Author - Suma G

DDoS Protection

DDoS protection at the server, not just at the edge

Most Magento sites end up behind Cloudflare. It's the path of least resistance — set up the DNS, enable proxying, switch on the WAF, done. For a lot of sites it's enough. But edge protection comes with its own costs: a network hop on every request, rules and decisions you can't see in detail without the Business plan, and a control surface that's the same for everyone on it. The moment something gets serious — a coordinated scrape, a targeted attack, a competitor's bot army — the gaps in that setup start to matter.

luroConnect now ships DDoS protection directly at the host layer, with a control surface exposed through our UI. It's a managed service — luroConnect operates the rules; the UI is something the merchant or agency can use too.

What the rules engine can do?

The protection layer sits in front of Magento and decides, per request, whether to allow, challenge, or block. Decisions can be based on any combination of:

  • Country / geographic region.
  • ASN — the network the request is coming from, useful for blocking cloud providers being used as bot infrastructure.
  • IP address or range.
  • User agent.
  • Bot signatures — known crawlers, scrapers, headless browsers.

These dimensions compose. You can say “block all traffic from these ASNs except requests from our monitoring partner's user agent” and it does the right thing.

Whitelist over blocklist. Whitelist rules win. If you whitelist a specific user agent — say, a partner's integration — and the country it's coming from is on the block list, the request still goes through. This matters more than it sounds. The default in most WAFs is the opposite, and the number of times that's caused a legitimate integration to silently break is not small.

Challenge instead of block. Instead of a hard 403, you can challenge suspect traffic. The challenge is a lightweight JavaScript-based human check — pass it, and the request continues; fail it, and you're out. This is friendlier than blocking for grey-zone traffic (suspicious but possibly legitimate) because real users get through with no visible friction while headless bots don't.

Live logs and the analyzer

The decision layer is built into nginx — specifically, an nginx build with ModSecurity for advanced WAF rules and njs for the request-time logic that drives the allow/challenge/block decision. ModSecurity gets its own post; this one is about the rules engine and what sits on top of it.

Every decision the engine makes is written to an nginx access log in a custom format that captures the things you'd actually want to look at later — the matched rule, the dimensions that triggered it, the action taken, the request signature — alongside the normal access log fields. Same log pipeline as everything else nginx serves, queryable by the same tools.

On top of that log stream sits an analyzer that aggregates per-minute: status code distribution, top IPs, top ASNs, top user agents, request rates per path, ratio of challenges to passes. Patterns surface as they form, not hours later. A burst of 4xx from a single ASN, a spike of /checkout traffic from one user agent, an unusual jump in challenges failing — these are visible in the minute they're happening.

The analyzer also alerts on patterns we've seen elsewhere across the fleet, and with permission acts on them automatically. A sudden surge from a single ASN can be flipped to auto-challenge before anyone needs to look at it. Where the merchant prefers human review, the same signal raises an alert instead. The point is that rules adjust in minutes — observation and response are part of the same loop.

What this means in practice?

For a merchant on luroConnect, the practical experience is: the rules already exist, tuned for the patterns we see across the fleet, and they adjust as new patterns emerge. If there's a specific concern — a known bad actor, a region you don't ship to, a partner integration that needs whitelisting — that's a conversation, not a project.

DDoS protection is one of those things that's invisible when it works and catastrophic when it doesn't. Putting it on the host, on an SLA, with rules powerful enough to actually shape traffic and observation tight enough to keep up — that's the bar we think it should clear.

June 15, 2026By DDoS0 CommentsRead more...

Application Aware Hosting

“Managed Hosting” Doesn’t Mean What It Used To

For eCommerce stores running on Magento, Adobe Commerce, or mission critical custom apps on Shopify Plus — the definition needs to change.

A few years ago, “managed hosting” was a meaningful upgrade. It meant someone else handled the server: patching the OS, monitoring disk space, restarting services when they fell over. For most websites, that was enough. The website was the server.

That is no longer true for eCommerce.

What your store actually is today?

A modern eCommerce operation is not a single application on a single server. It is a constellation of interconnected systems, each of which can fail independently, and several of which sit entirely outside your hosting infrastructure.

