Anatoly Mikhailov's Profile

I'd like to share Unicorn+Nginx configuration with preload_app and optimized deployment scripts: https://gist.github.com/3052776

SSL offload is a common practice to reduce load on non-edge servers

for non-heroku users: If you want to get an access all-site through HTTPS-only what is the reason to handle SSL detection through Rack and ActionDispatch? All that code can be simplified by using redirection through web-server 301 permanent redirect.

server {
    listen       80;
    server_name  host.com *.host.com;
    rewrite ^(.*) https://$host$1 permanent;

    access_log /dev/null;
    error_log /dev/null;
}

A specific header Strict-Transport-Security tells the browser that all future requests (and cookies as well) should go through SSL only. Don't use SSL for partly access, because cookies can be hacked while you are non-SSL page.

Don't forget about scaling patterns such as SSL offload, so every application servers should not used an SSL, but edge load balancers only. So permanent redirection on web-server side only (not application) can help with scaling without any modifications of Rails codebase.

ssl_protocols SSLv2 SSLv3 TLSv1;

Ryan, are you sure about SSLv2? It's pretty unsecured protocol.
I spent a time on Nginx security and would like to share my config

    ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers               RC4:HIGH:!aNULL:!MD5;
    add_header                Strict-Transport-Security "max-age=16070400; includeSubdomains";
    add_header                X-Frame-Options DENY;

To enable TLS 1.1/1.2 protocols you need to compile Nginx with openssl > 1.0.x.
Some useful headers can help with interaction through HTTPS only (from all feature requests) and prevent an option to load your site into iframe.

  $ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
  $ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
  $ configure --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c

No-krb5 to disable Kerberos 5 authentication protocol which causes Nginx segfaults by Internet Explorer request (rarely bug)

Qualys SSL test can help in the search for vulnerabilities in web-server configuration.

I'm trying to use rack-pjax on the top div container and I can see the performance difference even the pushState reload whole body (header still loaded)

yes, I'm actually using Vagrant, so "config.ssh.max_tries = 150" can be helpful sometimes

Virtualbox has some bugs with SSH dhclient to get a proper IP address (https://github.com/mitchellh/vagrant/issues/455)

anyway, Vagrant is a pretty good interface to build distributed local environment and to provide production mirror servers setup

will wait for jquerymobile railscasts!

I'd like to use that Redis installation script:

  $ cd /tmp
  $ git clone --depth=1 git://github.com/defunkt/resque.git
  $ cd resque
  $ rake redis:install dtach:install
  $ vim /etc/redis.conf
        "daemonize yes
         bind 127.0.0.1
         loglevel notice
         logfile /var/log/redis.log
         dir /home/app/public_html/application/shared/db_backup/" 
  $ cd /tmp
  $ wget https://gist.github.com/raw/892578/bf55748800e3ca812c5ad8233b933bd6283d3aff/redis.sh
  $ adduser --system --no-create-home --disabled-login --disabled-password --group redis
  $ mv /tmp/redis.sh /etc/init.d/redis
  $ chmod +x /etc/init.d/redis
  $ touch /var/log/redis.log
  $ chown redis:redis /var/log/redis.log
  $ update-rc.d -f redis defaults

  $ /etc/init.d/redis start

Ryan, is the "force_ssl" needed if nginx setup with force ssl redirection?

why not to use retry within rescue block?