Hi All,

I just want to bounce an idea against potential hosting customers.

A fair portion of web server problems regarding server load and security breaches come from CGI scripts. A sizeable number of sites use nothing more than static html pages, DNS, FTP and email

I would like to know if hosting customers would prefer a host that doesn't offer CGI scripts , however radical this idea may sound...

Cheers
Balaji

My first host, SimpleNet, didn't offer CGI/PHP/ASP or anything else (actually they started offering Miva Script after I was with them a while, but I--and probably 99% of their other clients--didn't bother to learn or use it). Yahoo! bought them and still doesn't offer CGI (although I just looked at their site and it looks like they're now offering PHP with their $20/month plan).

I think most hosts would love to do away with cgi. But most people will still want it, or think a host is inferior if it doesn't offer it.

Thats exactly my point Nexdog...

Customers want so many features just to feel comfortable even though many of them they dont use; and I think hosts can educate the customers that if they share a server that permits CGI when they themselves dont need it, they are risking their uptime

We hear so many horror stories of downtime and fork bombs and if these are caused by "features" then aren't we better off without features?

We have a package that we just started offering a few months ago. Unlike the rest of our hosting packages, it offers no CGI...just space, Webmail and FTP....that's it. Its extremely cheap and popular. Actually, it surprises me how popular it is...especially with the no POP3 access.

--Tina

I've had a web site for several years that is fairly vanilla -- all .html and .jpg files, no CGI with the trivial exception of a web page counter using the host-supplied CGI.

I'm looking around for a new host and even though I don't use CGI currently, I would like the comfort of knowing that it is available if I ever get a brainstorm for something that would require CGI.

A plan that might appeal to me would be hosting on a non-CGI server with the option available of upgrading to an account with CGI access, which would fit my current situation but wouldn't give me the feeling that I had painted myself into a corner (it's much easier to upgrade a plan than to switch to another host).

Also, it might be nice to allow the non-CGI customers to use a few host-supplied CGI scripts that aren't resource intensive, like web counters.

- Dennis D.

Originally posted by DDeMars
I've had a web site for several years that is fairly vanilla -- all .html and .jpg files, no CGI with the trivial exception of a web page counter using the host-supplied CGI.

I'm looking around for a new host and even though I don't use CGI currently, I would like the comfort of knowing that it is available if I ever get a brainstorm for something that would require CGI.

A plan that might appeal to me would be hosting on a non-CGI server with the option available of upgrading to an account with CGI access, which would fit my current situation but wouldn't give me the feeling that I had painted myself into a corner (it's much easier to upgrade a plan than to switch to another host).

Also, it might be nice to allow the non-CGI customers to use a few host-supplied CGI scripts that aren't resource intensive, like web counters.

- Dennis D.



Yeah, thats exactly how we set it up. The reason we started offering this is because we wanted to 'bring 'em in' and then hope they upgrade later. ;) Again, for those hosts wondering if its a good idea, it is.

--Tina

This is truly something that sounds like it would be a good plan to offer. But, like hte customer said.. perhaps include a few small non intense scripts like a guestbook and counter. Those are the two most used cgi's that I can think of.. besides a mail form of course.

AffordableHost, said it is working for them, and it makes sense that it would.

Just make sure you can upgrade the customer to another machine if they decide to want cgi later. Then, I think you would have your bases covered.

Good luck with it if you decide to give it a try.

Tim L

Spammers seem to be drawn to cheap hosting packages. Basically, all they need is the ability to send out 1000s of emails and then move on. If you offer this no-CGI package - I wouldn't offer POP/SMTP with it. We offer Webmail only.

Agreed, you might want to offer a few pre-installed scripts (we have stats and FormMail...but nothing else, on these packages).

Make it a decent deal, but don't give away too much. You're not going to make much of a profit on these accounts - but it is a good marketing tool.

--Tina

That's a neat idea. Hmm...