Take a Magento store at any meaningful scale. A customer request doesn’t touch one application. It moves through Varnish (full-page cache), Nginx, PHP-FPM (your application pool), Redis (sessions and cache), MySQL via ProxySQL, RabbitMQ (async order processing), and OpenSearch (catalogue search). Six distinct components. Six independent failure modes. A problem in any one of them can manifest as a slow checkout, a broken search, or a stalled order. None of them will necessarily spike your CPU or memory.

Now add what lives around the store. A POS application. A CRM monitoring orders and abandoned carts. An OTP service handling authentication at login and checkout.
Middleware sitting between your store and your payment gateway, managing retries and return processing. A warehouse connector. An ERP sync.

Some of these run on your infrastructure. Some run on third-party platforms. Some are SaaS tools your agency integrated during a project two years ago. All of them are load bearing.

Your hosting provider monitors the server. Who is monitoring the application?

The failure modes that don’t look like infrastructure failures.

A third-party API — shipping estimates, tax calculation, payment gateway — starts responding in eight seconds instead of 800 milliseconds. Your server is healthy. CPU is fine. Memory is fine. But every checkout is eight seconds slower and conversion is falling. The issue is not on your infrastructure at all. It is on a dependency your infrastructure monitoring cannot see.

A Redis replica disconnects silently. Not a crash — a overflow under a write-heavy cron job. The server looks busy because it is busy: rebuilding cache on every request instead of serving it. No infrastructure alert fires. The right signal is in the Redis replication log, cross-referenced against the cron schedule. You find it by reading the application, not the server metrics.

A merchant on Shopify Plus runs custom middleware, an OTP application, a sidecar CRM, or a POS application alongside their store. Shopify itself is up. But the OTP application is down and every transaction is failing. The hosting dashboard shows no problem. The merchant is losing sales.

These are not edge cases. They are the category of incident that causes the most
business damage and gets diagnosed the slowest, precisely because they do not fit the pattern that infrastructure monitoring is built to catch.

What “managed” needs to mean now?

The original definition of managed hosting was appropriate for its time. When an eCommerce store was a single application on a server, managing the server was managing the store. What has changed is the application itself — the number of components, the external dependencies, the custom integrations that are now standard parts of any serious eCommerce operation.

A more complete definition covers the application stack: what each component does, what it depends on, what a failure in it means for the business, and how quickly someone who understands all of that can diagnose and respond.

In practice, this means:

Knowing the dependency map. For a Magento store, that means understanding the full request path from Varnish to MySQL and every layer between. For a merchant running custom middleware and sidecar apps alongside a SaaS platform, it means understanding the components they own and operate — and what breaks when any one of them does.

Monitoring application responses, not just server metrics. Response times and error rates at the application layer are the primary health signal. Upstream dependency health — every external API, every queue, every cache layer — needs to be instrumented and watched. Infrastructure metrics come into the analysis when application signals point there.

Reading the right logs, in the right order. Nginx access logs are the first layer of signal: response times, error rates, IP-level patterns, clients failing security challenges. Anomalies there direct the investigation deeper — into PHP slow logs, application error logs, query logs — each layer narrowing the diagnosis. The incoming request picture tells you whether something is wrong; the deeper logs tell you where.

Understanding the integration layer. When a symptom appears, the question is not just “what component is slow” but “what is that component waiting for.” The answer is often an upstream dependency — an API, a queue, a third-party service — that sits outside the infrastructure entirely.

Why this matters for support?

When something breaks, the path from symptom to cause determines how long the merchant is affected. A support team with application context moves faster through that path because they are not starting from first principles each time.

Consider a real scenario: checkout is slow, but the server looks healthy. The
investigation starts at Nginx access logs — response times are elevated on a specific request path. PHP slow logs confirm the delay is in a particular call. The bottleneck traces to a tax API responding in eight seconds. The third party is degraded.

At that point, resolution is not a hosting task. It is a coordination task: the agency developer needs to implement a timeout and a fallback, or the third-party support team needs to be contacted, or the merchant needs to be informed so they can make a business decision. Application-aware support means arriving at that handoff point in minutes rather than hours, with a precise diagnosis rather than a vague report.

The value is in the speed and accuracy of the diagnosis, and in knowing exactly who needs to act on it.

The standard worth holding providers to

Before your next renewal, ask your hosting provider: if my checkout breaks at 10pm tonight and your infrastructure dashboard shows green, what do you do next?

