Clover13

FYI I updated the post count to 10 posts in 360 minutes to see how long it takes to go in effect.  So far, it is still showing the 2 posts in 9999 minutes.

Very strange.  It seems to be working now, but I changed nothing since I set things up last night.  I even cleared the cache thinking maybe something cache related was blocking it.  Are there some tasks that need to run to calculate the popular posts that may have taken some time to populate the block?

P.S.  I added a block to the main landing page, which does show now.

7 hours ago, Marc Stridgen said:

Please ensure the user on file has full access, and we can then take a look for you. Seems it doesnt at present

Hi @Marc Stridgen, the user on file has been elevated back to have AdminCP access.

Pretty sure I have it configured correctly, but can't get it to show anything.

Plenty of posts on my site, I've tried it as a sidebar block, as a page block, as a subforum block.  Nothing ever appears.

Current settings, 2 posts in the last 9999 minutes.

Is there something else I'm missing to get it working?

5 hours ago, Randy Calvert said:

Something you could do for now if you have access to a WAF is to block non US countries from accessing domain.com/register.  That would deny them access to the signup form. 

Good idea!  I can add a rule via CF for this, even on the free plan 👍

50 minutes ago, Dll said:

That's not spam prevention though is it? It sounds like the sort of thing you'd use a firewall for. Plus, with VPN's and the fact people travel a lot, do you really want to block someone just for not being in the country you may expect them to be in?

This is for registration only.  And really with the objective of non-US accounts (who are not the primary audience) from registering to spam our site.  We very rarely see a non-US person register to post anything meaningful.  In recent months, we have been attacked a number of times by large numbers of sudden bulk registrations and spam posts, so we're just trying to prevent that.  Our only workaround to this has been to put registrations in admin approval for all, which adversely effects engagement from first time users registering with the purpose of posting/replying to something in that moment and can't because they have to wait.  Subsequently, they sometimes simply don't want to wait and never return to post that valued content.

For those of us running country targeted sites, it would be great to have an option to effectively block all other countries.  For example, my site is US based, and I only want US based geo-located IPs to be able to register.  Right now I believe I have to manually add every other country to achieve this effect.

1 hour ago, Driven 2 Services said:

Based on this, I'm inclined to think that even if you have fast transfer rates for your wireless connection with 4G or 5G speeds, there's probably a lot of latency on the connection.  Sometimes this is from many people sharing the same local tower.

One thing that can help is making sure your web server supports HTTP/2 connections.  One of the goals with HTTP/2 was reducing latency with wireless connections.  Brotli compression will help somewhat as well.  If these settings are not available to you (generally you need a dedicated server or VPS), then if you're not using Cloudflare I highly recommend considering it.

The free tier is more than sufficient for most forums, and includes HTTP/2 as well as Brotli.

Thank you.  Yeah this is a high traffic area of the Northeast US, so large numbers of people sharing the same local tower is very common.

I do use Cloudflare for both of my sites, one is on the Pro plan and the other on the Free.  All of these are enabled for them.

• HTTP/2    
• HTTP/3    
• HTTP/2 to Origin    
• Enhanced HTTP/2 Prioritization  (Pro plan only)
• Brotli    
• 0-RTT Connection Resumption    
• Always use HTTPs    
• TLS 1.3    

1 hour ago, Driven 2 Services said:

There are so many different reasons a mobile version might be slower.

Try this on desktop Chrome:

Menu -> More Tools -> Developer Tools -> Network tab

Change the throttle to Fast 3G.  Put the view into a phone view.  Now load your site.  Is the menuing slow?  Turn off throttling, reload and try the menu again.  Is it fast?

In Fast 3G, the longer running server-sided assets are taking anywhere from 2 seconds to almost 6 seconds:

root_front.js: 2.74 seconds
root_framework.js: 5.32 seconds
root_library.js: 5.33 seconds
/uploads/themes/set_resources_2/6124cbf62e7d0ac97bcb319cb54179a7_fa-solid-900.woff2:  5.85 seconds

With no throttle, they're all under 100ms.

The timings above for the Slow 3G do align with the relative time it takes for the menu to become responsive.  There are a lot of clicks that are taken in that time period that just don't register, I'd imagine because the page hasn't completed loading all of it's assets.  The painting of even the small icons and avatar images is also gradual top down fill-in.