I agree with the idea that you can give people a basic, stripped away hosting plan. I.e., rather than having people choose to have FP extensions (of all things, yuck! There's something I'd never offer if I ran a hosting company -- I don't care if people wouldn't host on me, if they couldn't figure out to just use FTP), give them a choice of other things they might need or not, perhaps on sign up. Still, just flat out offering a server with only stripped down plans is a good idea. As far as CGI being an issue of being insecure or a resource hog, PHP is exactly just as bad and exactly just as much of an issue (perhaps more, in most cases) over CGI. So, you'll want to do away with PHP too, not just CGI. There are other things that might be wise, in that regard and ideal, to change or remove as well -- not just CGI and PHP. Tina's plan she outlined briefly is more proactive in that regard (i.e., no SMTP and/or POP) to prevent other aspects that might be a hassle. But, what's to stop people from using a free provider then?

As far as worrying about scripts crashing the server, just use SuEXEC and set the limits for the user's total CGI processes, how long the processes can run and how much CPU and RAM those processes can run for. That will solve your problem against server crashes. After all, if CGI poses a security issue for you, then you should probably better configure your server. The same holds true of PHP too. I do like this idea though and doing away with a lot of things might be wise. However, really, there's no reason why CGI should pose any issues, if you run it properly. That's also not to deny that every single thing you do allow (CGI, PHP, FTP, SSH, etc.) will all each open up another resource and another security issue (since people can't do as much with static HTML or inhouse scripts -- that is true). Anyway, while I'd personally toss some features quick, I don't think I'd toss CGI, but simply configure it to have more control -- in addition to a tool to monitor user's processes. The reasons and solutions that can be discussed about this, could be endless, but I will just say I agree, but for different reasons.

Originally posted by Tim_Greer
Tina's plan she outlined briefly is more proactive in that regard (i.e., no SMTP and/or POP) to prevent other aspects that might be a hassle. But, what's to stop people from using a free provider then?

1. I don't care if spammers use the free provider's email account to spam with (well, I do...but it won't get me into trouble with my upstream).

2. You can't get a domain, and hosting, from a free provider for $22 per year. :D

--Tina

I agree, anything to keep SPAMMER's away, I'm all for it.

If no CGI, then how about POHS (Plain Old Hosting Service :D) by just running an HTTP server, an FTP server, and maybe a POP3 server? That means no control panel, CGI, PHP, mySQL, etc. That would probably cause the least amount of problems. I'd feel the most comfortable about running a hosting company that way, but how many people would go for that? That's enough for many people, but many people seem to want things they don't need.

Originally posted by AffordableHost

1. I don't care if spammers use the free provider's email account to spam with (well, I do...but it won't get me into trouble with my upstream).


Wait a sec. You mean that if you host a site, say DOMAIN.XYZ, and the customer sends out a bunch of Spam through their AOL account or whatever, that DOMAIN.XYZ shouldn't be penalized? Assuming you investigate and establish if it's a frame-up job, a clueless innocent mistake, or an outright Spam.

I thought this issue had been squared away a couple of years ago when Netcom was still hosting all the Spammers and refusing to penalize them because the Spam wasn't sent through Netcom's network. I'm probably just misunderstanding.

Kevin

Originally posted by sigma


Wait a sec. You mean that if you host a site, say DOMAIN.XYZ, and the customer sends out a bunch of Spam through their AOL account or whatever, that DOMAIN.XYZ shouldn't be penalized? Assuming you investigate and establish if it's a frame-up job, a clueless innocent mistake, or an outright Spam.

I thought this issue had been squared away a couple of years ago when Netcom was still hosting all the Spammers and refusing to penalize them because the Spam wasn't sent through Netcom's network. I'm probably just misunderstanding.

