Forum: Ruby on Rails Rails on Mongrel

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Ef31136ad29b9ce06c9f718109a584cc?d=identicon&s=25 Pete (Guest)
on 2006-03-29 11:07
Hi,

After following advice from you good folks, I gave mongrel a try in a
cluster design based on the example on the Mongrel website - and it
worked right out of the box which is great - and it's very fast :)

I have got a bit stuck though. I have two MS Word files in
/public/files/. I can pull back these files no problem but it isn't
sending a mimetype.

I think I have two options, either to tell lighttpd to serve files in
/public/ itself and not pass them on to mongrel ( I have various paths
though i.e /store, /csv and /products to proxy ) or add to mongrels list
of mime types.

I'd prefer to do the former - but if that can't be done, does anyone
have an example mime file in YAML format? I've googled around a bit but
I haven't been able to find any examples of this.

Can anyone help or point me in the right direction?

Thanks in advance!
D810e7436feb302a3e4e6b11895a7f65?d=identicon&s=25 Gael Pourriel (Guest)
on 2006-03-29 14:25
(Received via mailing list)
I would definitly choose the 1st solution, proxy Mongrel to serve
Rails request and use Apache/Lighty to do the static serving, here's a
Apache 2.2 config snippet for it:

################# WebRick/Mongrel ######################
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<Directory "@@DocumentRoot@@">
    Options Indexes FollowSymLinks
    AllowOverride none
    Order allow,deny
    Allow from all
</Directory>

ProxyRequests Off

<Proxy *>
	Order deny,allow
	Allow from all
</Proxy>

ProxyPass /images !
ProxyPass /stylesheets !
ProxyPass /javascripts !
#ProxyPass /whatever_path_you_dont_want_to_send_to_mongrel !

ProxyPass / http://127.0.0.1:9001/
ProxyPassReverse / http://127.0.0.1:9001/

########################################################
6805b35d0a8ea3ede0a7da2d4cf5ae77?d=identicon&s=25 Jonathan Weiss (Guest)
on 2006-03-29 14:45
(Received via mailing list)
>
> I'd prefer to do the former - but if that can't be done, does anyone
> have an example mime file in YAML format? I've googled around a bit but
> I haven't been able to find any examples of this.
>
> Can anyone help or point me in the right direction?

Here is my mime.yaml file:

---
.ai: application/postscript
.asc: text/plain
.asf: video/x-ms-asf
.asx: video/x-ms-asf
.avi: video/x-msvideo
.bin: application/octet-stream
.bz2: application/x-bzip
.c: text/plain
.conf: text/plain
.css: text/css
.doc: application/msword
.dot: application/msword
.dtd: text/xml
.eps: application/postscript
.exe: application/octet-stream
.gif: image/gif
.gtar: application/x-gtar
.gz: application/x-gzip
.htm: text/html
.html: text/html
.jpeg: image/jpeg
.jpg: image/jpeg
.js: text/javascript
.m3u: audio/x-mpegurl
.mov: video/quicktime
.mp3: audio/mpeg
.mpeg: video/mpeg
.mpg: video/mpeg
.ogg: audio/x-wav
.pac: application/x-ns-proxy-autoconfig
.pdf: application/pdf
.png: image/png
.pps: application/powerpoint
.ppt: application/powerpoint
.ps: application/postscript
.qt: video/quicktime
.rtf: application/rft
.swf: application/x-shockwave-flash
.tar.bz2: application/x-bzip-compressed-tar
.tar.gz: application/x-tgz
.tar: application/x-tar
.tbz: application/x-bzip-compressed-tar
.text: text/plain
.tgz: application/x-tgz
.txt: text/plain
.txt: text/plain
.wav: audio/x-wav
.wax: audio/x-ms-wax
.wma: audio/x-ms-wma
.wmv: video/x-ms-wmv
.xbm: image/x-xbitmap
.xls: application/excel
.xml: text/xml
.xpm: image/x-xpixmap
.xwd: image/x-xwindowdump
.zip: application/zip



Jonathan
8c43ed7f065406bf171c0f3eb32cf615?d=identicon&s=25 Zed Shaw (Guest)
on 2006-03-29 17:34
(Received via mailing list)
Also, as Jonathan mentioned previously, the mime setting is broken on
win32.
It'll be fixed tonight.  I would also agree with Gael that you should
really
get lighttpd to do the serving.  Take a look at the CML script in the
lighttpd instructions for some quite nice voodoo to pull this off
simply.