17 minutes ago, Joel R said:

You may want to ping providers like @ASTRAPI or @Driven 2 Services who specialize in hosting.  

Is your mobile site slower than, say, IPS or another Invision site like Cruise critic? 

I occasionally see similar menu lag here on the IPS site but not as bad or frequent as on mine. But IPS isn't running ads or much third party JS.  I'll try to locate some other IPS sites to compare 👍

24 minutes ago, Jim M said:

Keep in mind that anything that you load on your page on a mobile device is going to delay interaction. You have quite a few advertisements which can cause slowness waiting for them to load and/or as they are interactive advertisements going to be heavier too for mobile users' devices

 

Understood.  I did push the primary ads from async to deferred loading.  I also eliminated some ad JS from other networks where maybe the cost (performance degradation to members) to benefit (revenue) wasn't worthwhile.  That definitely knocked down blocking time.  There is something else that is holding up interactions that I'm tracking down, I see it on mobile where the page has not fully loaded and the menus, link clicks, etc don't respond as result OR they respond very laggy (likely due to resource/bandwidth contention).  

I know some of this is the nature of mobile vs desktop related hardware and network, but are there any other areas I can look to tune for getting more responsiveness out of the hamburger menu, notifications, and reactions popups?  Seems like on mobile, these are really slow to popup when clicked.  I can't tell if it's a server resource issue, a config issue, or simply a device/network issue.

Any suggestions on where to look would be great!

@Marc Stridgen any other ideas on how to clean things up?  Since I see no failure/errors, I can't easily tell what is being referenced unless I remove things from S3 and see if anything breaks (as issues arise and get reported).  Anything I can run (SQL, command line, etc) to identify and update any references?

1 hour ago, Marc Stridgen said:

Im not sure what you mean by duplicates there. Files themselves would not be duplicated

I do see many of the same files in both locations (S3 and local).  S3 also has a .gz version of the file that is not on local.

Example from S3

And local:

Overall it seems like there are quite a few duplicates because the deletions did not succeed (despite the log messages indicating it).  It's hard to tell what is active without querying all the IPS tables to try and find defined links.

What's the best way to determine what is used versus unused to verify proper link references (local vs S3) when it comes to "Theme Resources" in File Storage?

On 8/29/2023 at 4:25 AM, Marc Stridgen said:

Your server error logs maybe

Nothing in the server logs.

I set up another S3 File Storage configuration to point to a bucket path of "themes".  Then I moved to the themes/JS/CSS to that new (empty) S3 config.  Then I moved them back from S3 to local again.

The move to S3 broke my theme and the page wouldn't render properly (missing artifacts), but bringing it back to local restored it.

There are no errors in the Logs for Amazon for that configuration, only Log type messages.

Not sure where to go from here, at this point I want my files back on local and off Amazon but not sure if I can simply copy them back.  The fact that the files moved to a new S3 config and broke the theme makes me believe some parts of the DB update still point to local despite the files being moved to S3 (CDN URL path).  Then when I move back to local, they seem to be referenced correctly.

1 hour ago, Nathan Explosion said:

Well, I mistakingly made the assumption that hadn't worked for you...

Sorry my fault, I had no idea that X would do anything more than simply close out the window in the active browser window/tab.  Hard to tell there that the X is a "clear" and not just a "close" popup.

Turns out this was even easier 🤦‍♂️

Just click the X to the right of the popup at the bottom right of the screen that has the number of Quoted Posts selected.  That clears them all out.  Note you can multi Quote posts across topics and that list gets carried around.  Seems a bit odd, as you can selected quoted posts from one topic and use them in another topic where they wouldn't have any context.  Not sure if that's by design or not.

@Marc Stridgen sorry for the delay in getting back to this.  I was able to test it again and when I moved from local to S3, there were files remaining in local storage.   When I moved from S3 back to local again, files still remained on S3.  I see no indication of errors in the System Logs or Error Logs.  Is there anywhere else there might be logging to review?

7 hours ago, Nathan Explosion said:

If not a mobile, then clear the following from "Local Storage" (screenshot from Firefox, developer tools accessible via Ctrl + Shift + I)

Is there a non-technical "easy" mode for doing this?  I have to explain to a non-technical member, once I get into Dev Tools, they're going to be lost in the sauce.

