Update Server Blocked, need IP Range to Whitelist

Posted: May 19, 2014 at 1:27 pm


Earth Matter

May 19, 2014 at 1:27 pm

We can’t automatically update Event Espresso as we get this error:

An error occurred while updating Event Espresso: Download failed. couldn’t connect to host

This indicates to us that your update server is likely in an abusive range blocked by us. We have been able to determine that you redirect to something like new-ee-updates.s3.amazonaws.com…, but we are not able to get a DNS fix on any IP address, so we can whitelist you. Since we do have numerous IP entries for the vast amazonaws.com cloud, we will need your IP range for your update servers to resolve this issue.

Thank you for your attention to this matter.


Darren Ethier

May 19, 2014 at 1:53 pm

Hi Kim,

We’ll have someone communicate with you about our IP range. In the meantime, it is possible that your server is set up to not allow redirects on requests. The way our update system works is it actually contacts our server to authorize the download attempt and then redirects to the download hosted on Amazon. If your server limits redirects of this fashion then that could be a cause.


Earth Matter

May 19, 2014 at 3:25 pm

Hi Darren,
We just tested this and we can confirm it is firewall related. But the block is at such a high level that we don’t have a log entry for it. Since we had two plugins that needed updating, we disabled the firewall and tried updating one; it worked right away. Then we turned the firewall back on and the second plugin will not update as before. This rules out any server settings or possible redirection issues with non-firewall assets such as .htaccess or httpd.conf directives.


Josh

  • Support Staff

May 20, 2014 at 12:29 pm

Hi Kim,

Here is some information:

Event Espresso.com IP address:

204.13.110.232

The part about Amazon may be a bit tricky. Please see these threads:

https://forums.zmanda.com/showthread.php?3976-Which-IP-Adress-Ports-is-needed-to-connect-to-S3&s=30bb5c7a7e5f064deca3ee73dc39ed64&p=13538#post13538

https://forums.zmanda.com/showthread.php?2054-Zmanda-S3-IP-addresses

esp. where it says:

Amazon S3 does not use a fixed IP address, or even a small group of IP addresses, making setting up routes difficult. This is part of Amazon S3’s design; it helps provide high availability and spread out the load.

It may help to open outbound connections to http://s3.amazonaws.com on port numbers 80 and 443

and/or possibly use these ranges:

https://forums.aws.amazon.com/ann.jspa?annID=1701


Earth Matter

May 20, 2014 at 4:27 pm

Too bad to use a dynamic range to deliver your product. Maybe you can afford to get hosting with fixed IP addresses someday soon. Since there are so many cloud providers that do offer fixed IPs for about $2. It is strange that since we have rather narrow blocks in those ranges, that the requests would consistently fail. Seems like it would only fail sometimes.

Most firewalls do not accept domain names as arguments against IP blocks, so opening outbound connections to s3.amazonaws.com isn’t really an option.

We would have to significantly alter the way our firewalls are set up to allow for reliable outbound communications to such a wide range. Additionally, it would take several automated tasks and convert them to manual ones or require costly customization. Otherwise, we would be in effect opening up a very large haystack (albeit outbound) so that your needle can be found. This is not how security generally works, or at least well.

We will take it under advisement. 🙁
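The automation concern raised in this thread, worked as an added example that is not from any poster or from Event Espresso: AWS publishes its address ranges as JSON at https://ip-ranges.amazonaws.com/ip-ranges.json, and the script below filters a feed in that layout to S3 prefixes for chosen regions and emits an atomic ipset refresh for an outbound allowlist. The feed sample is constructed from documentation-range addresses, and the set name `s3-egress` and the function names are assumptions.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json
# (documentation-range addresses, not real AWS prefixes).
SAMPLE_FEED = json.dumps({
    "createDate": "1970-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "S3"},
    ],
})


def s3_networks(feed_text, regions):
    """Return collapsed S3-only networks for the chosen regions."""
    feed = json.loads(feed_text)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in feed["prefixes"]
        if p["service"] == "S3" and p["region"] in regions
    ]
    # Merge adjacent or overlapping prefixes so the rule set stays small.
    return list(ipaddress.collapse_addresses(nets))


def ipset_commands(networks, set_name="s3-egress"):
    """Build an atomic ipset refresh: fill a temp set, then swap it in."""
    tmp = set_name + "-new"
    cmds = [f"ipset create {set_name} hash:net -exist",
            f"ipset create {tmp} hash:net -exist",
            f"ipset flush {tmp}"]
    cmds += [f"ipset add {tmp} {net}" for net in networks]
    cmds += [f"ipset swap {tmp} {set_name}", f"ipset destroy {tmp}"]
    return cmds


def is_allowed(ip, networks):
    """Check a destination address against the generated allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = s3_networks(SAMPLE_FEED, {"us-east-1"})
    print("\n".join(ipset_commands(nets)))
```

Filtering on the `S3` service tag and a region keeps the allowlist far narrower than the whole `AMAZON` superset, and the swap step means the live set is never empty while it is being refreshed.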


Darren Ethier

May 20, 2014 at 5:26 pm

I’m sorry you are experiencing issues with your firewall setup and the inability to obtain EE updates when it’s active. I want to explain a few things about our setup so you understand why it’s set up that way.

1. Our main site is hosted on Firehost which is known for its very secure webhosting packages (which are not cheap by the way). As Josh gave you in his response, we do have a dedicated IP address for our main site.
2. We serve all our plugins through what is known as a Content Delivery Network (in this case Amazon). This is not an uncommon method for delivering software updates for a number of reasons, among which are: high availability; redundancy; updates are served from the closest server on the CDN; and security.

If you are unable to perform automatic updates due to your server firewall restrictions, there are other alternatives you can use:

1. Manually update the plugin by ftp or scp.
2. Request access to our GitHub repo and you can set up your server to pull from the repo (GitHub has an IP address you can add to your firewall exclusion rules).

For what it’s worth, as I stated above we recently moved all our web properties to Firehost which has very restrictive firewall rules and is known for their security. We test auto updates on various sites on those servers and we have not experienced the issues you have experienced. It is entirely possible that your firewall is not set up correctly.