Zed
Ef31136ad29b9ce06c9f718109a584cc?d=identicon&s=25 Pete (Guest)
on 2006-03-30 17:07
Hi,

I've just been testing the setup and from machines in the main office,
everything is fine. However when people connect from the stores,
request.remote_ip shows "127.0.0.1". When checking lighty's logs, it's
showing the correct IP.

This poses a problem because the application has to go live tomorrow
morning (trust me, had I had my way there'd have been time for proper
testing) and the system uses the remote IPs to determine which store is
connecting to the application :S

There are no proxies in the way and as I've said, lighty shows the
correct IP in its logs - just Mongrel can't see it for some reason.

Any suggestions? :)


Thanks in advance!



Pete Palmer
D810e7436feb302a3e4e6b11895a7f65?d=identicon&s=25 Gael Pourriel (Guest)
on 2006-03-30 17:15
(Received via mailing list)
I guess because you're proxying Mongrel behind Lighty so Mongrel sees
a request coming from Lighty and not your actual users....
Not sure you can do anything about this....

Gael
Ef31136ad29b9ce06c9f718109a584cc?d=identicon&s=25 Pete (Guest)
on 2006-03-30 17:21
Gael Pourriel wrote:
> I guess because you're proxying Mongrel behind Lighty so Mongrel sees
> a request coming from Lighty and not your actual users....
> Not sure you can do anything about this....
>
> Gael

I would tend to agree - yet it works perfectly for machines in the
office. I really can't see how this can happen. The office network is on
90.1.* and the store network is 10.*  - they both have direct
connections to the server. Lighty can see both real IPs - but Mongrel
can't see the store IPs.
Ef31136ad29b9ce06c9f718109a584cc?d=identicon&s=25 Pete (Guest)
on 2006-03-30 17:27
Gael Pourriel wrote:
> I guess because you're proxying Mongrel behind Lighty so Mongrel sees
> a request coming from Lighty and not your actual users....
> Not sure you can do anything about this....
>
> Gael

Works okay with just mongrel i.e if I remove lighty from the picture.
Still, that kills my cluster of nice mongrel backend servers :)
8c43ed7f065406bf171c0f3eb32cf615?d=identicon&s=25 Zed Shaw (Guest)
on 2006-03-30 17:42
(Received via mailing list)
Pete,

I actually don't track any of the REMOTE_USER, REMOTE_IDENT, or
REMOTE_HOST
parameters from CGI because the first two are security holes and all
three
are huge performance hits on Mongrel.  Typically the last one is used by
web
servers to log requests, but since Mongrel is behind a faster real web
server logging or tracking this again is a double waste.  Because this
(and
the fact that lighttpd hides the remote host) you get no remote host.

Also, I hope you realize that this is not a way to do a security check.
Remote IP addresses are easily faked.

Now, you have a real problem but there is a possible win-win solution.
Lighttpd supports mod_proxy (which you're already using), but it also
lets
you pick backends according to the $HTTP["remoteip"].  Rather than have
mongrel pick this, what you can do is setup one mongrel instance per
remote
site, and then have lighttpd proxy based on each using this variable.

