James Crisp

Coding, calisthenics, book reviews, mind hacks and the occasional personal bit.

Category: Ruby / Rails (Page 1 of 4)

Moving to HTTPS, Rails force_ssl and Rollback

Background
We recently moved the Getup site from mixed HTTP/HTTPS to completely HTTPS. The primary driver was to ensure that sessions were never sent in plain text over the wire, to avoid session hijacking. There are other benefits too, such as protecting personal details from eavesdropping over the wire, proving site authenticity and generally simplifying the code. Checking around the web, Twitter is HTTPS only, and even Google search is all HTTPS (when you are logged in).

Rails HTTPS and force_ssl
The easiest and simplest way of moving a Rails 3 app to all HTTPS is to simply set force_ssl = true in relevant environment files. This then causes Rack ssl middleware to be loaded as the first middleware. As you can see from the code, this middleware does a variety of good stuff, that really ensures once HTTPS, always HTTPS!

  • 301 permanent redirect to HTTPS (cached forever in most browsers so you never hit the http url again)
  • Secure on the cookies so they can never be sent over HTTP (important they don’t accidentally go with a redirect for example!)
  • HSTS to ensure that in supported browsers, nobody can ever go to HTTP again!

HSTS
HSTS (HTTP Strict Transport Security) is offered by Chrome and Firefox ensures that for a given time (usually a long time, eg 20 years in the case of Twitter!), it is not possible to go to the site over HTTP again. To activate this, the site only needs to send the Strict-Transport-Security header once. You can check and manage what’s in your HSTS store in Chrome with chrome://net-internals/#hsts

Rollback
When moving to HTTPS, we wanted to ensure we could rollback to a previous release in case of problems. Using force_ssl out of the box precludes this – if you roll back after a 301 redirect or HSTS loaded by a client browser, your site will no longer be accessible!

We used a small monkey patch which turns off HSTS and uses a 302 temporary redirect, rather than a 301. This means that rollback to a previous release works fine. Here’s the patch:

require 'rack/ssl'

module ::Rack
  class SSL

    def redirect_to_https(env)
      req        = Request.new(env)
      url        = URI(req.url)
      url.scheme = "https"
      url.host   = @host if @host
      status     = 302
      headers    = { 'Content-Type'  => 'text/html',
                     'Location'      => url.to_s,
                     'Cache-Control' => 'no-cache, no-store'
                   }
      [status, headers, []]
    end

    def hsts_headers
      {}
    end

  end
end

This patch is only needed temporarily, until you decide that you no longer would want to deploy a release before force_ssl.

Performance
So is HTTPS slower than HTTP? It is to start with in initiating the first request, as ssl needs to be negotiated and set up. This leads to a few more round trips. If your clients and servers are in same country, this is pretty insignificant. Round trips from Australia to USA for example are more significant but not a major stumbling block, as long as you use Keep-Alive on the connection to ensure that later requests re-use the set up from the first request.

Assets are fully cacheable over HTTPS using the usual HTTP headers, and have been even since early Internet Explorer versions. You do need to make sure that you always load HTTPS assets though, to ensure you don’t get mixed-mode warnings in the web browser. We found some useful HTTPS performance tips here.

Load on the servers was not an issue for us as we are using Amazon Elastic Load Balancers (ELB) for our HTTPS implementation. The web/app servers don’t get involved as they are just reverse proxied by the ELB, which manages the HTTPS sessions.

Redirect Gotchas!
We have a few other domains which simply redirect to the canonical www.getup.org.au domain. Out of the box, the rack ssl middleware loads first, before our redirect middleware. This meant that for these additional domains, we got a nasty certificate warning in the browser as it is sent to HTTPS first (on the wrong domain), and then gets the redirect to the canonical domain that has the valid certificate. Changing the order of middleware to do redirects first, and then HTTPS is an easy solution.

Conclusion
The move to full HTTPS has gone smoothly and we didn’t end up needing rollback. However, it was worth having the monkey patch so that rollback was possible as an insurance policy against unexpected major problems.

