Apache, Unicorn & SSL

Having used Apache with Mongrel, Thin and Passenger, I’ve now moved on to Unicorn.  Setting up Apache on Ubuntu to proxy to Unicorn requires the following installation commands:

apt-get install apache2 -y
apt-get install libapache2-mod-proxy-html libxml2-dev -y
a2enmod headers
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_balancer
a2enmod rewrite
a2enmod ssl
/etc/init.d/apache2 restart

With these modules in place a virtual host can be configured something like this:

<VirtualHost *:80>
  ServerName     myhost.example.com
  DocumentRoot   /opt/example/app/public

  RewriteEngine On
  # Redirect all non-static requests to unicorn
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]

  <Proxy balancer://unicornservers>
    Allow from all
    BalancerMember http://127.0.0.1:8080
  </Proxy>
</VirtualHost>

<VirtualHost *:443>
  ServerName     myhost.example.com
  DocumentRoot   /opt/example/app/public

  RewriteEngine On
  # Redirect all non-static requests to unicorn
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]
  RequestHeader set X-Forwarded-Proto "https"

  <Proxy balancer://unicornservers>
    Allow from all
    BalancerMember http://127.0.0.1:8080
  </Proxy>

  SSLEngine     on
  SSLCertificateFile /etc/apache2/ssl/ssl.crt
  SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
</VirtualHost>

mod_headers and the RequestHeader directive are useful if the Rails app is using ssl_requirement.
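
The port 80 virtual host above proxies to the same Unicorn backend but never sets or removes X-Forwarded-Proto, so on a plain-HTTP request the backend sees whatever value the client sent. As an added example (not code from the original post), this Ruby script audits a vhost file for that gap; the function names and both sample configurations are constructed for illustration.

```ruby
# Constructed sample: the page's two vhosts, reduced to the relevant lines.
PAGE_CONF = <<~'CONF'
  <VirtualHost *:80>
    RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]
  </VirtualHost>
  <VirtualHost *:443>
    RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]
    RequestHeader set X-Forwarded-Proto "https"
  </VirtualHost>
CONF

# Constructed sample: the same file with the header pinned on port 80 as well.
HARDENED_CONF = PAGE_CONF.sub(
  "</VirtualHost>",
  %(  RequestHeader set X-Forwarded-Proto "http"\n</VirtualHost>)
)

PROXY_RULE = /\ARewriteRule\b.*\[(?:[^\]]*,)?P(?:,[^\]]*)?\]/i  # [P] flag
PROXY_PASS = /\AProxyPass\s+\S+\s+[^!\s]/i                      # not "ProxyPass /x !"
PROTO_HDR  = /\ARequestHeader\s+(set|unset)\s+X-Forwarded-Proto\b\s*"?([^"\s]*)"?/i

# Returns one hash per <VirtualHost>: its address, whether it proxies, and
# what Apache does with X-Forwarded-Proto (:client_controlled if untouched).
def audit_vhosts(conf)
  results = []
  current = nil
  conf.each_line do |raw|
    case raw.strip
    when /\A<VirtualHost\s+([^>]+)>/i
      current = { vhost: $1, proxies: false, proto: :client_controlled }
    when /\A<\/VirtualHost>/i
      results << current if current
      current = nil
    when PROXY_RULE, PROXY_PASS
      current[:proxies] = true if current
    when PROTO_HDR
      current[:proto] = ($1.downcase == "unset" ? :stripped : $2) if current
    end
  end
  results
end

# Vhosts where the backend would see a client-supplied X-Forwarded-Proto.
def vhosts_trusting_client_proto(conf)
  audit_vhosts(conf).select { |v| v[:proxies] && v[:proto] == :client_controlled }
                    .map { |v| v[:vhost] }
end

puts vhosts_trusting_client_proto(PAGE_CONF).inspect if __FILE__ == $0
```

Either `RequestHeader set X-Forwarded-Proto "http"` or `RequestHeader unset X-Forwarded-Proto` in the port 80 vhost clears the finding, because Apache then decides the value the backend receives.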

Rails development with multiple MySQL instances

Sometimes supporting multiple clients or projects can result in a need for more than one version of MySQL on the same workstation. This can be a pain, especially with the Ruby native mysql2 gem that can fail with a cryptic ‘failed to allocate memory’ when used with the wrong client libraries.

To address this I’ve started using Bitnami’s RubyStack.  Bitnami’s stacks provide a graphical installer that allows you to quickly specify a non-standard installation location and ports for your developer infrastructure so you can easily install the stack alongside the project being supported.

Instead of using RVM for development I now prepend the RubyStack to my path before working on the supported project:

RUBYSTACK=~/.../rubystack-3.2.1-0
PATH=$RUBYSTACK/mysql/bin:$PATH
PATH=$RUBYSTACK/ruby/bin:$PATH

Be aware that the Bitnami stacks are 32-bit. The stacks include graphical and command line tools to start and stop components; see the Bitnami wiki components for more details. Bitnami AMIs are also available on EC2; various deployment options are discussed in the RubyStack README.

OpenShift, BoxGrinder, SteamCannon and JBoss AS RPMs

Red Hat recently launched their new OpenShift PaaS service based on their acquisition last year of Makara.

Enterprise customers, however, still have more complex requirements, including hybrid in-house/hosted infrastructure, and integration with specialized hardware appliances.

Managing complex infrastructure is increasingly being automated using tools like Puppet and Chef.  However, one of the limitations of Chef is that it does not install and configure the OS: for Fedora, RHEL or CentOS I have discovered and started using BoxGrinder.

It appears that BoxGrinder was being nurtured by JBoss to complement their PaaS development prior to the Makara acquisition.  First BoxGrinder was used last year by a JBoss project called CirrAS that created JBoss AS 6 cluster appliances, and then that appears to have segued along with Cooling Tower into SteamCannon, a Ruby based JavaEE PaaS framework.  Publicly available artifacts from both these projects remain, but now we must wait for OpenShift to be open sourced.

A requirement of projects like CirrAS and SteamCannon has been writing specs to package JBoss into RPMs.  This was done previously by a JBoss employee contributing to the JPackage project, but Red Hat is at last packaging JBoss AS 7 into Fedora.

Using Apache with Mongrel or Thin and Rails 3

When using mod_proxy to load balance between members of a mongrel or thin cluster it’s important not to pass requests through for static content.  A basic virtual site can be configured like this:

<VirtualHost *:80>

    ServerName myapp.mydomain.com
    DocumentRoot /opt/myapp/public

    <Proxy balancer://thinservers>
        BalancerMember http://127.0.0.1:3000
        BalancerMember http://127.0.0.1:3001
        BalancerMember http://127.0.0.1:3002
    </Proxy>

    ProxyPreserveHost On
    ProxyPass /images !
    ProxyPass /stylesheets !
    ProxyPass /javascripts !
    ProxyPass / balancer://thinservers/
    ProxyPassReverse / balancer://thinservers/

    <Proxy *>
     Order deny,allow
     Allow from all
    </Proxy>

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined

</VirtualHost>

Thin with Apache

Having run into compatibility issues between Passenger and RJB and between Mongrel and Rails 2.3.8 I’ve been looking at Thin.

Slicehost has a couple of good articles on setting up a Thin cluster with Apache on Ubuntu.

In summary:

gem install thin
thin install
/usr/sbin/update-rc.d -f thin defaults
thin -h # help
thin -C /etc/thin/${appenv}.yml -c ${apphome} -s 3 -e production config
su - ${appenv}bat ; thin -C /etc/thin/${appenv}.yml start

Installing Phusion Passenger on Ubuntu 10.04 LTS

Before installing Phusion Passenger you will need a working installation of Rails:

apt-get install ruby rubygems # distro packages rubygems 1.3.7
gem install rubygems-update
PATH=$PATH:/var/lib/gems/1.8/bin
update_rubygems
gem install rails -v=2.3.4 # or whatever

The Phusion installation script builds an Apache loadable module by linking various libraries. Make sure these libraries are installed before running the script.

apt-get install build-essential ruby1.8-dev libopenssl-ruby
apt-get install apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev
apt-get install libcurl4-openssl-dev

gem install passenger
passenger-install-apache2-module # compilation dependencies satisfied above

The Passenger installation script displays a message to add some lines to your Apache configuration script. One way to do this with Apache2 on Ubuntu is:

cat > /etc/apache2/mods-available/passenger.load <<EOF
   LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-2.2.15/ext/apache2/mod_passenger.so
   PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.15
   PassengerRuby /usr/bin/ruby1.8
EOF
a2enmod passenger
/etc/init.d/apache2 restart

Building a Tomcat 6 Appliance

TurnKey have done a great job of putting together a collection of open source software appliances using Ubuntu JeOS 8.04.  Unfortunately TurnKey’s Tomcat appliance uses only Tomcat 5.5, instead of Tomcat 6 featuring Servlet 2.5 and JSP 2.1 support, which was released in March 2007.  On the plus side, however, TurnKey have also published their appliance core, which you can use as the basis of your own appliances.  The core includes Webmin at port 12321 and SSH.  TurnKey appliances are distributed with no password for root, so make sure to set it as soon as possible.  The hostname for TurnKey Core is ‘core’, but that can be changed by editing /etc/hostname.

Tomcat 6 has been backported to Ubuntu 8.04, so it is easy to add: just edit /etc/apt/sources.list.d/sources.list and uncomment hardy-backports universe, then:

apt-get update
apt-get install tomcat6 # ~70MB

Note Tomcat6 is run with CATALINA_HOME set to /usr/share/tomcat6 and CATALINA_BASE set to /var/lib/tomcat6. If you read the Tomcat RUNNING.txt doc (available at /usr/share/doc/tomcat6-common/RUNNING.txt.gz) you’ll see that Tomcat6 is looking for libraries in CATALINA_HOME/lib and not CATALINA_BASE/lib. Since it is ignored, the presence of a CATALINA_BASE/lib directory is, at best, confusing.

Tomcat defaults to port 8080 and 8443.  As Tomcat is being run on the appliance as root we can change the ports to 80 and 443 by editing /etc/tomcat6/server.xml.

The tomcat service is managed using /etc/init.d/tomcat6 [start|stop], not bin/shutdown.sh.  Remember to turn off tomcat security or configure it for each application.  Turning off security is done by editing /etc/init.d/tomcat6 and setting TOMCAT6_SECURITY=no.

There is a tomcat6-admin package also, but I do not use it and have not tested it.  To deploy a war file I simply copy it into /var/lib/tomcat6/webapps, e.g.:

apt-get install wget
cd /var/lib/tomcat6/webapps
wget http://.../...jar

Installing JBoss with Oracle XE on Windows

Both Tomcat and Oracle XML DB use port 8080 by default. Before installing JBoss I first changed the default port for XML DB as suggested here.

call dbms_xdb.cfg_update(updateXML(
            dbms_xdb.cfg_get()
          , '/xdbconfig/sysconfig/protocolconfig/httpconfig/http-port/text()'
          , 8081))
      /

I restarted the Oracle database and verified port 8081 was in use and not 8080.
