Forum: Ruby Mongrel Web Server 0.3.12.1 -- Iron Mongrel

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Zed S. (Guest)
on 2006-04-04 10:15
(Received via mailing list)
Hello All Mongrel Users,

For the unintiated, Mongrel is a web server that runs Ruby web
applications
really fast.  Read http://mongrel.rubyforge.org/ to get find out more
about
it.

This is the Iron Mongrel release.  It is the result of trying to trash
Mongrel until it can't move and then fixing anything that comes up.  The
work was done on EastMedia's and VeriSign's upcoming project in order to
make sure it can handle heavy loads and potentially malformed requests.
The
project is a security and identity project so having a web server that
is
able to block bad requests is very important.

The testing methods used were (are):

1.  Unit testing what I can.  Mongrel is a server so many tests have to
be
done "live".
2.  Thrashing Mongrel's HTTP parser internally with random or
near-random
data (called fuzzing).
3.  Using "Peach Fuzz":http://peachfuzz.sourceforge.net/ to thrash
several
live apps with randomness.
4.  Running several extensive little scripts to explore the edges of
death
for Mongrel.
5.  Heavy code audits covering as much code as possible to find any
possible
loose ends.

The end result is a lot of little fixes which make Mongrel more robust
against badly behaving clients and possibly against many potential
security
risks in the future.  In general Mongrel 0.3.12.1 behaves more
consistently
compared to past releases when given random data or maliciously
formatted
data.

The main changes are related to how IO is processed and how the HTTP
parser
rejects "bad" input.  What the parser now blocks is:

* Any header over 112k.
* Any query string over 10k.
* Any header field value over 80k.
* Any header field name over 256 bytes.
* Any request URI (the file part, not the whole thing) greater than 512
bytes.

As soon as these conditions are detected the client is disconnected
immediately and a log message is printed out listing the IP address, the
exact cause, and the data that caused it. I'll remove the data dump
later,
but I want people to shoot me valid requests that cause parser errors.

That's not all though.  I've started a "security":security.html page
where
I'll publish the results of security threats, tests, and improvements as
well as any advice for folks.

This release also features a few little features here and there:

* Initial support for a "config script".  I'll be documenting this more,
but
it basically lets you use the Mongrel::RailsConfigurator to augment your
application's config via a small script.  Just pass "-S
config/mongrel.rb"
and put any Mongrel::RailsConfigurator statements that are reasonable.
* Mongrel will report the correct REMOTE_ADDR variable, but it does a
little
trick where if there is an X-FORWARDED-FOR header then it sets
REMOTE_ADDR
to that.
* Fixes for little bugs like double log messages, but not a lot of
changes
to the overall core.

Go ahead and install the usual way:  gem install mongrel *or* gem
upgrade


Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/

P.S. The snazzy Iron Mongrel logo is courtesy court3nay from
http://caboo.se/
Toby DiPasquale (Guest)
on 2006-04-04 16:11
Zed S. wrote:
> This is the Iron Mongrel release.  It is the result of trying to trash
> Mongrel until it can't move and then fixing anything that comes up.  The
> work was done on EastMedia's and VeriSign's upcoming project in order to
> make sure it can handle heavy loads and potentially malformed requests.
> The
> project is a security and identity project so having a web server that
> is
> able to block bad requests is very important.

Any plans for an Mongrel XML-RPC hook, a la XMLRPC::WEBrickServlet? I
didn't see any other than what comes with ActionWebService. I am using
XML-RPC with WEBrick now and I'd love to move off of it and onto
Mongrel. Would you accept a patch if submitted?

--
Toby DiPasquale
pat eyler (Guest)
on 2006-04-04 19:26
(Received via mailing list)
Heh, a new version on the day my mini writeup of 0.3.12 went live.
Isn't
that the way things always go?   ;^)

On 4/4/06, Zed S. <removed_email_address@domain.invalid> wrote:
> project is a security and identity project so having a web server that is
> 4.  Running several extensive little scripts to explore the edges of death
> for Mongrel.
> 5.  Heavy code audits covering as much code as possible to find any possible
> loose ends.

This sounds very cool.   any chance you could write up some of your
testing
activity in more detail?   I think this would be a great way to learn
more about
testing beyond unit testing.

>
> The end result is a lot of little fixes which make Mongrel more robust
> against badly behaving clients and possibly against many potential security
> risks in the future.  In general Mongrel 0.3.12.1 behaves more consistently
> compared to past releases when given random data or maliciously formatted
> data.

Again, seeing more specific examples (show us the code man!) would be
awesome.

>
[deleted]
Zed S. (Guest)
on 2006-04-05 10:34
(Received via mailing list)
On 4/4/06 11:23 AM, "pat eyler" <removed_email_address@domain.invalid> wrote:

> Heh, a new version on the day my mini writeup of 0.3.12 went live.  Isn't
> that the way things always go?   ;^)
>
Where's your write-up?  Yeah, I'm pushing hard to 0.3.13 (and then 0.4
hopefully before or on Canada on Rails).  The core functionality won't
change, just stability and mostly debugging enhancements.

> This sounds very cool.   any chance you could write up some of your testing
> activity in more detail?   I think this would be a great way to learn more
> about testing beyond unit testing.
>

I'll see if I can write it up.