Talk on Tues: Moving to HTTPS

I’ll be giving a talk at Sydney ALT.NET on Tues:

After recently moving the Getup site fully to HTTPS, James will share with you security pitfalls, the justification for the move from mixed HTTP/HTTPS, lessons learnt, and performance tips. A romp through the protocols of the web with riffs on status codes, HSTS, domain verification, and interesting headers. This talk could save your bacon.

From 6pm at ThoughtWorks Sydney office on Pitt St. Remember to RSVP on the Sydney ALT.NET site to help with catering. See you there!

VPS Performance Comparison and Benchmarking

What VPS / cloud instance provider gives you the best bang for buck for a small linux server? I’ve been focusing on evaluating providers at the low cost end, and reasonable latency to Australia – Linode Tokyo, Octopus Australia, RailsPlayground USA and Amazon Singapore. From the tech specs on a VPS, most providers look similar. However, when you have an instance, you often find huge variation in performance due to contention for CPU and disk on the node. For a simple test, I ran a small ruby script on each server every 20 minutes on cron, and logged the results to a CSV file over the same 5 days.

Here is the script:

start = Time.now

`man ls`
`ls /`

disk_time = Time.now - start

start = Time.now

(1..200000).each { |i| i*i/3.52345*i*i*i%34 }

cpu_time = Time.now - start

total = disk_time + cpu_time
puts "#{total},#{disk_time},#{cpu_time},#{start.strftime('%Y-%m-%d')},#{start.strftime('%H:%M:%S')}"

It uses ls and man to test wait for disk and then some made up maths to test the CPU. It’s not perfect but gives a good indication of performance.

Results
All times are in seconds, and you can download the full data to get a better picture. I’ve provided a summary and notes for each provider below.

Linde 512mb Tokyo (Zen)

  Average Max
Total time 0.81 1.74
Disk 0.03 0.13
CPU 0.78 1.63

Full Results

This is my second Linode VPS. I asked to be moved to a different node as the first one started fast when I got it but performance degraded (due to contention on the node?) within a few days. Nothing else is running on the VPS besides the script. Overall this is consistent, good performance in both CPU and disk. Latency to this VPS is around ~130ms from my ADSL in Sydney.

Octopus 650mb Australia (VMWare)

  Average Max
Total time 0.74 3.40
Disk 0.19 2.88
CPU 0.54 1.08

Full Results

Octopus is running a site for me with a significant cron job on the hour. I’ve therefore removed results collected on the hour. Despite running my live site, Octopus has the fastest average performance of all VPS tested. The higher max time could have been caused by load on my site. Octopus costs a bit more but is hosted in Australia so has very low latency of around 20ms from my ADSL in Sydney.

Amazon Small Instance 1.7gb Singapore (Zen)

  Average Max
Total time 1.25 2.42
Disk 0.20 0.40
CPU 1.04 2.03

Full Results

Amazon EC2 Small instances are now in the same ballpark cost as small VPS instances, when you go for high usage reserved. Many people think that EC2 disk is poor. However, from my tests (and experience) it is not super fast, but it is consistent and reliable. Amazon is also very generous with memory and provides other benefits like free transfer to S3. Where it falls down is processor speed, which, although fairly consistent, is about 50% slower than Linode and Octopus. Latency from Sydney ADSL is around 120ms.

Rails Playground 640mb USA (Virtuozzo)

  Average Max
Total time 3.53 24.12
Disk 2.44 23.42
CPU 1.09 2.66

Full Results

My RailsPlayground VPS is running various services and sites for me but none of them are high load. As you can see, the CPU performance is similar to Amazon and doesn’t vary too much. The problem is disk which varies hugely and can sometimes lead to unresponsive sites and services while waiting for IO. Latency from Sydney ADSL is around 200ms.

Conclusion
If you want a fast VPS with low latency in Australia and are willing to pay a bit more than the other providers listed, Octopus VPS will serve you well.

For lots of memory but slower CPU, Amazon small instance will be good.

For faster CPU but less memory, Linode is your best choice.