The answer to that question defines whether you have infrastructure support or
application-aware support.

For eCommerce stores where the application is the revenue, the distinction matters considerably.

June 15, 2026By Managed Hosting0 CommentsRead more...

Why we don’t use cloudflare

The biggest myth in the Magento Agency world is to pass traffic through cloudflare.

Don’t get me wrong – I am not a cloudflare critic. Indeed, we have customers on their business and enterprise accounts that we recommended. The issue is that cloudflare is not a magic wand many agencies make to believe it is.

The free or Pro accounts are not meant for production eCommerce websites.  Here are the problems of this approach when managed by an Agency

  • Cloudflare free & pro accouts can throttle as there is no SLA.
  • If you go through WAF on the internet, you have an additional internet hop.
  • Rules have to be manually managed on cloudflare.

How luroConnect addresses security and caching concerns

  • luroConnect builds its own nginx from sources, with modsecurity and geoip plugins. Modsecurity is maintained by OWASP – the same organization that publishes the TOP-10 threats. They also publish rules in modsecurity format which we use.
  • A benefit cloudflare gives is not exposing IP of the server. luroConnect architecture uses a Cloud platform load balancer which then internally directs traffic to the server. The servers don’t have a public IP.
  • Traffic analysis tools (and soon with AI help) to identify and flag malicious traffic.
  • Ability to block IP, User Agent, ASN and complex rules such as filter parameters without referrer url, whitelist before blacklist – block AWS, digital ocean, linode, etc except whitelisted IPs for example.
  • luroConnect uses varnish for frontend page cache (FPC)
  • Use of HTTP/3 is inbuilt into our stack.
  • Use of CDN for static and media resources.

Result: Secure website that “just opens”

Examples:

Would you like to switch to a modern hosting platform?

Schedule a call of a free evaluation!

Enterprise Class Hosting that does not hurt your bank!
With features like ~0 downtime code deploy and autoscale to reduce your hosting costs, luroConnect offers you unparalleled hosting environment for Magento.

Schedule a call and we will show you how we can

  • Improve your hosting, possibly with autoscale
  • Have a managed dev, staging and production environment
  • Server performance measured every minute with alerts for a slowdown
  • A multi point health check every day
  • Optimized hosting costs
Click here to schedule the call
February 19, 2026By caches, varnish0 CommentsRead more...

Amazon RDS v/s Amazon EC2

When hosting Magento on AWS, RDS is often assumed to be the default database.

At luroConnect we do not use RDS and have saved thousands of $ for many of our customers, each month. We wrote up a RDS vs EC2 focussed on Magento - born out of migrating a customer from RDS to EC2.

The story we had was interesting - as we onboarded the customer over a year ago, the agency insisted that we use RDS. We had calls trying to convince them we could handle the db on EC2. The Magento database was over 500GB, with a lot of products and 1000ish orders a day.

However, a year later, we were asked to see how we could reduce the AWS costs. And the RDS costs stuck out very prominently. A RDS + a read only replica of a busy website can cost a lot! However, the agency was ready to try - provided we gave them a ~0 downtime transition and an option of ~0 downtime rollback to RDS.

The feedback when we moved to EC2? "We find uncached pages are served faster".

The migration learnings will lead to more articles, but this one focusses on the argument of why we use EC2 instead of RDS for Magento. Needless to say, we have built devops tools and processes which makes this decision a no brainer if you host on luroConnect

It is about marketing, isn’t it? A feature you can sell at a premium, a feature not easy for competitors to emulate, a feature you may never use!

RDS is one of them! Anyone with or without having worked with AWS tells me it is a no brainer to use RDS for your mariadb database – in our case for Magento websites. No questions, no arguments. I do get into arguments, and I am shown AWS documentation.

Ofcourse RDS has features not easy to emulate. But AWS has been good in its documentation, so for those who care to read, it is possible to replicate, at least where it matters.

