Forum: Ruby on Rails recommended setup of Mongrel_cluster + SSL for multiple apps

Greg Edwards (Guest)
on 2006-05-03 19:01
(Received via mailing list)
I'd like to use Mongrel_cluster with SSL on a green-field application (it can be configured however is best - initially, "ease of setup" is important, but then soon after will be scaling and response time). I've read a lot of emails on this topic, and checked out the Mongrel pages, etc, but I'm left with this question of what is recommended:



For a client-login application (no pages/images/anything are accessible without logging in first - and the authentication is being done in Rails, not in Apache/Lighttpd):

1) Is there a recommended setup to put SSL in front of a mongrel cluster?

(pound is said to be somewhat slow and therefore won't scale well; lighttpd has ssl built in, but there are some problems with mod_proxy so on the mongrel website it says to connect to one port which is running balance; pen has only experimental SSL built into it; Apache seems like overkill if it is ONLY being used as an SSL front end)



2) if all pages are protected by login (being done in Rails using session variables to make sure that someone is logged in before serving a page), then pages caching in Lighttpd/Apache isn't really feasible since they serve pages without checking with Rails first (i.e., without making sure the person is logged in) unless you want to have lighttpd/apache do the authentication (which I don't want). Given that lighttpd / apache are usually recommended to be in front of mongrel is in the case of serving up static content. but without that, then the only reason to use them is as a SSL front end, but then there are other options.



3) if you're going to run multiple apps on the setup (as: app1.eyetools.com, app2.eyetools.com, etc) does that change the recommendation?





Greg Edwards

CTO, Eyetools Inc.

gedwards1@eyetools.com

(916) 792 4538
Zed Shaw (Guest)
on 2006-05-03 19:05
(Received via mailing list)
Howdy, answers below...


On 5/2/06 4:01 PM, "Greg Edwards" <gedwards1@eyetools.com> wrote:

> (pound is said to be somewhat slow and therefore won't scale well; lighttpd
> has ssl built in, but there are some problems with mod_proxy so on the mongrel
> website it says to connect to one port which is running balance; pen has only
> experimental SSL built into it; Apache seems like overkill if it is ONLY being
> used as an SSL front end)
>

You've got three options that seem to be coming out as the best practices for mongrel clusters (whether you need SSL or not):

1) Use apache with mod_proxy_balancer.  Jonathan wrote a great article with a huge URI that covers this really well.
http://blog.innerewut.de/articles/2006/04/21/scali...
od_proxy_balancer-and-mongrel

2)  litespeed web server with mongrel, written up by Rick
http://weblog.techno-weenie.net/2006/4/11/setting-...

3)  Simple little pound setup with mongrel.  Written up by nobody yet.

There have also been mixed reviews of the following two options for people not needing SSL:

A) pen + mongrel written up by Ezra
http://brainspl.at/articles/2006/04/26/dead-simple...

B) balance + mongrel with no write-up but pretty simple to get going
http://www.inlab.de/balance.html

And, while you're at it, take a look at Bradley of railsmachine.net who has a spiffy cluster management plugin for mongrel:
http://www.forbiddenweb.org/viewtopic.php?id=93239

That should keep you busy for a while.

Most of the folks I talk with have found that lighttpd is starting to lack in the stability department, especially with its mod_proxy backends.  Man I wish Jan would discover the love valgrind shines on C code.

> 2) if all pages are protected by login (being done in Rails using session
> variables to make sure that someone is logged in before serving a page), then
> pages caching in Lighttpd/Apache isn't really feasible since they serve pages
> without checking with Rails first (i.e., without making sure the person is
> logged in) unless you want to have lighttpd/apache do the authentication
> (which I don't want). Given that lighttpd / apache are usually recommended to
> be in front of mongrel is in the case of serving up static content? but
> without that, then the only reason to use them is as a SSL front end, but then
> there are other options.
>

Not sure if this is a question, Greg, but yeah, authenticated pages pose a problem.  Read the above linked article on mod_proxy_balancer.  Jonathan does a great job of showing his architecture and talking about how he has to use fragment caching and memcached for nearly the same reason.

> 3) if you're going to run multiple apps on the setup (as: app1.eyetools.com,
> app2.eyetools.com, etc) does that change the recommendation?
>
>

Options 1-3 all handle this situation just fine, but with varying degrees of complexity.  Apache is probably the most complex, followed by litespeed, then pound (but I'm sure others have different opinions).

Options A & B can't do this since they just proxy tcp.  You could potentially do the rails trick where you can give conditional content based on the host, but I'm not really sure how you hook that one up.

Hope that helps.  If you get one working, please write it up for everyone so that we can start to build more knowledge around deployments.


Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
Greg Edwards (other box) (Guest)
on 2006-05-05 00:18
(Received via mailing list)
Zed,

Thanks for your answer. I'll keep you posted!
-Greg
Tom Mornini (Guest)
on 2006-05-05 00:58
(Received via mailing list)
On May 2, 2006, at 5:20 PM, Zed Shaw wrote:

>> question of what is recommended:
snip...

> You've got three options that seem to be coming out as the best
> practices
> for mongrel clusters (whether you need SSL or not):
>
> 1) Use apache with mod_proxy_balancer.  Jonathan wrote a great
> article with
> a huge URI that covers this really well.
> http://blog.innerewut.de/articles/2006/04/21/scali...
> apache-2-2-m
> od_proxy_balancer-and-mongrel

This was really helpful, thanks Zed (and Jonathan of course!)

I just finished creating an Apache config that handles static requests and only proxies dynamic content:

   # Serve static request with Apache
   RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} -f
   RewriteRule . -                                          [last]

   # Serve server-info and server-status with Apache
   RewriteCond %{REQUEST_URI} ^/(server-info|server-status)
   RewriteRule . -                                          [last]

   # Everything else goes to Mongrel
   RewriteRule ^/(.*)$ balancer://proxy_group/$1            [proxy]

   # This defines where the mongrels are
   <Proxy balancer://proxy_group>
     BalancerMember http://127.0.0.1:7000
     BalancerMember http://127.0.0.1:7001
   </Proxy>

   # This handles the reverse proxying
   ProxyPassReverse / balancer://teaser/

--
-- Tom Mornini
Tom Mornini (Guest)
on 2006-05-05 01:04
(Received via mailing list)
On May 4, 2006, at 3:55 PM, Tom Mornini wrote:

>   RewriteRule . -                                          [last]
>   </Proxy>
>
>   # This handles the reverse proxying
>   ProxyPassReverse / balancer://teaser/

Oops! Last line should be:

   ProxyPassReverse / balancer://proxy_group/

--
-- Tom Mornini
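
The rewrite rules above let Apache answer for any file that exists under the document root, so in a login-only application like the one Greg describes in point 2, whatever sits in `public/` is served without the Rails session check. The Ruby sketch below is an added example, not code from the thread: it mirrors the three rewrite decisions and lists the non-asset files in a constructed document root; `PUBLIC_ASSET_EXTS`, the helper names and the sample files are assumptions.

```ruby
require "tmpdir"
require "fileutils"
# Extensions treated as public assets (an assumption of this example).
PUBLIC_ASSET_EXTS = %w[.css .js .png .gif .jpg .ico].freeze

# Mirror the three rewrite decisions: which component answers this path?
def route(docroot, path)
  # RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} -f
  return :apache_static if File.file?(File.join(docroot, path))
  # RewriteCond %{REQUEST_URI} ^/(server-info|server-status)
  return :apache_status if path.match?(%r{\A/(server-info|server-status)})
  :mongrel # RewriteRule ^/(.*)$ balancer://proxy_group/$1
end

# Files Apache hands out before Rails can check the session, minus assets.
def unauthenticated_exposures(docroot)
  Dir.glob("**/*", File::FNM_DOTMATCH, base: docroot)
     .select { |rel| File.file?(File.join(docroot, rel)) }
     .reject { |rel| PUBLIC_ASSET_EXTS.include?(File.extname(rel).downcase) }
     .map { |rel| "/#{rel}" }
     .sort
end

# Constructed document root: one asset, one error page, and one page-cached
# copy of a login-only report (Rails page caching writes under public/).
def build_sample_docroot(dir)
  { "stylesheets/app.css" => "body{}",
    "404.html"            => "not found",
    "reports/42.html"     => "<h1>Q1 revenue</h1>" }.each do |rel, body|
    full = File.join(dir, rel)
    FileUtils.mkdir_p(File.dirname(full))
    File.write(full, body)
  end
end

def demo
  Dir.mktmpdir do |root|
    build_sample_docroot(root)
    paths = %w[/stylesheets/app.css /reports/42 /reports/42.html /server-status]
    [paths.map { |p| [p, route(root, p)] }.to_h, unauthenticated_exposures(root)]
  end
end

if __FILE__ == $PROGRAM_NAME
  routes, exposed = demo
  routes.each { |path, who| puts format("%-22s -> %s", path, who) }
  puts "served without a Rails login check: #{exposed.join(', ')}"
end
```

In the sample, `404.html` is expected to be public, while `reports/42.html` is the kind of entry to remove from the document root or cover with an access rule in the front end.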