WebHosting


This page contains information about how I organize and configure my web hosting. The current web hosting provider is SolNet. Things hosted on their servers are:

  • This wiki
  • Various websites with static content

Also see the wiki pages Websites and DnsHosting.


SolNet Webserver Panel

This section describes the "Webserver Panel", which is the web interface for administrating the hosted services.

Access: Login to the SolNet Admin Panel, then select "Webserver" to enter the Webserver Panel.

At the top of the panel you see the domain that the hosting contract was created for. For me this is

www.herzbube.ch

Although there is no apparent logic to it up front, this seems to be some kind of super-important top-level setting - so to speak the domain that the entire webserver represents. Because of this the mappings for herzbube.ch and www.herzbube.ch need to be configured differently than the mappings for other domains, e.g. for moser-naef.ch and www.moser-naef.ch:

  • The mapping for herzbube.ch is done in menu "Subdomains".
  • The mapping for www.herzbube.ch is done in menu "Einstellungen".


Menu "Infos"

Provides some basic information about the hosting, such as the name of the server that hosts the domains and the name of the database server.


Menu "Mappings"

Here you can add new second-level domains (e.g. moser-naef.ch) and map them to a subfolder of your choice.

When you create a new mapping you can decide whether it should be accessible only with the "www" prefix, or also without the "www" prefix.

  • If the checkbox "Name is possible also without www prefix" is not set, then only a single mapping is created for the "www" subdomain!
  • If the checkbox is set, then two mappings are created: One for the "www" subdomain, and a second one for the second-level domain itself. Both mappings point to the same filesystem path.

On the surface this user interface is very unintuitive: You enter a second-level domain but the mapping is actually created for the "www" subdomain. Adding a mapping also for the second-level domain is rather an option than the primary goal. The reason for this is that when you enter a second-level domain here, this automatically creates a DNS zone for that second-level domain. This DNS zone could then be edited in menu "DNS", but I guess people usually don't want to bother with DNS configuration, so this "Mappings" area of the Webserver Panel is just a frontend for simplifying the default use case "I own a domain and I want to host a website for it under the www subdomain".

Currently configured mappings:

| Domain | Filesystem Path | Without "www" prefix | Remarks |
|---|---|---|---|
| francescamoser.ch, www.francescamoser.ch | /public_html/www.francescamoser.ch | Yes | |
| grunzwanzling.ch, www.grunzwanzling.ch | /public_html/www.grunzwanzling.ch | Yes | |
| moser-naef.ch, www.moser-naef.ch | /public_html/www.moser-naef.ch | Yes | |

Note that herzbube.ch and www.herzbube.ch are not configured here. See the top of the section SolNet Webserver Panel above.


Menu "Subdomains"

Here you can add new subdomains for second-level domains for which a DNS zone exists, and map them to a subfolder of your choice.

Currently configured mappings:

| Domain | Filesystem Path | Remarks |
|---|---|---|
| acexpander.herzbube.ch | /public_html/acexpander.herzbube.ch | |
| herzbube.ch | /public_html/www.herzbube.ch | Because the mapping for www.herzbube.ch is not managed in the menu "Mappings", the mapping for the second-level domain herzbube.ch must be done here - there is no other place in the Webserver Panel to do this. Very unintuitive! |
| kino.herzbube.ch | /public_html/kino.herzbube.ch | |
| wiki.herzbube.ch | /public_html/wiki.herzbube.ch | |

Note that www.herzbube.ch is not configured here. See the top of the section SolNet Webserver Panel above.


Menu "Datenbanken"

Here you can manage databases, i.e. create new ones, and edit/delete existing ones. These are the attributes of a database:

  • Database name
  • Username
  • Password
  • An optional comment describing the database

Once a database exists it is listed with a number of icon buttons that allow you to manage the database settings. In addition there is one button that starts a phpMyAdmin session for that database. Notes:

  • You can have only one phpMyAdmin session active at a time.
  • When you press the "Info" button, the resulting page shows a note that implies that Redis is available for object caching in a CMS. After asking tech support about this I got the confirmation that SolNet provides a Redis server that is reachable using the default Redis port (6379). Apparently also important is that a "salt" must be used (but a CMS should usually manage this by itself).


Menu "Einstellungen"

This menu contains several entries to jump to pages dedicated to configuring settings for specific areas of SolNet's hosting offer.

Webserver

  • Always HTTPS
    • This causes the web server to respond to http:// requests with an HTTP 302 redirect using the exact same URL.
    • This works for all second-level domains and subdomains.
    • On my old dedicated server I solved this with an HTTP 301 redirect, i.e. a permanent redirect, but without taking the extra step of preserving the URL.
  • Alternatives HOME-Verzeichnis = /public_html/www.herzbube.ch
    • This is the mapping for www.herzbube.ch!
    • This mapping must be done here, not in the menu "Mappings" and not in the menu "Subdomains". See the top of the section SolNet Webserver Panel above.


Geschützte Bereiche

  • Here you define new areas that you want to protect with a user/password combination.
  • You also define the credentials to be used for accessing the areas here.


Jobs/Scripts

  • Here you can define cron jobs.
  • The server runs on UTC time, so the crontab specification for when a job is scheduled must take this into account.
  • Each job refers to a script that must have been previously uploaded via SFTP, typically to the /jobs folder. Important: The executable bit must have been set for the script, otherwise it can't be selected here.
  • The "lightning" icon button lets you execute the script right now. Very useful for one-shot scripts. Note that there is a timeout for such immediate execution - if the script takes too long to complete you get a server error. I don't know whether the script is then aborted, or is left to run unattended in the background.


FTP Benutzer

  • Here you can add additional FTP users.


Menu "DNS"

Here you can view and manage the DNS configuration of your second-level domains as well as their certificates.


Click on domain name

  • Shows the "Domain Editor" page where you can edit the DNS records of the domain.
  • There seems to be some kind of history. Currently all entries shown here seem to be empty. Maybe this would make more sense if I were actually using SolNet's DNS service.
  • The records can be downloaded.


Click on "Status" column value

  • Toggles the domain between online / offline.
  • It's not clear what this does, exactly.


Click on "Cache" column value

  • Shows the output of "dig" querying the SolNet DNS servers.
  • Shows the information that zone changes are updated every 15 minutes.
  • There is a recommendation to change TTL to a low value the day before any important changes are due.


Registrar column

  • Is currently empty for all of my domains.


Click on "DNSSEC" column value

  • Shows a page where DNSSEC can be activated or deactivated.


Click on button "Zertifikate"

  • Shows a page that lists all certificates for all second-level domains and subdomains.
  • Some certificates are valid for both the second-level domain and the "www" subdomain. This can be seen in the column "Domain(s)".
  • Certificates can be revoked here.


Menu "E-Mail"

Here you create mail accounts and mail forwardings.

I have not investigated this area of the Webserver Panel because I don't use these services.


Filesystem

The root of the filesystem that can be seen via SFTP is actually this server path:

/var/webs/www.herzbube.ch


This is what the filesystem looked like when the webserver was fresh:

root (actually /var/webs/www.herzbube.ch)
+-- cgi-bin
|   +-- formtomail
+-- etc
|   +-- stats.users
|   +-- webalizer.conf
+-- jobs
+-- log
+-- public_html
|   +-- index.html
|   +-- robots.txt
+-- stats
+-- userdata
+-- var
    +-- maintenance
    |   +-- index.html
    +-- mysql-backup
    +-- php-session
    +-- tmp

Notable changes since then:

  • I added new folders under /public_html, one for each static website and one for wiki.herzbube.ch.
  • The path /var/mysql-backup is now populated with automatically created backups.
  • Once I created the first cron job, the file /etc/crontab was created automatically.


Certificate handling by SolNet

How the certificate handling by SolNet works is not entirely clear. In some cases certificates are generated automatically, in some cases not. This section attempts to summarize my experiences.

In one of the first emails I received from tech support on 24 February 2025 there was this statement, which is already sufficiently unclear:

SSL/TLS certificates: These are not intended for shared servers, but I am happy to generate a certificate for each subdomain for you. In addition, when you assign a new subdomain to a folder in the Webserver Panel, a cert. is generated automatically.

And these were my experiences during migrating my websites:

  • Whenever tech support wanted to manually generate a certificate, they required me to first change the DNS record for the second-level domain or subdomain for which the certificate was supposed to be generated.
  • In most cases (but not all! see below) where I had the impression that a certificate was auto-generated, it seemed like I had to first change the DNS record; only afterwards was the automated process able to pass some sort of security check.
  • Clear and confirmed is that for subdomains like wiki.herzbube.ch where the DNS record does point to the SolNet server, a certificate is automatically generated.
  • Also clear and confirmed (by tech support after explicitly asking) is that certificates are automatically renewed, regardless of whether they were created manually or automatically.
  • Not clear is whether a certificate is automatically generated when I create a new second-level domain and its "www" subdomain. I seem to remember that they are auto-generated, but when reviewing the confirmation emails I received for moser-naef.ch, francescamoser.ch and grunzwanzling.ch, I see they were sent during normal working hours, so it would theoretically be possible that the certificate generation was manually triggered. What I am 100% sure of is that at the time I received the email for the www.moser-naef.ch/moser-naef.ch certificate, I had changed the DNS record only for www.moser-naef.ch, but not for moser-naef.ch. I can only assume that this is somehow related to the fact that there is only one certificate for both the second-level domain and the "www" subdomain, i.e. these two things are treated as one unit and because the certificate generation process is based on the "www" subdomain it is sufficient to change the "www" DNS record to pass the security check.
  • The process for generating the certificates for www.herzbube.ch and herzbube.ch was done completely by hand by tech support. It worked differently than for the other second-level domains and their "www" subdomains. I can only assume that this was so different because the entire web hosting offer by SolNet is somehow tied to www.herzbube.ch, and consequently herzbube.ch was also affected. A notable difference to the other second-level domains and their "www" subdomains is that there is not a single certificate for both herzbube.ch and www.herzbube.ch, instead they both have their own certificate.


SolNet Environment

Information provided by phpMyAdmin

In phpMyAdmin when you select the server in the title line the following interesting information is displayed:

Database server

  • Server: SolNet Signon (hosting25.mlan.solnet.ch via TCP/IP)
  • Server type: MySQL
  • Server connection: SSL is not being used
  • Server version: 8.4.0 - Source distribution
  • Protocol version: 10
  • User: mediawiki@hosting25.mlan.solnet.ch
  • Server charset: UTF-8 Unicode (utf8mb4)

Web server

  • Apache/2.4.58 (Ubuntu)
  • Database client version: libmysql - mysqlnd 8.1.27
  • PHP extension: mysqli, curl, mbstring, sodium
  • PHP version: 8.1.27


sftp

Using sftp and "ls -la" I see the following permissions

  • Files usually have this owner/group
    • User = herzbubech405 (uid unknown)
    • Group = 50887 (name unknown)
  • Some files/folders have non-standard owner/group
    • User = root
    • Group = 50887
    • The following files:
      • /etc/stats.users
      • /log/httpd-error.log
      • /stats/*


crontab

When I created the first cron job, the file /etc/crontab was created:

  • Owner = 0
  • Group = 50887
  • Permissions = 600

When executing a job manually, the timestamp that can be seen indicates that the server runs on UTC time. This is important for providing the correct crontab specification when scheduling a cron job.


Not supported by SolNet

  • sftp
    • Public key authentication is not supported
      • This can be seen when doing "sftp -v herzbubech405@sftp.solnet.ch"
      • At some point this line is found in the debug output: debug1: Authentications that can continue: password
      • I explicitly asked tech support but the response was that public key auth is not available.
    • The "cp" command is not supported
      • When you try to use the command you get the message "Server does not support copy-data extension".
  • ssh is not supported
  • rsync (via ssh) is not supported


.htaccess directives

This section contains information about what can and cannot be done via .htaccess files.


Directory listing

Directory listing is disabled by default, which is good. For instance,

http://www.herzbube.ch/software/acexpander/0.9/

does not show any of the files in that folder.

Directory listing can be allowed with

Options +Indexes


Add default charset

The following works both inside <FilesMatch> and outside, but not within any other context:

AddDefaultCharset utf-8


Redirects (mod_alias)

The following directives work:

  • RedirectMatch
  • Redirect (not tested, but assumed to work since RedirectMatch works)

Important: When testing, remember that the web browser caches redirects, so it may be necessary to clear the cache in between changes to the .htaccess file to see the actual behaviour from the server.


Rewrites (mod_rewrite)

  • A precondition for rewrites to work in .htaccess is that the server configuration specifies Options FollowSymlinks. This is the case at SolNet.
  • The tricky part is that within an .htaccess file there are some specialties to keep in mind:
    • RewriteEngine on must always be given.
    • The RewriteBase option must be specified if the target is a relative path.
    • And finally the path in which the .htaccess file is located is stripped from the path that the pattern matching is made against, including the terminating slash. So a pattern ^/ will never match.

For details see https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule
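
The prefix stripping described above, shown as an added example that is not taken from the author's actual configuration. It is a constructed .htaccess assumed to sit in the /software/ folder of www.herzbube.ch; the folder names old-docs and docs are hypothetical.

```apache
# Constructed example .htaccess, assumed location:
#   /public_html/www.herzbube.ch/software/.htaccess
# It therefore handles URLs below http://www.herzbube.ch/software/
# The folder names "old-docs" and "docs" are hypothetical.

# Must always be given in the .htaccess file itself.
RewriteEngine on

# Relative substitutions are resolved against this URL path.
RewriteBase /software/

# Request:      /software/old-docs/intro.html
# Tested path:  old-docs/intro.html
# The directory prefix "/software/" (including the terminating slash)
# is stripped before the pattern is applied.

# Never matches in this file, because the tested path has no leading slash:
#   RewriteRule ^/old-docs/(.*)$ docs/$1 [R=302,L]

# Matches. The relative target "docs/$1" becomes /software/docs/$1
# because of RewriteBase. A 302 is used while testing so that the
# browser does not keep a permanent redirect in its cache.
RewriteRule ^old-docs/(.*)$ docs/$1 [R=302,L]
```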


FilesMatch

Confirmed that this directive works:

<FilesMatch>


ForceType

Confirmed that this directive works:

ForceType text/plain

This makes sense only within a <FilesMatch> directive. I use this to enforce the type for certain files so that AddDefaultCharset is applied to them.


SetHandler

Because SolNet uses php-fpm instead of mod-php, the following must be used to disable the execution of PHP:

<Files "*">
  SetHandler !
</Files>

If mod-php were used, this would be used to disable execution of PHP:

<IfModule php_module>
  php_flag engine off
</IfModule>

The following did not work for some reason, instead I had to use ForceType text/plain.

<Files "<some regex>">
  SetHandler text/plain
</Files>
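
An added example, not part of the author's configuration, that combines the directives confirmed in the sections above for a folder that should only serve files and never run them. The extension list is an assumption.

```apache
# Constructed example .htaccess for a folder that only holds files
# offered for download. The extension list below is an assumption.

# Keep the default behaviour explicit: no directory listing.
Options -Indexes

# SolNet runs PHP through php-fpm, so PHP execution is switched off
# with the handler reset shown above, not with "php_flag engine off".
<Files "*">
  SetHandler !
</Files>

# A script that is no longer executed is sent as it is stored, source
# text included, so nothing containing credentials belongs in this folder.
# Script-like files are labelled as plain text so that the browser
# displays them instead of interpreting them. ForceType is used because
# "SetHandler text/plain" did not work at SolNet, and it also makes
# AddDefaultCharset apply to these files.
<FilesMatch "\.(php|phtml|phar|html?|js)$">
  ForceType text/plain
  AddDefaultCharset utf-8
</FilesMatch>
```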


Alias / AliasMatch

These cannot be used in .htaccess files - this has nothing to do with SolNet, it's an Apache thing: https://httpd.apache.org/docs/current/mod/mod_alias.html#alias


Requirements

These are the requirements that a web hosting provider must fulfill:

  • Service independence
    • Must allow web hosting independently of DNS hosting, i.e. I want to do my own DNS hosting somewhere else.
    • Must allow web hosting independently of Mail hosting, i.e. I want to host mail somewhere else.
  • Domains
    • Must host 4 second-level domains plus their "www" subdomains.
    • Must host 3 herzbube.ch subdomains.
    • Bonus points for more second-level domains/subdomains.
  • Certificates
    • Must provide auto-generated certificates for new domains/subdomains, or the ability to request from tech support the generation of certificates for new domains/subdomains.
    • Must provide auto-renewal of certificates.
  • Filesystem access
    • Must provide filesystem access that allows uploading of entire websites, i.e. not just file-by-file.
    • Must provide automated filesystem access for uploading websites and downloading backups.
    • Bonus points for rsync.
    • Bonus points for public key authentication.
  • Disk space
    • Must provide 2 GB disk space.
    • Bonus points for more disk space.
    • At the time of migration to SolNet: 542 MB static content + 372 MB for database + 117 MB uncompressed database backup.
  • Languages
    • Must provide PHP.
    • Bonus points for Python, Ruby, Perl, CGI.
  • Database
    • Must provide 1 MySQL or MariaDB database.
    • Bonus points for more databases.
    • Must provide automated database backup, or capability of scheduling my own database backup script.
    • Must provide automated access to the database backup data so I can download the data and integrate it into my local backup solution.
  • Other services
    • Must provide some form of object caching for Mediawiki (php-apcu, Redis, memcached).
    • Must allow .htaccess, notably mod_rewrite.