So, if you had this before:

$HTTP["host"] == "www.example.org" {
  proxy.balance = "hash"
  proxy.server  = ( "" => ( ( "host" => "10.0.0.10" ),
                            ( "host" => "10.0.0.11" ),
                            ( "host" => "10.0.0.16" ),
                            ( "host" => "10.0.0.17" ) ) )
}

You'd change it to:

$HTTP["remoteip"] == "10.0.0.0/8" {
    proxy.balance = "hash"
    proxy.server = ( "" ( ( "host" => "127.0.0.1", "port" => 9000 ) ) )
}

$HTTP["remoteip"] == "10.0.1.0/8" {
    proxy.balance = "hash"
    proxy.server = ( "" ( ( "host" => "127.0.0.1", "port" => 9001 ) ) )
}

And so on.  The /8 is to pick a network rather than a single remoteip.

The docs for this are:

http://www.lighttpd.net/documentation/proxy.html
http://www.lighttpd.net/documentation/configuration.html

Two other options are:

1)  Give each remote site their own special DNS entry and then do what
37signals does with basecamp to setup their access.  There's a wiki
entry on
this.
2) Use the same $HTTP["remoteip"] but use it to rewrite the request to
pre-pend a "remote site id" to the request.  Then change your routes.rb
so
that you got something like:  /:remotesite/:controller/:action/:id.
This
then lets you avoid one backend per site but still gives you site
specific
stuff.
3)  Totally experimental, but look at the mod_setenv ability to
setenv.request_header and see if you can just set some header to the
remote
IP.  Ask in the #lighttpd IRC channel on irc.freenode.org.

Hope that helps, and good luck.

Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
Ef31136ad29b9ce06c9f718109a584cc?d=identicon&s=25 Pete (Guest)
on 2006-03-30 18:02
Hi,

I really appreciate the long reply. In this case it is reasonably secure
to use the remote IPs as each store (there are over a thousand) has a
specific IP and changing that IP would break a lot of stuff - plus they
don't have acces to make those changes etc etc - but yes, I would never
use this to do a security check for an app on the Internet.

I will go through your examples and give them all a try and see which
works best.

Thanks again for all your help and kudos for mongrel - it is definately
my server of choice.

Cheers,


Pete




Zed Shaw wrote:
> Pete,
>
> I actually don't track any of the REMOTE_USER, REMOTE_IDENT, or
> REMOTE_HOST
> parameters from CGI because the first two are security holes and all
> three
> are huge performance hits on Mongrel.  Typically the last one is used by
> web
> servers to log requests, but since Mongrel is behind a faster real web
> server logging or tracking this again is a double waste.  Because this
> (and
> the fact that lighttpd hides the remote host) you get no remote host.
>
> Also, I hope you realize that this is not a way to do a security check.
> Remote IP addresses are easily faked.
>
> Now, you have a real problem but there is a possible win-win solution.
> Lighttpd supports mod_proxy (which you're already using), but it also
> lets
> you pick backends according to the $HTTP["remoteip"].  Rather than have
> mongrel pick this, what you can do is setup one mongrel instance per
> remote
> site, and then have lighttpd proxy based on each using this variable.
>
> So, if you had this before:
>
> $HTTP["host"] == "www.example.org" {
>   proxy.balance = "hash"
>   proxy.server  = ( "" => ( ( "host" => "10.0.0.10" ),
>                             ( "host" => "10.0.0.11" ),
>                             ( "host" => "10.0.0.16" ),
>                             ( "host" => "10.0.0.17" ) ) )
> }
>
> You'd change it to:
>
> $HTTP["remoteip"] == "10.0.0.0/8" {
>     proxy.balance = "hash"
>     proxy.server = ( "" ( ( "host" => "127.0.0.1", "port" => 9000 ) ) )
> }
>
> $HTTP["remoteip"] == "10.0.1.0/8" {
>     proxy.balance = "hash"
>     proxy.server = ( "" ( ( "host" => "127.0.0.1", "port" => 9001 ) ) )
> }
>
> And so on.  The /8 is to pick a network rather than a single remoteip.
>
> The docs for this are:
>
> http://www.lighttpd.net/documentation/proxy.html
> http://www.lighttpd.net/documentation/configuration.html
>
> Two other options are:
>
> 1)  Give each remote site their own special DNS entry and then do what
> 37signals does with basecamp to setup their access.  There's a wiki
> entry on
> this.
> 2) Use the same $HTTP["remoteip"] but use it to rewrite the request to
> pre-pend a "remote site id" to the request.  Then change your routes.rb
> so
> that you got something like:  /:remotesite/:controller/:action/:id.
> This
> then lets you avoid one backend per site but still gives you site
> specific
> stuff.
> 3)  Totally experimental, but look at the mod_setenv ability to
> setenv.request_header and see if you can just set some header to the
> remote
> IP.  Ask in the #lighttpd IRC channel on irc.freenode.org.
>
> Hope that helps, and good luck.
>
> Zed A. Shaw
> http://www.zedshaw.com/
> http://mongrel.rubyforge.org/
8f4e0904722e18816f374297430b8446?d=identicon&s=25 Calle Dybedahl (Guest)
on 2006-03-30 20:15
(Received via mailing list)
>>>>> "Pete" == Pete  <miggyx@peteslan.net> writes:

