Your Personal Web Site








Ways to make your content appear on the web:

Can you have one web site that is accessible through both clearnet and onion (Tor)? See the Tor Server section of my Connection Security page.

The rest of this page mostly focuses on the "HTML-only site" case.



Parts of your HTML-only site presence:

Don't have the same company be your domain registrar and your site host. If the site host disables your account for some reason, you want to be able to point your domain to some other host and get the site back online quickly.

Do not use a free email account provided by your domain registrar or your site host. If they disable your account for some reason, you don't want to lose both email and web site.



Web site hosting choices:




Your site settings:




Your page content:


Periodically check your site:




Moved my web site to Arch Hosting, just to change to SSL:

5 March 2018, I bought a lifetime-hosting subscription from Arch Hosting for $25.

Terms are 2 GB storage and 500 GB/month bandwidth. No monthly or annual hosting charge, for life. If you want to buy a domain through them, first year is free, subsequent years cost somewhat above market rate (so they can make a profit).

If you want a free-first-year domain from them, there is a list of about 8 TLDs it can be in. My TLD, ".me", is not one of them.

I already had a domain registered with GoDaddy, so I selected "I will use my existing domain and update my nameservers".

Ended up with three sets of username/password for Arch: one for the account, one for the control panel, and one for FTP.

Had to wipe out files on my old host before switching domain to point to new host, because only access I had to old host was via FTP. That means my site will be down for several hours during the changeover. Maybe I could have done FTP to old site later by using IP address instead of domain name, but I didn't think of that.

Switched domain's IP and nameserver IPs in GoDaddy to point to Arch's servers, and suddenly GoDaddy says "we can't show you anything about DNS because now you're on someone else's DNS". Maybe that wouldn't have happened if I'd changed only the domain's IP and left the nameserver IPs unchanged (which I think would have worked, but not been optimal). Now my DNS info is accessed through Zone Editor in Arch's cPanel. Domain still is registered at GoDaddy.

Took about an hour for the updated DNS info to percolate through the system; GoDaddy had a TTL of 1 hour on it.

In Arch file manager, site files must reside under /public_html folder. If you want to FTP directly into there, when creating FTP account, specify home directory "public_html".

Couldn't figure out how to get the SFTP to work, used FTP instead, it worked fine. I'm using a client (WinSCP) that they don't support, so none of their supplied config files help me. Maybe I need SSH enabled on my site in order to use SFTP. And maybe I need an encryption key, too. [Eventually asked Support, they said yes need SSH, no key, they'll enable SSH on my account. Login details a bit different, but now SFTP works.]

About 24 hours later, got email that Arch's "AutoSSL" had generated an SSL certificate for me (from Let's Encrypt) and installed it, all automatically with no request by me. Went to browser, and both HTTP and HTTPS work.

When I go to HTTP site, HTTPS Everywhere add-on does not automatically send me to HTTPS site. Turns out HTTPS Everywhere works off a set of rules, it doesn't automatically switch over for every random site.

Info in browser says the certificate expires in 3 months? Answer from Support: "The SSL certificate expires in 3 months, but the system automatically renews it before that. As long as your site points to our hosting, the certificate will always renew before the expiration date."

Site test gets an "A" rating from Qualys SSL Labs' "SSL Server Test".

Received an automated "you're close to your disk space limit" email. Looks like the limit is 1.95 GB, not 2.0, and I've used 1.62 GB. Also a limit of 100K files, and I have about 9K.

Ran moarTLS on HTTP version of my site, and it correctly detects that an HTTPS version is available. Change to HTTPS version, and moarTLS says all internal links are secure.

Added some Apache "Rewrite" directives to ".htaccess" file, and now any access to my site using HTTP gets changed to HTTPS automatically.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.billdietrich.me/$1 [R,L]

I wonder if I should delete some superfluous CNAME records in my DNS entry. I haven't enabled any additional features: email, etc. But my site is accessible through both "www.mydomain.tld" and "mail.mydomain.tld", and probably other sub-domains too.
Wikipedia's "List of DNS record types"

There's no "AAAA" record in my DNS entry, so I think my site is not accessible via IPv6. ipv6 test and chair6 confirm that.

By end of 2nd day, I've interacted with Support on about 6 questions, with good results each time. Very satisfied. And my site is completely up and running, no issues remaining. Of course, my site is pretty simple, no server-side code, not using their email or Wordpress or database or other features.

Looks like I can upgrade to 10 GB storage and 1 TB/month bandwidth for $20. This would change my lifetime account from "Startup" to "Business".

After a week, everything still fine. Traffic to my site has consumed about 4 GB of bandwidth. So I won't be anywhere near hitting the 500 GB/month limit.

After 2+ weeks, received email invoice saying "Pay $0.00". Followed by another email saying "Thank you for your payment of $0.00".

A month after that email invoice, received another pair of emails, same thing. I guess it will happen every month.

11 days later, got ANOTHER email invoice/paid pair.

6/16: Noticed that HSTS is not enabled on my site. Support says add
Header set Strict-Transport-Security "max-age=31536000" includeSubDomains env=HTTPS
to the .htaccess file. Did that and it worked. Later changed to
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

7/1: No DNSSEC on my domain; I tested it with VeriSign's "DNSSEC Analyzer". But my domain was registered through GoDaddy; not sure if that matters, I think Arch's DNS servers are serving it now.
Arch Hosting Wiki's "DNSSEC"

8/29: Found that Arch offers 2FA (software TOTP) on the cPanel login, so I enabled that. They're hoping to offer 2FA on the main account login in the future.

8/29: Arch doesn't support onion (Tor) access to your web site, and doesn't plan to do so, opposes it.

9/20: Added
Header set X-Frame-Options "deny"
Header set X-XSS-Protection "1; mode=block"
to .htaccess file.

10/1: Added
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "object-src 'self';"
Header set Content-Security-Policy "script-src 'unsafe-inline';"
Header set Content-Security-Policy "style-src 'self' 'unsafe-inline';"
Header set Content-Security-Policy "frame-ancestors 'none';"
to .htaccess file.

12/28: Added
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Feature-Policy "payment 'none'; notifications 'none'; microphone 'none'; camera 'none'"
Header set Expect-CT "enforce; max-age=600"
to .htaccess file.

12/30: Added a /.well-known/security.txt file containing:
Contact: mailto:bill_dietrich+websitesec@protonmail.com
# PGP key:
Encryption: https://api.protonmail.ch/pks/lookup?op=get&search=bill_dietrich@protonmail.com

3/4/2019: Realized directives were blocking Google add/search/analysis features, changed .htaccess file to have:
Header set Content-Security-Policy "default-src 'self';"
Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' *.google-analytics.com *.googleapis.com *.googlesyndication.com *.google.com *.googletagmanager.com *.gstatic.com *.addthis.com;"
Header set Content-Security-Policy "style-src 'self' 'unsafe-inline' *.google-analytics.com *.googleapis.com *.googlesyndication.com *.google.com *.googletagmanager.com *.gstatic.com *.addthis.com;"
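
Added example (not part of the original page or the author's .htaccess): Apache's mod_headers `set` action replaces any earlier header of the same name, so a run of `Header set Content-Security-Policy` lines like those in the 10/1 and 3/4/2019 entries sends only the last one. This Python check replays the 10/1 lines (copied into a constructed string), reports which lines never reach the client, and builds one combined header line; the function names are illustrative.

```python
import re

# Constructed input: the header lines from the 10/1 entry, in file order.
HTACCESS = '''\
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "object-src 'self';"
Header set Content-Security-Policy "script-src 'unsafe-inline';"
Header set Content-Security-Policy "style-src 'self' 'unsafe-inline';"
Header set Content-Security-Policy "frame-ancestors 'none';"
'''

# Matches `Header [always] set <name> "<value>"`; other actions are ignored here.
HEADER_SET = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+(\S+)\s+"([^"]*)"', re.I)

def parse_sets(text):
    """Return [(line number, lower-cased header name, value)] for each `Header set`."""
    matches = ((n, HEADER_SET.match(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, m.group(1).lower(), m.group(2)) for n, m in matches if m]

def effective_headers(text):
    """Replay the file the way `set` works: a later line replaces the earlier value."""
    headers = {}
    for _, name, value in parse_sets(text):
        headers[name] = value
    return headers

def overridden(text, name="content-security-policy"):
    """Line numbers of `Header set <name>` lines whose value is never sent."""
    hits = [n for n, h, _ in parse_sets(text) if h == name]
    return hits[:-1]

def merged_csp_line(text):
    """Fold every CSP directive into one policy carried by a single Header line."""
    directives = {}
    for _, name, value in parse_sets(text):
        if name != "content-security-policy":
            continue
        for d in filter(None, (p.strip() for p in value.split(";"))):
            key, _, sources = d.partition(" ")
            # Assumption: a directive repeated on a later line is meant to replace it.
            directives[key.lower()] = sources.strip()
    policy = "; ".join(f"{k} {v}".strip() for k, v in directives.items())
    return f'Header set Content-Security-Policy "{policy}"'

if __name__ == "__main__":
    print("sent:", effective_headers(HTACCESS)["content-security-policy"])
    print("never sent, lines:", overridden(HTACCESS))
    print(merged_csp_line(HTACCESS))
```

Run against the three lines of the 3/4/2019 entry, the same check reports that only the `style-src` policy is sent. The response headers shown in the browser's developer tools confirm which policy the server actually delivers.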

6/1/2019: Realized my site had a DNS MX record, and a default email account in the hosting account. Support says they are harmless and can't be removed.







This page updated: August 2019
