State of the blog 2020

by Randy Gingeleski


Recently I overhauled the underlying technology of this blog, which may be of interest to fellow engineers.


For the longest time, this site was just a $10/month Digital Ocean droplet running Ghost (version 2.x).

That’s it. You were hitting the live server all the time with minimal-to-no caching.

Back in the day, what is now this site started as a live WordPress install on shared Dreamhost hosting. Note the lack of a link to Dreamhost, because they’re not a service I would recommend now, unlike DO, which is great for many things.

The whole single-live-server-with-no-cache setup was not a very 1337 pattern, and shame on me for propagating it over here in ~2018.

Though at least with its own VPS that time.

Anyway, here we were running Ghost version 2.1.2. Some breaking changes kept me from bumping to Ghost version 3, which has been the latest major version for a while now. I’d long wanted to turn the site into static-only, so I held off on *that* update for the same stretch of time.

Summing things up, as of ~60 days ago you were hitting something like this —

Diagram: original technology behind this blog, circa early 2018.

Now you are hitting something like this —

Diagram: current technology behind this blog, implemented late June 2020.

Moving the blog has had me pause on writing for the last couple months. You’ll see there was an April 26 to June 30 gap after starting out 2020 producing a lot.

It’s easier to write a post than actually find solid time to move servers around and what-not. However, now that’s done.

This was an incremental migration: a static copy of the site was pushed to a content delivery network (CDN) first, then the pipeline for making regular updates was laid down after.

Photo credit - Vercel

Hence, right now you’re hitting a CDN. The blog content is based in a GitHub repo, with editing occurring against a live Ghost server I can get to through a virtual private network (VPN) only.

Copies of that Ghost server get made automatically whenever any live site content changes, then the latest copy goes into GitHub, from where it’s promoted live to the CDN.

Why go to static content? Well, it was on the table because there weren’t (aren’t) any dynamic blog features I even use, like comments or search.

The latter might be added via client-side JavaScript someday.

Comments remain something I avoid but could add by standing up a comment service that the client would interact with. Disqus is something I used before, though not something I loved.

We’ll see. Anyway, what’s so great about static content again?

  • Website speed
  • Security

Let’s talk speed first.

I hoped going static would make this site a lot faster. The Fast or Slow tool helped me profile this.

Screenshot: first speed report after initially pushing content to the CDN.

That first report post-change was 100s across the board. You can type my domain into Fast or Slow to see – high 90s to 100 are great. Before we were in the 70s.

Screenshot: speed test results from early June 2020, pre-change.

It’s worth noting too that the site should be more accommodating of huge traffic spikes now. Hypothetically, a million simultaneous readers wouldn’t (won’t?) hit the same VPS in New York City.

Then we have security upside from static content. This is important because I make my living as an application security “expert.”

In short, if my own website gets hacked, then that looks pretty bad.

I could have stuck a web application firewall in front of Ghost, like Cloudflare or Akamai, to help mitigate the risk of some crazy exploit coming out.

And/or restricted access to the admin area to just me via VPN. Beyond RCE threats, someone could’ve tried bruteforcing the login there or whatever.

These were all credible risks given my version of Ghost was old. Also, it’s easy to “fingerprint” an instance of Ghost and its exact version anyway, by requesting /sitemap.xml and inspecting the “generator” string.
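The pipeline described earlier (a VPN-only Ghost origin snapshotted to a static copy, committed to GitHub, served from the CDN) has a step worth showing: before the snapshot is committed, it should be scrubbed so the published copy neither points back at the private origin nor carries the generator string that makes version fingerprinting trivial. The following is an added example, not the author’s own pipeline code; the hostnames, page contents and the `ghost.internal.example` / `blog.example.com` origins are constructed for illustration.

```python
"""Post-process a static snapshot of a VPN-only Ghost origin before committing it."""
import re
import sys
from urllib.parse import urlsplit

# Origins below are constructed for this example; substitute your own.
PRIVATE_ORIGIN = "http://ghost.internal.example:2368"  # Ghost server reachable over VPN only
PUBLIC_ORIGIN = "https://blog.example.com"             # what the CDN serves

# Constructed sample of one exported page, as a mirroring tool might save it.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="generator" content="Ghost 2.1">
<link rel="canonical" href="http://ghost.internal.example:2368/state-of-the-blog/">
</head><body>
<a href="http://ghost.internal.example:2368/about/">About</a>
<img src="http://ghost.internal.example:2368/content/images/diagram.png">
</body></html>
"""

# Constructed page with a protocol-relative URL inside a script: a plain
# origin replace misses it, so the leak check must catch it.
LEAKY_PAGE = (
    "<html><head><meta name='generator' content='Ghost 2.1.2'></head>\n"
    "<body><script>var api = \"//ghost.internal.example:2368/ghost/api/\";"
    "</script></body></html>\n"
)

# Matches a <meta name="generator" ...> tag plus the line break that follows it.
GENERATOR_TAG = re.compile(
    r'<meta\s+name=["\']generator["\'][^>]*>[ \t]*\r?\n?', re.IGNORECASE)
# Captures the content attribute of that tag (the CMS name and version).
GENERATOR_VALUE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\']',
    re.IGNORECASE)


def find_generator(html: str):
    """Return the advertised generator string (e.g. 'Ghost 2.1'), or None."""
    match = GENERATOR_VALUE.search(html)
    return match.group(1) if match else None


def strip_generator(html: str) -> str:
    """Remove the generator meta tag so the published copy does not advertise its CMS version."""
    return GENERATOR_TAG.sub("", html)


def rewrite_origin(html: str, private_origin: str, public_origin: str) -> str:
    """Point absolute links at the public origin instead of the private Ghost server."""
    return html.replace(private_origin, public_origin)


def find_leaks(html: str, private_origin: str) -> list:
    """Return 1-based line numbers that still mention the private hostname in any form."""
    host = urlsplit(private_origin).hostname
    return [n for n, line in enumerate(html.splitlines(), 1) if host in line]


def prepare_for_publish(html: str, private_origin: str, public_origin: str):
    """Rewrite and scrub one page; return (cleaned_html, remaining_leak_lines).

    A non-empty leak list means the snapshot must not be committed as-is.
    """
    cleaned = strip_generator(rewrite_origin(html, private_origin, public_origin))
    return cleaned, find_leaks(cleaned, private_origin)


def main() -> int:
    status = 0
    for name, page in (("sample", SAMPLE_PAGE), ("leaky", LEAKY_PAGE)):
        cleaned, leaks = prepare_for_publish(page, PRIVATE_ORIGIN, PUBLIC_ORIGIN)
        print(f"{name}: generator before={find_generator(page)!r} "
              f"after={find_generator(cleaned)!r} leaks={leaks}")
        if leaks:
            status = 1  # fail the build rather than publish a private hostname
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Run against a whole snapshot directory, a non-zero exit from this kind of check is what stops the commit-and-deploy step; the protocol-relative URL in the second sample is exactly the sort of reference a simple origin replace leaves behind.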

Now my static site is virtually “unhackable” because there’s nothing dynamic about it. Even if jQuery becomes out-of-date and vulnerable, no input is being taken and reflected out.

At a stretch, the email subscribe fields or an eventual comment area might be susceptible, but that’s about it.

Sample of the threat actors targeting me on the regular.

And speaking of email subscriptions, I am sorry but the old email subscription area never really worked. What’s more, it got carpet-bombed with spam, making it near-impossible to identify legit sign-ups who wanted notifications or letters from me.

This is something I just didn’t look at until it was too late to sort out.

Presently Mailchimp is in use to collect emails instead of the Ghost built-in like before. I turned off as much privacy-infringing stuff there as possible. For example, open rates aren’t being tracked.

There are no automatic messages for new posts yet, and I haven’t sent anything out to the couple of Mailchimp subscribers either. Feel free to drop your email to me for that eventual contact though.

Further speaking on privacy, my website no longer uses Google Analytics. I still have some love for Google and am invested in their products. However, they shouldn’t be forced on you to stalk you around the Internet.

Honestly I hadn’t checked my Google Analytics in a super long time anyway. Let’s assume my MUD/WTR review post and recipe post are still the most popular.

But — you may have noticed — I just really write what I want here. My only commitment is saving you from most cybersecurity shop talk or any politics on this site.

My totally-separate-very-neglected blog War + Code gets security content.

In the future I may consider a more ethical page view counter like Fathom Lite, which is open source and does not use any intrusive cookies.

Screenshot: Fathom Analytics, a more ethical way I’d consider doing view tracking.

One last thing to note is my actual CDN now is Vercel. In case that’s interesting to you. Vercel seemed like a new, exciting thing with affordable pricing. I do have their “Pro” offering for more business stuff.

They integrate very easily with GitHub. Just as seamless as GitHub Pages post-setup, but you don’t have to feel guilty about abusing that or that GitHub may suddenly purge your stuff.

The chances of that occurring may be low, though they are non-zero. Higher than Vercel I would say.

Hope this post might help some fellow tech or blog people. Always think for yourself, though.

Thanks for reading. ✌️🕊️