RDS from my perspective, has these features:

  • Easy to change configuration values. The UI tells you clearly what parameters need a restart and what don’t. In any case, you expect the change is committed so a restart will retain that. The last bit is crucial – especially when a restart is not needed. You make a change in a parameter and forget to commit. A restart and you lose your changes.
  • Atomic writes – not needing “double write buffers”. What are double write buffers? “This buffer was implemented to recover from half-written pages. This can happen in case of a power failure while InnoDB is writing a page (16KB = 32 sectors) to disk. On reading that page, InnoDB would be able to discover the corruption from the mismatch of the page checksum. However, in order to recover, an intact copy of the page would be needed.” Double write buffers are for safety but leads to performance issue “Both the checksum calculation and the double writing consume time and thus reduce the performance of page flushing. The effect becomes visible only with fast storage and heavy write load.” For magento this is websites with a large catalog and higher IOPs disks. AWS RDS gives atomic writes. But, AWS also documents how this can be implemented in EC2. Please click here to access the AWS documentation.
  • Easy to create a readonly replica, reliably. If you have worked with mysql / mariadb, you know issues with creating a readonly replica (slave). Lots of documentation, but when it actually comes to making a slave, there is always a doubt if it will work. The key reason is getting a consistent snapshot or a backup. Even using AWS snapshot, we have not found a way to do this reliably and without downtime – either by creating a write lock, take (or start) a snapshot and release the lock or stop mysql, take (or start) a snapshot and restart mysql. Taking a RDS slave on the other hand seems to work without a downtime. Alternatively, a backup strategy also requires some locking – provided in the mysql command line. When using a backup as a strategy we have always found it better to take backups when indexing or setup upgrade is not running.
  • AWS RDS is also quicker in making the slave – even though we may use a snapshot strategy. AWS snapshots can takes time based on the size of the (occupied) disk. For large disks it can take long.

Easy to add proxy Again it is just an option to select and a proxy starts. There is no need to configure CPU/RAM of the proxy. However, there is no guide to tell you a proxy will give a performance improvement.

But let us look at the flip side – costs. This was part of analysis we did for an existing customer in June 2025. If you use RDS the only savings option is a Reserved Instance. EC2 gives a “lighter” commitment with savings plan. (RDS estimate is for single AZ, no proxy. All disks are 12000 iops, 500Mbps. All in Ohio region.)

A 50% month-on-month cost difference cannot be ignored!

A few seconds downtime during slave creation, an external proxy (we use proxysql on EC2) has to be set and configured. Managing configuration values with discipline can possibly accomplished by a shell script – with knowledge of what values are dynamically updating and which are not. Values are always written to the my.cnf file, ensuring a restart will keep new values.

NOTE: We have had many devops swear RDS is faster. That has not been my experience – for same configurations, etc. Open to discussion on this topic. RDS Aurora is a different product and a new blog for later!

Would you like to switch to a modern hosting platform?

Schedule a call of a free evaluation!

Enterprise Class Hosting that does not hurt your bank!
With features like ~0 downtime code deploy and autoscale to reduce your hosting costs, luroConnect offers you unparalleled hosting environment for Magento.

Schedule a call and we will show you how we can

  • Improve your hosting, possibly with autoscale
  • Have a managed dev, staging and production environment
  • Server performance measured every minute with alerts for a slowdown
  • A multi point health check every day
  • Optimized hosting costs
Click here to schedule the call
November 21, 2025By Horizontal Scaling, Linux System Administration0 CommentsRead more...

Magento Upgrade

Worried about Magento major version upgrade risk and downtime?

Customers have some basic requirement

  • During go live have a very short downtime.
  • Give me a way to rollback when there is a problem in the upgrade

Here is a blueprint that we follow.

  • Create a parallel environment for new staging and new prod
  • Make sure code is deployed using CI/CD
  • Make sure staging is tested often by taking a live db backup
  • Do a dry run before actual go live
  • For reducing downtime use a mysql read-only replica strategy. During go-live (or dry run) simply promote the database and run setup upgrade (with keep-generated) flag

Would you like to switch to a modern hosting platform?

Schedule a call of a free evaluation!

Enterprise Class Hosting that does not hurt your bank!
With features like ~0 downtime code deploy and autoscale to reduce your hosting costs, luroConnect offers you unparalleled hosting environment for Magento.

Schedule a call and we will show you how we can

  • Improve your hosting, possibly with autoscale
  • Have a managed dev, staging and production environment
  • Server performance measured every minute with alerts for a slowdown
  • A multi point health check every day
  • Optimized hosting costs
Click here to schedule the call
October 30, 2025By CI CD, Magento, Site Speed0 CommentsRead more...

