Testing ssl_requirement with pound

ssl_requirement is a Rails gem by DHH to declaratively redirect requests to SSL.  It is useful, for example, to ensure all access to a checkout page is secure.  SSL encryption, however, is usually handled by a webserver such as Nginx or Apache, and these are not typically used in Rails test mode.  It appears most developers simply disable SSL redirects during testing, but this allows certain defects such as correct handling of flash messages to go undetected.  To test SSL redirects I’ve started using a lightweight, secure reverse proxy called pound. The pound configuration file can be kept to a bare minimum to forward requests from port 8443 to 3000 and encrypt the response:

ListenHTTPS
  Address 127.0.0.1
  Port    8443
  Cert    "pound.pem"
  AddHeader "X_FORWARDED_PROTO: https"
  Service
    BackEnd
      Address 127.0.0.1
      Port    3000
    End
  End
End

To run pound:

pound -vf ./pound.conf

Apache, Unicorn & SSL

Having used Apache with Mongrel, Thin and Passenger, I’ve now moved on to Unicorn.  Setting up Apache on Ubuntu to proxy to Unicorn requires the following installation commands:

apt-get install apache2 -y
apt-get install libapache2-mod-proxy-html libxml2-dev -y
a2enmod headers
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_balancer
a2enmod rewrite
a2enmod ssl
/etc/init.d/apache2 restart

With these modules in place a virtual host can be configured something like this:

<VirtualHost *:80>
  ServerName     myhost.example.com
  DocumentRoot   /opt/example/app/public

  RewriteEngine On
  # Redirect all non-static requests to unicorn
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]

  <Proxy balancer://unicornservers>
    Allow from any
    BalancerMember http://127.0.0.1:8080
  </Proxy>
</VirtualHost>

<VirtualHost *:443>
  ServerName     myhost.example.com
  DocumentRoot   /opt/example/app/public

  RewriteEngine On
  # Redirect all non-static requests to unicorn
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule ^/(.*)$ balancer://unicornservers%{REQUEST_URI} [P,QSA,L]
  RequestHeader set X-Forwarded-Proto "https"

  <Proxy balancer://unicornservers>
    Allow from any
    BalancerMember http://127.0.0.1:8080
  </Proxy>

  SSLEngine     on
  SSLCertificateFile /etc/apache2/ssl/ssl.crt
  SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
</VirtualHost>

mod_headers and the RequestHeader directive are useful if the Rails app is using ssl_requirement.

Rails development with multiple MySQL instances

Sometimes supporting multiple clients or projects can result in a need for more than one version of MySQL on the same workstation. This can be a pain, especially with the Ruby native mysql2 gem that can fail with a cryptic ‘failed to allocate memory’ when used with the wrong client libraries.

To address this I’ve started using Bitnami’s RubyStack.  Bitnami’s stacks provide a graphical installer that allows you to quickly specify a non-standard installation location and ports for your developer infrastructure so you can easily install the stack alongside the project being supported.

Instead of using RVM for development I now prepend the RubyStack to my path before working on the supported project:

RUBYSTACK=~/.../rubystack-3.2.1-0
PATH=$RUBYSTACK/mysql/bin:$PATH
PATH=$RUBYSTACK/ruby/bin:$PATH

Be aware the Bitnami stacks are 32-bit. The stacks include graphical and command line tools to start and stop components, see the Bitnami wiki components for more details. Bitnami AIMs are also available on EC2, various deployment options are discussed in the RubyStack README.

Installing PostgreSQL on Lion

Lion comes with a _postgres system account and PostgreSQL 9.0.4 client tools already installed. Lion Server includes PostgreSQL server, which replaces the MySQL server distributed with earlier versions of OS X. If you want to add PostgreSQL server to a regular Lion installation the easiest way to do this is probably using the EnterpriseDB installer. However, I was inspired by a couple of posts at devoh.com to compile and install it manually:

curl -O http://ftp.postgresql.org/pub/source/v9.0.4/postgresql-9.0.4.tar.bz2
tar xzvf postgresql-9.0.4.tar.bz2
cd postgresql-9.0.4
./configure --enable-thread-safety --with-bonjour
make
sudo make install

To create a database:

sudo mkdir /usr/local/pgsql/data
sudo chown _postgres:_postgres /usr/local/pgsql/data
cd /usr/local/pgsql/bin
sudo -u _postgres ./initdb -D /usr/local/pgsql/data -U postgres -W -A md5 -E UNICODE

To manage PostgreSQL server with OS X launchctl create /Library/LaunchDaemons/org.postgresql.postmaster.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>org.postgresql.postmaster</string>

    <key>RunAtLoad</key>
    <true />

    <key>UserName</key>
    <string>_postgres</string>

    <key>GroupName</key>
    <string>_postgres</string>

    <key>EnvironmentVariables</key>
    <dict>
      <key>PGDATA</key>
      <string>/usr/local/pgsql/data</string>
    </dict>

    <key>ProgramArguments</key>
    <array>
      <string>/usr/local/pgsql/bin/postmaster</string>
    </array>

    <key>StandardOutPath</key>
    <string>/usr/local/pgsql/logfile</string>

    <key>StandardErrorPath</key>
    <string>/usr/local/pgsql/logfile</string>
  </dict>
</plist>


chmod 644 /Library/LaunchDaemons/org.postgresql.postmaster.plist

To load the new launch agent and start up the server for the first time:

sudo launchctl load /Library/LaunchDaemons/org.postgresql.postmaster.plist

If you need to restart the daemon, use the following commands:

sudo launchctl stop org.postgresql.postmaster
sudo launchctl start org.postgresql.postmaster

OpenShift, BoxGrinder, SteamCannon and JBoss AS RPMs

Red Hat recently launched their new OpenShift PaaS service based on their acquisition last year of Makara.

