Recommended setup of Mongrel_cluster + SSL for multiple apps

I’d like to use Mongrel_cluster with SSL on a green-field application (it
can be configured however is best - initially, “ease of setup” is important,
but then soon after will be scaling and response time). I’ve read a lot of
emails on this topic, and checked out the Mongrel pages, etc, but I’m left
with this question of what is recommended:

For a client-login application (no pages/images/anything are accessible
without logging in first - and the authentication is being done in Rails,
not in Apache/Lighttpd):

  1. Is there a recommended setup to put SSL in front of a mongrel cluster?

(pound is said to be somewhat slow and therefore won’t scale well; lighttpd
has ssl built in, but there are some problems with mod_proxy so on the
mongrel website it says to connect to one port which is running balance; pen
has only experimental SSL built into it; Apache seems like overkill if it is
ONLY being used as an SSL front end)

  2. if all pages are protected by login (being done in Rails using session
    variables to make sure that someone is logged in before serving a page),
    then pages caching in Lighttpd/Apache isn’t really feasible since they
    serve pages without checking with Rails first (i.e., without making sure
    the person is logged in) unless you want to have lighttpd/apache do the
    authentication (which I don’t want). Given that lighttpd / apache are
    usually recommended to be in front of mongrel is in the case of serving
    up static content. But without that, then the only reason to use them is
    as a SSL front end, but then there are other options.

  3. if you’re going to run multiple apps on the setup (as:
    app1.eyetools.com, app2.eyetools.com, etc) does that change the
    recommendation?

Greg E.

CTO, Eyetools Inc.

[email protected]

(916) 792 4538

Howdy, answers below…

On 5/2/06 4:01 PM, “Greg E.” [email protected] wrote:

> (pound is said to be somewhat slow and therefore won’t scale well; lighttpd
> has ssl built in, but there are some problems with mod_proxy so on the mongrel
> website it says to connect to one port which is running balance; pen has only
> experimental SSL built into it; Apache seems like overkill if it is ONLY being
> used as an SSL front end)

You’ve got three options that seem to be coming out as the best practices
for mongrel clusters (whether you need SSL or not):

  1. Use apache with mod_proxy_balancer. Jonathan wrote a great article with
    a huge URI that covers this really well.
    http://blog.innerewut.de/articles/2006/04/21/scaling-rails-with-apache-2-2-mod_proxy_balancer-and-mongrel

  2. litespeed web server with mongrel, written up by Rick
    http://weblog.techno-weenie.net/2006/4/11/setting-up-litespeed-with-mongrel

  3. Simple little pound setup with mongrel. Written up by nobody yet.

There have also been mixed reviews of the following two options for people
not needing SSL:

A) pen + mongrel written up by Ezra
http://brainspl.at/articles/2006/04/26/dead-simple-deployment

B) balance + mongrel with no write-up but pretty simple to get going

And, while you’re at it, take a look at Bradley of railsmachine.net who has
a spiffy cluster management plugin for mongrel:
http://www.forbiddenweb.org/viewtopic.php?id=93239

That should keep you busy for a while.

Most of the folks I talk with have found that lighttpd is starting to lack
in the stability department, especially with its mod_proxy backends. Man I
wish Jan would discover the love valgrind shines on C code.

>   2. if all pages are protected by login (being done in Rails using session
>     variables to make sure that someone is logged in before serving a page), then
>     pages caching in Lighttpd/Apache isn’t really feasible since they serve pages
>     without checking with Rails first (i.e., without making sure the person is
>     logged in) unless you want to have lighttpd/apache do the authentication
>     (which I don’t want). Given that lighttpd / apache are usually recommended to
>     be in front of mongrel is in the case of serving up static content. But
>     without that, then the only reason to use them is as a SSL front end, but then
>     there are other options.

Not sure if this is a question Greg, but yeah, authenticated pages pose a
problem. Read the above linked article on mod_proxy_balancer. Jonathan
does a great job of showing his architecture and talking about how he has to
use fragment caching and memcached for nearly the same reason.

>   3. if you’re going to run multiple apps on the setup (as: app1.eyetools.com,
>     app2.eyetools.com, etc) does that change the recommendation?

Options 1-3 all handle this situation just fine, but with varying degrees of
complexity. Apache is probably the most complex, followed by litespeed, then
pound (but I’m sure others have different opinions).

Options A & B can’t do this since they just proxy tcp. You could
potentially do the rails trick where you can give conditional content based
on the host, but I’m not really sure how you hook that one up.

Hope that helps. If you get one working, please write it up for everyone so
that we can start to build more knowledge around deployments.

Zed A. Shaw

http://mongrel.rubyforge.org/

On May 2, 2006, at 5:20 PM, Zed S. wrote:

> question of what is recommended:

snip…

> You’ve got three options that seem to be coming out as the best practices
> for mongrel clusters (whether you need SSL or not):
>
>   1. Use apache with mod_proxy_balancer. Jonathan wrote a great article with
>     a huge URI that covers this really well.
>     http://blog.innerewut.de/articles/2006/04/21/scaling-rails-with-apache-2-2-mod_proxy_balancer-and-mongrel

This was really helpful, thanks Zed (and Jonathan of course!)

I just finished creating an Apache config that handles static requests and
only proxies dynamic content:

    # Serve static request with Apache
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} -f
    RewriteRule . - [last]

    # Serve server-info and server-status with Apache
    RewriteCond %{REQUEST_URI} ^/(server-info|server-status)
    RewriteRule . - [last]

    # Everything else goes to Mongrel
    RewriteRule ^/(.*)$ balancer://proxy_group/$1 [proxy]

    # This defines where the mongrels are
    <Proxy balancer://proxy_group>
    BalancerMember http://127.0.0.1:7000
    BalancerMember http://127.0.0.1:7001
    </Proxy>

    # This handles the reverse proxying
    ProxyPassReverse / balancer://teaser/


– Tom M.

On May 4, 2006, at 3:55 PM, Tom M. wrote:

> RewriteRule . - [last]
>
> # This handles the reverse proxying
> ProxyPassReverse / balancer://teaser/

Oops! Last line should be:

ProxyPassReverse / balancer://proxy_group/


– Tom M.
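
The slip corrected above is a ProxyPassReverse naming balancer://teaser/ while the only group defined is proxy_group; ProxyPassReverse is the directive that rewrites Location headers on redirects coming back from the backends. The following is an added example, not part of the original posts: a small Python check that reports every balancer:// reference with no matching <Proxy balancer://...> block. The function name check_balancers and the embedded sample (the posted directives, re-typed) are assumptions of this example.

```python
import re

# Constructed sample: the directives from the config posted in this thread,
# re-typed here with the closing </Proxy> supplied (an assumption).
SAMPLE_CONFIG = """\
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} -f
RewriteRule . - [last]
RewriteCond %{REQUEST_URI} ^/(server-info|server-status)
RewriteRule . - [last]
RewriteRule ^/(.*)$ balancer://proxy_group/$1 [proxy]
<Proxy balancer://proxy_group>
BalancerMember http://127.0.0.1:7000
BalancerMember http://127.0.0.1:7001
</Proxy>
ProxyPassReverse / balancer://teaser/
"""

BALANCER = re.compile(r"balancer://([A-Za-z0-9_.-]+)")
PROXY_OPEN = re.compile(r"<Proxy\s+balancer://([A-Za-z0-9_.-]+)/?\s*>", re.I)


def check_balancers(config_text):
    """Return (undefined_refs, unused_definitions).

    undefined_refs: (line_number, directive, name) for each balancer:// URL
    whose group has no <Proxy balancer://name> block anywhere in the text.
    unused_definitions: sorted group names defined but never referenced.
    """
    defined, refs = set(), []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = PROXY_OPEN.match(line)
        if m:
            defined.add(m.group(1))
            continue
        directive = line.split()[0]
        for name in BALANCER.findall(line):
            refs.append((lineno, directive, name))
    # Resolve after the full pass so a reference may precede its definition.
    undefined = [r for r in refs if r[2] not in defined]
    used = {name for _, _, name in refs}
    return undefined, sorted(defined - used)


if __name__ == "__main__":
    undefined, unused = check_balancers(SAMPLE_CONFIG)
    for lineno, directive, name in undefined:
        print(f"line {lineno}: {directive} references undefined balancer '{name}'")
```
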

Zed,

Thanks for your answer. I’ll keep you posted!
-Greg