All Activity

Hello Admin, I am currently hosting project (https://tanzilskill.helioho.st/) on johnny.heliohost.org. To extend its functionality, I need to run a Node.js and npm. Could you please enable Node.js (preferably the latest LTS version, e.g. 18 or 20) and npm for my account, or guide me on how to access a Node.js runtime on the server? Having these tools available will allow me to install dependencies and build the service properly. Thank you for your support. Best regards, Zacharia

Glad to see you got it working. Please let us know if you need anything else.

Yeah /tmp is shared by everyone. It's just how Plesk servers work (I know some other products put a user's /tmp inside the home folder which IMO would make more sense, but it is what it is). You shouldn't be able to save things anywhere besides /tmp and ~ though, and there are certain commands, files, and folders that can trigger a permanent ban if their account is seen messing with them. In fact, people tend to fill up /tmp accidentally quite a bit with broken Node apps (passenger logs get saved there, and when people do things like write bad apps, or delete their node app without turning node off, passenger sits there slowly filling /tmp with logs until the server breaks). You'll get suspended for filling /tmp, and monitoring to automatically handle /tmp filling up is a project currently on our radar since its a common issue. We had an outage on Morty due to a full /tmp the other day. As for the space limit not changing in Plesk, consumed disk space is only recalculated a few times a day, so you can technically exceed the limit up front, but it will automatically suspend you when the next recalc happens.

I have genuine security problems... for bypassing the storage limit, the problem itself is that Plesk does not „see” anything outside the home directory. Thus, I was able to create a rather huge file in /tmp (by running a Bash-based CGI script), which is continuously accessible between two restarts, and Plesk has still shown that my account has the same amount of disk space remaining. Methinks it is an issue. And there are a few other problems as well...

Users that bypass the storage limit face a Plesk suspension. That said, if you have genuine security problems to bring up, a root administrator might reach out directly.

Good day! I have detected a few – closely linked – security issues on the Johnny server. First question: where could I contact the developers privately? Of course, it is possible that only I am concerned about insignificant problems, but, for example, being able to bypass the storage limit does not seem to be good. Thank you!

Got it, thank you! I've removed that block and added the empty indexes.html and also removed the options calls on the other files which I see got rid of the error and disabled directory listing. All solved

MoneyBroz tried to do a backup for you last night, and was having trouble with it so I told him to give up and I'd take a look at it today. I took a look at it myself just now, and I'm unable to access the filesystem either. It looks like it locked up too many times, and was forcibly rebooted too many times and it destroyed the filesystem. I went ahead and started the rebuild for you. You'll get an email in a few minutes when it's done.

Just let us know when you're ready to increase your Morty balance and we can provide a link to set up the payment. For something like a Morty balance increase it's not that big of a deal if the money takes a couple weeks to arrive. We will send you an email when you have about a month's worth of balance left.

Domains added. it can take up to 2 hours for them to start working.

The .well-known folder is a weird folder, I've run into a few different things that behave strangely in there. You'll need to remove the below section (or at least add a second condition that allows access to the acme-challenge folder and anything inside) if you want Lets Encrypt SSL certificates to work properly. # Block directory browsing in .well-known paths RewriteCond %{REQUEST_URI} ^/\.well-known(/openpgpkey(/hu)?)?/?$ RewriteRule ^ - [F,L] Plesk creates things in /.well-known/acme-challenge to verify the domain, so you cannot restrict access to that folder. Some other services you might want to use also need access to .well-known too, so we generally recommend not restricting .well-known at all. Also, be aware the Options line in .htaccess doesn't behave very well on Plesk, so that line may or may not do what you expect. Usually if they're not supported, they're either ignored entirely (why you had directory listings despite Options -Indexes being in there), or will cause a 500 error (which will have a line in the logs saying "Options directive not allowed here").

Hi, I would like to add the following domains to my account (apa240): hcwgandsmores.com lrtaylorstudio.com gathering.band pixelatedthoughts.com Thank you!

Perfect! I will do that next time then, don't mind the wait time ^^ how can I get the Stripe details to submit that for next time? (In about ~6 months probably haha).

Thank you, I will do that! Anything else I should fix on those .htaccess files?

