5 March 2018, I bought a lifetime-hosting subscription from Arch Hosting.
Terms are 2 GB storage and 500 GB/month bandwidth. No monthly or annual hosting charge, for life. If you want
to buy a domain through them, first year is free, subsequent years cost somewhat above market rate (so they can make a profit).
If you want a free-first-year domain from them, there is a list of about 8 TLDs it can be in.
My TLD, ".me", is not one of them.
I already had a domain registered with GoDaddy, so I selected "I will use my existing domain and update my nameservers".
Ended up with three sets of username/password for Arch: one for the account, one for the control panel, and one for FTP.
Had to wipe out files on my old host before switching domain to point to new host, because only access
I had to old host was via FTP. That means my site will be down for several hours during
the changeover. Maybe I could have done FTP to old site later by using IP address instead of domain name,
but I didn't think of that.
Switched domain's IP and nameserver IPs in GoDaddy to point to Arch's servers,
and suddenly GoDaddy says "we can't show you anything
about DNS because now you're on someone else's DNS". Maybe that wouldn't have happened if I'd changed only the
domain's IP and left the nameserver IPs unchanged (which I think would have worked, but
not been optimal). Now my DNS info is accessed
through Zone Editor in Arch's cPanel. Domain still is registered at GoDaddy.
Took about an hour for the updated DNS info to percolate through the system; GoDaddy had a TTL of 1 hour on it.
In Arch file manager, site files must reside under /public_html folder.
If you want to FTP directly into there,
when creating FTP account, specify home directory "public_html".
Couldn't figure out how to get the SFTP to work, used FTP instead, it worked fine. I'm using a client (WinSCP)
that they don't support, so none of their supplied config files help me. Maybe I need SSH enabled on my site
in order to use SFTP. And maybe I need an encryption key, too. [Eventually asked Support, they said yes need SSH,
no key, they'll enable SSH on my account. Login details a bit different, but now SFTP works.]
About 24 hours later, got email that Arch's "AutoSSL" had generated an SSL certificate for me (from Let's Encrypt)
and installed it, all automatically with no request by me. Went to browser, and both HTTP and HTTPS work.
When I go to HTTP site,
HTTPS Everywhere add-on does not automatically send me to HTTPS site. Turns out HTTPS Everywhere works
off a set of rules, it doesn't automatically switch over for every random site.
Info in browser says the certificate expires in 3 months? Answer from Support:
"The SSL certificate expires in 3 months, but the system automatically renews it before that.
As long as your site points to our hosting, the certificate will always renew before the expiration date."
Site test gets an "A" rating from Qualys SSL Labs' "SSL Server Test".
No problems with
Received an automated "you're close to your disk space limit" email. Looks like the limit
is 1.95 GB, not 2.0, and I've used 1.62 GB. Also a limit of 100K files, and I have about 9K.
Ran moarTLS on HTTP version of my site, and it correctly detects that an HTTPS version is available.
Change to HTTPS version, and moarTLS says all internal links are secure.
Added some Apache "Rewrite" directives to ".htaccess" file, and now any access to my site using HTTP
gets changed to HTTPS automatically.
I wonder if I should delete some superfluous CNAME records in my DNS entry. I haven't enabled any
additional features: email, etc. But my site is accessible through both "www.mydomain.tld" and "mail.mydomain.tld", and
probably other sub-domains too. Wikipedia's "List of DNS record types"
There's no "AAAA" record in my DNS entry, so I think my site is not accessible via IPv6.
By end of 2nd day, I've interacted with Support on about 6 questions, with good results each time. Very satisfied.
And my site is completely up and running, no issues remaining. Of course, my site is pretty simple, no server-side code,
not using their email or Wordpress or database or other features.
Looks like I can upgrade to 10 GB storage and 1 TB/month bandwidth for $20. This would change
my lifetime account from "Startup" to "Business".
After a week, everything still fine.
Traffic to my site has consumed about 4 GB of bandwidth. So I won't
be anywhere near hitting the 500 GB/month limit.
After 2+ weeks, received email invoice saying "Pay $0.00". Followed by another
email saying "Thank you for your payment of $0.00".
A month after that email invoice, received another pair of emails, same thing.
I guess it will happen every month.
11 days later, got ANOTHER email invoice/paid pair.
6/16: Noticed that HSTS is not enabled on my site. Support says add
'Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS'
to the .htaccess file. Did that and it worked.
7/1: No DNSSEC on my domain; I tested it with VeriSign's "DNSSEC Analyzer".
But my domain was registered through GoDaddy; not sure if that matters, I think
Arch's DNS servers are serving it now.
Arch's "Do you support DNSSEC?"
8/29: Found that Arch offers 2FA (software TOTP) on the cPanel login, so I enabled that.
They're hoping to offer 2FA on the main account login in the future.
8/29: Arch doesn't support onion (Tor) access to your web site, and doesn't plan to do so, opposes it.
'Header set X-Frame-Options "deny"'
'Header set X-XSS-Protection "1; mode=block"'
to .htaccess file.
'Header set X-Content-Type-Options "nosniff"',
'Header set Content-Security-Policy "object-src 'self';"',
'Header set Content-Security-Policy "script-src 'unsafe-inline';"',
'Header set Content-Security-Policy "style-src 'self' 'unsafe-inline';"',
'Header set Content-Security-Policy "frame-ancestors 'none';"'
to .htaccess file.
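
Added example (not from the original log or from Arch): Apache's `Header set` replaces any earlier value for the same header name, so with several `Header set Content-Security-Policy` lines only the last one reaches the browser. The Python sketch below replays the directives quoted above in order and reports what survives; it models only the `set` and `add` actions and ignores conditions such as `env=`, and the function names are made up for this illustration.

```python
import shlex

# Constructed sample: the nosniff line and the four CSP lines quoted above.
HTACCESS = """\
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "object-src 'self';"
Header set Content-Security-Policy "script-src 'unsafe-inline';"
Header set Content-Security-Policy "style-src 'self' 'unsafe-inline';"
Header set Content-Security-Policy "frame-ancestors 'none';"
"""

CSP = "content-security-policy"


def effective_headers(text):
    """Replay Header directives top to bottom.

    Returns (sent, discarded): sent maps lower-cased header name to the list
    of values that reach the client; discarded lists the (name, value) pairs
    that a later 'set' replaced.
    """
    sent, discarded = {}, []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 4 or words[0].lower() != "header":
            continue
        action, name, value = words[1].lower(), words[2].lower(), words[3]
        if action == "set":
            # 'set' replaces every earlier value for this header name
            discarded += [(name, old) for old in sent.get(name, [])]
            sent[name] = [value]
        elif action == "add":
            # 'add' emits one more header line with the same name
            sent.setdefault(name, []).append(value)
    return sent, discarded


def combine_csp(text):
    """Join every CSP value in the file into one policy string (one possible fix)."""
    sent, discarded = effective_headers(text)
    values = [v for n, v in discarded if n == CSP] + sent.get(CSP, [])
    return "; ".join(v.strip().rstrip(";").strip() for v in values)


if __name__ == "__main__":
    sent, discarded = effective_headers(HTACCESS)
    print("sent:", sent[CSP])
    print("silently replaced:", [v for _, v in discarded])
    print('Header set Content-Security-Policy "%s"' % combine_csp(HTACCESS))
```

Once the directives are combined, `script-src 'unsafe-inline'` is actually enforced and blocks script files loaded by URL, including same-origin ones, so check the site in a browser after the change.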
'Header set Referrer-Policy "no-referrer-when-downgrade"'
'Header set Feature-Policy "payment 'none'; notifications 'none'; microphone 'none'; camera 'none'"'
'Header set Expect-CT "enforce; max-age=600"'
to .htaccess file.
12/30: Added a /.well-known/security.txt file.