Magento merchants – let us declare freedom from codefreeze. Deploy-at-will.

This holiday season, Magento merchants - let us declare freedom from codefreeze. Deploy-at-will.

It is 2025 and this is not an unreasonable expectation. No more code freeze before the holiday season. Heck, changes are needed right during a sale. A UI update, a new marketing plugin integration.

Before you get that freedom, you need to ensure you take are of this small list.

  • A staging environment "12factor app" similar to prod. (Same software versions and connections, same code, similar db). Ensure you deploy to staging before you deploy to prod.
  • A horizontally scalable architecture. Does not need to autoscale, but atleast on demand add and remove CPU. No more "make it large" before the sale as you really don’t know what is large.
  • CI/CD with true 0-downtime deployment - along with rollback.

If you don’t have these, good luck.
Or, you can move to luroConnect and enjoy a holiday season like it should be - lots of sales, lots of fun, none of the headaches that pull you away from your family.

Would you like to switch to a modern hosting platform?

Schedule a call of a free evaluation!

Enterprise Class Hosting that does not hurt your bank!
With features like ~0 downtime code deploy and autoscale to reduce your hosting costs, luroConnect offers you unparalleled hosting environment for Magento.

Schedule a call and we will show you how we can

  • Improve your hosting, possibly with autoscale
  • Have a managed dev, staging and production environment
  • Server performance measured every minute with alerts for a slowdown
  • A multi point health check every day
  • Optimized hosting costs
Click here to schedule the call
October 28, 2025By Magento0 CommentsRead more...

Partnering with luroConnect has its benefits.

At luroConnect, we’re more than just a managed hosting provider — we’re your growth partner. Our goal is to create a collaborative ecosystem where agencies, consultants, and digital solution providers can thrive alongside us.

Whether you build eCommerce stores, offer digital strategy, or manage client infrastructure, our partner program is built to support your growth while delivering dependable, high-performance hosting to your clients.

1. Social Media Cross-Promotion:

At luroConnect, we believe in amplifying our partners' success. Through active social media collaboration, we help extend your reach and visibility. Here’s how we support you:

  • Post Sharing:
    We regularly share your posts on our official social media channels (LinkedIn, Twitter, Facebook, etc.), helping your content reach a wider, relevant audience.
  • Content Engagement:
    We actively engage with your posts by liking, commenting, and starting conversations to boost visibility and encourage interactions.
  • Reposting and Featuring:
    Important updates, project launches, or success stories from your end get a special spotlight through reposts and feature posts on our feeds.
  • Collaborative Campaigns:
    We plan joint social media activities like announcing new projects, celebrating milestones.
  • Partner Highlights:
    We dedicate posts to introduce our partners to our audience — highlighting your services, success stories, and areas of expertise.
  • Hashtag and Tagging Strategy:
    We use strategic hashtags and tag your profiles in relevant posts to drive higher engagement and better discoverability.
  • Story Mentions and Quick Shares:
    For time-sensitive news or quick wins, we mention your brand in stories or short posts to keep your audience updated and connected.

2. Cross Blogging Opportunities:

Got insights, experience, or success stories to share? We co-create blog content that highlights your expertise and showcases how our collaboration delivers results. You can also publish guest blogs on our platform, increasing your visibility in the eCommerce and hosting community.

3. Technical Trust You Can Count On:

Our managed hosting comes with advanced features like zero-downtime deployment, performance optimization, automated backups, and proactive monitoring — so you can focus on building, not firefighting. Your clients will notice the difference.

4. Case Studies

Let’s tell the story of your success together. We work with you to create high-quality, co-branded case studies that you can use in your marketing and sales efforts.

Would you like to switch to a modern hosting platform?

Schedule a call of a free evaluation!

Enterprise Class Hosting that does not hurt your bank!
With features like ~0 downtime code deploy and autoscale to reduce your hosting costs, luroConnect offers you unparalleled hosting environment for Magento.

Schedule a call and we will show you how we can

  • Improve your hosting, possibly with autoscale
  • Have a managed dev, staging and production environment
  • Server performance measured every minute with alerts for a slowdown
  • A multi point health check every day
  • Optimized hosting costs
Click here to schedule the call
May 6, 2025By Social0 CommentsRead more...