Cloud Availability Platform v3.12
Posted on August 2, 2017
Today we released version 3.12 of our Cloud Availability Platform. Yes, it is true that version 3.11 never made it to production, so don’t worry about the minor version jump. It is intentional. This update includes a few bug fixes, new features and enhancements as well as back-end improvements that we’ve been working on for the last few months. Because Total Uptime is critical to so many organizations, we focused our efforts on improving stability as well as security. We know you’ll like the changes we’ve been working on this summer.
Here is a summary of the most notable changes in this version:
General System/Account Changes
- Alert List Management: We modified the alert list tab so resellers can now create alert lists for their sub-company accounts. Previously a reseller would need to log into the sub-company account to create one.
- Two Factor Security: We enhanced the security of our two factor authentication to limit the number of unsuccessful retries to 5. Even though you can only get to the 2FA confirmation page after successfully entering your email and password, we now lock the account for 5 minutes after 5 failed two factor codes. If you can’t enter it correctly 5 times, something is clearly amiss.
- Change Password: We enhanced security a little bit by now requiring that you re-enter your existing password before changing it. Even though you must already be logged in to reach the change password dialog, this better protects against account takeovers.
- Change Log additions: We continue to add further information to the change log. We now track failed login attempts with the IP as well as two factor authentication attempts. We also better track edit and delete actions for DNS Failover Pool entries in addition to a few other minor adjustments.
- Secondary Email Address: We removed the requirement for a secondary email on user accounts. The initial objective was to ensure a way of reaching a user, but many customers have been entering fake emails to circumvent this requirement anyway, so it is now entirely optional. If we can’t reach you via email for whatever reason, we’ll try to call or text you.
- API Account feature: We added a feature to user accounts that now allows you to specify if the account is for API usage only. When enabled, it allows the account to be used for API access only, not for logging into the UI. It also eliminates the requirement for certain data fields, like a phone number, and bypasses two factor authentication (if enabled for your company). The API user will only have the permissions configured per the attached role, and we continue to advise that administrators create a separate role for the API user to lock down access to required sections only.
- Built-in Monitors in search: We changed the behavior of searching for monitors so that built-in monitors do not show up in the search results any longer.
- API Error Messages: We made a few minor changes to the API to provide better feedback when invalid or improperly formatted posts are made, helping the developer identify the issue.
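The two factor lockout and the change log entries described in the list above can be sketched as follows. This is an added example, not Total Uptime's code: the class, method and event names are hypothetical, and the expected code is assumed to come from whatever second-factor mechanism is in use.

```python
import hmac
import time

MAX_FAILED_CODES = 5       # from the release note: 5 unsuccessful codes
LOCKOUT_SECONDS = 5 * 60   # from the release note: 5-minute lock


class TwoFactorGate:
    """Per-account second-factor retry limiter (hypothetical class)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed codes
        self._locked_until = {}  # account -> clock value when the lock ends
        self.change_log = []     # (time, account, source_ip, event)

    def _log(self, account, source_ip, event):
        self.change_log.append((self._clock(), account, source_ip, event))

    def verify(self, account, source_ip, submitted, expected):
        """Return 'ok', 'invalid' or 'locked' for one submitted code."""
        now = self._clock()
        until = self._locked_until.get(account)
        if until is not None and now < until:
            # While locked, reject without comparing, so even a correct
            # guess made during the lock window gains nothing.
            self._log(account, source_ip, "2fa_rejected_locked")
            return "locked"
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            self._log(account, source_ip, "2fa_success")
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= MAX_FAILED_CODES:
            # Fifth consecutive failure: start the lock, reset the counter.
            self._failures.pop(account, None)
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._log(account, source_ip, "2fa_failed_account_locked")
            return "locked"
        self._failures[account] = count
        self._log(account, source_ip, "2fa_failed")
        return "invalid"
```

Keying the counter on the account rather than the source IP means spreading guesses across many addresses does not reset it, while the logged IP still shows where the attempts came from.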
DNS Changes
- TYPE257 (CAA) Resource Record: We added a new record type called TYPE257 which can be used to create Certificate Authority Authorization (CAA) records. This is in response to the February 2017 CA/Browser Forum vote making it mandatory that Certificate Authorities (CAs) look for this record type as part of the SSL issuance validation. It will be a few more months before we complete the official CAA record implementation across our entire network, but this record will work perfectly to help customers meet the deadline.
- DNS Importer: We deployed numerous enhancements to our DNS Zone import tool to accept additional third party formats (specifically those with very poor formatting, errors or corrupt/invalid data) and support additional record types. With this upgrade, it is now possible to import and export Web Redirect records (a much anticipated request) as well as TYPE257 (CAA) records. We also corrected an issue with importing domains into reseller accounts with custom name servers. Previously these domains would not have the correct nameserver records created. This is now handled the way it should be. Lastly, we now better handle file-based imports that may contain more than one copy of the same zone.
- Domains Page Double Click Bug: We fixed a strange UI bug that would result in the domains tab locking up when a specific double click action was taken. Our UI doesn’t support any double click actions, but if done inadvertently, it certainly shouldn’t lock things up. This has been corrected.
- DNS/Networking Link: For customers subscribing to both Networking solutions and DNS, an easy drop-down menu exists for DNS ‘A’ and ‘AAAA’ records to reference a network config. Previously, when you linked to your config this way, you could not unpublish your config. We’ve now modified this behavior to support this action.
- DNS Failover: We patched a bug that would accidentally re-activate a disabled failover pool entry if it was first in the list (priority 1) and a cloud node double reported an UP status.
- A, AAAA & CNAME: We corrected a regression from our last release that would allow entering the same hostname in a record between CNAME and A or AAAA. This is not permitted per RFC and has been remedied.
- DNS Propagation Grouping: Previously, with every API call made to add, delete or edit records, a change was also queued to the DNS network to push the change to all of the DNS servers. This behavior has now been modified so changes made in rapid succession are now grouped and pushed to the DNS network as a group vs. individual changes. This allows for more efficient propagation across our network and less repetitive work.
- Mismatched TTL for identical record type and host: To better conform to RFC, we now disallow different TTLs for records of the same type and hostname. For example, two ‘www’ ‘A’ records might have different IPs, but must now have the same TTL value. Previously we accepted a different TTL but changed it to the lower of the two on the back-end to conform to RFC. We now require the user to make this decision.
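For the TYPE257 (CAA) item in the list above: a CAA record entered under a generic type number is normally written in the RFC 3597 unknown-record syntax (`\# <length> <hex>`). The following added example, which is not part of the platform, converts CAA fields to that form and back; it assumes the TYPE257 record accepts RFC 3597 generic RDATA, which the release note does not specify, and the function names and `ca.example.net` are constructed for illustration.

```python
import re

_TAG_RE = re.compile(r"[A-Za-z0-9]{1,15}")  # CAA tag: letters/digits, 1-15 octets


def caa_to_type257(flags, tag, value):
    """Encode CAA fields as RFC 3597 generic RDATA text."""
    # CAA RDATA on the wire: flags octet, tag-length octet, tag, value.
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not _TAG_RE.fullmatch(tag):
        raise ValueError("tag must be 1-15 ASCII letters or digits")
    rdata = bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")
    # Generic form: backslash-hash, decimal octet count, hex octets.
    return "\\# %d %s" % (len(rdata), rdata.hex().upper())


def type257_to_caa(text):
    """Decode generic RDATA text back to (flags, tag, value), checking lengths."""
    parts = text.split()
    if len(parts) < 3 or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA")
    rdata = bytes.fromhex("".join(parts[2:]))
    if len(rdata) != int(parts[1]):
        raise ValueError("declared length does not match the hex data")
    if len(rdata) < 2:
        raise ValueError("too short for a CAA record")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("tag length runs past the end of the RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value


def zone_line(owner, ttl, flags, tag, value):
    """Render a zone-file line that uses the generic TYPE257 mnemonic."""
    return "%s %d IN TYPE257 %s" % (owner, ttl, caa_to_type257(flags, tag, value))
```

Decoding an existing TYPE257 value before publishing it is a quick way to confirm that the tag length octet and the declared length agree, since a mismatch yields a record that a CA's CAA check cannot parse.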
Networking Changes
- Load Balancing Method Update: We updated the load balancing methods to remove a couple that are no longer supported and modified others to add more precise control.
- Connection Monitor (beta): We added a new tab (still in beta) to show a snapshot of active connections to your packs/configs. This is not a live list, but we are working toward that goal. Source IP addresses that are continuously active will most likely be visible all the time. Source IP addresses that quickly connect and disconnect may not show up in this version. The table shows the origin country, IP address with detail pop-out as well as one-click shortcuts to block an entire country or even an IP address (if subscribed to the WAF). Not all of our cloud nodes are reporting data to the connection monitor yet, but this will be complete over the next few months.
- Network Quick Start Wizard: We updated the quick-start wizard to improve functionality and fix a couple bugs that affected how monitors were attached to newly created devices. The quick start wizard is generally used by new customers, so it should be as intuitive as possible.
- Firewall ACL Check: We added a check and balance in the Firewall ACL to alert users when they attempt to block IP addresses that they shouldn’t, like one of our proxy IPs. We’re not quite sure why customers have been adding Total Uptime proxy IPs to their ACLs, but now it is prevented.
- Change Propagation: We improved how updates made via the UI and API are pushed out to our global network, which should provide a 10% improvement in deployment time. This is something we are continually working on and hope to have a vast improvement in early 2018 as we completely rewrite the code that pushes changes out to our global network.
- SSL Certificate/Key Validation: We added more validation to the SSL and Key upload system to better detect unsupported file types. We support most keys and certificates, but now the obscure ones that we do not allow will generate an appropriate warning.
- WAF Profile table: We made a minor enhancement to the WAF profile table by adding a column that displays the number of security checks that are enabled for easier reference.
- WAF Profile name: You can now edit the name of a WAF profile after creating it.
- SSL Session Persistence: We enhanced the SSL Session Persistence option to now include an adjustable timeout setting. This timeout determines when we should expire the session database for that user.
- Modify IP Server to FQDN: We patched a bug that would occasionally create an issue with a server that was originally created with a static IP and later changed to an FQDN.
- Duplicate Ports: We further enhanced our detection of duplicate ports to prevent them from being utilized in networking. It is simply not possible to use the same port twice.
- SSL Links: We added a column to the SSL certificate/key pair table to clearly display whether certificates are properly linked (chained) to intermediates or not. While most web browsers have root certificates built-in and trusted, other applications do not have them all (e.g. Android devices). In these situations, properly linking to an Intermediate certificate is essential to avoid SSL errors.
- SSL SNI Status: When adding and removing SSL Certificates with SNI enabled, we now display the status of the SNI flag for the ports in the public port options dialog.
- Failover Group Reordering: We patched a bug where reordering multiple failover groups would occasionally not propagate to the network correctly.
- WAF Profile ordering: We corrected an issue where multiple WAF profiles bound to a config would not reorder properly if certain security checks were configured. This was by design since certain checks must be processed in a specific order, but it was not intuitive to the user. This is now completely transparent.
- FQDN Server in multiple configs: Previously when a server created using an FQDN was used in multiple configs, it would not always save properly. This has been corrected.
- Public/private port mapping table: We made a cosmetic change to the public/private port mapping table. Now the public ports are on the left and private on the right. We debated even making this change, but it just seemed backwards the other way, so we changed it.
- Mixed Port Device Add/Remove: We corrected an issue where adding and removing devices from a server group with mixed mapped ports (e.g. SSL/443 on the public side mapped to SSL/4433 on the server side) would not properly save.
- Monitor binding: When a previously created server is added into a server group, the existing monitor on the server would occasionally get overwritten if new ports were also being added at the same time (to accommodate a server group that had ports the server did not yet have). This has now been corrected so that these automatically added ports use the same monitor as existing ports and as defined on the server.
- Burst Protection feature: We added a new feature within a server called Burst Protection. When editing a server you will see a checkbox where you can control this on a per-port basis. This feature provides additional protection to your servers to mitigate DDoS attacks or other rapid traffic bursts. In a normal situation, a large burst of traffic is immediately sent to the server(s) without delay. But with burst protection enabled, a rapid burst of traffic is now queued and sent to the server with a slight delay, making it easier for the server to handle.
- SIP-UDP Monitor: We patched a bug in the SIP-UDP monitor that did not properly validate the SIP URI when creating or editing the monitor. This monitor is available both to networking and DNS Failover configurations.