Last week, one of our application servers died. We have four app servers, so in theory, the death of one app server shouldn't bring the entire platoon down. However, real-life had other plans: 95% of requests were handled fine, but around 5% were being dropped. Here's the story of how we diagnosed and fixed the issue with our realtime charts.
The Problem
Our web stack looks like this: A web server running HAProxy (using Apache to process HTTPS requests), which then uses round-robin …
…to enable non-ssl mode has no effect. This commit ensures we render both an HTTP and HTTPS version of the Chef API lb config. This behavior now also matches Private Chef.
This fixes the following issues:
CHEF-4029 configurable bookshelf url & nginx ssl port issue
Ensure Nginx config respects configured ports.
This patch makes Nginx's rewrite and proxy set header directives respect the configured SSL port (node['chef_server']['nginx']['ssl_port'] …
§ Absolutely! 14 lessons after five years of professional programming:
6. If you feel one use-case scenario will "probably be ok", that's the one that's going to lead to catastrophic failure a month in production. Trust your paranoid gut, test and verify.
§ 5 ways to implement HTTPS in an insufficient manner (and leak sensitive data). A follow up to, SSL is not about encryption:
It's about assurance. It's about establishing …
…for yourself. Use the FQDN of your newly installed Chef Server, with HTTPS. The validation key needs to be copied over from the Chef Server from /etc/chef-server/chef-validator.pem to ~/.chef to use it for automatically bootstrapping nodes with knife bootstrap.
    % knife configure -i
    WARNING: No knife configuration file found
    Where should I put the config file? [/home/jtimberman/.chef/knife.rb]
    Please enter the chef server URL: [http://chef.example.com:4000] https://chef.example.com
    Please …
…acceleration is slower than a normal UIScrollView. Caching data with HTTPS didn't seem to work, so we dropped in SDURLCache. Handling refreshes with content that pops in "above" the current scroll position like a UITableView/UICollectionView is not perfect yet. Despite these issues, there's plenty of benefits:
Rapid iteration on our mobile web views without pushing a new build
All mobile web users on any device benefit …
…the TCP handshake is complete, and if we're connecting to a secure destination (HTTPS), then the SSL handshake must take place. This can add up to two additional roundtrips of latency delay between client and server. If the SSL session is cached, then we can "escape" with just one additional roundtrip.
Finally, Chrome is able to dispatch the HTTP request (requestStart in the Nav Timing figure above). Once received, the server can process the request and then stream …
I hate dealing with server mysteries.
Squash - Online bug trackers with some interesting new capabilities.
How to: Configure Burp and Chrome for HTTPS (SSL) packet inspection and web site debugging on Mac OSX - A useful trick to know.
Case Study: Pro-active Log Review Might Be a Good Idea - A cute story of developer malfeasance.
jQuery 1.9 final, jQuery 2.0 beta, Migrate final released - Big updates from the jQuery folks.
Thredis - Threaded fork of redis.
Configure Elastic Beanstalk for HTTPS
Our application uses HTTPS to secure our users from snoopers. It's highly recommended that all portions of your site be served over HTTPS (not just the registration/login portions). Setting up HTTPS on Elastic Beanstalk requires two steps. First, create and upload an SSL certificate, then configure Elastic Beanstalk to use your certificate.
For a production application, you should use a purchased certificate from a reputable Certificate Authority…
Configuring HAProxy for HTTP, HTTPS, and SPDY
What we want to do is to configure our HAProxy as an SSL termination proxy. Meaning, HAProxy will be the one serving our SSL certificate back to the client, and all traffic forwarded to our internal servers will flow unencrypted. This also means that HAProxy will need to handle the NPN handshake. In fact, ideally, it should handle and route all types of traffic: HTTP, HTTPS, and SPDY.
defaults
    log 127.0.0.1 local0 …
§ Well written and with an interactive map you can explore, hopefully this will drive the point home. Latency: The New Web Performance Bottleneck:
when it comes to your web browsing experience, it turns out that latency, not bandwidth, is likely the constraining factor today.
§ HTTP Strict Transport Security is nifty:
HSTS tells browsers to always make requests over HTTPS to HSTS sites. Sites become HSTS either by being built into the browser, or by advertising a header