> Works okay with just mongrel i.e if I remove lighty from the picture.
> Still, that kills my cluster of nice mongrel backend servers :)

Have Lighty rewrite the IP into the URL and Rails extract it into a
parameter with a route?
--
		     Calle Dybedahl <calle@cyberpomo.com>
		 http://www.livejournal.com/users/cdybedahl/
     "I wish more lesbians were normal and valued firm boobs over
		intellectual development." -- babycola
Ef31136ad29b9ce06c9f718109a584cc?d=identicon&s=25 Pete (Guest)
on 2006-03-31 11:26
Oddly everything worked great on Mongrel until this morning when I
restarted it with the new version - now it can't see any IPs :)

So I'm back with webrick atm. I'm hoping it will handle the load, but
it's a shame I can't use mongrel without updating the application and
unfortunately I don't have time right now.

I appreciate that most people won't even need this feature, but perhaps
it could be added to Mongrel as an option so that people who do need it,
can get to it?

Thanks all for your help :)


Cheers,


Pete





Calle Dybedahl wrote:
>>>>>> "Pete" == Pete  <miggyx@peteslan.net> writes:
>
>> Works okay with just mongrel i.e if I remove lighty from the picture.
>> Still, that kills my cluster of nice mongrel backend servers :)
>
> Have Lighty rewrite the IP into the URL and Rails extract it into a
> parameter with a route?
> --
> 		     Calle Dybedahl <calle@cyberpomo.com>
> 		 http://www.livejournal.com/users/cdybedahl/
>      "I wish more lesbians were normal and valued firm boobs over
> 		intellectual development." -- babycola
8c43ed7f065406bf171c0f3eb32cf615?d=identicon&s=25 Zed Shaw (Guest)
on 2006-03-31 19:48
(Received via mailing list)
Pete.

As I mentioned before I took REMOTE_ADDR since it was redundant and a
huge
performance hit.  I'll look at adding a flag so people can turn it on if
they need it.

But, in your case it wouldn't help since you have lighttpdin front of
your
servers.  What you'll see is always 127.0.0.1.  Take a look at this
patch
for lighttpd:

http://trac.lighttpd.net/trac/attachment/wiki/Rele...
d-1.4.10-mod_extforward.c

It seems that they are working on a way to pass this on, but that Apache
has
support for doing this right now.  I'll investigate this further and get
back to you on it.

Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
8c43ed7f065406bf171c0f3eb32cf615?d=identicon&s=25 Zed Shaw (Guest)
on 2006-03-31 20:59
(Received via mailing list)
Pete,

Simple solution to your problem.  Change any code where you need to get
the
remote host to:

request.params["HTTP_X_FORWARDED_FOR"]

And that should be the IP of the remote client.

Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
This topic is locked and can not be replied to.