Kevin

I think I can confidently say that is not what Tina had meant. Data centers and (in I think Tina's case) upstream providers (if you have your own data center/NOC) will sometimes charge you per SPAM incident, if the SPAM is being sent out from one of your servers/systems. That's to prevent her from getting SPAM complaints by people thinking she has an open relay, hosts SPAMMERs (that also use her systems to SPAM from) or whatever else. That's not to say that she wouldn't terminate their domain/account if they were sending SPAM from another location. It's like a SPAMMER sending email out from one host and having their actual SPAM site on a free host with no SMTP service. That free host might be emailed complaints for them to remove the SPAMMER's site, but at least you're not liable for providing them an SMTP service for them to use you to SPAM through -- and you also won't get blacklisted like the server that the email was sent out from will. This is a pretty significant difference -- not to mention you save resources on the server and bandwidth those emails would have generated if sent from your server. Less complaints, and a lot less hassle -- but that doesn't mean she wouldn't terminate their account with extreme prejudice -- I know I would too!

Well I have decided not to allow CGI or FP extensions on my server even if I have to lose business because of that. I will provide formmail, counters etc.

I cant do away with pop3 or smtp because my server is primarily intended as a mail server for outsourced email

Thanks for the inputs and maybe I will post an offer in the ad forums and see where it takes me. I would rather wait 2 years to have 200 clients who will share the server sensibly than have 50 sign ups in a week who bring it down in no time!

And yes the idea of an upgrade to a CGI server is awesome and I have to see the best way to offer that

My clients may not be able to have shopping carts and application hosting [atleast on this server] but in return they can sleep peacefully in the night knowing that the server load will be well below 0.2 and their site will be up

Cheers and any more inputs will be appreciated

Balaji

But then the paradox is that the people who want cheap hosting are usually the ones that use Frontpage and like to have their free tacked on cgi scripts...

I love the idea and I would love the low server load and greatly decreased chances of problems, but I'm not sure the general Joe Bloggs customer will care for such things... As ToastyX pointed out earlier, people are always going to want things they don't need.

Maybe if you pushed this product to the more internet savvy users and really market the reliability angle ("Sick of downtime? Sick of other users crashing the server you're on? Sign up for this...") sorta thing it might be better than as a low price product, where people are more likely to be comparing it to the 600Mb for $1/yr crowd... :D

I don't know, just some thoughts anyway!

Well thanks for all your wishes and suggestions

I have gone ahead and offered it in the ad forums at a mouth-watering price!

And I am targeting sites like this (http://graniteworld.net) which I currently host.

I have given 1 pop3 mail, 1 FTP account and 10MB of space and the customer has added significant value to his export business after this site...

So 10mb is a lot of space actually!

Cheers
Balaji

Originally posted by Tim_Greer


I think I can confidently say that is not what Tina had meant. Data centers and (in I think Tina's case) upstream providers (if you have your own data center/NOC) will sometimes charge you per SPAM incident, if the SPAM is being sent out from one of your servers/systems. That's to prevent her from getting SPAM complaints by people thinking she has an open relay, hosts SPAMMERs (that also use her systems to SPAM from) or whatever else. That's not to say that she wouldn't terminate their domain/account if they were sending SPAM from another location. It's like a SPAMMER sending email out from one host and having their actual SPAM site on a free host with no SMTP service. That free host might be emailed complaints for them to remove the SPAMMER's site, but at least you're not liable for providing them an SMTP service for them to use you to SPAM through -- and you also won't get blacklisted like the server that the email was sent out from will. This is a pretty significant difference -- not to mention you save resources on the server and bandwidth those emails would have generated if sent from your server. Less complaints, and a lot less hassle -- but that doesn't mean she wouldn't terminate their account with extreme prejudice -- I know I would too!


Thanks Tim. You saved me from having to type that reply. :D

--Tina

Originally posted by helper
There are W2K hosts that can offer that stability "and" include the functionallity with native ASP and many COM components that are available on host servers now. With full featured W2K hosting packages available in the $19.95 price range.[/URL], I believe those hosting packages have the potential to fill the need you speak of as long as they continue to offer the features you really want, the host is good at keeping hot fixes and security fixes current, and their level of support is high.

I think that everyone was talking more in the line of under $2/month hosting, and there is no way that a W2K with ASP and COM components compares to what we were talking about with a UNIX account with no CGI or SMTP. Please try to stay on topic.

Thank you. :)