Anatoly Mikhailov's Profile

GitHub User: mikhailov

Site: http://sonru.com

Comments by Anatoly Mikhailov

I'd like to share Unicorn+Nginx configuration with preload_app and optimized deployment scripts: https://gist.github.com/3052776

SSL offload is a common practice to reduce load on non-edge servers.

For non-Heroku users: if you want the whole site to be accessible through HTTPS only, what is the reason to handle SSL detection through Rack and ActionDispatch? All that code can be simplified by using a 301 permanent redirect on the web server.

nginx (http block)
server {
    listen       80;
    server_name  host.com *.host.com;
    rewrite ^(.*) https://$host$1 permanent;

    access_log /dev/null;
    error_log /dev/null;
}

A specific header, Strict-Transport-Security, tells the browser that all future requests (and cookies as well) should go through SSL only. Don't use SSL for only part of the site, because cookies can be hijacked while you are on a non-SSL page.

Don't forget about scaling patterns such as SSL offload: application servers should not use SSL, only the edge load balancers. So a permanent redirect on the web-server side only (not in the application) can help with scaling without any modification of the Rails codebase.
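As an added example (not part of the comment above and not RailsCasts' own configuration), the redirect-at-the-edge pattern described there carried through to a complete nginx setup: port 80 answers only with a 301, TLS terminates on the edge server, and the application servers are proxied over plain HTTP with the original scheme passed along so the application can still tell the request was secure. Hostnames, certificate paths and upstream addresses are placeholders.

```nginx
# Added example: TLS offload at the edge, plain HTTP to the app servers.
# host.com, the certificate paths and the 10.0.0.x upstreams are placeholders.

upstream app_servers {
    server 10.0.0.11:8080;   # application servers speak plain HTTP only
    server 10.0.0.12:8080;
}

server {
    listen      80;
    server_name host.com *.host.com;

    # 301 everything to HTTPS. $request_uri keeps the path and the query
    # string, so deep links and bookmarks survive the redirect.
    return 301 https://$host$request_uri;
}

server {
    listen      443 ssl;
    server_name host.com *.host.com;

    ssl_certificate     /etc/nginx/ssl/host.com.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/host.com.key;

    # Set HSTS only in the HTTPS server: browsers ignore it over plain HTTP,
    # and a long max-age is hard to undo, so start low and raise it later.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://app_servers;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        # The application never sees TLS itself, so tell it the original
        # scheme; Rack's request.ssl? (and therefore Rails' url helpers)
        # read this header.
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two caveats before copying this: `includeSubDomains` combined with `server_name *.host.com` means every subdomain, including ones that are not Rails at all, must serve valid HTTPS for the whole max-age, or browsers will refuse to load them; and `X-Forwarded-Proto` is only trustworthy if the application servers are not reachable from the outside, since any client that can reach them directly can set that header itself.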

ssl_protocols SSLv2 SSLv3 TLSv1;

Ryan, are you sure about SSLv2? It's a pretty insecure protocol.
I spent some time on Nginx security and would like to share my config

nginx (http block)
    ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers               RC4:HIGH:!aNULL:!MD5;
    add_header                Strict-Transport-Security "max-age=16070400; includeSubdomains";
    add_header                X-Frame-Options DENY;

To enable the TLS 1.1/1.2 protocols you need to compile Nginx with OpenSSL > 1.0.x.
Some useful headers help enforce HTTPS-only interaction (for all future requests) and prevent your site from being loaded into an iframe.

bash
  $ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
  $ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
  $ ./configure --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c

no-krb5 disables the Kerberos 5 authentication protocol, which causes Nginx segfaults on Internet Explorer requests (a rare bug).

The Qualys SSL test can help find vulnerabilities in the web-server configuration.
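As an added example (not the commenter's configuration), the protocol and cipher lines posted above placed beside the settings a current nginx (1.13 or later, built against OpenSSL 1.1.1 or later) should carry. Only the protocol, cipher and header directives differ from the posted config; the hostname, certificate paths and upstream address are placeholders.

```nginx
# Added example: weak TLS settings as posted, beside a hardened version.
# host.com, the certificate paths and 127.0.0.1:8080 are placeholders.

# Weak (as posted in 2012). SSLv3 was broken by POODLE and RC4 by its
# keystream biases; both have since been prohibited by the IETF
# (RFC 7568 and RFC 7465 respectively), and TLS 1.0/1.1 are deprecated.
#
#   ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#   ssl_ciphers     RC4:HIGH:!aNULL:!MD5;

server {
    listen      443 ssl;
    server_name host.com *.host.com;

    ssl_certificate     /etc/nginx/ssl/host.com.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/host.com.key;

    # Hardened: TLS 1.2 and 1.3 only, AEAD ciphers with forward secrecy.
    # ssl_ciphers governs TLS 1.2 handshakes; TLS 1.3 suites are fixed by
    # OpenSSL and are not selected through this directive.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # Every cipher above is acceptable, so let the client pick the one
    # its hardware accelerates.
    ssl_prefer_server_ciphers off;

    # `always` (nginx >= 1.7.5) attaches the headers to error responses too;
    # without it a 404 or 500 page goes out with no HSTS or framing policy.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;

    location / {
        # Caveat: add_header is inherited from the server block only when a
        # location sets no add_header of its own. Adding one here would drop
        # both headers above for this location unless they are repeated.
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

Run `nginx -t` after editing, then reload and confirm the result with the Qualys test the comment mentions: a host with these settings should no longer offer SSLv3, TLS 1.0/1.1 or any RC4 suite, and the HSTS header should appear on every response including error pages.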

I'm trying to use rack-pjax on the top div container and I can see the performance difference even though pushState reloads the whole body (the header is still loaded).

yes, I'm actually using Vagrant, so "config.ssh.max_tries = 150" can be helpful sometimes

VirtualBox has some bugs with SSH/dhclient getting a proper IP address (https://github.com/mitchellh/vagrant/issues/455).

Anyway, Vagrant is a pretty good interface for building a distributed local environment and providing a production-mirror server setup.

Will wait for the jQuery Mobile RailsCasts!

I'd like to use that Redis installation script:

bash
  $ cd /tmp
  $ git clone --depth=1 git://github.com/defunkt/resque.git
  $ cd resque
  $ rake redis:install dtach:install
  $ vim /etc/redis.conf
        "daemonize yes
         bind 127.0.0.1
         loglevel notice
         logfile /var/log/redis.log
         dir /home/app/public_html/application/shared/db_backup/" 
  $ cd /tmp
  $ wget https://gist.github.com/raw/892578/bf55748800e3ca812c5ad8233b933bd6283d3aff/redis.sh
  $ adduser --system --no-create-home --disabled-login --disabled-password --group redis
  $ mv /tmp/redis.sh /etc/init.d/redis
  $ chmod +x /etc/init.d/redis
  $ touch /var/log/redis.log
  $ chown redis:redis /var/log/redis.log
  $ update-rc.d -f redis defaults
  $ /etc/init.d/redis start


Ryan, is the "force_ssl" needed if nginx setup with force ssl redirection?

Why not use retry within the rescue block?