It’s worth testing out any new VPS and keeping an eye on performance over time. Contention on your node could change dramatically without you being aware of it, dramatically impacting performance of your VPS.

Rails Refactor is now a Gem!

Rails Refactor, a small command line tool to make rails refactoring more fun, is now available as a gem. To use:
gem install rails_refactor

More info available on github.

VIM is Sydney Rails Devs’ Favourite Editor

Outstanding news! As part of the rails refactor talk at RORO (Sydney Rails Group) tonight (great evening by the way!), I asked for a show of hands on people’s favoured editors. I was amazed to discover the vim has edged out TextMate with just over half of the people at the group using it as their editor of choice! As an aside, Netbeans had one supporter, RubyMine and Emacs had zero. The groundswell of support for vim (and the cheering) was impressive!

PS – this is a very nerdy post, but as a long time vim fan, I had to report on it 🙂

Short Talk on rails_refactor at Rails group

I’ll be giving a short talk with Ryan Bigg on Rails Refactor at the next Sydney Rails Group (RORO) meet (Tuesday, Feb 8 from 7pm) . We’ll be talking about Rails Refactor’s birth at a hack night last year, what it can do for you right now, and its bright future as your refactoring tool of choice. Hope to see you there.

nRake Microsoft Case Study

nRake is now the subject of a Microsoft case study. Check it out here:

UPDATE: Now on the Microsoft Case Study site.

Rails Refactor & Hack Night

During the RORO hack night last Wednesday, Ryan Bigg (@ryanbigg) and I worked on a Rails Refactor, something I’ve been meaning to get going for a long time.

How often have you wasted time doing renames in rails? Sure it’s hard to automate everything without understanding the code, but there sure are a lot of mechanical steps that you can easily automate. Ryan and I took on controller renames and got a fair way in the few hours we spent on the night.

Code is on github

To rename a controller:
$ rails_refactor.rb rename OldController NewController

  • renames controller file & class name in file
  • renames controller spec file & class name in file
  • renames view directory
  • renames helper file & module name in file
  • updates routes

To rename a controller action:
$ rails_refactor.rb rename DummyController.old_action new_action

  • renames controller action in controller class file
  • renames view files for all formats

Looking to extend it with model renames, and then more complex refactoring.
If you like it, please fork and contribute 🙂

Odd Date and Time Comparisons in Rails & Hack night

While comparing Dates and Times in Rails (both 2.3 and 3), I came across an odd behaviour:

>> Time.parse("Mon, 26 Jul 2010 9:59") == Date.new(2010, 7, 26)
=> false
>> Time.parse("Mon, 26 Jul 2010 10:00") == Date.new(2010, 7, 26)
=> true
>> Time.parse("Mon, 26 Jul 2010 10:01") == Date.new(2010, 7, 26)
=> false

Also

>> Date.new(2010, 7, 26) == Time.parse("Mon, 26 Jul 2010 10:00")
=> false (Rails 2.3)
=> nil (Rails 3)
>> Date.new(2010, 7, 26) == Time.parse("Mon, 26 Jul 2010 0:00")
=> false (Rails 2.3)
=> nil (Rails 3)

Tonight, we’ll be having the RORO hack night in the ThoughtWorks Sydney office, with a focus on open source projects (your own or contributing). A patch for this date/time behaviour might be an interesting area to pursue.

Ruby 1.8 Scoping and Blocks

Quick ruby quiz.. after these two lines execute, what is the value of number?

>> number = 5
>> (1..10).each {|number| print number}

Well, number will be 10, thanks to the block being run and re-assigning the value of number. This can cause you some pretty subtle bugs if you happen to have the same name for a local/function argument, and as a variable name in a block.

In C#, the compiler is kind enough to tell you that this would be a very bad idea and give you an error.

And thanks to Sudhinda for commenting – this has been fixed in Ruby 1.9. In 1.9, the variable used as the argument in the block does not affect the variable outside the block.