>>
>> The end result is a lot of little fixes which make Mongrel more robust
>> against badly behaving clients and possibly against many potential security
>> risks in the future.  In general Mongrel 0.3.12.1 behaves more consistently
>> compared to past releases when given random data or maliciously formatted
>> data.
>
> Again, seeing more specific examples (show us the code man!) would be
> awesome.
>

The majority of the changes were to simply stop accepting elements that
were
above certain fixed lengths and to read smaller chunks of IO so that
errors
are detected earlier.  I'll do a more complete write-up later when I can
breath.  Or maybe a BOF at CoR?

Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
pat eyler (Guest)
on 2006-04-05 17:51
(Received via mailing list)
On 4/5/06, Zed S. <removed_email_address@domain.invalid> wrote:
>
>
>
> On 4/4/06 11:23 AM, "pat eyler" <removed_email_address@domain.invalid> wrote:
>
> > Heh, a new version on the day my mini writeup of 0.3.12 went live.  Isn't
> > that the way things always go?   ;^)
> >
> Where's your write-up?

It was a short blurb in my latest Ruby article at Linux Journal:
http://www.linuxjournal.com/article/8970

I'd love to to a larger piece on it though at some point though.

> Yeah, I'm pushing hard to 0.3.13 (and then 0.4
> hopefully before or on Canada on Rails).  The core functionality won't
> change, just stability and mostly debugging enhancements.
>

Maybe this is a good time for me to put together an outline/proposal
then.

> >> risks in the future.  In general Mongrel 0.3.12.1 behaves more consistently
> breath.  Or maybe a BOF at CoR?
I wish I could make CoR ... If you're interested on inut for a writeup,
I'd
love to see:

  What kinds of tests you ran and why you ran them
  Examples of problems you found, why they were important, and
how you fixed them.
  Thoughts on automating this kind of testing and integrsating it
into your release process.
Zed S. (Guest)
on 2006-04-06 17:54
(Received via mailing list)
Hey Toby,

Part of Mongrel's design is that you don't have to send me patches to
give
people these kinds of features.  You can use the GemPlugin system to
create
your own handlers, commands, and pretty much anything else Mongrel needs
to
implement this.  Then, provide some simple instructions and people can
get
XML-RPC by just installing your gem and doing a bit of configuration.

This keeps Mongrel light and lets people extend it for their own needs.
There's already people using GemPlugins to implement management commands
through Capistrano, security enhancements, and monitoring for Mongrel.

So, if you're feeling DIY then first read this:

  http://mongrel.rubyforge.org/docs/gem_plugin.html

Which will get you started with the actual plugin.  Then read the
Mongrel::Configurator.uri and Mongrel::Configurator.plugin
documentation:

  http://mongrel.rubyforge.org/rdoc/index.html

You write the Handler slightly different when you do it as a GemPlugin:

  class XmlRpcHandler < GemPlugin::Plugin "/handlers"
    include Mongrel::HttpHandlerPlugin
  end

Everything else is the same as with plain HttpHandler.

Once you have your plugin written, install it like a normal gem and then
go
to your Rails app directory.  In there write a config/mongrel.conf file.
This will actually be a Ruby file but we name it .conf so Rails doesn't
try
to load it.

This mongrel.conf file acts like it's a chunk of code run inside the
mongrel_rails boot process (inside Configurator).  In your case you'd
have
something like this:

  uri "/myxmlrpcthing", :handler =>
plugin("/handlers/toby::xmlrpchandler",
:op1 => true)

Your handler's init.rb file should load any of the libraries it needs
and it
should use the GemPlugin configuration and resource loading to do any
extra
configs.

Finally, you load this mongrel.conf file with:

  mongrel_rails start -S config/mongrel.conf

And your handler gets loaded and attached to /myxmlrpcthing with op1 =>
true.

Now, if you don't want to run rails you'll just write either your own
starter script using Mongrel::Configurator or add a command plugin (seen
the
above docs for an example) so people can run it manually. Take a look at
the
mongrel_rails source to get inspiration.

And that's about it.  Let me know if you hit problems and I'll help you
out.
It'll be a good test of how easy this is and help me write the docs.

Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
Michael Schoen (Guest)
on 2006-04-08 08:54
(Received via mailing list)
Zed S. wrote:
> This keeps Mongrel light and lets people extend it for their own needs.
> There's already people using GemPlugins to implement management commands
> through Capistrano, security enhancements, and monitoring for Mongrel.

Do you know if those folks would mind sharing the Capistrano and
monitoring plugins?

Also, are you planning on something like scgi_cluster, to make it easier
to configure and manage clusters of Mongrels (eg, proxied behind
lighttpd)?
Zed S. (Guest)
on 2006-04-08 23:18
(Received via mailing list)
Bradley Taylor says he's using these Capistrano tasks with Mongrel and
that
they work at least on Debian:

task :mongrel_start, :roles => app do
  run "mongrel_rails start --chdir #{release_path} -d"
end

task :mongrel_stop do
  run "mongrel_rails stop --chdir #{release_path}
end

task :mongrel_restart do
  run "mongrel_rails restart --chdir #{release_path}
End

As for cluster stuff, it's planned but not on the list for now.

Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
This topic is locked and can not be replied to.