ninja Forms plugin features a “legacy” mode which allows users to revert its styling and features to those of the plugin’s final 2.9.x version. As part of this feature, it adds several AJAX functions which appear to be intended to import forms and fields between the “legacy” mode and the default mode. While all of these functions used capability checks, two of the functions failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user. One function in particular, ninja_forms_ajax_import_form, allowed importing forms containing custom HTML:

add_action( 'wp_ajax_ninja_forms_ajax_import_form', 'ninja_forms_ajax_import_form' );
function ninja_forms_ajax_import_form(){
    if( ! current_user_can( apply_filters( 'ninja_forms_admin_upgrade_import_form_capabilities', 'manage_options' ) ) ) return;

    $import = stripslashes( $_POST[ 'import' ] );

    $form_id = ( isset( $_POST[ 'formID' ] ) ) ? absint( $_POST[ 'formID' ] ) : '';

    WPN_Helper::delete_nf_cache( $form_id ); // Bust the cache.

    Ninja_Forms()->form()->import_form( $import, TRUE, $form_id, TRUE );

    if( isset( $_POST[ 'flagged' ] ) && $_POST[ 'flagged' ] ){
        $form = Ninja_Forms()->form( $form_id )->get();
        $form->update_setting( 'lock', TRUE );
        $form->save();
    }

    echo json_encode( array( 'export' => WPN_Helper::esc_html($_POST['import']), 'import' => $import ) );
    wp_die();
}

As such, if an attacker was able to trick an administrator into clicking a crafted link, they could spoof a request using that administrator’s session and import a form containing malicious JavaScript into the site. Worse yet, it was possible to replace any existing form on the site with one of these imported forms by setting the formID $_POST parameter to the ID of an existing form.

Depending on where the JavaScript was placed in the imported form, it could be executed in a victim’s browser whenever they visited a page containing the form, whenever an Administrator visited the plugin’s Import/Export page, or whenever an Administrator attempted to edit any of the form’s fields. As is typical with Cross-Site Scripting (XSS) attacks, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.
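
Why a capability check alone does not stop a forged request is shown by the following Python model, an added example that is not Ninja Forms or WordPress code and not the plugin's actual patch. The session store, the HMAC-based nonce scheme, the function names and the placeholder form contents are all assumptions constructed for the model.

```python
import hashlib
import hmac
import secrets

# All names and values below are constructed for this model.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-admin": {"user": "admin", "caps": {"manage_options"}}}
ACTION = "import_form"


def make_nonce(session_id: str, action: str) -> str:
    """Token bound to one session and one action. Only pages served to that
    session ever contain it, so a page on another origin cannot supply it."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _authorized(cookies: dict) -> bool:
    session = SESSIONS.get(cookies.get("session", ""))
    return bool(session) and "manage_options" in session["caps"]


def _do_import(post: dict, forms: dict) -> None:
    # As in the flow described above, a supplied formID overwrites that form.
    form_id = int(post["formID"]) if post.get("formID") else max(forms, default=0) + 1
    forms[form_id] = post["import"]


def import_form_capability_only(cookies: dict, post: dict, forms: dict) -> bool:
    """Capability check only: proves whose session this is, not that the
    user meant to send this particular request."""
    if not _authorized(cookies):
        return False
    _do_import(post, forms)
    return True


def import_form_with_nonce(cookies: dict, post: dict, forms: dict) -> bool:
    """Capability check plus a nonce check before any state changes."""
    if not _authorized(cookies):
        return False
    expected = make_nonce(cookies["session"], ACTION)
    supplied = str(post.get("nonce", ""))
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    _do_import(post, forms)
    return True


def run_demo() -> dict:
    # The browser attaches the session cookie to both requests.
    cookies = {"session": "sess-admin"}
    # Sent from the plugin's own admin page, which embeds the nonce.
    same_site = {"import": "<form>new survey</form>",
                 "nonce": make_nonce("sess-admin", ACTION)}
    # Triggered from another origin: the cookie rides along, the nonce is unknown.
    cross_site = {"import": "<form>PLACEHOLDER-UNWANTED-FORM</form>", "formID": "1"}

    results = {}
    for name, handler in (("capability_only", import_form_capability_only),
                          ("with_nonce", import_form_with_nonce)):
        forms = {1: "<form>contact</form>"}
        results[name] = {
            "same_site_accepted": handler(cookies, same_site, forms),
            "cross_site_accepted": handler(cookies, cross_site, forms),
            "form_1": forms[1],
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

In the capability-only handler the cross-site request is accepted and form 1 is replaced; with the nonce check the same request is rejected and form 1 is unchanged, while the legitimate import still succeeds.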

Vulnerability Disclosure Policies are Important

One of the reasons this plugin was patched so quickly was because the plugin’s team maintains a Responsible Security Disclosure Policy, often referred to as a Vulnerability Disclosure Policy. This allowed us to contact them directly with our full disclosure rather than spending days trying to find or verify the appropriate contact channel. While we have occasionally seen plugins patched in less than 24 hours in the past, responses like this are exceptional and indicate a serious dedication to security.

If you are responsible for any kind of software product or service, having a Vulnerability Disclosure Policy (VDP) not only improves your chances of being alerted to serious security issues, but also allows you to set expectations for your response. Most importantly, it reduces the risk of vulnerabilities in your products being prematurely or irresponsibly disclosed and attacked by bad actors before you have a chance to fix them. For these reasons, we strongly recommend implementing a VDP to improve not only the efficiency of your response to specific flaws, but also the general security of your product.

Timeline

April 27, 2020 19:00 UTC – Our Threat Intelligence Team discovers and analyzes the vulnerability and verifies that our existing Firewall Rules provide sufficient protection against XSS.
April 27, 2020 19:24 UTC – We provide full disclosure to the plugin’s developer as per their Responsible Security Disclosure Policy.
April 27, 2020 20:27 UTC – We receive a response that a patch should be available the next day.
April 28, 2020 19:00 UTC – Patched version of the plugin released.

Network Optimizer – Railgun

Optimized partners can reach international customers faster with Railgun

Railgun ensures that the connection between your origin server and the Cloudflare network is as fast as possible.

Railgun compresses previously unreachable web objects by leveraging techniques similar to those used in the compression of high-quality video. This can result in an additional performance increase.

www.cloudflare.com/en-gb/website-optimization/railgun/

What Railgun Does

Railgun accelerates the connection between each Cloudflare data center and an origin server so that requests that cannot be served from the Cloudflare cache are nevertheless served very fast.

Approximately 2/3 of requests to sites on Cloudflare are served directly from cache from the data center that is physically closest to the person surfing the web. Because Cloudflare has data centers around the world this means that whether you are in Bangalore, Brisbane, Birmingham or Boston web pages are delivered quickly even when the real, origin web server is thousands of miles away.

Cloudflare’s ability to make a web site appear to be hosted close to web surfers is key in accelerating web surfing. A web site might be hosted in the US, but accessed mainly by web surfers in the UK. With Cloudflare the site will be served from a UK data center eliminating the costly delay caused by the speed of light.

But the other 1/3 of requests made to Cloudflare have to be sent to the origin server for processing. This happens because many web pages are not cacheable. This can be because of a misconfiguration, or, more commonly, because the web page changes frequently or is personalized.

For example, it’s hard to cache the New York Times home page for any length of time because the news changes and being up to date is essential to their business. And for a personalized web site like Facebook each user sees a different page even though the URL may be the same for different users.

Railgun uses a collection of techniques to accelerate and cache these previously uncacheable web pages so that even when the origin server must be consulted web pages are delivered quickly. And that even works for rapidly changing pages like news sites, or for personalized content.

Cloudflare research showed that even though many sites cannot be cached they actually change very slowly. For example, the New York Times home page changes throughout the day as news stories are written, but the boilerplate HTML of the page mostly stays the same and many stories stay on the front page all day.

For personalized sites the boilerplate HTML is the same with only small pieces of content (such as a person’s Twitter timeline or Facebook news feed) changing. This means there’s a huge opportunity to compress web pages for transmission if the unchanging parts of a page can be detected and only the differences transmitted.

How It Works

When a request is made to a Cloudflare server for a web page that is not in cache Cloudflare makes an HTTP connection to the origin server to request the page. It’s that HTTP connection that Railgun accelerates and secures.

Railgun consists of two software components: the Listener and Sender. The Railgun Listener is installed at your web host on an origin server. It’s a small piece of software that runs on a standard server and services requests from Cloudflare using the encrypted, binary Railgun protocol.

The Railgun Sender is installed in all Cloudflare data centers around the world and maintains connections with Railgun Listeners.

When an HTTP request comes in that must be handled by an origin server, Cloudflare determines whether it is destined for a Railgun-enabled website. If not, standard HTTP is used, but if so the HTTP request is routed to the Railgun Sender for handling.

The Railgun Sender turns the request into a compressed, binary chunk that’s transmitted to the corresponding Railgun Listener. The Railgun Listener handles the request and performs an HTTP request to the origin server. From the origin server’s perspective it’s as if the HTTP connection came directly from Cloudflare, but because it comes from inside the hosting partner’s infrastructure the request suffers no latency related delay.

Railgun uses a new caching mechanism based on comparing page versions to determine what needs to be transmitted across the Internet to the Railgun Sender. Using this mechanism Cloudflare is able to achieve typical 99.6% compression (taking, for example, a 100k web page down to 400 bytes) and a speedup of over 700%. In fact, the compressed data is often so small that using the binary Railgun protocol the entire response fits inside a single TCP packet.
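
The idea of comparing page versions and sending only the differences, as an added sketch that is not Cloudflare's code and not the Railgun wire format: Python's difflib turns the new page into "copy these lines you already have" plus the literal text that changed. The page contents and the 8-byte cost assumed for each copy instruction are constructed for illustration.

```python
import difflib

COPY_COST = 8  # assumed bytes needed to encode one "copy lines a..b" instruction


def build_page(headline, stamp):
    """Constructed news page: fixed boilerplate, 200 stories, two lines that change."""
    stories = "".join(
        f'<li class="story">Story number {i} stays up all day</li>\n'
        for i in range(200)
    )
    return (
        "<html><head><title>News</title></head>\n<body>\n"
        f"<p>Updated {stamp}</p>\n<h1>{headline}</h1>\n"
        f"<ul>\n{stories}</ul>\n</body></html>\n"
    )


def make_delta(old, new):
    """Describe `new` as copies out of `old` plus the literal text that changed."""
    old_lines, new_lines = old.splitlines(True), new.splitlines(True)
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines, autojunk=False)
    ops = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))  # the receiver already holds these lines
        elif tag in ("replace", "insert"):
            ops.append(("insert", "".join(new_lines[j1:j2])))
        # "delete" needs no instruction: those lines are simply never copied
    return ops


def apply_delta(old, ops):
    """Rebuild the new page from the cached old version and the delta."""
    old_lines, out = old.splitlines(True), []
    for op in ops:
        out.extend(old_lines[op[1]:op[2]] if op[0] == "copy" else [op[1]])
    return "".join(out)


def delta_size(ops):
    """Bytes on the wire: a fixed cost per copy, 1 tag byte plus text per insert."""
    return sum(COPY_COST if op[0] == "copy" else 1 + len(op[1]) for op in ops)


OLD = build_page("Markets open flat", "09:00")
NEW = build_page("Markets close higher", "17:00")
DELTA = make_delta(OLD, NEW)
RATIO = delta_size(DELTA) / len(NEW)
```

Both ends must hold the same old version for the delta to apply, which is why the scheme depends on the Listener and Sender keeping matching copies of each page.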

Railgun connections are secured by TLS so that requests sent across them cannot be eavesdropped upon. The connection is secured by certificates so that a man-in-the-middle attack is not possible. The TCP connection between Cloudflare and the origin server is kept alive so that it can be reused for subsequent requests eliminating the slow start up of a TCP connection.

Railgun requests are multiplexed onto the same connection and can be handled asynchronously. This means that Railgun can handle many simultaneous requests without blocking, which maximizes the use of the TCP connection.

What is QUIC.cloud

QUIC.cloud

Introduction

QUIC.cloud is the first and only content delivery network with the ability to cache dynamic WordPress pages. Using QUIC as the transfer protocol, QUIC.cloud will make your website faster and more secure than the competition.

Litespeed’s QUIC.cloud is a new way to supercharge your website.

QUIC.cloud CDN, an intelligent cache CDN based on LiteSpeed Cache, is the only CDN service that can accurately cache dynamic pages (pages that can change frequently).

LSCache for WordPress knows when to automatically purge and sync data in QUIC.cloud CDN, giving it the upper-hand on all other CDN providers. Users can now provide anyone across the globe access to their sites in less than 100ms!

Also, new to QUIC.cloud is image optimization, critical CSS, and LQIP. With these new services readily available, QUIC.cloud is more customizable and efficient than ever before.

After reading through this guide, if there is something you do not understand, please let us know by sending an email to support[at]quic.cloud.

Requirements

Before you can use QUIC.cloud, you should update your LiteSpeed Cache for WordPress plugin to at least v3.0.

This guide also assumes you already have a domain set up with WordPress. If you do not yet, please check out WordPress’ Domains guide.

Matching WordPress and QUIC.cloud

To begin, sign into your WordPress dashboard for the domain you’d like to use with QUIC.cloud.

Then navigate to the menu bar on the left side of the site, and hover over LiteSpeed Cache.

Then, select General.

On that page there will be a box for a Domain key; click the link Apply Domain Key, on the right side of the box.

You will see a bar at the top saying you applied successfully and to wait for the result. Please refresh the page.

After refreshing, the box should be automatically filled with the key. Next click Save Changes in the right corner.

Once you save, click Link to QUIC.cloud.

Next you will be redirected to QUIC.cloud to sign up/login.

If you login, you will be redirected back to your WordPress dashboard.

If you sign up, you will be asked to fill in your desired password and to agree to the QUIC.cloud terms and conditions. Then click Register.

Check your emails for a message from QUIC.cloud and confirm your account.

Once you click the activation link, a new tab will open saying the activation was successful.

Click My Dashboard and you will be redirected back to the WordPress dashboard.

Back on the WordPress dashboard, there is a button that will direct you to your QUIC.cloud dashboard.

Once on the QUIC.cloud dashboard, you will see the new domain listed.

When you click into the domain, you should see a list including our CDN and the services offered.

If you’d like to use the CDN, please continue on to the next section of this document. If you are not interested in using the CDN, however, then you have successfully finished your setup. Congratulations and welcome to QUIC.cloud!

Setting up the CDN

Before a domain can use QUIC.cloud CDN, the DNS for that domain must be properly set up. Please follow the instructions below to set up your DNS.

DNS Setup

If you are not sure about how the DNS works, check out our DNS Primer. You will need to be logged into your WordPress admin and your DNS management page.

Note -  The base domain, e.g. example.com is known as the Root or Apex Domain. All other usages of this domain such as sub.example.com or www.example.com are subdomains.

If you are adding the root domain to QUIC.cloud, refer to the following section. If you are adding a subdomain, refer to the subsequent section.

Adding the Root(Apex) Domain

QUIC.cloud requires that your DNS maps your domain to a domain provided during setup. This means that your DNS provider must support domain to domain mapping for the Root domain.

The following instructions have screenshots from the CloudFlare DNS manager.

  1. Take a screenshot of your current configurations. Keep this as a reference in case things go wrong, so you have something to go back to.
  2. Check what your TTL value is and adjust it to the smallest value possible (if not already). You will need to wait until the old DNS records expire before you can use QUIC.cloud. After the old value expires, every record should be using the new value. Example: previous value: 1 hour, new value: 2 minutes. If it is 3pm when you change the value to 2 minutes, you must wait until 4pm to be sure that all the records now use the 2 minute value.
  3. (Optional) If you wish to use both the root domain and the www. subdomain: Create a CNAME record pointing www. to your Root domain:

If you have a www. record already, edit that to look like the above screenshot. The net result is that www.example.com will target the same server as example.com. 

  4. Create an A record for a random subdomain that points to your origin IP. For example, origin.example.com.
  5. Convert your current record for @ to a CNAME record targeting the subdomain you created in step 4.

Deleting the root domain record:

Note – The below screenshots are for deleting an A record and adding a CNAME record. If your current record is a CNAME record or your DNS Manager allows changing record types, you can just edit the record.

Setting the CNAME record for the root domain:

Make sure that your site is still accessible as is. Here are some ways to test.

Note – If you are using CloudFlare DNS, ensure that the cloud is set to “Grey” (this means you are not actually using Cloudflare for anything other than the DNS).

After performing the above steps, the following should be true:

  • Your site is still accessible. Nothing should have changed.
  • If you performed step 3, your www. subdomain should also point to your current IP. Refer to how to check the DNS.
  • The random subdomain should also target the same IP.

If any of the above are not true, review your DNS configurations and run through the steps again. One possible reason that the above are not true is that the TTL for the old configuration has not expired yet. Make sure that the time has elapsed.

Adding the Subdomain

The following instructions have screenshots from the Digital Ocean DNS manager. The steps should be similar for your DNS provider.

  1. Take a screenshot of your current configurations. Keep this as a reference in case things go wrong, so you have something to go back to.
  2. Check what your TTL value is and adjust it to the smallest value possible (if not already). You will need to wait until the old DNS records expire before you can use QUIC.cloud. After the old value expires, every record should be using the new value. Example: previous value: 1 hour, new value: 2 minutes. If it is 3pm when you change the value to 2 minutes, you must wait until 4pm to be sure that all the records now use the 2 minute value.
  3. If the subdomain points to the same origin server as the Root domain, this step is not required. Create an A record for a random subdomain that points to your origin IP. For example, origin.example.com.
  4. Convert your current record for the subdomain to a CNAME record targeting the subdomain you created in step 3. If you are using the root domain as the base, target that instead. The below screenshots are for deleting an A record and adding a CNAME record. If your current record is a CNAME record or your DNS Manager allows changing record types, you can just edit the record.

Deleting the old record:

  5. Make sure that your site is still accessible as is. Here are some ways to test. If you are using CloudFlare DNS, ensure that the cloud is set to “Grey” (this means you are not actually using Cloudflare for anything other than the DNS).

After performing the above steps, the following should be true:

  • Your site is still accessible. Nothing should have changed.
  • The random subdomain should also target the same IP.

If either of the above is not true, review your DNS configurations and run through the steps again. One possible reason is that the TTL for the old configuration has not expired yet. Make sure that the time has elapsed.
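
The "following should be true" checks from both the root-domain and the subdomain procedure, as an added example rather than QUIC.cloud tooling: it follows each CNAME chain in a record set and reports any name that no longer lands on the origin IP. The zone contents, the 203.0.113.10 address and the function names are assumptions; in practice the records would come from your resolver or a DNS export.

```python
ORIGIN_IP = "203.0.113.10"  # constructed address from the documentation range

# Constructed records as they should look after the CNAME conversion step.
ZONE = {
    "origin.example.com": ("A", ORIGIN_IP),
    "example.com": ("CNAME", "origin.example.com."),
    "www.example.com": ("CNAME", "example.com."),
}


def resolve(zone, name, max_hops=8):
    """Follow CNAMEs until an A record is reached; return (ip, chain)."""
    name = name.rstrip(".").lower()
    chain = [name]
    while len(chain) <= max_hops:
        record = zone.get(name)
        if record is None:  # CNAME points at a name with no record (dangling)
            raise LookupError("no record for " + " -> ".join(chain))
        rtype, value = record
        if rtype == "A":
            return value, chain
        name = value.rstrip(".").lower()
        if name in chain:
            raise LookupError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
    raise LookupError("too many CNAME hops from " + chain[0])


def verify(zone, names, origin_ip):
    """Return {name: problem} for every name that does not land on origin_ip."""
    problems = {}
    for name in names:
        try:
            ip, _ = resolve(zone, name)
        except LookupError as exc:
            problems[name] = str(exc)
            continue
        if ip != origin_ip:
            problems[name] = f"resolves to {ip}, expected {origin_ip}"
    return problems


CHECKED = ["example.com", "www.example.com", "origin.example.com"]

if __name__ == "__main__":
    print(verify(ZONE, CHECKED, ORIGIN_IP) or "all names still reach the origin")
```

An empty result means the change was transparent; a "no record" entry means a CNAME was left pointing at a name that was deleted or never created.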

Enable CDN

When on your QUIC.cloud dashboard, click on the domain you’d like to enable the QUIC.cloud CDN service for.

Note – Domains can be listed in QUIC.cloud and use the QUIC.cloud services, without using the CDN.

Next, under the services list, click CDN.

Note - If the status of the CDN says ‘OK’, then your CDN is already enabled for that site and you do not need to continue with this guide.

On the following screen, click Enable CDN.

Next we will discuss the DNS records and verification.

Configure DNS Records and Verify

Update the DNS Manager

Note the CNAME record that we created for you, as below:

In your DNS Manager, change the CNAME you set up to point to this CNAME domain.

CloudFlare DNS Example:

At this point, nothing should have changed. Your site should still target your server. Here are some ways to test.

Configure Access for your site (Optional)

On the CDN page, under Setting -> Connection, there are three options that configure how the browser connects to QUIC.cloud and how QUIC.cloud connects to your origin server. Select the appropriate option.

Connection Type to Origin: This option specifies the connection type between QUIC.cloud and your origin server. The available options are: match the connection type from the browser to QUIC.cloud or use HTTP Only.

Frontend Force HTTPS: This option specifies the connection type between the browser and QUIC.cloud servers. If set to ON, HTTP requests to QUIC.cloud are redirected to HTTPS automatically. Otherwise, both request types are forwarded to your backend server (depending on how Connection Type to Origin is configured).

Enable QUIC Backend: If your site offers QUIC and/or HTTP/3, you can try this option. This will let QUIC.cloud servers attempt to connect to your origin server using QUIC and/or HTTP/3.

Configure your Firewall

When your site goes through QUIC.cloud servers, all the requests will appear via QUIC.cloud IPs. This will likely trigger some firewall rules. Make sure to whitelist QUIC.cloud IPs so that the requests do not trigger the firewall.
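
One way to test an allowlist before relying on it, as an added example that is not QUIC.cloud's tooling: sort the client addresses in access-log lines into those inside the allowlisted CDN ranges and those that reached the server directly. The CIDR ranges are placeholders from the documentation address space, not QUIC.cloud's real IPs (take those from QUIC.cloud's published list), and the log lines are constructed.

```python
import ipaddress

# Placeholder ranges from the documentation address space, NOT QUIC.cloud's real IPs.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "2001:db8:cd::/48")]

# Constructed access-log lines (the client address is the first field).
SAMPLE_LOG = """\
192.0.2.17 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
2001:db8:cd::5 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
198.51.100.23 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2024:10:00:04 +0000] "GET /feed/ HTTP/1.1" 200 900
not-an-ip - - [10/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 400 0
"""


def from_cdn(addr, ranges=CDN_RANGES):
    """True when addr parses as an IP inside one of the allowlisted ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on anything that is not an IP
    return any(ip.version == net.version and ip in net for net in ranges)


def classify(log_text, ranges=CDN_RANGES):
    """Split log lines into allowlisted CDN clients, direct clients and unparsable."""
    result = {"cdn": [], "direct": [], "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(maxsplit=1)[0]
        try:
            bucket = "cdn" if from_cdn(client, ranges) else "direct"
        except ValueError:
            bucket = "unparsed"
        result[bucket].append(client)
    return result


if __name__ == "__main__":
    for bucket, clients in classify(SAMPLE_LOG).items():
        print(bucket, clients)
```

Once the CDN is enabled, entries in the "direct" bucket are requests that did not pass through QUIC.cloud and are still subject to the normal firewall rules.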

Verify Your Website is Using QUIC

You must have a valid SSL Certificate set up on QUIC.cloud to use QUIC.

If QUIC.cloud is working properly, your site should be using QUIC. You can use a browser extension to verify this, such as this for Google Chrome. It will show a green lightning bolt indicator if your website is using QUIC.

Alternatively, you could use HTTP/3 Check to test it out.

That’s it. QUIC.cloud CDN should now be set up. If you have any questions or issues, please contact us at support[at]quic.cloud.


What is Entry Process Limit – Shared Hosting

The Entry Process limit is the number of PHP scripts you can run at a time. Our Shared Hosting and WordPress hosting plans limit the number of entry processes that can run at a time.

Number of visitors on website – The Entry Process limit should not be confused with the number of visitors you can have on your website, as each entry process takes just fractions of a second to complete.

For example, if we set a limit of 25 entry processes, that doesn’t mean that only 25 people can visit your website at a time, because it is very rare for 25 people to be browsing your website in the same fraction of a second.

When a visitor browses any web page of your website, the web server would start serving the request. While this request is being served, it will use one entry process.

Once this request has been served, the web server would no longer use an entry process and the entry process count would get decreased by 1.

Please note that cron jobs, shell scripts and other commands also use an entry process for as long as they are running.

Why such restrictions – Entry process limits ensure that no single user consumes all server resources and prevent DDoS attacks against the web server.

The entry process limit caps the number of concurrent connections to the web server, thus protecting our server against malicious traffic.

When you use all allotted entry processes (25), new visitors would experience a 508 error.
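
The counting rule described above, as an added simulation and not the hosting platform's own code: each request holds one entry process from the moment it starts until it finishes, and a request that arrives while all slots are busy gets a 508. The traffic figures are constructed, the limit of 25 is the one used on this page, and the model assumes rejected requests are not queued or retried.

```python
import heapq

EP_LIMIT = 25  # the limit used in the example on this page


def simulate(requests, limit=EP_LIMIT):
    """requests: (start_ms, duration_ms) pairs. Returns (served, errors_508, peak)."""
    running = []                      # min-heap of finish times of busy entry processes
    served = errors_508 = peak = 0
    for start, duration in sorted(requests):
        while running and running[0] <= start:
            heapq.heappop(running)    # finished requests give their slot back
        if len(running) >= limit:
            errors_508 += 1           # every slot busy: this visitor sees a 508
            continue
        heapq.heappush(running, start + duration)
        served += 1
        peak = max(peak, len(running))
    return served, errors_508, peak


# Constructed traffic: 600 page views in one minute, one every 100 ms.
FAST_PAGES = [(i * 100, 200) for i in range(600)]    # each script runs for 0.2 s
SLOW_PAGES = [(i * 100, 5000) for i in range(600)]   # same visitors, 5 s scripts
BURST = [(0, 200)] * 30                              # 30 requests in the same instant
CRON_JOBS = [(0, 60_000)] * 24                       # long-running jobs hold slots too

if __name__ == "__main__":
    loads = {
        "fast pages": FAST_PAGES,
        "slow pages": SLOW_PAGES,
        "burst": BURST,
        "fast pages + cron": FAST_PAGES + CRON_JOBS,
    }
    for name, load in loads.items():
        served, errors, peak = simulate(load)
        print(f"{name}: served={served} 508s={errors} peak entry processes={peak}")
```

With fast scripts, 600 visitors a minute never use more than 2 entry processes; the same visitors hit the limit once scripts take 5 seconds or long-running cron jobs occupy most of the slots.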