Your previous balance was $1.4062 plus $6.00 ($1.00 bonus) means you have $7.4062 now. Thanks. Yes, if you have a routing number and an account number you could send us the money via Stripe with much less fees than a credit card. PayPal does not allow payments like this. The only downside to this e-check method of payment is it can take up to 2 weeks to verify the payment went through.

The supported way to turn off directory listings on our service is to put an empty index.html file in the folder to hide the listing.

Krydos will be able to answer that with more certainty, but to my recollection, the fees between PayPal and Stripe were comparable, so we largely offer Stripe as a more flexible option for those who can't use PayPal for one reason or another.

Hi there, I made a Paypal donation of $5, 65661466R5271464S can the $6 be added to my Morty credit account please? Also I saw that yall have stripe, in the future, is the $5 worth doing over stripe instead of paypal due to lower transaction costs for yall? I can do the ACH transfer/withdrawl e-check option (I think... I'm not in the US but got a US bank acct with ACH).

Hi there! I am setting up somee WKD on my domain. I've got the following file structure /httpdocs/.well-known/openpgpkey/hu/ There are two keys inside /hu with their respective hashes as names, that's all okay. But, the validators I've tried are complaining about: So I've tried setting up a few htaccess, but haven't been able to get rid of that one. The email is turin@ my site. https://turinglen.site/ Here's the .htaccess files: root # BEGIN LSCACHE # END LSCACHE # BEGIN NON_LSCACHE # END NON_LSCACHE <IfModule mod_rewrite.c> RewriteEngine On # Block directory browsing in .well-known paths RewriteCond %{REQUEST_URI} ^/\.well-known(/openpgpkey(/hu)?)?/?$ RewriteRule ^ - [F,L] # Allow .well-known files to bypass WordPress RewriteRule ^\.well-known/.+ - [L] </IfModule> # BEGIN WordPress # The directives (lines) between "BEGIN WordPress" and "END WordPress" are # dynamically generated, and should only be modified via WordPress filters. # Any changes to the directives between these markers will be overwritten. <IfModule mod_rewrite.c> RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress /.well-known has no .htaccess /.well-known/openpgpgkey has this: Options -Indexes # Deny all files by default <FilesMatch ".*"> Require all denied </FilesMatch> # Only allow the policy file <Files "policy"> Require all granted <IfModule mod_headers.c> Header set Access-Control-Allow-Origin "*" </IfModule> </Files> and finally /.well-known/openpgpkey/hu has this: Options -Indexes -MultiViews DirectorySlash Off # Deny all by default Require all denied # Only allow 32-character hash files <FilesMatch "^[a-z0-9]{32}$"> Require all granted <IfModule mod_headers.c> Header always set Access-Control-Allow-Origin "*" Header always set Content-Type "application/octet-stream" </IfModule> </FilesMatch> The two validators I tested that are throwing the error are: https://www.webkeydirectory.com/ and https://wkd.dp42.dev/. GPG succesfully locates the key on request (testing locally). I'm not sure what's up anymore with that error and what else I can do here (if anything). Appreciate any help with the .htaccess, I'm not fully sure what I'm doing there

What domain would you like to add?

I believe all my website, database, aaPanel, and Docker (MongoDB) data are located under /www. Please back up the entire /www directory Thank you very much for your assistance

Please dear admin could you add a new domain to my account ? My username is Emmanuelfosso205.

Account has been reset, and a new invite has been sent to your email address. You can also download a backup of your account before the reset at https://heliohost.org/backup

Sure, that would be great, thank you. Maybe that is something that could be adjusted at some point, where when you delete your account, it actually deletes the username, so if you decide to come back in the future, you can enter your email and password on the login page and then receive an invite to create your account on the same server. I mean, what if you delete your account and come back at a later time and want a brand new account with a different domain and all that, I do like how you can log back in and recreate it so you don't have to donate for tommy again, but I think if you're going to do that, it should let you recreate it from scratch, and not just recreate the old account, in case you want a whole new domain, username, and even password, so you don't have to reset the account, just a thought.

Since your account was hacked our policy is to require an account reset. Are there any files or databases that you need backed up? A root admin will need to check each file by hand to make sure it doesn't contain any credit card numbers, passwords, social security numbers, etc. so we're not going to check 20k files. If you need just a couple files they can be backed up though.