A member must have been accidentally multi quoting posts and hit the limit.  Now they don't know where the quoted anything.   Is it possible to clear their multi quote selection?  Seems to span multiple topics. 

13 hours ago, DawPi said:

Why everyone speaking about exploits form 3rd party developers still? When someone did something like this? This is a definite exaggeration and I ask you to stop such claims.

To be clear, as I was one who brought up the security concerns in this topic, I absolutely was not referring to any known instances or developer here, but merely the potential for it to occur and increasingly so when IPS becomes 100% hands off with third party applications.  Apologies if it came across that way.  I've seen enough security exploits in my own career (not anything IPS or IPS third party related) to warrant the concern.  Again not a reflection of any developer here or the quality of their code, I'm simply proactively thinking about the possibility and considerations regarding preventative measures.  If anyone feels such a security concern is  completely unnecessary or overkill, I would appreciate your particular insight as to why.  I certainly don't know the underpinnings of IPS code, so perhaps there is a reason a client doesn't need to have an elevated concern over it.

I'd still like to know what IPS corporate customers do, if it's anything like the corporations I've worked with (unrelated to my IPS projects), there is full fledged InfoSec and AppSec scanning of all application code before any deployment with Production (real user/member) data.  Generally for a hobby site, I'm not very concerned with data loss (with regular backups available to restore as needed), but I am concerned about data breaches involving PII.

42 minutes ago, LiquidFractal said:

In the end, though, I don't think anything can eliminate the question of vetting - whether Invision did it or a 3rd-party dev does it.  Whether there's a Marketplace or not, it comes down to reputation and trust.

There are automated tools that can be run against code bases to scan for vulnerable code and libraries.  Reputation and trust alone are not enough when it comes to software.  Developers with the best intentions can still unknowingly use something they are unaware of has an exploit (in deep dependencies, it can be something they aren't even using directly, but is included in their code base).  It's simply good practice to run scans (code, infrastructure, app testing, etc) regularly to ensure security.  Doesn't mean there's no risk, but it does greatly reduce it.

10 minutes ago, CodePixel said:

if IPS Staff didn't check if apps/plugins are safe for end user, can you even imagine how many more problems would they have from community owners that used said app/plugin and got hurt by it, even more chargebacks, even more tickets/emails, even more problems.

Would you want that for your company?

Chargebacks and tickets are the least of their concern.  Legal issues jump right to the front of the line.  Again, this could be an added reason for them to effectively exit all responsibility by closing their Marketplace.  They reduce their own cost of maintaining it and eliminate their own risk (as noted in their own notes in the Provider directory).

32 minutes ago, LiquidFractal said:

I'm not sure what you mean here.  As far as I know IPS never "validated" the "safety" of any third-party app; they only checked to make sure that devs weren't using existing code contra IPS rules.  The "safety" of 3rd-party apps has never been Invision's responsibility (and for good reason!).

I think that's quite a bad gap to have.  With PII on the line, it's important to check for any potential vulnerabilities that could put it at risk.  IPS clearly has a security and PII focus in their own code (right?), meanwhile you're saying they blindly host apps/plugins in their own Marketplace with the only requirement being not exhibiting any IP theft, while at the same time facilitating the sale of unchecked code?  Why is that a good thing to not be their responsibility?

Clearly, IPS is moving entirely away from any level of responsibility (IMO a case could be made they do indeed have responsibility in their current Marketplace).

Now, how much of an issue this WILL be is debatable.  How much of an issue it CAN be is not.  Third party code is a risk and always will be.  We can rely on trusted developers, which is great for those who exist already and have built up such trust.  It's quite bad for new developers trying to enter the game and raise the level of competition and quality in applications.  We are still taking risks using unchecked third party code.  I am trusting the IPS Marketplace, reviews, etc on my own sites currently, but it certainly doesn't make me feel warm and fuzzy inside knowing it hasn't been vetted at a code/exploit/security level.  It's more of a "I kinda need this functionality and sure hope nothing bad happens" and that honestly isn't a good mode of operation. 

I'd be curious to know what IPS has observed with their corporate clients.  Yes they are built in house or by private consultants, but that doesn't mean it's immune from human error, outdated libraries, exploits, etc.  Are they doing any level of suite wide testing to guarantee their own security?