Enterprise customers, however, still have more complex requirements, including hybrid in-house/hosted infrastructure, and integration with specialized hardware appliances.

Managing complex infrastructure is increasingly being automated using tools like Puppet and Chef.  However, one of the limitations of Chef is that it does not install and configure the OS: for Fedora, RHEL or CentOS I have discovered and started using BoxGrinder.

It appears that BoxGrinder was being nurtured by JBoss to complement their PaaS development prior to the Makara acquisition.  First BoxGrinder was used last year by a JBoss project called CirrAS that created JBoss AS 6 cluster appliances, and then that appears to have segued along with Cooling Tower into SteamCannon, a Ruby based JavaEE PaaS framework.  Publicly available artifacts from both these projects remain, but now we must wait for OpenShift to be open sourced.

A requirement of projects like CirrAS and SteamCannon has been writing specs to package JBoss into RPMs.  This was done previously by a JBoss employee contributing to the JPackage project but at last Red Hat is finally packaging JBoss AS 7 into Fedora.

Converting from MyISAM to InnoDB

To change the default table engine add the following to my.cnf:

default-storage-engine=InnoDB

To check the engines being used:

SHOW TABLES STATUS

Each existing table has to be converted explicitly:

user='mydba'
db='mydb'
mysql -u ${user} -p -e "SHOW TABLES IN ${db};" \
| tail -n +2 | xargs -I '{}' echo "ALTER TABLE {} ENGINE=INNODB;" > alter_table.sql
mysql -u ${user} -p -D ${db} < alter_table.sql

BoxGrinder Chef

BoxGrinder is a JBoss Community project to build appliances based on Fedora, Red Hat and/or CentOS. It appears to build on an earlier project called ThinCrust.  It takes a simple BoxGrinder appliance configuration (‘.appl’) file and uses it to generate a Red Hat kickstart file, which it then uses to build a KVM VM. Additional plugins can then convert the VM to other formats like Amazon EC2 AMI.  BoxGrinder itself is supported on Fedora only, though it can create CentOS 5 appliances.  As of writing a critical bug stops BoxGrinder from building CentOS 6.x images.

The best way to build appliances for Amazon EC2 is to use the provided BoxGrinder meta-appliance AMI to create an EC2 instance:  BoxGrinder meta works best with at least 2G RAM to build i386 appliances.

I created a basic appliance with the Chef client preinstalled by using an appliance definition file as follows:

name: CentOS-chef
summary: "CentOS RBEL Chef"
version: 1
release: 1
hardware:
  partitions:
    "/":
      size: 4
os:
  name: centos
  version: 5
packages:
  - ruby-devel
  - rubygem-chef
repos:
  - name: "rbel5"
    baseurl: "http://rbel.frameos.org/stable/el5/#BASE_ARCH#/"
    ephemeral: true
  - name: "epel"
    baseurl: "http://download.fedoraproject.org/pub/epel/#OS_VERSION#/#BASE_ARCH#/"

Having gems pre-converted to RPMs is better than trying to use gem install during build post-processing.

Configuring the EC2 plugin is done in ~/.boxgrinder/config after which the appliance can be built with

export LIBGUESTFS_MEMSIZE=2048
boxgrinder-build CentOS-chef.appl -p ec2 -d ebs -b --debug

Installing Ruby Enterprise Edition on RHEL

RHEL5 is packaged with ruby 1.8.5 which is now outdated. To replace it with REE:

rpm -e `rpm -qa|grep ruby` # remove outdated ruby packages
sudo yum install wget -y
sudo yum install gcc-c++ make patch zlib-devel -y
sudo yum install openssl-devel readline-devel -y
cd /tmp
wget http://rubyenterpriseedition.googlecode.com/files/ruby-enterprise-1.8.7-2011.03.tar.gz
tar xzvf ruby-enterprise-1.8.7-2011.03.tar.gz
sudo ./ruby-enterprise-1.8.7-2011.03/installer --dont-install-useful-gems --auto=/opt/ruby-enterprise
cat > /etc/profile.d/ruby-enterprise.sh <<EOF
if ! echo ${PATH} | /bin/grep -q /opt/ruby-enterprise/bin ; then
PATH=/opt/ruby-enterprise/bin:${PATH}
fi
EOF

. /etc/profile.d/ruby-enterprise.sh

Optware

I’ve finally bought myself a Buffalo wireless router with DD-WRT pre-installed. The hardware specs include a 680MHz Qualcomm Atheros CPU (using a MIPS32 core) and 128MB RAM. For connectivity the unit has dual band 2.4GHz/5GHz support and 5x1Gbps ports.  It also has a USB port for an external hard drive. Standard features include a Dnsmasq DHCP/DNS server and NTP.  DD-WRT uses an OpenWrt kernel based on Linux but adapted for a firmware environment.  Optware  installation for Atheros is described in a DD-WRT forum and the preferred package manager is Opkg.  Using the external USB port for storage is discussed in detail on the DD-WRT wiki.

Chef 0.10 on CentOS 5.x

My experience with Chef on CentOS 5 recently confirmed this is still a beta product. The bootstrap instructions are incomplete, leaving you hanging half-way down the page at "CentOS 5.x users will need to have version 4.2 or better of gcc in order for this to function. This may be a newer version of gcc than that which is installed via yum."  To finish the installation detour to this page that provides links to the FrameOS RBEL repository and installation instructions for the Chef server that worked for me. After completing the server install return to Bootstrap instructions and resume from ‘Verify All Components are Running’.

Posts navigation

1 2 3 4 5 6 7 8 11 12 13
Scroll to top