ACS Alm Talk: Presentation Wrap Up & Slides

Thanks everyone who came along last night. It was a fun session, with a lot of lively discussion, especially around project management and software design. As mentioned during the talk, you might want to check out nRake for .NET builds and psDeploy for Powershell deployments. Here are the slides from the talk. If you have any more questions or areas to discuss, please feel free to drop me a line.

nRake now on IronRuby

nRake, the premier project and build template for .NET projects using the Rake build system now has a branch for .NET4 using IronRuby. Projects are also updated to VS2010 format, and Albacore gems are now updated to 0.1.5.

Check out the IronRuby .NET 4 branch of nRake.

or the check out the IronRuby .NET 2 / 3.5 branch of nRake.

Master branch is still using MRI ruby 1.9. However, plans are to change over to IronRuby for master branch in the future. IronRuby is now performing well enough and sufficiently compatible to support .NET builds. IronRuby has advantages around size (smaller download) and more exciting interop possibilities with .NET code.

Podcast from ALM Conference

At the ALM Conference, Richard interviewed me for a podcast on the Ultimate ALM Environment circa 2010 as well as a little on build and deployment automation. Check out the podcast on Talking Shop!

nRake – Rake builds for .NET

Fed up with XML based builds that are hard to maintain, refactor and extend? Rather than trying to fix this with more xml and community tasks, or re-invent the wheel, let’s use Rake. Rake is a mature build system developed by the ruby community which can be applied equally well in the .NET world.

To help you get started quickly, I’ve put together nRake. nRake provides a template C# .NET solution with a nice directory structure (src, tools, lib, etc), a Rake build, NUnit tests, templated app and web configs for different environments (eg, dev, uat, prod, etc) and Continuous Integration server sample config files. It comes with everything you need – no additional libraries or downloads required, and all the plumbing work has been done for you.

How to use

  • Git clone or Download nRake as a Zip
  • Rename PlaceHolder app and tests to reflect your project
  • Run rake in the root of the project. This will clean, compile, template config files and run unit tests.
  • Start developing your app! How easy was that 🙂
  • Note: nRake currently uses Ruby 1.9 since IronRuby start up time was prohibitively slow. Hopefully IronRuby will get faster, and then nRake can make use of it. Also nRake uses the Albacore Gem for .NET build tasks. Documentation on Albacore tasks here.

    Also check out the IronRuby update!

Monitoring MySQL Slave Replication Status with Ruby and Cron

When offering higher levels of uptime on a web site backed by MySQL, a good approach is to set up a MySQL master-slave configuration for failover between servers. This generally works quite well, but once in a while, there is a problem or error that causes the replication to cease. The slave then ceases to process updates and gets out of sync with the master.

The script below is a quick and easy approach to monitoring the status of replication on the slave. If the slave thread or IO ceases, the slave gets more than 120 seconds behind the master, or there is an error, the script will email all the slave status information to an email address you specify to alert you that you need to log in and sort things out. I run the script from cron so that I get notified fairly soon if a problem arises.

RAILS_ENV = 'production'
ALERT_EMAIL_ADDRESS = [email protected]'

require 'open3'
require 'socket'
require "#{File.dirname(__FILE__)}/../../config/environment.rb"

r = ActiveRecord::Base.connection.execute("show slave status").fetch_hash
unless  r["Slave_IO_Running"] == "Yes" && r["Slave_SQL_Running"] == "Yes" &&
  r["Last_Errno"] == "0" && r["Seconds_Behind_Master"].to_i < 120

    status = "*** STATUS ***\\n" + r.to_a.collect { |i| "#{i[0]}: #{i[1]}\\n" }.join
    subject = "MySQL Slave Replication Down on #{Socket.gethostname}"

    Open3.popen3("mail -s \"#{subject}\" #{ALERT_EMAIL_ADDRESS}") do |stdin, stdout, stderr|
       stdin.write(status)
    end
end

Note: This script relies on being part of a rails app to get a database connection. It would be fairly easy to modify it to include db credentials and open the connection.

Page 1 of 4

Powered by WordPress & Theme by Anders Norén