Hey everyone!
In case you hadn't noticed, we released version 0.5 of pagekite.py last Friday:
http://pagekite.net/2012-07-20/Pagekite_py_0_5_0_released
There are a bunch of new features and improvements in this release
over 0.4.x, but there is one in particular which makes this release a
little different - we've added a very basic request firewall to keep
folks from shooting themselves in the foot by exposing things like
insecure XAMPP, phpMyAdmin or WordPress installations to the public
web. You can read more about this feature and why we felt it was
necessary, here:
http://pagekite.net/support/security/
As we realize that some folks using the RPM or DEB packages may
actually be relying on the ability to reconfigure e.g. their WordPress
blogs over PageKite, we are pondering what the default configuration
should be for people who are using the OS-level integration.
It boils down to this: Should we disable the firewall for people whose
pagekites start up on boot?
If we disable the firewall, then that becomes an insecure-by-default
policy for anyone using the .deb or .rpm package. This is not
necessarily a good thing; we prefer to be "as secure as is reasonable"
by default.
If we enable the firewall, some users will be surprised and their
current websites may "break" without them really understanding why
(especially if automatic apt or yum updates are enabled). Of course,
it will be easily fixable by adding the "insecure" keyword to their
/etc/pagekite.d/80_httpd.rc file, but until people figure that out the
new behavior could be quite confusing.
Any opinions?
--
Bjarni R. Einarsson
Founder, lead developer of PageKite.
Make localhost servers visible to the world:
https://pagekite.net/