
Contents :: Issue 6 | August 2007

Appliances and Virtualization
Simple Appliance Stacks with LFS. Creating simple, easy to develop and easy to deploy appliance stacks that run on any Linux host. This issue looks at using Linux From Scratch to create appliance stacks.

Database and Storage
Deploying PostgreSQL. PostgreSQL is a powerful open source database solution. We look at deploying PostgreSQL from source, and provide the basic 101 on using PostgreSQL.

Server Side
Web Acceleration with Varnish Cache / Production Rails with Mongrel. High performance reverse proxy for web acceleration using Varnish Cache. A second server article looks at Mongrel with Rails.

Web Applications
Deploying Globally Distributed Rails Apps. This article pulls the components together into a single solution: we look at using OpenVPN, Nginx, Mongrel and Rails to build a globally distributed web app architecture.

IP Networking
Global HTTP Load Balancing with Nginx. A look at Nginx, the fast and lightweight HTTP/HTTPS server that has some amazing features which, configured in the right way, enable Global Server Load Balancing.

Mobility
Enterprise WiFi - The Thin Access Point. The Thin Access Point (AP) is the foundation of any serious Enterprise WiFi deployment. This issue we look at what exactly a Thin AP is and the benefits to your wireless LAN.

Security
Secure Global Networks with OpenVPN. OpenVPN is a powerful SSL/TLS based VPN solution. This issue we think outside the box, and look at using OpenVPN to build secure private networks between servers.

Next Issue
Issue 7: Agile Product Management. Everything these days is Agile, whether it is Agile programming techniques or Agile product management; in order to compete, you have to be agile and adapt to the demands of your customers. This month's feature issue looks at open source solutions that enable Agile Product Management to deliver functional incremental releases on time and relevant to your customers' needs. The feature issue takes a step by step approach to the deployment of an Agile Product Management system that is 100% open source, and looks at a case study to see how dramatic the improvement on a product cycle can be with this approach.
o3 magazine :: page 4

/* Comments */ :: Issue 6 | August 2007

Welcome to the New o3 magazine

If you are a regular reader of o3 magazine, then you probably already know that we have not only changed the look of the magazine, but have also restructured and redesigned it from the ground up. We have improved on the best elements of o3 and incorporated some new ones, to bring you what we believe is the industry's leading Open Source magazine for professionals.

John Buswell (buswellj@o3magazine.com)

Whether you're a newbie or an expert, a CIO or system administrator, you're likely to find something of interest in the pages of the all new o3 magazine. We have redesigned the publication from the ground up, taking the best elements from past issues and incorporating some new ideas. One of the first things you may notice is that we are no longer using the US Letter page format; instead we are now using the international paper size, A4. If you are in the United States and want to print o3, you can purchase A4 paper from a number of sources for approximately the same price as US Letter. A4 paper works in most modern US printers, including HP laser printers. We are now using a nice green color for headings, code segments and URLs. Code segments are in italics, headings are in bold, and URLs are in standard type.

Regular readers will notice the absence of a feature article, and the absence of community pages such as upcoming events. These features have not been dropped; instead we have decided to distribute the magazine as two separate issues each month. This issue is the regular issue for August, with our regular columns. This month's feature issue on Agile Product Management will be available mid-month, and contains the feature article, events and other community pages.

I am pleased to welcome Mayank Sharma to the o3 team. Mayank has joined the team as Editor in Chief, and he started with this issue. Mayank will drive the o3 team, ensuring that schedules are kept and the magazine goes out on time. Mayank is a contributing editor for SourceForge, Inc. and contributes a monthly column for Packt Publishing.

o3 magazine
http://www.o3magazine.com
Mayank Sharma, Editor in Chief
Spliced Networks LLC, Publisher
John Buswell, Project Manager

Publisher Information: o3 magazine is published and distributed by Spliced Networks LLC. o3 magazine is a trademark of Spliced Networks LLC. All other trademarks belong to their respective owners.
Advertising Information: http://www.o3magazine.com/advertise/
Special Thanks: Scribus Development Team (http://www.scribus.net); The GIMP Development Team (http://www.gimp.org)
Feedback: Readers can comment on o3 magazine by visiting the o3 website and clicking on the Forums link. Distribution in print and electronic form is permitted only if unmodified from its original.
Copyright (c) 2007 Spliced Networks LLC


Server Side :: Production Rails/Mongrel

Production Rails with Mongrel
Mongrel is a lightweight and fast HTTP server intended to provide an alternative to FastCGI and traditional web servers. Mongrel sits between the production web servers and the Rails application. This article looks at running Mongrel with mongrel_cluster and Nginx.

John Buswell (buswellj@o3magazine.com)

There are many rapid Web development frameworks out there these days, and we have covered several of them in past issues. Once you have your Web 2.0 application developed, though, how do you deploy it effectively? If you are using one of the Ruby frameworks, one option is a project called Mongrel. Before Mongrel came around, the traditional way of deploying your Ruby based web application was to use a web server such as Apache or Lighttpd, with FastCGI connecting the web server to the web application. Mongrel supports the Ruby on Rails, Og+Nitro, Camping and IOWA Ruby frameworks. For the purposes of this article we will concentrate on Rails.

What is Mongrel?
Mongrel is a fast HTTP server and library for Ruby, intended as a faster and simpler alternative to FastCGI. Mongrel is typically deployed in conjunction with another web server such as Nginx, Lighttpd or Apache, with Mongrel sitting between the web server and the web application. Mongrel is fast and relatively simple. If you want features such as SSL/TLS or advanced URL inspection functions such as rewriting, you will need a web front end between the client and Mongrel.

Installing Mongrel
Mongrel is relatively simple to install; the best way is to use RubyGems. Gems is a packaging system, very similar in principle to apt-get and yum. If you don't have gems installed, download it from http://rubyforge.org/frs/?group_id=126, unpack it and run ruby setup.rb. Installing Mongrel is then as simple as running gem install mongrel. mongrel_cluster is a companion package that controls the configuration and management of a group of Mongrel instances. It is a good idea to install mongrel_cluster, especially for Rails applications; gem install mongrel_cluster is all you need to do.

Deployment strategy
As we mentioned earlier, Mongrel is typically deployed behind some other web server. While Apache is a popular option for LAMP (Linux, Apache, MySQL, PHP), these days there are much faster, lightweight options available. Before looking at deployment strategies, we need to look at exactly how Mongrel works with our Rails application. Rails is NOT multithreaded, but Mongrel is. In fact, depending on how much you have invested in Rails in terms of developers, you may want to look at other frameworks too if you want a fully threaded solution from end to end; Camping and Og+Nitro are supposed to be thread safe. Mongrel uses one thread per request, and each instance of Mongrel can handle many requests concurrently. If Mongrel becomes overloaded, it simply starts to close connections until it is capable of handling the load again; other web servers do something similar, and Apache does this when the backlog queue has been filled. Ruby on Rails is not thread safe, so everything up to the handoff and everything after the handoff with Mongrel is multithreaded, but when Mongrel hands control to the Rails application it takes a lock, and other threads within that Mongrel process have to wait until the lock is released before they can enter the Rails application. To get around this bottleneck,


you can run multiple instances of Mongrel; the best way to do this is with mongrel_cluster. With Apache 2.x you can use mod_proxy_balancer to load balance inbound requests between multiple Mongrel processes. Apache however isn't lightweight; a faster, lightweight alternative is Nginx (www.nginx.org). The hand off between the front end web server and the Mongrel back-end is a standard HTTP connection over IP. This flexibility makes for a very scalable solution: when you first deploy your application you might only need a single server to handle both the front end and Mongrel, and as your needs grow it is very easy to scale. Simply add a second server, set up the application and Mongrel on it, and change the front end configuration to point at the IP address of the second server; adding servers is as easy as adding a couple of new configuration lines to the front end.

Nginx
We selected Nginx for this article. It offers a lightweight HTTP and SSL/TLS solution, but unlike similar solutions such as Lighttpd it also has very good load balancing capabilities. The one flaw Nginx has is that it has no active health checking: it only notices a dead back-end when a proxied request to it fails, so otherwise it blindly load balances without knowing whether the remote service is actually up. Mongrel, however, runs a fixed number of processes; if you configure mongrel_cluster to spawn 3 processes, then Mongrel will have exactly 3 processes running, which makes it easy enough to work around this flaw. Using monit (http://www.tildeslash.com/monit/), you can monitor the back-end processes and automatically correct any problems as they occur, so in essence you can use monit to perform the health checking without impacting the performance of Nginx. In my opinion, the cut-over speed differences between monit fixing Mongrel and a commercial load balancing solution with built in health checking are non-existent. The only place monit falls short is that if it cannot fix the Mongrel process (perhaps a bad drive or a botched upgrade), then Nginx will continue to pass traffic to the bad server. Nginx is still a relatively new project, so we will probably see additional load balancing algorithms and health checking in the near future.

Deploying Mongrel
Using mongrel_cluster to run several instances of Mongrel is relatively easy. The first step is to configure mongrel_cluster: enter the directory where your Rails application is stored, for example cd /var/www/foo_corp/rails_app, and run mongrel_rails:

mongrel_rails cluster::configure -e production -p 4000 -N 4 -c /var/www/foo_corp/rails_app -a 10.10.10.20

Let's walk through this configuration. We have told mongrel_rails to use the cluster plugin in configure mode. The environment (-e) is production; remember Rails supports production, test and development environment modes. Next come the initial TCP port number (-p 4000) and the number of Mongrel instances (-N 4). mongrel_cluster spawns instances on ports in sequential order, so our 4 instances of rails_app will use ports 4000, 4001, 4002 and 4003. The -c option points to the Rails application location, and finally -a gives the address to bind the local services to. Since we don't want outside users hitting Mongrel directly, we have put Mongrel on an internal (non-routable) address which only the web front end can reach; on a single server you could also use loopback (127.0.0.1). Either way, make sure the host firewall does not expose these ports to the outside, since Mongrel speaks plain HTTP with nothing in front of it. Next, create the tmp/pids directory inside your Rails application (mongrel_cluster writes one pid file per instance there), so run mkdir -p /var/www/foo_corp/rails_app/tmp/pids.

Now you are ready to run Mongrel: start it with mongrel_rails cluster::start from the root directory of your Rails application. You should see Mongrel report that it has started on each port (4000, 4001, 4002 and 4003). Check this with netstat -nap | more and confirm that Mongrel is listening on the expected ports and address. The final test is to connect to a port locally and make sure you are getting the right output. You can


test this with lynx (lynx http://10.10.10.20:4000/) or directly with telnet (telnet 10.10.10.20 4000), typing GET / HTTP/1.1 followed by Enter twice. You should see the HTML output from your Rails application.

Configuring Nginx
The key piece of the Nginx configuration is the upstream block, where you define the upstream servers that you will load balance between. Here we use:

upstream railsapp.foocorp.com {
server 10.10.10.20:4000;
server 10.10.10.20:4001;
server 10.10.10.20:4002;
server 10.10.10.20:4003;
}

As we mentioned earlier this is very scalable: when you add another server, you simply add more server lines to load balance between. The server block for HTTP is straightforward:

server {
listen 192.168.50.80:80;
server_name support.foocorp.com;
root /var/www/static/support.foocorp.com/htdocs;
index index.html index.htm;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://railsapp.foocorp.com;
}
}
}

The various proxy_set_header options pass the real client IP address from Nginx to Mongrel, so that your Rails application logs the proper IP address. Note that X-Real-IP is always the address of the TCP peer that connected to Nginx, whereas $proxy_add_x_forwarded_for appends that address to any X-Forwarded-For header the client itself supplied; if your application reads X-Forwarded-For, it must only trust the last entry. The proxy_pass line matches the hostname in the upstream block of the configuration.

Static Content Overlay
One way to improve performance is to overlay static content from your Rails application in the htdocs path for that site in Nginx. For example, your public/images/ directory holds the images for your Rails application; putting these files in /var/www/static/support.foocorp.com/htdocs (per our example) results in Nginx serving the file itself, instead of passing the request on to Mongrel. This is controlled by the if (!-f $request_filename) part of the configuration block above. Only copy the contents of public/ into htdocs: anything placed under the document root is served to anyone who asks for it.

SSL/TLS Offload
Nginx can handle HTTPS (HTTP encrypted with SSL/TLS) as well as unencrypted HTTP. Mongrel, however, does not support TLS/SSL, so we configure Nginx to perform SSL/TLS offload by having it terminate the HTTPS connection from the client and then pass the request on to the Mongrel back-end using HTTP. Since the back-end communication should be running over a secure private network, there is no need for HTTPS on the back-end. Keep this in mind when deploying Nginx with Mongrel: if Mongrel is running on different servers, you might want faster (and more) processors on the front end web servers to handle the SSL decryption, and lower-cost servers on the back-end. Another option would be hardware SSL offload cards.
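The front-end pieces described above, pulled together in one POSIX shell script: the upstream block that mirrors mongrel_cluster's sequential ports, the server block with the proxy headers and static overlay, the same server block as a TLS-offloading HTTPS listener, and a monit stanza that stands in for the active health check Nginx lacks. This is an added example, not code from the o3 article or from the Nginx, Mongrel or monit projects. The host 10.10.10.20, vhost support.foocorp.com and paths are the article's example values; the certificate location under /etc/nginx/ssl and the tmp/pids/mongrel.PORT.pid naming are assumptions.

```sh
#!/bin/sh
# Added example, not from the o3 article: generate the Nginx front end and a
# monit stanza for a mongrel_cluster deployment. Host, vhost and paths are the
# article's illustrative values; the /etc/nginx/ssl certificate location and
# the per-instance pid file naming are assumptions.

# upstream_block NAME HOST BASE_PORT COUNT
# mongrel_cluster starts COUNT instances on BASE_PORT, BASE_PORT+1, ...,
# so the upstream lists every one of them. HOST must be the internal
# (non-routable) address Mongrel was bound to with -a.
upstream_block() {
    name=$1; host=$2; base=$3; count=$4
    printf 'upstream %s {\n' "$name"
    i=0
    while [ "$i" -lt "$count" ]; do
        printf '    server %s:%d;\n' "$host" "$((base + i))"
        i=$((i + 1))
    done
    printf '}\n'
}

# server_block VHOST LISTEN_IP PORT UPSTREAM HTDOCS
# PORT 443 enables TLS offload; Mongrel only ever sees plain HTTP.
server_block() {
    vhost=$1; ip=$2; port=$3; up=$4; htdocs=$5
    if [ "$port" = 443 ]; then scheme=https; else scheme=http; fi
    printf 'server {\n'
    printf '    listen %s:%s;\n' "$ip" "$port"
    printf '    server_name %s;\n' "$vhost"
    if [ "$scheme" = https ]; then
        # keep the key file root-only (mode 0600); the Nginx master reads it as root
        printf '    ssl on;\n'
        printf '    ssl_certificate /etc/nginx/ssl/%s.crt;\n' "$vhost"
        printf '    ssl_certificate_key /etc/nginx/ssl/%s.key;\n' "$vhost"
    fi
    printf '    root %s;\n' "$htdocs"
    printf '    index index.html index.htm;\n'
    printf '    location / {\n'
    # X-Real-IP is the TCP peer and cannot be forged by the client;
    # X-Forwarded-For appends to whatever the client sent, so trust only the last hop.
    printf '        proxy_set_header X-Real-IP $remote_addr;\n'
    printf '        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n'
    printf '        proxy_set_header Host $http_host;\n'
    # set the scheme header on BOTH listeners so a client cannot inject
    # "X-Forwarded-Proto: https" through the plain HTTP vhost
    printf '        proxy_set_header X-Forwarded-Proto %s;\n' "$scheme"
    printf '        proxy_redirect off;\n'
    printf '        if (!-f $request_filename) {\n'
    printf '            proxy_pass http://%s;\n' "$up"
    printf '        }\n'
    printf '    }\n'
    printf '}\n'
}

# monit_block APPDIR HOST BASE_PORT COUNT
# Nginx has no active health check, so monit probes each instance's port with
# an HTTP request and restarts only the instance that stops answering.
monit_block() {
    app=$1; host=$2; base=$3; count=$4
    i=0
    while [ "$i" -lt "$count" ]; do
        port=$((base + i))
        pid="$app/tmp/pids/mongrel.$port.pid"   # mongrel_cluster's default naming (assumed)
        printf 'check process mongrel_%d with pidfile %s\n' "$port" "$pid"
        printf '    start program = "/usr/bin/mongrel_rails start -d -e production -a %s -p %d -P %s -c %s"\n' \
            "$host" "$port" "$pid" "$app"
        printf '    stop program = "/usr/bin/mongrel_rails stop -P %s -c %s"\n' "$pid" "$app"
        printf '    if failed host %s port %d protocol http then restart\n' "$host" "$port"
        printf '    if 3 restarts within 5 cycles then timeout\n\n'
        i=$((i + 1))
    done
}

# usage: sh frontend.sh demo > nginx-and-monit.txt   (values from the article)
case "${1:-}" in
    demo)
        upstream_block railsapp.foocorp.com 10.10.10.20 4000 4
        server_block support.foocorp.com 192.168.50.80 80 railsapp.foocorp.com /var/www/static/support.foocorp.com/htdocs
        server_block support.foocorp.com 192.168.50.80 443 railsapp.foocorp.com /var/www/static/support.foocorp.com/htdocs
        monit_block /var/www/foo_corp/rails_app 10.10.10.20 4000 4
        ;;
esac
```

Two design points are worth noting. The scheme header is set unconditionally on both listeners, so Rails only ever sees the value Nginx chose, never one a client sent. And monit addresses one Mongrel instance at a time through its own pid file and port, so a single hung instance is restarted while the other three keep serving through the upstream block.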
Configuring Nginx for SSL offload is relatively simple. Using the example above, change listen 192.168.50.80:80 to listen 192.168.50.80:443 and add the following to the server block:

ssl on;
ssl_certificate /path/to/your/ssl.crt;
ssl_certificate_key /path/to/your/ssl.key;

The private key file should be readable only by root, since the Nginx master process reads it before the workers drop privileges. Under the location block you also need to add:


proxy_set_header X-Forwarded-Proto https;

This tells your web application that the original connection came over HTTPS, which is important as it fixes any generated URLs that would otherwise show up as http:// instead of https://. Set the same header to http in the plain HTTP server block as well, so that a client cannot make the application believe it is on HTTPS by sending the header itself.

Conclusion
Mongrel offers a fast, easy to configure and scalable solution for deploying web applications written with Ruby based frameworks. Its flexibility allows Mongrel to run on multiple back-end servers, load balanced by high-performance front end servers running lightweight web servers. Combined with a high performance, lightweight solution such as Nginx, you can not only perform load balancing but provide advanced features such as TLS/SSL offload, which would normally cost a small fortune with commercial solutions.

Article Links
Nitro+Og Framework http://www.nitroproject.org
Camping Framework http://code.whytheluckystiff.net/camping/
IOWA Framework http://enigo.com/projects/iowa/
Ruby On Rails http://www.rubyonrails.org
Ruby On Rails Blog http://weblog.rubyonrails.org
Mongrel http://mongrel.rubyforge.org
Ruby Language http://www.ruby-lang.org/en/
OpenSSL http://www.openssl.org/


Security :: Global VPNs with OpenVPN

Secure Global Networks with OpenVPN
OpenVPN is a powerful TLS/SSL based VPN solution, typically used to provide clients with access to a corporate network. This article goes outside the box and looks at using OpenVPN to build secure server to server links, in an effort to build a Global Private Network for production services such as MySQL, HTTP back-ends etc.

John Buswell (buswellj@o3magazine.com)

OpenVPN (http://www.openvpn.net) is a powerful SSL/TLS based VPN solution. OpenVPN supports clients under Linux, Windows and Mac OS X, so it is a good option if you need to support a wide variety of clients. That, however, is not the focus of this article. Instead, we are looking at OpenVPN as a solution for building a private global network between geographically diverse sites over the Internet.

Why do I need this?
In today's global economy, it is no longer sufficient to simply throw up a server at some hosting provider in the United States and serve clients around the globe. Customers simply don't like "web wait"; if your site isn't fast enough, they are going to look elsewhere. This is particularly important in today's web 2.0 world of highly interactive and dynamic web applications. The solution is to place servers at multiple locations, which we will call sites, around the world. Place enough sites, and you will be relatively close to almost any user around the world. However, for the experience to be seamless to the user, a user posting in a forum in the United States, for example, should have their post seen in real-time or near real-time by a user on the other side of the globe. This means that you will somehow need to synchronize the data between sites, and so you will need a private encrypted global network to exchange back-end data securely between them.

Traffic Types
Before looking at the design and deployment of such a network, we need to look at the type of traffic that will run over it. In most cases, you will have management, monitoring and production traffic. Depending on the number of sites you have and how your network is deployed, you might want to separate the production traffic from the monitoring and management traffic, and then prioritize the tunnel carrying the production traffic using normal QoS techniques. Management traffic will usually be pretty low and will primarily consist of SSH connections to the remote servers for maintenance tasks and debugging. Monitoring traffic, on the other hand, involves service checks every few seconds. Most important, though, is the production traffic that really depends on your network. If your network is fast enough, you might deploy a web accelerator and static web server out at the edge, and pass dynamic requests back to a central datacenter location, where something like Mongrel would handle the dynamic work and pass the data back to the user. While this has the advantage of saving some effort with SQL replication, as network usage grows it is not going to be an optimal solution. In general, you will probably want to push MySQL, or whatever database you are using for your dynamic web applications, out to the edge. This means setting up a complex master/multi-slave setup, and possibly modifying your web applications to send SQL writes to a different SQL server. As you can see, the majority of the back-end traffic over your private production network is going to be SQL (database) or HTTP traffic, plus some rsync or svn/cvs traffic for distributing content between the servers.


IP Addressing
The private back-end network over OpenVPN is going to need a number of private addresses. Use the non-routable reserved (RFC 1918) blocks that we are all familiar with: 10.0.0.0/8, 192.168.0.0/16 etc. With this type of deployment you will need two different blocks of IPs: point to point, and production services. The point to point subnets should be /30 (two host) subnets. To avoid confusion, carve your point to point subnets out of 192.168.0.0/16, and use 10.0.0.0/8 networks for your production services. For our example, we will use 192.168.192.0/24 as the source subnet for our point to points, and 10.43.43.0/24 as our production services subnet.

Caching vs Replication
Database replication is tricky business, and preserving data integrity can be a challenge. In a multi-master situation, if one of the masters drops out for a while, it can cause all sorts of problems. The ideal solution is to only replicate the database out to the edge when it is absolutely necessary. In most cases, using some creative caching techniques, the only data that needs to be sent back and forth over the VPN to the central web application servers might be an HTTP request and HTTP response, with the graphics, CSS, JavaScript etc. all being served locally. If you get complaints from customers, you might need to throw some additional sites into the mix, or perhaps replicate to a central location in different regions (e.g. one central European site with the database, then multiple European cache/HTTP servers). Typically, as your network grows, you will end up with some form of hybrid solution.

EasyRSA
OpenVPN comes with a key management system, which is basically a set of scripts called EasyRSA. This is the best way to generate keys and manage certificates for OpenVPN. You should install EasyRSA on a secure system, ideally at your corporate headquarters, and limit access to that system: whoever controls the CA key can issue a certificate that joins your private network. We have covered OpenVPN and EasyRSA in the past, so briefly: build your local Certificate Authority (CA) with the build-ca script in EasyRSA, then use build-key to build client side keys and build-key-server when you need to generate a key for a new server. Come up with an easy to remember naming scheme for your keys, something like vpn-sX-location, where X is the server name or number and location is the name of the location (for example atlanta, houston, london). Then simply build your keys: ./build-key vpn-s2-london, for example, will produce vpn-s2-london.crt, vpn-s2-london.key and vpn-s2-london.csr. You need to transfer the .key and .crt files, along with ca.crt from EasyRSA, to your server; use scp or another authenticated channel for this, and never copy the CA's own private key off the EasyRSA host.

Client side Configuration
Configuring OpenVPN on the client side, which would be the remote "edge" servers, is relatively simple. You need to specify the OpenVPN server's public IP, the point to point IP address information for the local and remote ends, and the port number. Here is an example configuration file:

dev tun
remote 172.16.55.20
ifconfig 192.168.192.2 192.168.192.1
tls-client
ca /etc/sslvpn/cert/ca.crt
cert /etc/sslvpn/cert/vpn-s2-london.crt
key /etc/sslvpn/keys/vpn-s2-london.key
port 1921
proto tcp-client
user nobody
group nogroup
comp-lzo
persist-tun
persist-key
verb 3

It is relatively straightforward. The ifconfig line tells OpenVPN that we are 192.168.192.2 and the remote side of the tunnel is 192.168.192.1. port 1921 tells OpenVPN we are connecting to port 1921 on the server side, comp-lzo enables LZO compression, and persist-key and persist-tun keep the key material and tunnel device across restarts (needed once privileges have been dropped to nobody). Because every edge server holds a certificate from the same CA, also add ns-cert-type server to the client configuration so that the client refuses to talk to anything that does not present a certificate built with build-key-server; without it, a compromised edge server's certificate could be used to impersonate the hub.


Se rv e r s ide Conf igurat ion Th e s e rv e r s ide h as it s ow n ce rt if icat e and keyf il e s , al ong w it h ca.crt . Th e s e rv e r s ide al s o h as a dh 1024.pe m f il e , w h ich is ge ne rat e d by Eas yRSA. Each re m ot e s it e is going t o h av e it s ow n ins t ance ofO pe nV PN running on t h e ce nt ral iz e d V PN s e rv er . For e ach re m ot e s e rv e r (or s it e ) you w il l h av e a s e parat e conf igurat ion f il e . H e re is an e xam pl e conf igurat ion f il e t o go w it h our cl ie ntconf igurat ion: l ocal 172.16.55.20 de v t un if conf ig 19 2.168.19 2.1 19 2.168.19 2.2 t l s -s e rv er dh / et c/ ssl v pn/ crypt o/ dh 1024.pe m ca / et c/ ssl v pn/ ce rt / ca.crt key/ et c/ ssl v pn/ k e ys / v pn-s e rv er .k e y port19 21 prot ot cp-s e rv er us e r nobody group nogroup com p-l zo pe rs is t -t un pe rs is t -k e y v e rb 3 As you can s e e , t h e conf igurat ion is v e ry s im il ar t ot h e cl ie nts ide , w it h j us ta f e w m inor ch ange s . St art ing t he V PN M ak e s ure you bunch a h ol e in your ipt abl es conf igurat ion t o al l ow t h e s ource I P oft he re m ot e s it e t o acce s s t o TCP portw e h av e conf igure d f or O pe nV PN, in t h is cas e it s 19 21. I fyou are us ing a Re d H atbas e d s ys t e m (Ce nt O S, Fe dora, RH EL ), you can e dit/ et c/ s ys conf ig/ ipt abl e s and add : -A RH -Fire w al l -1-I NPUT -p t cp --dport19 21 s 172.16.56.9 9 -d 172.16.55.20 -jACCEPT w h e re 172.16.55.20 is t h e e xam pl e publ ic I P (it s notre al l y a publ ic I P butw e don'tpubl is h re al publ ic I Ps in e xam pl e s ) oft h e s e rv er , and 172.16.56.9 9 is t h e e xam pl e publ ic I P of t he V PN cl ie nt . Firs t ,st artope nv pn on t he s e rv e r s ide :

ope nv pn --conf ig / et c/ ssl v pn/ v pn-s 2l ondon.conf1>>/ v ar/ l og/ v pn/ v pn-s 2l ondon.l og 2>>/ v ar/ l og/ v pn/ v pn-s 2l ondon_ e rr .l og & You w oul d s paw n t h is w it h t h e re s pe ct iv e conf igurat ion f il e s and l og re dire ct s f or e ach re m ot e s it e . Th e n on t h e cl ie nts ide : ope nv pn --conf ig / et c/ ssl v pn/ v pn-at l ant as e rv er .conf1>>/ v ar/ l og/ v pn/ v pn-at l ant a.l og 2>>/ v ar/ l og/ v pn/ v pn-at l ant a_ e rr .l og & I fyou l ook att he l ogs , you s h oul dsee: At t e m pt ing t o e st abl is h TCP conne ct ion w it h 172.16.55.20:19 21 TCP conne ct ion e s t abl is h e d w it h 172.16.55.20:19 21 ... Pe e r Conne ct ion I nit iat e d w it h 172.16.55.20:19 21 I nit ial iz at ion Se q ue nce Com pl et ed Te s t ing t he L ink Th e q uick e s tw ay t ot e s tt he l ink is t o ping t he re m ot e s ide 's pointt o pointI P .I n our cas e , t h e cl ie nts ide s h oul d be 19 2.168.19 2.2 and t h e s e rv e r s ide 19 2.168.19 2.1. Bounce a f ew I CM P pack e t s around w it h ping. Us ing s cp, you can al sot e s tt h e dat a rat e by t rans f e rring a dum m y f il e t o and f rom t h e s e rv er . Th is w il l giv e you a bas ic ide a ofh ow w e l l t he l ink is going t o pe rf orm . Adding Rout es Righ tnow you j us th av e a pointt o point conne ct ion, butyou w antt o be abl e t o acce s s re s ource s on t h e re m ot e s ide . Th is is w h e re t h ings w il l v ary de pe nding on w h atyou w ant t o do. I fyou are doing M ySQLre pl icat ion, you w il l w anta product ion s ubne ton bot h s ide s (re m ot e " e dge " s it e and t h e ce nt ral dat a-ce nt e rl ocat ion). I nt h atcas e , you'l l ne e d t oset up a priv at e s ubne ton bot h e nds . 
If however you are simply using the remote "edge" site as a cache and static HTML server, then you'd probably only need a subnet on the remote end, unless you had multiple servers at the remote edge site, which is often the case.

o3 magazine :: page 14

Security :: Global VPNs with OpenVPN

For our example, we are going to use 10.43.43.0/24 on the central data-center location, and 10.43.100.0/24 on the remote site. On the VPN server, you just need to add an interface and a route:

ip addr add 10.43.43.1/24 dev lo
ip route add 10.43.100.0/24 via 192.168.192.2

Notice that we haven't added a dev statement to the route. The reason for this is that the tunnel can respawn and perhaps not end up on the same device each time. This works, and is safe. We've added 10.43.43.1 to lo, so that when packets from the remote side come in, we have something to test with. On the client side:

ip addr add 10.43.100.1/24 dev lo
ip route add 10.43.43.0/24 via 192.168.192.1

Again, the same thing. The final piece is that you will need to add statements to your /etc/sysconfig/iptables file to enable the VPN traffic to pass back and forth.

Conclusion
Rather than bouncing production back-end traffic, along with management and monitoring traffic, over the Internet, we've created our own managed private network of inter-connected VPNs. OpenVPN is ideal for this type of solution; there are other solutions out there, such as IPsec.
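Once each remote site has its own openvpn instance and its own log file, as set up above, the tunnel state for every site can be read off those logs. The following is an added example, not part of the article or of OpenVPN itself: it parses the messages quoted earlier ("TCP connection established with", "Peer Connection Initiated with", "Initialization Sequence Completed") and reports which sites are not up against the expected server endpoint. The log contents are constructed samples; the TLS error line imitates OpenVPN's handshake error message and the site names and EXPECTED_PEER value are assumptions taken from the article's example addresses.

```python
import re

# Constructed sample of the per-site log files that the article redirects
# openvpn's output into (/var/log/vpn/vpn-<site>.log). "london" repeats the
# four messages quoted above; "atlanta" and "tokyo" are constructed failure
# cases (the TLS error line imitates OpenVPN's handshake error message).
SAMPLE_LOGS = {
    "london": (
        "Attempting to establish TCP connection with 172.16.55.20:1921\n"
        "TCP connection established with 172.16.55.20:1921\n"
        "Peer Connection Initiated with 172.16.55.20:1921\n"
        "Initialization Sequence Completed\n"
    ),
    "atlanta": (
        "Attempting to establish TCP connection with 172.16.55.20:1921\n"
        "TCP connection established with 172.16.55.20:1921\n"
        "TLS Error: TLS handshake failed\n"
    ),
    "tokyo": "Attempting to establish TCP connection with 172.16.55.20:1921\n",
}

# The server endpoint every client is expected to talk to (the article's
# example server IP and port, an assumption here); a tunnel that comes up
# against any other peer is reported as needing attention.
EXPECTED_PEER = "172.16.55.20:1921"

CONNECT_RE = re.compile(r"TCP connection established with (\S+)")
PEER_RE = re.compile(r"Peer Connection Initiated with (\S+)")


def tunnel_state(log_text, expected_peer=EXPECTED_PEER):
    """Derive the tunnel state from one OpenVPN log.

    Returns {"state": ..., "peer": ..., "peer_ok": ...} where state is one of
    "up", "handshake-failed", "connecting" or "no-connection". Later lines
    override earlier ones, so a log that records a failure and then a
    successful restart is reported as up.
    """
    state, peer = "no-connection", None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            state, peer = "connecting", m.group(1)
            continue
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
        elif "TLS Error" in line:
            state = "handshake-failed"
        elif "Initialization Sequence Completed" in line:
            state = "up"
    return {"state": state, "peer": peer, "peer_ok": peer == expected_peer}


def sites_needing_attention(logs, expected_peer=EXPECTED_PEER):
    """Sorted names of sites whose tunnel is not up against the expected peer."""
    bad = []
    for name, text in logs.items():
        s = tunnel_state(text, expected_peer)
        if s["state"] != "up" or not s["peer_ok"]:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    for name, text in SAMPLE_LOGS.items():
        print(f"{name}: {tunnel_state(text)}")
    print("needs attention:", sites_needing_attention(SAMPLE_LOGS))
```

In production you would feed each site's real log file to tunnel_state() from a cron job or a Monit check; the peer_ok flag catches the case where a client config has been pointed at the wrong server, which a plain "is the process running" check would miss.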


Mobility :: Thin Access Points

Enterprise WiFi - Thin Access Points
Thin Access Point solutions place very little 802.11 intelligence on the Access Point; instead these Thin Access Points pass the 802.11 packets to a centralized controller or switch through some form of IP tunneling or encapsulation. Thin APs have many advantages including centralized management, lower cost APs and a wide variety of Enterprise grade features.

Greg Jordan (gjordan@o3magazine.com)

The wireless access point (AP) is the device which connects the wireless network to the wired network. It is a key component of the 802.11 wireless LAN. Unless you are in a very small office space, most businesses will need to deploy multiple access points, enabling mobile users to roam around the office. Traditional access points, often called "FAT", "smart" or "thick" access points, are self-contained solutions that have full support for transitioning packets between the 802.11 and wired ethernet network that they are connected to. The down side to "Thick" APs is that they do not scale very well. Managing a single access point in your home office, or even 5 access points in a small office, isn't a big problem. However, when you have a large multi-building campus, managing hundreds or even thousands of access points becomes a serious problem. It just isn't practical to have many individually managed devices trying to provide a common wireless network. Thick APs simply don't scale, just from a manageability stand-point.

Multiple SSIDs
Very few "Thick" APs support more than one SSID. An SSID is basically the public name for the wireless network.
In many cases you might have a shared area, where you need to provide access to different groups who have their own SSID (for example sales, engineering, guests). Unless your "Thick" AP supports multiple SSIDs, you will need to deploy more and more access points. The more access points you deploy, the more problems you run into with RF interference and manageability issues.

Thin AP
The Thin AP is typically just a device which has one or more 802.11 radio(s), and a wired network port (typically Fast Ethernet). Thin APs generally support Power over Ethernet (PoE), so you don't need to worry about running power bricks to the devices. Very little, if any, of the 802.11 stack is handled by the Thin AP. What happens is that the Thin AP is used with a centralized switch or controller. The 802.11 frames are taken from the radio, encapsulated and sent down the wire to the controller. All of the 802.11 intelligence is handled at the centralized controller. One key advantage to this is that you can place a Thin AP physically on a network that the actual wireless users never have access to. The 802.11 frame is passed over that network, and then on to the centralized controller, where the controller typically has one or more uplinks to the various networks the wireless users are supposed to have access to. All of the authentication and encryption is handled by the controller.

Centralized Control
Immediately it becomes clear that the Thin AP with a centralized controller is a much better solution than trying to manage hundreds of devices individually.
Even on a relatively small network of maybe 10 to 30 APs, it makes sense, if for no other reason than to reduce human error, to switch to a centrally managed solution. Configuration and monitoring are managed from the controller. Some commercial products will help tune and avoid RF interference problems, and support multiple SSIDs. Some products, such as those from Aruba Networks, will help you select the number and type of Thin access points you need based on parameters about your buildings that you give it. The Thin AP solution from Aruba also supports an Air Monitor (AM) mode, where an access point can be converted into an air monitor, where it will monitor traffic on the wireless side for wireless IDS and other security applications. Centralized control provides a means to define and enforce network access control policies from a central location, rather than attempting to synchronize policies across many devices.

Change in standards
If you deploy "thick" access points, what happens when there is a change in 802.11 standards or a new feature is made available? In some cases, the "thick" access points will not be powerful enough or will lack the memory to implement the feature. However, for "thin" access points, the 802.11 frames are handled by the controller. So a simple software upgrade on the controller can be done to implement the new standard. In some cases, such as 802.11n, the access points use different types of radios. So to support 802.11n, new access points would have to be deployed, but 802.11n is a different situation.

New encryption methods
Encryption methods are created and defeated; over the past few years we've seen WEP, TKIP, WPA, and WPA2. With thick access points, the encryption technology is typically handled by a chip. This warrants a hardware replacement to switch to a new encryption method. On the other hand, with the "Thin" AP solution, the encryption is handled on the controller; worst case you may need to replace a blade or a controller.
Even then this is a far better situation than having to replace hundreds of APs, some of which may be hanging in less than accessible locations.

Lower cost of ownership
When deploying a wireless network, especially over a large area such as a multi-building campus, the most expensive part of that network is going to be the access points.

In order to get the coverage to support the users over the coverage area, many APs are going to be necessary. The "thin" access point solution offers a lower cost of ownership per AP than a "thick" AP solution, as there isn't too much to a "Thin" AP. All of the intelligence is handled back at the controller. While the controller may initially seem like a higher cost, when you factor in the lower cost per AP over a large deployment, the cost savings are obvious.

Remote Access Points
One of the neatest features that centralized control can provide is a feature called Remote AP. Remote AP enables an administrator to provision an AP, and then place it at a home or remote office. The Remote AP communicates over a secure VPN connection to the centralized controller, and provides the same wireless network(s) at the remote location that you would have at the office. This enables remote employees, perhaps thousands of miles away, to have the same SSIDs available to them that they would have if they were located in a cube at their headquarters! Remote AP is one of many cool and interesting capabilities, thanks to the Thin AP architecture, that's available from Aruba Networks.

Advanced Services and Features
The "Thin" AP architecture makes a number of other features possible. Aruba Networks offers real-time location services where the Thin APs are used to report signal measurements for the tracked device, and then the coordinates are calculated. For details on the advanced services available, visit http://www.arubanetworks.com.
Mesh
Several of the leading wireless mobility companies are offering Mesh solutions using Thin APs. A wireless MESH is a wireless network where packets are relayed over wireless links, as it is too difficult or costly to run wired networks to the APs. This is an ideal solution for outdoor venues or indoor venues where wiring is extremely difficult. The general concept with MESH is that instead of using a wired backhaul, the backhaul is wireless.

802.11n
Many large enterprise deployments exist out there with VoIP and data on the same 802.11g, 802.11a networks using the Thin AP solution. The upcoming introduction of 802.11n offers new challenges to the Thin AP architecture, as increased bandwidth is needed on the backhaul. However, some companies have suggested that 802.11n will mark the end of the Thin AP. One such company is Xirrus, who offer a sort of hybrid solution for 802.11n, which is more or less a fancy Thick AP. It is highly unlikely that 802.11n will be the death of Thin AP architectures. In fact, 802.11b/g/a is more than capable of handling the demands of the corporate WLAN. As the 802.11n standard is ratified, we will see 802.11n Thin APs, and with many networks already supporting gigabit ethernet, as well as 10GbE, the wired side of the network will have plenty of bandwidth to keep up with 802.11n and support the Thin AP model. In many cases, the businesses themselves will simply not have the bandwidth to the Internet to support 802.11n, which is why 802.11b/g/a Thin APs will still be around for the foreseeable future.

Conclusion
At the time of writing, there are no open source Thin AP solutions. If you are interested in open Thin AP solutions, Aruba Networks has an Aruba Labs site (http://labs.arubanetworks.com) that is worth checking out. Other Thin AP vendors include Trapeze Networks, Meru Networks, and Cisco Systems (formerly Airespace).


IP Networking :: HTTP GSLB w/Nginx

HTTP Global Server Load Balancing
Global Server Load Balancing is all about controlling traffic and distributing it among geographically distributed servers. Global Server Load Balancing aims to direct the user to the fastest and closest server. Normally Global Server Load Balancing is an expensive deployment, until now. Find out how to deploy GSLB with Nginx.

John Buswell (buswellj@o3magazine.com)

Nginx, called engine-x, is a high performance HTTP server and reverse proxy, with proxy capabilities for IMAP/POP3/SMTP. Nginx is the creation of Russian developer Igor Sysoev, and has been running in production for over two years. The latest stable release at the time of writing is Nginx 0.5.30, and it is the focus of this article. While Nginx is capable of proxying non-HTTP protocols, we're going to focus on HTTP and HTTPS.

High Performance, Yet Lightweight
Nginx uses a master process and N+1 worker process model. The number of workers is controlled by the configuration, yet the memory footprint and resources used by Nginx are several orders of magnitude less than Apache. Nginx uses epoll() in Linux. In our lab, Nginx was handling hundreds of requests per second, while using about 16MB of ram and a consistent load average of about 1.00. This is considerably better than Apache 2.2, and Pound doesn't scale well with this type of usage (high memory usage, lots of threads). In general, Nginx offers a very cost effective solution.

Lighttpd
Lighttpd is a great lightweight option, but it has a couple of drawbacks. Nginx has very good reverse proxy capabilities with integrated basic load balancing.
This makes it a very good option as a front end to dynamic web applications, such as those running under Rails and using Mongrel. Lighttpd, on the other hand, has an old and unmaintained proxy module. Now it does have a new proxy module with Lighttpd 1.5.x, but that is the other problem with Lighttpd: where it's going. Lighttpd 1.4 is lightweight, relies on very few external libraries and is fast. Lighttpd 1.5.x on the other hand requires many more external libraries, including glib; now I don't know about you, but anything using glib is far from "lightweight".

Basic Configuration
The basic configuration of Nginx specifies the unprivileged user to run as, the number of worker processes, error log, pid and events block. After this basic configuration block, you have per protocol blocks (http for example).

user nobody;
worker_processes 4;
error_log logs/error.log;
pid logs/nginx.pid;
events {
    worker_connections 1024;
}

Basic HTTP server
Nginx is relatively easy to configure as a basic web server; it supports IP and Name based virtual hosts, and it uses a pcre based URI processing system. Configuring static hosting is very easy, you just specify a new server block:

server {
    listen 10.10.10.100:80;
    server_name www.foocorp.com foocorp.com;
    access_log logs/foocorp.com.log main;
    location / {
        index index.html index.htm;
        root /var/www/static/foocorp.com/htdocs;
    }
}



Here we are listening on port 80 on 10.10.10.100, with name virtual hosting using www.foocorp.com and foocorp.com. The server_name option also supports wildcards, so you can specify *.foocorp.com and have it handled by the configuration. The usual access logs, and root specifies htdocs. If you have a large number of name virtual hosts, you'll need to increase the size of the hash bucket with

server_names_hash_bucket_size 128;

Gzip compression
Nginx, like many other web servers, can compress content using gzip.

gzip on;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_types text/plain text/html text/css text/js;

Here Nginx allows you to enable gzip, specify a minimum length to compress, buffers and the mime types that Nginx will compress. Gzip compression is supported by all modern browsers.

HTTP Load Balancing
Nginx can be used as a simple HTTP load balancer; in this configuration, you would place Nginx in front of your existing web servers. The existing web servers can be running Nginx as well. In HTTP load balancer mode, you simply need to add an upstream block to the configuration:

upstream a.serverpool.foocorp.com {
    server 10.80.10.10:80;
    server 10.80.10.20:80;
    server 10.80.10.30:80;
}
upstream b.serverpool.foocorp.com {
    server 10.80.20.10:80;
    server 10.80.20.20:80;
    server 10.80.20.30:80;
}

Then in the server block, you add the line:

proxy_pass http://a.serverpool.foocorp.com;

Health Check Limitations
Nginx has only simple load balancing capabilities. It doesn't have health checking capabilities and it uses a simple load balancing algorithm. However, Nginx is a relatively new project, so one would expect to see various load balancing algorithms and health checking support added over time. While it might not be wise to replace your commercial load balancer with Nginx anytime soon, Nginx is almost there in terms of a very competitive solution. Monit, and other monitoring applications, offer good options to compensate for the lack of health checking capabilities in Nginx.

Global Server Load Balancing
Nginx has a very interesting capability. With a little configuration it can provide Global Server Load Balancing. Now Global Server Load Balancing (GSLB) is a feature you'll find on high-end load balancing switches such as those from F5, Radware, Nortel, Cisco etc. Typically GSLB is an additional license you have to purchase for a few thousand dollars, on top of a switch that typically starts around US$10,000. GSLB works by having multiple sites distributed around the world, so you might have a site in Europe, a site in Asia and a site in North America. Normally, you would direct traffic by region by using different top level domains (TLD). So www.foocorp.com might go to North America, www.foocorp.co.uk to Europe, www.foocorp.com.cn to the server in Asia. This isn't a very effective solution because it relies on the user to visit the proper domain.
A user in Asia might see a print advertisement for the North American market; hitting the .com address means they aren't visiting the closest and fastest server. GSLB works by looking at the source IP address of the request, and then determines which site is closest to that source address. The simplest method is to break the Internet address space down per region, then to route traffic to the local site in that region. When we say region, we mean North America, South America, EMEA (Europe, Middle East and Africa) and APAC (Asia-Pacific).

Configuring Nginx for GSLB
The geo {} block is used to configure GSLB in Nginx; the geo block causes Nginx to look at the source IP, and set a variable based on the configuration. The nice thing with Nginx is that you can set a default.

geo $gslb {
    default na;
    include conf/gslb.conf;
}

Here in our configuration, we're setting the default to na (North America) and then including the gslb.conf. The configuration file gslb.conf is a basic file consisting of subnet and variable pairs. Here is an excerpt from gslb.conf:

32.0.0.0/8 emea;
41.0.0.0/8 emea;
43.0.0.0/8 apac;

When Nginx receives a request from a source IP in 32.0.0.0/8 (for those of you unfamiliar with slash notation, this is the entire Class A, 32.0.0.0 thru 32.255.255.255), it sets the variable $gslb to emea. We then use that later in the configuration to redirect. Inside the location block of our server configuration in Nginx, we add a number of if statements before the proxy_pass (if used) statement. These instruct the server to do a HTTP 302 Redirect (temporary redirect).

if ($gslb = emea) {
    rewrite ^(.*) http://europe.foocorp.com$1 redirect;
}
if ($gslb = apac) {
    rewrite ^(.*) http://asia.foocorp.com$1 redirect;
}

These are configured under the www.foocorp.com named virtual server; if someone from North America hits www.foocorp.com, it hits the default and simply loads from the same server. If the user is from Europe, the request should match one of the subnets listed in gslb.conf, and sets the gslb variable to emea. This request causes the North American site hosting the .com domain to redirect the client to the server(s) at the site in Europe. On the European server, the configuration is slightly different. Instead of the emea check, you check for NA and redirect to the US site. This is to handle the situation when someone in North America hits the .eu or .co.uk site.

if ($gslb = na) {
    rewrite ^(.*) http://www.foocorp.com$1 redirect;
}

Traffic Control: In-region not always faster
The problem with commercial solutions is that they are too generalized. In our example configurations so far, we make some pretty wild assumptions. The problem with the Internet is that a user in Asia might not, for example, have a faster connection to servers in Asia. A good example of this is India and Pakistan. A server hosted in Hong Kong or Singapore is in Asia, and would be considered "in region" for customers in India and Pakistan. The reality though is that traffic from those countries to Hong Kong is actually routed through Europe, so packets from India to Hong Kong go from India thru Europe, across the United States and hit Hong Kong from the Pacific. However, in the same subnet, customers in Australia are only a few hops away from Hong Kong.
In such a situation, with commercial solutions, you are just out of luck, but with Nginx you can fine tune how traffic is directed. Here we know 120.0.0.0/6 is mainly APAC, but 122.162.0.0/16 and 122.163.0.0/16 have faster connections to Europe. So, we simply add these subnets to the configuration. Nginx will use the closest match to the source IP. So 122.162.0.0/16 is finer grained than 120.0.0.0/6, so Nginx will use it.

Manual Tuning
The initial tuning can be done by using the whois command; for example whois 120.0.0.0 will give you an idea which region it belongs to - ARIN, RIPE, etc. ARIN, RIPE, APNIC, AFRINIC, and LACNIC are regional internet registries or RIRs. An RIR is an organization overseeing the allocation and registration of Internet number resources within a particular region of the world. IP addresses, both IPv4 and IPv6, are managed by these RIRs. However, as in our previous example, you're going to need to fine tune the gslb configuration with traceroute and ping information. Probably the best approach is to do a general configuration and then fine tune the configuration based on feedback from customers.

Cost Savings vs. Features
Looking at a well known Layer 4-7 switching solution, you would need a minimum of $15k per site to purchase the necessary equipment and licensing. Commercial solutions do have some additional fault tolerant measures, such as the ability to measure load and availability of servers at remote sites. However, with Nginx offering a very close solution which is available for FREE with the source code, it is only a matter of time before such features are part of Nginx or available thru other projects.

Nginx Links
http://wiki.codemongers.com/Nginx
http://nginx.net

gslb.conf
The following is an initial example of gslb.conf; it should be sufficient for most users.

25.0.0.0/8 uk;
32.0.0.0/8 emea;
41.0.0.0/8 emea;
43.0.0.0/8 apac;
51.0.0.0/8 uk;
53.0.0.0/8 emea;
57.0.0.0/8 emea;
58.0.0.0/8 apac;
59.0.0.0/8 apac;
60.0.0.0/8 apac;
61.0.0.0/8 apac;
62.0.0.0/8 emea;
77.0.0.0/8 emea;
78.0.0.0/7 emea;
80.0.0.0/5 emea;
88.0.0.0/6 emea;
90.192.0.0/11 uk;
91.104.0.0/13 uk;
91.125.0.0/16 uk;
92.0.0.0/8 emea;
93.0.0.0/8 emea;
116.0.0.0/6 apac;
120.0.0.0/6 apac;
122.162.0.0/16 uk;
122.163.0.0/16 uk;
124.0.0.0/7 apac;
126.0.0.0/8 apac;
129.0.0.0/8 emea;
130.0.0.0/8 emea;
131.0.0.0/8 emea;
133.0.0.0/8 apac;
134.0.0.0/8 emea;
139.0.0.0/8 emea;
141.0.0.0/8 emea;
145.0.0.0/8 emea;
150.0.0.0/8 apac;
151.0.0.0/8 emea;
157.0.0.0/8 apac;
162.0.0.0/8 emea;
163.0.0.0/8 emea;
164.0.0.0/8 emea;
171.0.0.0/8 emea;
188.0.0.0/8 emea;
193.0.0.0/8 emea;
194.0.0.0/8 emea;
195.0.0.0/8 emea;
196.0.0.0/8 emea;
202.0.0.0/7 apac;
210.0.0.0/7 apac;
212.0.0.0/7 emea;
217.0.0.0/8 emea;
218.0.0.0/6 apac;
219.0.0.0/8 apac;
220.0.0.0/7 apac;
222.0.0.0/8 apac;
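The closest-match rule that makes the 122.162.0.0/16 override work can be checked offline before a gslb.conf goes live. The following is an added example, not part of the article or of Nginx: it parses a constructed excerpt of the gslb.conf above (same "cidr region;" format), resolves a source address by longest prefix, applies the na default, and returns the redirect a site would issue. It generalises the article's per-site if blocks slightly: whichever site answers, an out-of-region client is sent to the site for its own region. The uk.foocorp.com hostname is an assumption added for the uk region; www, europe and asia are the article's names.

```python
import ipaddress

# Constructed excerpt of the gslb.conf listed above, in nginx geo format
# ("cidr region;"). It includes the two /16 overrides that sit inside
# 120.0.0.0/6 so the closest-match rule can be exercised.
GSLB_CONF = """
32.0.0.0/8 emea;
43.0.0.0/8 apac;
120.0.0.0/6 apac;
122.162.0.0/16 uk;
122.163.0.0/16 uk;
196.0.0.0/8 emea;
"""

# Region -> site. www/europe/asia are the article's hostnames; the uk site
# is a hypothetical name added here for the uk region in gslb.conf.
SITES = {
    "na": "http://www.foocorp.com",
    "emea": "http://europe.foocorp.com",
    "apac": "http://asia.foocorp.com",
    "uk": "http://uk.foocorp.com",
}


def parse_gslb_conf(text):
    """Parse 'cidr region;' lines into (network, region) pairs.

    Host bits are masked off (strict=False) so an entry whose low bits are
    not all zero, such as 218.0.0.0/6 in the listing above, still loads.
    """
    table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        cidr, region = line.split()
        table.append((ipaddress.ip_network(cidr, strict=False), region))
    return table


def lookup_region(table, source_ip, default="na"):
    """Longest-prefix match over the table, the way the geo block picks the
    closest match; the default applies when no entry contains the address."""
    addr = ipaddress.ip_address(source_ip)
    best_net, best_region = None, default
    for net, region in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_region = net, region
    return best_region


def redirect_for(table, source_ip, local_region):
    """Target URL for a 302, or None when the client is already in region.

    local_region is the region of the site answering the request: the .com
    site passes "na", the European site passes "emea".
    """
    region = lookup_region(table, source_ip)
    if region == local_region:
        return None
    return SITES[region]


if __name__ == "__main__":
    table = parse_gslb_conf(GSLB_CONF)
    for ip in ("32.10.0.1", "121.5.5.5", "122.162.7.7", "8.8.8.8"):
        print(ip, lookup_region(table, ip), redirect_for(table, ip, "na"))
```

Running lookup_region() over the addresses your traceroute and ping tests were done from is a quick way to confirm a tuning entry actually wins over the broader prefix it sits inside.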


Server Side :: Web Acceleration

Web Acceleration with Varnish Cache
Web Acceleration is all about placing a reverse proxy in front of production web servers. The goal of a reverse proxy is to reduce the load on your web servers by serving up cachable content such as CSS, HTML, Images and Javascript files. Varnish Cache is a high performance web accelerator designed specifically for this purpose.

John Buswell (buswellj@o3magazine.com)

The buzzword "Web Acceleration" is really nothing more than a fancy reverse proxy. A regular proxy such as squid caches files (objects) such as html, css, javascript, images and so on, as users browse the Internet. The idea behind caching is that you can save some bandwidth if multiple users visit cnn.com, as the content is cached locally for a set period of time. The time and other factors are handled by Cache-Control tags, as well as the cache server configuration. A reverse proxy is on the web server side; instead of caching outbound user requests, it is caching inbound user requests, with the goal of off-loading some of the work from your web servers.

Dynamic Web Applications
A reverse proxy may in some cases speed up a dynamic web application considerably. It really depends on the type of application you are looking at accelerating. Depending on how the application was written, it may not be a very good candidate for caching. A good candidate for caching would be a blog. A blog typically has users posting comments, a small number of users posting actual articles and a large number of users simply reading the content. Typically comments require a login, and you probably want to secure logins via https.
This makes it relatively easy to split "static access" from "dynamic access" in a blog application. A small modification to the application, and you can force logins and posts via https. In terms of performance, this means that the more expensive rendering of a dynamic page is only done when new content is available; the rest of the time the content is served up from a high-speed cache.

High-speed Web Servers
There are a number of lightweight, high performance web servers available today; two good examples are Lighttpd and Nginx. Depending on what type of content you plan to serve, it might not be necessary for you to even consider a "web accelerator". These lightweight web servers are written using very similar methods to those used for high-performance caches, so the performance benefits of accelerating static content such as html, css, js, and images may not be as great as they are with dynamic web applications. But in many cases, dynamic web applications also prove a challenge to be accelerated properly; you might find that simply using Nginx to serve up the images, css and javascript from your dynamic web application might be a better option.

Why not use Squid?
Squid is a forward cache (regular proxy as we described above), and it is a very good one at that. Squid can also be configured to do reverse proxy, but it is just that: it is a feature rather than the focus of the application.
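The static versus dynamic split described above comes down to one decision the reverse proxy makes per response: may this object be stored and served to the next visitor? The following is an added example, not from the article or from Varnish: a cacheability rule for the blog case, which refuses to cache anything tied to a login (a Cookie or Authorization header on the request, a Set-Cookie or private/no-store on the response) and otherwise honours Cache-Control max-age, with an assumed one-hour default for static assets. The header values and paths in the test are constructed.

```python
# Decide whether a reverse proxy may cache a response, applying the static
# versus dynamic split described above. Anonymous reads of a blog are
# cacheable; logged-in comment traffic and anything carrying session state
# must always go back to the origin.

CACHEABLE_STATUSES = {200, 301, 404}
STATIC_EXTENSIONS = (".css", ".js", ".png", ".gif", ".jpg", ".html")
DEFAULT_STATIC_TTL = 3600  # assumed default for static assets with no max-age


def parse_cache_control(value):
    """Turn 'max-age=60, private' into {'max-age': '60', 'private': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def cache_ttl(method, path, req_headers, status, resp_headers):
    """Return the number of seconds the object may be cached, or 0 if it
    must be fetched from the origin.

    Rules, in order: only GET/HEAD; only safe statuses; never cache a
    response that sets a cookie or is marked private/no-store; never cache
    a request carrying credentials unless the origin marked the response
    public; then honour max-age, falling back to DEFAULT_STATIC_TTL for
    static assets and 0 for everything else.
    """
    if method not in ("GET", "HEAD") or status not in CACHEABLE_STATUSES:
        return 0
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if "no-store" in cc or "private" in cc or "set-cookie" in resp:
        return 0
    if ("cookie" in req or "authorization" in req) and "public" not in cc:
        return 0
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():
        return int(max_age)
    if path.lower().endswith(STATIC_EXTENSIONS):
        return DEFAULT_STATIC_TTL
    return 0


if __name__ == "__main__":
    print(cache_ttl("GET", "/style.css", {}, 200, {"Content-Type": "text/css"}))
    print(cache_ttl("GET", "/posts/1", {"Cookie": "session=abc"}, 200,
                    {"Cache-Control": "max-age=120"}))
```

The credentials check is the security-relevant part: a cache that stores a page rendered for a logged-in user and then serves it to an anonymous visitor leaks that user's data, so the default is to treat any cookie-bearing request as uncacheable unless the application explicitly says public.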
V arnis h on t h e ot h e r h and, h as be e n de s igne d and w rit t enf rom t h e ground up as a w e b acce l e rat or .V arnis h is w rit t en us ing m ode rn program m ing t e ch niq ue s , and s im il ar point e r /m e m ory t e ch niq ue s t h atare us e d in h igh pe rf orm ance com m e rcial s ol ut ions . O bj e ctSt orage Whenev al uat ing w h e t h e r or nott ot ry V arnis h , you ne e d t ol ook ate xact l y h ow Sq uid and V arnis h dif f e rf rom e ach ot her . Sq uid w ork s by pl acing H TTP obj e ct s int o m e m ory. Th e s e obj e ct s are t ypical l y st ore d by t h e us ual m e m ory re ad/ w rit e ope rat ions

o3 m agaz ine :: page 26

Se rv e r Side :: W e b Acce l e rat ion

s uch as m al l oc(). As Sq uid is w ork ing aw ay, obj e ct s cach e d in m e m ory are s w appe d out t o dis k by t h e k e rne l , as v irt ual m e m ory norm al l y w ork s . O v e rt im e , Sq uid re cogniz e s t h att h e s e obj e ct s h av e n'tbe e n re q ue s t edf or aw h il e , s o itde cide s t o page t h os e obj e ct s outt o dis k . Since t h e obj e ct s are al re ady on dis k , butSq uid is unaw are oft h is , Sq uid caus e s t h e k e rne l t o s w ap t h e obj e ctback int o ram , t h e n Sq uid w rit e s itt o dis k . W h at h appe ns ift h atobj e ctis re q ue s t e d again be f ore ite xpire s ?Th atobj e cth as t o be pul l edf rom t he f il e s ys t e m , w rit t e n back int o m e m ory and t h e n s e rv e d up t ot h e us e r . Now w h e n Sq uid caus e s t h e k e rne l t o pul l t he obj e ctf rom s w ap s pace on dis k , itm ore t h an l ik e l y w il l caus e t h e k e rne l t o h av e t o s w ap ot her , pos s ibl y Sq uid obj e ct s f rom RAM t o s w ap, t of re e up e nough RAM t o s w ap t he original obj e ctback int o RAM . I fyou t h ink aboutt h is f or a s e cond, and appl y itt o sev e ral t h ous and s q uid obj e ct s , you w il l see h ow ine f f icie ntt h is w il l be . V arnis h on t h e ot h e r h and, w ork s dif f e re nt l y. V arnis h doe s n'tt ry t o cont rol w h atis cach e d in RAM and w h atis cach e d on dis k . I ns t e ad, V arnis h us e s t h e s am e pie ce ofal l ocat ed v irt ual m e m ory and ins t ruct s t h e k e rne l t o back t h atv irt ual m e m ory up in a s pe cif ic f il e. I tt henl e av es t h e k e rne l t o de cide w h atis st ore d in RAM and w h atis s w appe d outt o dis k . Th e adv ant age h e re s h oul d be pre t t y appare nt .I ns t e ad ofm ul t ipl e ope rat ions be t weent h e cach e s e rv e r and t h e k e rne l , pul l ing f il e s in and outofdis k and m e m ory, v arnis h w ork s in unis on w it h t h e k e rne l f or an opt im iz e d and s e am l e s s s ol ut ion. 
Av oiding M e m ory O pe rat ions V arnis h h ow e v e r doe s n'ts t op t h e re . O n m ul t icore /m ul t i-proce s s or s ys t e m s , m e m ory re ad and w rit e s are e xpe ns iv e e s pe cial l y on pie ce s ofm e m ory t h atne e d t o be updat e d on a re gul ar bas is , s uch as s t at is t ics count e rs . I f one CPU is updat ing t h e count er ,t h e s e cond CPU w il l h av e t o w aitunt il t h atCPU h as incre m e nt e d it , and t h e n bot h CPUs h av e t o e ngage in an e xpe ns iv e , re ad /w rit e ope rat ion on m e m ory. Th is m igh tbe l e s s ugl y on be t t e r arch it e ct ure s , bute it h e r w ay it s not

gre at . V arnis h ins t e ad t rie s t o m inim iz e t h e num be r ofre ads and w rit es t o m e m ory (m e m ory ope rat ions ). I ns t e ad ofdoing l ot s ofm al l oc() and f re e () ope rat ions , v arnis h ins t e ad cal l s m al l oc() once and us e s point e rs t o re cycl e t h e s pace as ne e de d f or e ach H TTP h e ade r . Th e re s ul t , is l e s s m e m ory ope rat ions , and m uch f as t e r pe rf orm ance on t oday's m ul t icore , m ul t i-proce s s or s ys t ems. Buil ding V arnis h You w il l probabl y h av e t o buil dV arnis h f rom s ource , probabl y nota bad ide a anyw ay f or a product ion s e rv ice , as you don'tk now w h o buil tt h e pack age your dis t ribut ion prov ide s . Th e l at e s tv e rs ion is V arnis h 1.1, s im pl y unpack itand run: ./ conf igure --pre f ix=/ opt / v arnis h --w it h -gnu-l d-w it h -pic --e nabl e -s h are d --dis abl e -s t at ic -e nabl e -s t ack -prot e ct or m ak e m ak e ins t al l You w il l ne e d t o add / opt / v arnis h / l ib t o / et c/ l d.s o.conf , and run l dconf ig. You w il l probabl y al s o ne e d t o updat e your PATH : PATH =/ opt / v arnis h / bin:/ opt / v arnis h / s bin: $ PATH e xportPATH Final l y, ifyou h av e any probl e m s w it h ./ conf igure , you m ay noth av e st ack prot e ct or av ail abl e t o you. So drop t h e --e nabl e -s t ack prot e ct or opt ion ifne ce s s ary. Conf iguring V arnis h V arnis h us e s a f orm atcal l edV CL .I fyou're notf am il iar w it h Re gul ar Expre s s ions , now w oul d be a gre att im e t o pick up a good book on re ge x. Th e f irs tpartoft he V CL conf igurat ion is t oset up t h e back e nd, you can conf igure m ul t ipl e back e nd bl ock s , and it s bas ical l yt h e re t ot el l V arnis h w h e re you w antt o s e nd re q ue s t s t o. Th e back e nd bl ock cons is t s ofa h os tand a portopt ion.
    backend default {
        set backend.host = "10.10.10.10";
        set backend.port = "8181";
    }

    backend www {
        set backend.host = "www.foocorp.com";
        set backend.port = "8282";
    }

Here you can already start to see that Varnish gives you the potential for a very scalable setup. You could run multiple Varnish cache servers and point them at multiple backends. If you use an FQDN in the host parameter, make sure you have DNS set up for it.

Varnish supports Access Control Lists (ACLs). An ACL is a block of addresses, each optionally followed by a netmask written after the closing quote; an entry prefixed with ! means "do not match" (deny). The ACL is then applied in the VCL subroutines later on. Here is an example of an ACL:

    acl test {
        "10.10.10.0"/24;
        ! "192.168.0.0"/16;
    }

This matches 10.10.10.0/24 but not 192.168.0.0/16. You test it against the client address with something like if (client.ip ~ test) { pass; } in vcl_recv. You may want to use something like this to bypass the cache from a particular workstation or subnet at your office, while another subnet at your office hits the cache for testing. It can also be used for more advanced traffic control.

The remaining blocks in a VCL file let you customize or override how each stage of the cache process behaves. In Varnish these blocks are vcl_recv, vcl_pipe, vcl_pass, vcl_hit, vcl_miss, vcl_fetch, vcl_deliver, vcl_timeout and vcl_discard. Each allows you to fine tune one stage of the caching process.

Cache Modes

The first block to be hit is vcl_recv. It decides what to do with a request once it has been received. In general, it will either return an error, use the pass or pipe modes, or look the object up in the cache. For example, if you do not use PHP on your backend, you might decide that any request for a PHP document gets an error. Something like this will handle such a request, taking care of ASP and VB files as well:

    sub vcl_recv {
        if (req.url ~ "\.(php|asp|vb|php3)$") {
            error 404;
        }
    }

For static content you expect to find cached, you can add something like this, which forces a lookup in the cache:

    sub vcl_recv {
        if (req.url ~ "\.(css|gif|jpg|png|js|bmp|pdf)$") {
            lookup;
        }
    }

You probably do not want to cache POST requests:

    sub vcl_recv {
        if (req.request != "GET" && req.request != "HEAD") {
            pipe;
        }
    }

There are two other modes, pipe and pass, for handling requests. With pipe mode, the request is passed to the backend without any modification. Any further traffic exchanged between the client and the server is unaltered until either end closes the connection. Pass mode passes the request on to the backend without storing the response in the cache. Subsequent requests over the same connection are handled normally by the cache, meaning it will still process them.

Hit or Miss

Varnish provides a lot of control to the administrator. The vcl_hit block lets the administrator decide what to do when an object is found in the cache. The default is to deliver it to the user, but using regex and various configuration options, the administrator can fine tune what is delivered. The vcl_miss block lets the administrator decide what to do when there is a cache miss: should it switch to pass, or should it fetch the object from the backend?

Cache Insertion with vcl_fetch()

The vcl_fetch block defines what happens after a successful retrieval from the backend. Here we can insert the object into the cache and deliver it, or switch to pass mode. This allows you to customize what gets stored in the cache. If, for example, you are serving custom ebooks from a PDF generator, you probably do not want to store once-off PDF files in the cache. If an object is not cacheable, you do not want to store it in the cache either.

Initial Configuration

After spending a couple of weeks experimenting with Varnish, we found the best approach is to start with a minimal configuration, monitor how things are being cached and adjust the settings appropriately. It is very easy to make Varnish do very strange things: after a couple of configuration changes, we managed to get Varnish to serve up a JPG file in error instead of static HTML. Later we discovered this was the result of a configuration error in vcl_fetch().

    backend default {
        set backend.host = "192.168.30.50";
        set backend.port = "8888";
    }

    sub vcl_recv {
        if (req.url ~ "\.(css|gif|jpg|png|js|bmp|pdf)$") {
            lookup;
        }
        if (req.request != "GET" && req.request != "HEAD") {
            pipe;
        }
        if (req.http.Expect) {
            pipe;
        }
        if (req.http.Authenticate || req.http.Authorization) {
            pipe;
        }
        if (req.url ~ "account.login") {
            pipe;
        }
        lookup;
    }

The above is a good starting point for optimizing Varnish. Two things to keep in mind about it: the static-file rule comes first, so a request for a .css or .png URL is looked up whatever its method or headers; and no rule looks at the Cookie header, so a request carrying a session cookie is looked up too, and may be answered with a cached copy of another user's page if the backend personalizes responses by cookie. If that applies to your application, move the method and header checks above the static-file rule and add if (req.http.Cookie) { pass; }. (Authorization is the request header that actually carries credentials; Authenticate is not a standard request header, but checking it does no harm.) Again, optimization is something you will need to do based on your particular application and needs. The man page for vcl is well documented, and the varnish-misc mailing list, especially its archives, is a good place to track down configuration advice and tips.

Starting Varnish

Once you have your VCL file configured, you can start varnishd. Varnish takes a lot of options, and man varnishd will give you a good breakdown of each. The following is enough to get started:

    varnishd -a 172.16.50.20:80 -T localhost:1234 -f /etc/cache/test.vcl -s file,/var/cache/varnish_storage.bin,1G -g nogroup -u nobody

Here we are telling varnishd to listen on port 80 on 172.16.50.20, and to offer a management interface on localhost port 1234. The management interface accepts commands (including loading new VCL) from anyone who can connect to it, so keep it bound to localhost. We point it at the VCL file, /etc/cache/test.vcl. We tell Varnish to use a file for storage (malloc is another storage option, but the developers do not recommend it for production use), and that the file is to be 1GB in size. Finally we tell Varnish to run the worker process as user nobody and group nogroup; the management process stays root, which is what lets it bind port 80. It is as simple as that. A quick netstat -nap | grep varnish confirms that it is up and running.
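Once varnishd is up, it is worth checking that the VCL really does what you think before production traffic reaches it. The following smoke test is added here; it is not part of the o3 article or of the Varnish project. It relies on the X-Varnish response header, which carries one transaction id when the object was fetched from the backend and two when it was served from cache; a piped request gets no header at all because Varnish does not touch the response. The Varnish address is the one from the varnishd line above; the URLs /static/logo.png and /account.login are assumed to exist on the backend. Run against the VCL exactly as printed above, the Authorization check on the static URL fails: the static-file rule is evaluated first, so a GET for a .png that carries credentials is looked up and answered from cache. That is precisely the kind of mismatch this script exists to catch.

```sh
#!/bin/sh
# Added example, not part of the o3 article or of Varnish: verify that the
# VCL above keeps authenticated and non-GET requests out of the cache.
# Assumptions: varnishd listens on 172.16.50.20:80 (as started above) and
# the backend serves /static/logo.png and /account.login.

VARNISH="${VARNISH:-http://172.16.50.20:80}"

# Classify the value of an X-Varnish response header.
# Varnish sends one transaction id on a miss and two on a hit (the second
# is the id of the request that populated the cache); a piped request
# reaches the client untouched, so the header is absent.
xvarnish_state() {
    set -- $1            # word-split the value to count the ids
    case $# in
        0) echo none ;;
        1) echo miss ;;
        *) echo hit ;;
    esac
}

# Request URL (extra arguments go to curl) and print hit/miss/none.
fetch_state() {
    url=$1; shift
    value=$(curl -s -D - -o /dev/null "$@" "$url" \
            | tr -d '\r' | sed -n 's/^[Xx]-[Vv]arnish: *//p')
    xvarnish_state "$value"
}

# expect_state STATE URL [curl args]: print a result line; return 1 on mismatch.
expect_state() {
    want=$1; url=$2; shift 2
    got=$(fetch_state "$url" "$@")
    if [ "$got" = "$want" ]; then
        echo "ok    $want  $url $*"
    else
        echo "FAIL  want $want, got $got  $url $*" >&2
        return 1
    fi
}

run_smoke_test() {
    rc=0
    # the first request warms the cache, the second must be answered from it
    fetch_state "$VARNISH/static/logo.png" >/dev/null
    expect_state hit  "$VARNISH/static/logo.png" || rc=1
    # credentials: the VCL pipes these, so there must be no X-Varnish header
    # (with pass instead of pipe the right expectation would be "miss")
    expect_state none "$VARNISH/static/logo.png" -H 'Authorization: Basic dXNlcjpwYXNz' || rc=1
    # POST bodies are piped too, and the login URL is piped by name
    expect_state none "$VARNISH/account.login" -X POST -d 'user=a&pass=b' || rc=1
    expect_state none "$VARNISH/account.login" || rc=1
    return $rc
}

if [ "${1:-}" = run ]; then
    run_smoke_test
fi
```

Invoke it as sh smoke.sh run after every VCL change; a non-zero exit means something reachable from the cache is being served to the wrong requests.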
What about Logs?

Varnish stores its logs in shared memory. To access them you use the varnishlog command, part of a suite of utilities that comes with Varnish. You can use varnishlog to see what is going on right now, or run it with -D -a -w /var/log/varnishcache.log to daemonize it and append to a log file. If you want the logs in Apache/NCSA combined log format, Varnish comes with another utility called varnishncsa, which will do that for you. Another utility, varnishtop, presents the top ranked (most frequently occurring) log entries. For example, varnishtop -i RxHeader -C -I '^User-Agent' will display the most common user agents hitting your site.

Conclusion

Varnish is an impressive web acceleration / reverse proxy solution. It is used on a growing number of high-traffic production networks around the world, and is well worth a look. While the configuration might not be for the faint hearted, once you start to experiment with Varnish you will understand its power and its appeal to high-traffic production networks. For the CEO/CIO, this is a cost saving solution, especially if you are already using or considering Squid or a commercial reverse proxy solution to accelerate your web services. Using Varnish in conjunction with other open source projects such as Nginx gives you the option to integrate load balancing and SSL off-load into the solution.

Article Links

Varnish Cache: http://www.varnish-cache.org
Squid Cache: http://www.squid-cache.org
Pound Reverse-Proxy: http://www.apsis.ch/pound/
Lighttpd: http://www.lighttpd.net
Appliance and VM :: Simple Stacks

Simple Appliance Stacks with LFS
Linux From Scratch is a project that provides step by step instructions for building your own Linux system from source. This issue we look at using LFS to build a simple appliance st
ack for constructing chroot() environments for any application with ease.

John Buswell (buswellj@o3magazine.com)

Linux From Scratch (LFS) is a project that provides step by step instructions for building your very own Linux system entirely from source. There are a number of good reasons to look at LFS; educating yourself on exactly how a Linux operating system is built is a key one. But LFS is also extremely flexible, and you can use it to build a minimal stack for software appliances that will run on any Linux system.

The Ultimate chroot() Environment

If you have ever tried to chroot() an application, you know that getting the right mix of libraries, binaries and other things the application needs can be a nightmare. The goal of this article is to help you put together a skeleton environment from which you can chroot() any application you need. We will initially build what we are going to call an IBE (Initial Build Environment). This will be a minimal, yet sufficient for our purpose, build of LFS. It is going to be enough to compile whatever applications we need. From the IBE we are going to strip things down, so that we have a smaller, optimized, chroot()-friendly environment we are going to call an Application Stack.

Don't repeat yourself (DRY)

The Linux From Scratch documentation (http://www.linuxfromscratch.org/lfs/view/stable/) is so well written that I am going to avoid repeating it and point you straight to the documentation. This article is based on the current development LFS, which is 6.3. To save some time, here is how to automate downloading all the LFS packages and patches you will need (the script scrapes the download links out of the book's chapter 3 pages, so it breaks if the page layout changes):

    #!/bin/bash
    mkdir -p /opt/dev
    mkdir -p /opt/dev/{ibe,ibe/sources,ibe/logs}
    cd /opt/dev/ibe/sources
    LFS=/opt/dev/ibe
    export LFS
    wget http://www.linuxfromscratch.org/lfs/view/development/chapter03/packages.html
    mv packages.html ibe-3.1.0.html
    cat ibe-3.1.0.html | grep Download: -A 1 | grep -v Download | grep \" | cut -d \" -f2 > ibe-3.1.0.prelist
    cat ibe-3.1.0.prelist | sed 's/http:\/\/ftp.gnu/ftp:\/\/ftp.gnu/g' > ibe-3.1.0.list
    for i in $(cat ibe-3.1.0.list); do wget $i; done
    mkdir patches
    cd patches
    wget http://www.linuxfromscratch.org/lfs/view/development/chapter03/patches.html
    mv patches.html ibe-3.1.0-patches.html
    cat ibe-3.1.0-patches.html | grep Download: -A 1 | grep -v Download | grep \" | cut -d \" -f2 > ibe-3.1.0.patchlist
    for i in $(cat ibe-3.1.0.patchlist); do wget $i; done
    cd /opt/dev/ibe/sources
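The download script above fetches whatever the scraped links point at and never checks what arrived, and the Varnish section earlier made the same leap from "build it from source" to "it is trustworthy". The LFS book prints an MD5 sum next to each package, so the downloads can be checked before anything is unpacked. The script below is an added example, not part of the o3 article or of the LFS project; it assumes the packages page lists each package as a "Download:" line containing the link followed by an "MD5 sum:" line with the digest (the constructed sample in demo_offline mirrors that layout; adjust the patterns if the real page differs). MD5 is what the book provides, which is enough to catch a truncated or corrupted download and a casual substitution, not a determined attacker who can also edit the book page.

```sh
#!/bin/sh
# Added example, not part of the o3 article or of the LFS project: check
# the downloaded tarballs against the MD5 sums the LFS book publishes
# before anything is unpacked. Assumption about the page layout: each
# package entry has a "Download:" line with the link and an "MD5 sum:"
# line with the digest, as in the constructed sample in demo_offline.

# Turn the packages page into "digest  filename" lines (md5sum -c format).
build_md5_list() {                 # usage: build_md5_list packages.html
    awk '
        /Download:/ {
            if (match($0, /href="[^"]*"/)) {
                url = substr($0, RSTART + 6, RLENGTH - 7)
                n = split(url, parts, "/")
                file = parts[n]
            }
        }
        /MD5 sum:/ && file != "" {
            line = $0
            gsub(/<[^>]*>/, "", line)              # strip HTML tags
            sub(/.*MD5 sum:[ \t]*/, "", line)      # keep text after the label
            sub(/[^0-9a-f].*$/, "", line)          # keep the hex run only
            if (length(line) == 32) printf "%s  %s\n", line, file
            file = ""
        }
    ' "$1"
}

# Verify every listed file in DIR. Missing files count as failures so a
# download that never completed is not silently skipped. Returns 1 on any
# problem.
verify_sources() {                 # usage: verify_sources list dir
    list=$1; dir=$2; rc=0
    while read -r digest file; do
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING  $file" >&2; rc=1; continue
        fi
        actual=$(md5sum "$dir/$file" | cut -d' ' -f1)
        if [ "$actual" = "$digest" ]; then
            echo "ok       $file"
        else
            echo "BAD      $file: expected $digest, got $actual" >&2; rc=1
        fi
    done < "$list"
    return $rc
}

# Offline demonstration on constructed files and a constructed page: the
# intact package passes, the tampered one is rejected. Returns 0 when both
# outcomes are as expected.
demo_offline() {
    tmp=$(mktemp -d) || return 2
    printf 'not really a tarball\n' > "$tmp/foo-1.0.tar.bz2"
    printf 'tampered contents\n'   > "$tmp/bar-2.1.tar.gz"
    good=$(md5sum "$tmp/foo-1.0.tar.bz2" | cut -d' ' -f1)
    cat > "$tmp/packages.html" <<EOF
<p>Download: <a href="http://example.invalid/pub/foo-1.0.tar.bz2">foo</a></p>
<p>MD5 sum: <code class="literal">$good</code></p>
<p>Download: <a href="http://example.invalid/pub/bar-2.1.tar.gz">bar</a></p>
<p>MD5 sum: <code class="literal">00000000000000000000000000000000</code></p>
EOF
    build_md5_list "$tmp/packages.html" > "$tmp/md5.list"
    grep 'foo-1.0' "$tmp/md5.list" > "$tmp/foo.list"
    grep 'bar-2.1' "$tmp/md5.list" > "$tmp/bar.list"
    status=0
    verify_sources "$tmp/foo.list" "$tmp" >/dev/null 2>&1 || status=1   # must pass
    verify_sources "$tmp/bar.list" "$tmp" >/dev/null 2>&1 && status=1   # must fail
    rm -rf "$tmp"
    return $status
}
```

In the real workflow you would run build_md5_list ibe-3.1.0.html > ibe-3.1.0.md5 right after the wget of packages.html, and verify_sources ibe-3.1.0.md5 /opt/dev/ibe/sources after the downloads, refusing to continue with the LFS chapters on a non-zero exit.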
From this point on, follow the LFS instructions step by step for chapters 4, 5 and 6. Since you are building a "stack" and not a bootable OS, you can skip things like GRUB and the LFS bootscripts. If you do not want to use a separate partition, just symlink /mnt/lfs to /opt/lfs and use /opt/lfs for $LFS. When you are done, you should have a working IBE stack.

IBE and templates

You might want to store the IBE stack in /opt/ibe and chroot() into it whenever you need to compile a new application or library. You will need to copy the IBE stack to create a template. Do this with cp -a, but before you do, make sure you umount proc, sysfs and dev from the IBE environment, or you will run into trouble (cp -a would otherwise copy the contents of the host's /proc, /sys and /dev into the template):

    mkdir -p /opt/stack/
    cp -a /opt/ibe /opt/stack/template

Next clean up the template by deleting the things you do not need. The LFS documentation tells you to strip the libraries and binaries of symbols. We are going a few steps further by removing things such as /usr/include, /usr/share/, man pages, and binaries and libraries you do not need. While pruning, use man <command> to look up applications you are not sure you will need, to find out what they do. LFS is pretty minimal in general, but you should still be able to shave it down by at least 50%.

Building applications

As we mentioned before, you now have a template environment that is cut down, and you have the full blown IBE, which is the final LFS product. You need the IBE to build applications for your stack.
The best way to do this is to install applications in either /stack/app/_appname or /stack/common/_appname, where _appname is the name of the application, such as apache. The common directory should be used to store shared things like ssl. You might want to create /build/src inside the IBE and store your source files and builds inside that tree. Building applications is pretty trivial: you do the usual

    ./configure --prefix=/stack/app/bind9 --enable-shared --disable-static

followed by make && make install. If the application you add includes libraries, simply add its lib directory, /stack/app/bind9/lib for example, to /etc/ld.so.conf and run ldconfig. Make sure you do this while chroot'd inside the IBE; you do not want to mess up the host system. You will probably also want to update the PATH variable for the stack as well.

Installing templates

After you have built a few applications, you should have each application stored inside /stack/app/_appname. Now all you need to do is create a new chroot area from the template:

    cd /opt/stack
    cp -a template bind9

Next, copy in what you need for bind9. In this case it might be ssl and bind9:

    mkdir -p bind9/stack/{app,common}
    cp -a /opt/ibe/stack/common/ssl bind9/stack/common
    cp -a /opt/ibe/stack/app/bind9 bind9/stack/app

Drop your bind9 config into the chroot area, and put together a script to start it:

    #!/bin/bash
    DNSSTACK=/opt/stack/bind9
    export DNSSTACK
    mount -v --bind /dev $DNSSTACK/dev
    mount -vt devpts devpts $DNSSTACK/dev/pts
    mount -vt tmpfs shm $DNSSTACK/dev/shm
    mount -vt proc proc $DNSSTACK/proc
    mount -vt sysfs sysfs $DNSSTACK/sys
    chroot $DNSSTACK /usr/bin/env -i \
        HOME=/root TERM="$TERM" PS1='\u:\w\$ ' \
        PATH=/bin:/usr/bin:/sbin:/usr/sbin:/stack/app/bind9/bin:/stack/app/bind9/sbin \
        /stack/app/bind9/sbin/named -t /stack/chroot/dns -c /etc/named.conf -u bind9

Note that the script has to run as root (mount and chroot require it), that it bind-mounts the whole of the host's /dev into the stack, and that it never unmounts anything, so running it twice stacks a second set of mounts on top of the first. named itself drops to the bind9 user and chroots once more into /stack/chroot/dns (so the -c path is relative to that directory); the bind9 user has to exist in the stack's own /etc/passwd, because that is the one named sees.

You now have an instant stack. These stacks are independent of the host system. If you need a new version of a library that might break one stack but is needed for a new stack, that does not matter: you build the new library, copy it into the template for the new stack, and the old stack is unaffected.

Example: Rails Stack

Let's say you want to build a stack to run Ruby on Rails with Mongrel. You might compile lzo, pcre and openssl and install them into /stack/common/. Then all you need is ruby, rubygems and to restore /usr/include, as it is used by rubygems. A couple of untar, ./configure, make && make install commands, and you have got a viable stack. To install Rails, you simply chroot into the stack, create /etc/resolv.conf and then run:

    gem install rails --include-dependencies
    gem install mongrel
    gem install mongrel_cluster

You now have a ready to roll Rails stack. Practically any open source application can be built into a stack like this. You can then tar up the stack and deploy it wherever you need it with a very simple configuration change. No more broken package management, no more problematic dependencies when you upgrade the host operating system and break other things.

Stack without the virtualization

This chroot() stack basically gives you the advantages of application partitioning without the overhead or headaches of virtualization. Keep in mind what it does not give you: a chroot() is not a security boundary against a process running as root, which can escape it, so every service in a stack should drop privileges to an unprivileged user the way named does above. Best of all, you built the entire system from source!

Extra recipes

o3 magazine subscribers can pick up extra recipes or request extra recipes using subscriber services (the login link on the website) or ask questions on the o3 media forums.
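The bind9 start script earlier in this article mounts /dev, /dev/pts, /dev/shm, /proc and /sys into the stack every time it runs and never takes them down. The wrapper below is an added example, not part of the o3 article; it keeps the article's paths (/opt/stack/bind9 and the named invocation) and adds the two things a practitioner wants before putting this in an init script: mounts are only made when they are not already present, and they are unmounted in reverse order on stop. The optional mounts-table argument to is_mounted and missing_mounts exists so the logic can be exercised against a constructed /proc/mounts without root; stack_up and stack_down themselves still need root.

```sh
#!/bin/sh
# Added example, not part of the o3 article: start/stop wrapper for the
# bind9 stack above with idempotent mounts. Paths are the article's.
# Usage: stack.sh up | stack.sh down (both as root).

STACK="${STACK:-/opt/stack/bind9}"

# The mounts the stack needs, outermost first: "mountpoint mount-arguments".
stack_mounts() {
    cat <<EOF
$STACK/dev --bind /dev
$STACK/dev/pts -t devpts devpts
$STACK/dev/shm -t tmpfs shm
$STACK/proc -t proc proc
$STACK/sys -t sysfs sysfs
EOF
}

# is_mounted DIR [TABLE]: true if DIR is a mount point in the mounts table
# (default /proc/self/mounts; the mount point is the second field).
is_mounted() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-/proc/self/mounts}"
}

# missing_mounts [TABLE]: print the stack mount points not yet mounted,
# in mount order.
missing_mounts() {
    stack_mounts | while read -r dir rest; do
        is_mounted "$dir" "${1:-/proc/self/mounts}" || echo "$dir"
    done
}

stack_up() {
    stack_mounts | while read -r dir rest; do
        if is_mounted "$dir"; then
            echo "already mounted: $dir"
        else
            # $rest is intentionally word-split into mount arguments
            mount $rest "$dir" || exit 1
        fi
    done
    chroot "$STACK" /usr/bin/env -i \
        HOME=/root TERM="$TERM" PS1='\u:\w\$ ' \
        PATH=/bin:/usr/bin:/sbin:/usr/sbin:/stack/app/bind9/bin:/stack/app/bind9/sbin \
        /stack/app/bind9/sbin/named -t /stack/chroot/dns -c /etc/named.conf -u bind9
}

# Stop named (rndc stop inside the stack, or kill its pid) before calling
# this; it only takes the mounts down, innermost first so /dev/pts goes
# before /dev.
stack_down() {
    stack_mounts | awk '{ print $1 }' | sed '1!G;h;$!d' | while read -r dir; do
        if is_mounted "$dir"; then umount "$dir"; fi
    done
}

case "${1:-}" in
    up)   [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }; stack_up ;;
    down) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }; stack_down ;;
    *)    ;;   # no argument: only define the functions
esac
```

Bind-mounting the host's /dev still exposes every device node to the stack; if the service does not need them, a small tmpfs /dev populated with null, zero, random and urandom is the tighter choice.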
Database and Storage :: PostgreSQL

Deploying PostgreSQL
PostgreSQL is a powerful open source database solution. PostgreSQL is an enterprise class database and an excellent alternative to MySQL. PostgreSQL has many advanced features and prides itself on its strong standards compliance with ANSI SQL92/99.

John Buswell (buswellj@o3magazine.com)

In the last issue we looked at MySQL; today we will focus on PostgreSQL, which is another powerful open source relational database. PostgreSQL is an enterprise class database. It has many sophisticated features such as Multi-Version Concurrency Control (MVCC), point in time recovery, tablespaces, asynchronous replication, nested transactions, online/hot backups, a sophisticated query planner/optimizer, and write ahead logging for fault tolerance. It supports international character sets, multi-byte character encodings and Unicode, and is locale-aware for sorting, formatting and case-sensitivity. PostgreSQL has excellent standards compliance, and conforms strongly to ANSI SQL92/99. Standards compliance matters for businesses looking to achieve various ISO business standards compliance.

Limitations

PostgreSQL has no maximum database size. The maximum table size is 32 TB, the maximum row size is 1.6 TB, and the maximum field size is 1 GB. The maximum number of rows per table is unlimited, as is the number of indexes per table. The maximum number of columns per table is between 250 and 1600, depending on the column types. In comparison, MySQL 5.x supports a maximum table size of 64 TB with InnoDB.
Building PostgreSQL

For the purpose of this article, we will look at building PostgreSQL 8.2.4 from source on a Linux system running Gentoo. PostgreSQL is available from http://www.postgresql.org. After uncompressing the archive, we need to run configure and make to compile PostgreSQL:

    ./configure --prefix=/opt/stack/pgsql --enable-shared --with-gnu-ld --with-openssl
    make
    make install

This will install PostgreSQL under the /opt/stack/pgsql directory with support for OpenSSL.

Running PostgreSQL

Getting PostgreSQL up and running is very easy. You will want to create a non-root user account for PostgreSQL; we typically use pgsql as the user.

    useradd -d /opt/stack/pgsql/ -g nogroup -s /bin/bash pgsql
    chown pgsql /opt/stack/pgsql
    mkdir -p /opt/stack/pgsql/databases
    chown pgsql /opt/stack/pgsql/databases
    su - pgsql
    pgsql@mybox ~ $

Strictly, only the databases directory needs to be owned by pgsql; the installed binaries under /opt/stack/pgsql/bin and lib can stay owned by root, so that a compromised server process cannot replace them. At this point you may need to fix the PATH by typing PATH=/opt/stack/pgsql/bin:$PATH; export PATH. The next stage is to initialize the database cluster in the databases directory we created above, by running initdb -D /opt/stack/pgsql/databases. The files belonging to this database system will be owned by user "pgsql". This user must also own the server process.

    The database cluster will be initialized with locale C.
    fixing permissions on existing directory /opt/stack/pgsql/database ... ok
    creating subdirectories ... ok
    selecting default max_connections ... 100
    selecting default shared_buffers/max_fsm_pages ... 24MB/153600
    creating configuration files ... ok
    creating template1 database in /opt/stack/pgsql/database/base/1 ... ok
    initializing pg_authid ... ok
    initializing dependencies ... ok
    creating system views ... ok
    loading system objects' descriptions ... ok
    creating conversions ... ok
    setting privileges on built-in objects ... ok
    creating information schema ... ok
    vacuuming database template1 ... ok
    copying template1 to template0 ... ok
    copying template1 to postgres ... ok

    WARNING: enabling "trust" authentication for local connections
    You can change this by editing pg_hba.conf or using the -A option the
    next time you run initdb.

    Success. You can now start the database server using:

        postgres -D /opt/stack/pgsql/database
    or
        pg_ctl -D /opt/stack/pgsql/database -l logfile start

Take the WARNING seriously: with "trust" in pg_hba.conf, any local user who can reach the socket can connect as any role, including the pgsql superuser, without a password. Change the local and 127.0.0.1 entries in pg_hba.conf from trust to md5 and set a password for the superuser before you expose the server to anything.

Start the server with pg_ctl:

    pgsql@nucleus ~ $ pg_ctl -D /opt/stack/pgsql/database -l logfile start
    server starting

Next, verify that PostgreSQL is running by using ps and netstat.

    pgsql@nucleus ~ $ ps ux
    USER       PID %CPU %MEM   VSZ  RSS TTY   STAT START TIME COMMAND
    pgsql    20885  0.0  0.0 20708 1108 pts/1 S    14:11 0:00 su - pgsql
    pgsql    20886  0.0  0.0 10420 1768 pts/1 S    14:11 0:00 -bash
    pgsql    20932  1.7  0.2 48020 4636 pts/1 S    14:14 0:00 /opt/sn/test/pgsql/bin/postgres -D /opt/stack/pgsql/database
    pgsql    20934  0.0  0.0 48020 1192 ?     Ss   14:14 0:00 postgres: writer process
    pgsql    20935  0.0  0.0 18484 1172 ?     Ss   14:14 0:00 postgres: stats collector process
    pgsql    20936  0.0  0.0  8348  944 pts/1 R+   14:14 0:00 ps ux
    pgsql@nucleus ~ $ netstat -nap | grep postgres
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    tcp   0  0 127.0.0.1:5432   0.0.0.0:*        LISTEN       20932/postgres
    udp   0  0 127.0.0.1:32899  127.0.0.1:32899  ESTABLISHED  20932/postgres
    unix  2  [ ACC ]  STREAM  LISTENING  39769  20932/postgres  /tmp/.s.PGSQL.5432

The server listens only on 127.0.0.1 by default (the listen_addresses setting in postgresql.conf), which is what you want until authentication is sorted out. Once the server is running, create the pgsql database with createdb pgsql.
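The initdb WARNING in the transcript above deserves a concrete fix. The script below is an added example, not part of the o3 article or of PostgreSQL; it uses the article's data directory and a constructed copy of the pg_hba.conf that initdb 8.2 writes by default. init_cluster shows how to initialise with password authentication from the start (initdb's -A selects the method, -W prompts for the superuser password), while check_pg_hba and harden_pg_hba audit and rewrite an existing file. After replacing pg_hba.conf the server needs a pg_ctl reload, and every role that is expected to connect needs a password set with ALTER ROLE ... PASSWORD, otherwise md5 simply locks it out.

```sh
#!/bin/sh
# Added example, not part of the o3 article or of PostgreSQL: replace the
# "trust" entries initdb wrote with md5, and check that none remain.
# With trust, any local account that reaches the socket connects as any
# role, superuser included, without a password.

PGDATA="${PGDATA:-/opt/stack/pgsql/databases}"

# Initialise with password authentication from the start: -A md5 makes
# initdb write md5 instead of trust, -W prompts for the superuser password.
init_cluster() {
    initdb -D "$PGDATA" -A md5 -W
}

# Print the pg_hba.conf entries that still use trust; return 1 if any.
# Fields: TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD. Comments and
# blank lines are ignored.
check_pg_hba() {                    # usage: check_pg_hba pg_hba.conf
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            if ($1 == "local")       method = $4   # no address field
            else if ($4 ~ /\//)      method = $5   # CIDR address
            else                     method = $6   # address + netmask
            if (method == "trust") { bad++; print "trust entry: " $0 }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Rewrite trust to md5 (the method is the last field) and print the result;
# install it over pg_hba.conf and run "pg_ctl -D $PGDATA reload".
harden_pg_hba() {                   # usage: harden_pg_hba pg_hba.conf > new
    sed 's/[[:space:]]trust[[:space:]]*$/ md5/' "$1"
}

# Constructed sample matching what initdb 8.2 writes by default.
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
local   all         all                               trust
host    all         all         127.0.0.1/32          trust
host    all         all         ::1/128               trust
EOF
}

# Offline demonstration: the default file fails the check, the hardened
# one passes. Returns 0 when both outcomes are as expected.
demo_offline() {
    tmp=$(mktemp) || return 2
    sample_pg_hba > "$tmp"
    status=0
    check_pg_hba "$tmp" >/dev/null && status=1          # must report trust
    harden_pg_hba "$tmp" > "$tmp.md5"
    check_pg_hba "$tmp.md5" >/dev/null || status=1      # must be clean
    rm -f "$tmp" "$tmp.md5"
    return $status
}
```

check_pg_hba is also a reasonable thing to run from a cron job or a configuration audit, since a later initdb or a hand edit can quietly bring trust back.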

The interactive console

Just like MySQL, PostgreSQL has an interactive terminal, called psql. The MySQL interactive console is intuitive; the PostgreSQL terminal requires a little more effort on the part of the administrator. There are two sets of commands that psql supports: \? gives you a list of the terminal (backslash) commands, while \h gives you a list of supported SQL commands. Rather than taking you on a tour of psql, this article will give you enough basic information to get off and running with it.
List, Create and Connect
In MySQL you would type show databases; in psql you use \l to list the databases. To connect to a particular database run \c database. For our example, we will create a database called customers and connect to it.

CREATE DATABASE customers;
\l
        List of databases
   Name    | Owner | Encoding
-----------+-------+-----------
 customers | pgsql | SQL_ASCII
 pgsql     | pgsql | SQL_ASCII
 postgres  | pgsql | SQL_ASCII
 template0 | pgsql | SQL_ASCII
 template1 | pgsql | SQL_ASCII
pgsql-# \c customers
customers-#

You will notice that the database name is in the prompt. You will also notice that the psql developers have chosen shorthand commands over the keyword-based commands you find in MySQL. This might be a little unnerving at first, but once you have run through the commands a few times, it becomes second nature.

Creating Tables
Now that we have created a database, it's only natural to create a table. We will create a simple table to store an ID number and customer name.

CREATE TABLE contact (
    test_id INTEGER UNIQUE,
    test_name VARCHAR(50)
);

You can then verify the table was created with \dp.

Inserting Information
With our newly created table, we can start to insert data. This is done with the INSERT INTO command.

INSERT INTO contact VALUES ('1', 'Joe Smith');
INSERT INTO contact VALUES ('2', 'Jane Doe');

You can then verify the information with SELECT * FROM contact;. Since we've flagged the test_id value as UNIQUE, if you attempt to use the same ID twice, PostgreSQL will respond with a duplicate key error message. Later on we decide that we need the customer's phone number in the table as well. You can use the ALTER TABLE command to modify a particular table. In our example, to add phone to contact:

ALTER TABLE contact ADD COLUMN phone VARCHAR(8);
UPDATE contact SET phone = '123456' WHERE test_id = '1';
UPDATE contact SET phone = '654321' WHERE test_id = '2';
SELECT * from contact;

As you can see, we have successfully added the phone column to the table.

Deleting Information
The DELETE command is used to remove information from a table. Let's say Joe Smith is no longer a customer, and we want to remove him from the database. To do this, we would execute DELETE FROM contact WHERE test_id = '1'; On the other hand, if we wanted to get rid of the table completely, we would use the DROP command: DROP TABLE contact;

Setting permissions
MySQL enables you to create accounts using GRANT. PostgreSQL is a little different in that you need to create a role before you can grant privileges to a user. The following command creates an account called jimmy: CREATE ROLE jimmy WITH PASSWORD 'clueless'; (Note that CREATE ROLE does not grant the LOGIN attribute by default, so a role created this way can hold privileges but cannot connect until it is also given LOGIN.) To GRANT privileges on a particular table to jimmy, we would run:


GRANT ALL PRIVILEGES ON contact TO jimmy;

On the entire database:

GRANT ALL PRIVILEGES ON DATABASE customers TO jimmy;

To reverse the permissions, use the REVOKE command:

REVOKE ALL ON DATABASE customers FROM jimmy;

Conclusion
You should now have a basic grasp of PostgreSQL. The nice thing about both PostgreSQL and MySQL is that they are very well documented. The psql command has very intuitive help for SQL commands, and getting up to speed with PostgreSQL is relatively simple, even for someone with very limited SQL experience.


Web Apps :: Globally Distributed Rails

Deploying Globally Distributed Rails Apps
Nginx, Varnish Cache, Mongrel and OpenVPN, as discussed in previous articles in this issue, are pieced together to create a globally distributed Ruby on Rails application framework. This is very similar to the solution used in production at o3 magazine. The resulting solution is compared to commercial-grade global load balancing solutions.

John Buswell (buswellj@o3magazine.com)

The Internet has changed the way the world does business. For many businesses, regardless of size, the customer is everywhere and the Internet will make or break your business. This is especially true for web 2.0 services and software products. The potential customer is not just the one in your local market, but also the one on the other side of the world. The catch, of course, is that this principle also works for competitors. Whether you know it or not, there is a good chance your company is competing globally.

What is Globally Distributed?
Globally distributed means that content services (web site, e-commerce, support system) are placed closer to the customers. Closer may not mean geographically closer, but closer based on how a geographical region is serviced by the Internet. The goal with any globally distributed solution is to provide faster, and perhaps localized, content to the customer. In the IP Networking column of this issue, we looked at how an open source project called Nginx can be used to direct web traffic to servers based on the source IP of the client.
This works well for static content, but what about dynamic content? This article addresses the challenges that a dynamic web application creates when you try to distribute it globally.

Click and TLD Method
The cheap way of globally distributing content is to use links on the web page to direct customers to their localized copy. This is often combined with top level country code domains (TLDs), in an effort to manually herd customers to the faster local content. While this typically works, it means you have to design your site in such a manner that this choice is presented to the customer first. A much better solution is to do this automatically for the customer, eliminating any potential confusion due to language barriers, while retaining control of your traffic.

Think Globally
It is important to Think Global when looking at how your business uses the Internet. For the purpose of this article, we will assume that a business has a web site to communicate its message to customers, provide product information, sales via e-commerce and support via a web-based ticketing system. For many customers, and potential customers, this is the only impression of your company they will ever have. As a business, you will want to provide at least a minimum quality of service to all customers, regardless of their location. You simply cannot do this successfully with a single server or single data-center solution.

Minimum Quality Of Service
Before looking for providers, or planning a distributed network, you need to decide what the minimum quality of service will be.
This is a pretty difficult task, and it's not likely one that you'll get right on the first attempt. It is also something that will evolve: as you add servers and locations to your network, the minimum quality of service will increase. A starting point might be to use hops and round trip time (RTT). These are something you can quantify with utilities such as traceroute and ping. A good starting point might be to try to be under 100ms in North America and Europe, and under 200ms for anywhere else in the world. This will make sure that the site is reasonably quick for the majority of customers around the world. Using Google, you can identify the major ISPs in different regions, and quickly come up with a list of hostnames and IPs that you can use to profile a potential colocation, dedicated hosting or VPS provider.

Evaluating a Provider
There are plenty of colocation and dedicated hosting providers that offer dedicated data pipes rather than charging for a set amount of transfer. Many colocation providers also offer percentile billing options. Depending on your budget, and how well you like surprises, the dedicated data pipes are typically the best choice. When you have found a provider you like, send their sales department your list of addresses, and evaluate the results they send back. Most good providers will be more than willing to send you the data you requested. When looking at providers, it's important for you to determine who this provider will be helping you service. If you are looking to provide services to European customers, then you probably want to send the sales department your list of European hostnames and IPs, as well as the IPs of any management locations you will be using. A management location might be your office's public IP subnet, etc.

Overseas Providers
Trying to export servers for colocation abroad can be a major headache.
If you cannot find a reasonable dedicated server you can lease, the next best option is to purchase the equipment in that country, and have it shipped to the provider. In many cases you may not have employees in that country, so it's important to find a knowledgeable provider who is not going to nickel and dime you for the installation. Dell is a good option for buying servers overseas; they operate in most countries, and they offer on-site business services.

Typical Rails Deployment
Ruby on Rails is a popular web application framework for building dynamic web applications. Earlier in this issue, the Server Side column looked at deploying production Rails services with Mongrel. A typical stand-alone Rails deployment might consist of two or three servers: a database server providing the Rails application with access to the information used by the web application; a web application server running Mongrel with the Rails application; and a web server (or servers) providing front-end access to the public. In many cases, these three servers might be rolled into one. In this deployment, there are three types of traffic: HTTP or HTTPS (encrypted) traffic between the client browser and the web server; HTTP traffic between the web server and the web application server (Mongrel); and MySQL database traffic between the web application server and the database server.

Globally Distributed Deployment
Deploying Internet services so that they are globally distributed involves scaling the typical solution. With static content, this is pretty trivial, as you can simply use rsync, subversion or cvs to synchronize content between the servers from a central location. As seen in the earlier article in this issue on HTTP Global Load Balancing with Nginx, Nginx can easily be configured to globally distribute static content. Dynamic content, on the other hand, presents an entirely new set of challenges. Those challenges vary, as does the solution, depending on the application. To determine the best approach, you need to classify the web application as cacheable or not cacheable.
A cacheable web application is one where the vast majority of the traffic is simply reading content, with minimal interaction from the user. If a user has to log in to read the content generated by the application, it is typically not cacheable. Blogs, Content Management Systems and Wikis are good examples of web applications that could be cached. The best approach is to switch the URL from http to https when the user needs to log in or write information to the web application. Not only is it secure, it makes it easier to redirect traffic.


Non-cacheable dynamic content presents challenges of its own. As a business, you want to provide a seamless experience to all users, so each server needs to present not only the same web application, but also use the same data source for that application. At this point, you have two options. You can use database replication, with local database servers at each location. Alternatively, you can centralize your database and web application servers. There are a variety of reasons why database replication can cause problems. The best, and possibly only, approach if you want to use database replication is to use MySQL in a multi-master configuration. There are pros and cons to using MySQL in a multi-master configuration: there is a risk that you could lose data integrity, and if you have a large number of database updates, the performance could degrade as you add servers.

Back-end Transport
Regardless of which approach you choose, whether it's MySQL traffic or HTTP traffic to a centralized location, you will need a secure transport for this data. The security column of this issue looks at building secure global networks over the Internet with OpenVPN. OpenVPN provides a quick and easy means to set up a secure link between remote datacenters.

Centralized Web Application Servers
By centralizing the web application servers, you eliminate the need to run Mongrel and MySQL (or another database) at the edge. For the rest of this article, we will refer to servers providing local access to content as "edge servers".
The centralized approach enables faster, more powerful application servers to be hosted at one or two centralized locations, reducing the overall cost and increasing security, as you no longer have multiple copies of your database dispersed around the globe. By not having to deal with multiple copies of MySQL and Mongrel, by far the two most problematic elements of the deployment, you will significantly reduce any administration headaches. Under the centralized approach, the edge servers deal with three types of content: static, dynamic non-cacheable and dynamic cacheable. The static and dynamic non-cacheable content will be handled by Nginx, while the dynamic cacheable content will be handled by placing Varnish Cache in front of Nginx. For static content, the edge servers would use rsync or a similar application to keep the htdocs directories for each site in sync with a centralized source. The dynamic non-cacheable content would be handled using the upstream {} and proxy_pass options in the Nginx server block. For more details on the Nginx configuration, please refer to the IP Networking article in this issue. The dynamic cacheable content would use Varnish Cache to handle the read traffic (http) and use Nginx to handle non-cacheable content such as logins or placing comments, ideally over HTTPS (tcp/443). Varnish Cache would be configured to use the local Nginx server as the backend host, perhaps on loopback (127.0.0.1) and a dedicated port number such as tcp/8182. Initial requests would be passed along to the Nginx server, which would forward them to the centralized server, and Varnish Cache would receive, cache and forward the response it receives from Nginx. Subsequent requests, depending on the cache control parameters used, would result in the content being pulled from the faster local cache. With this centralized approach, each edge server would typically have the same configuration, with a few Nginx configuration changes per region.
These might be for localized TLDs or sub-domains to be handled by the regional servers. This makes it very easy and quick to deploy new servers and manage existing servers.

Request Flow :: EMEA example
A customer in EMEA (Europe, Middle East and Africa) visits your .com website after seeing an advertisement. That request will be handled by one of your DNS servers, and DNS will respond with a number of IP addresses. DNS round robin will randomize the order of these IP addresses, and the customer's browser will try the first one. It will send an HTTP request to one of the North American servers handling your .com. This request is handled by Nginx, which will look at the customer's source address and determine which region the customer is in. It determines the customer is in EMEA and sets the $gslb variable in Nginx to EMEA. The server block of the Nginx configuration tells Nginx to issue an HTTP 302 Redirect if the customer is in EMEA, sending them to your .eu website instead. The customer's browser will receive the HTTP 302 redirect, causing it to request the .eu website instead. The same process will start with Nginx on the .eu server(s); however, the configuration is slightly different: instead of redirecting EMEA customers, it replies with the proper HTTP 200 response (aka the web page). Had the customer requested non-cacheable content, the .eu server would perform an extra set of steps. Instead of pulling the content locally, it would send an HTTP request to one of the servers listed in the upstream {} block of the Nginx configuration. That HTTP request would go over the OpenVPN link to the centralized web application servers, and be handled by Mongrel. Mongrel would execute the Rails application, which in turn talks to the local database. The Rails application passes an HTTP response back to Mongrel, which sends it back downstream to Nginx, which forwards it to the customer's browser.
To the customer, the 302 redirect seems seamless: they see the .com change to a .eu URL in the address bar of their browser, and the content is presented to them quickly. This also allows you to override any attempts by the customer to pull content from out-of-region servers, giving you far greater control over how your traffic is managed and directed. Had the customer requested cacheable content, the .eu server would have handled the request using Varnish Cache instead. This is done purely by DNS, so your named virtual host for the cacheable content would simply be handled by a different IP address that Varnish Cache is bound to on the server. Varnish Cache would inspect its cache; if the object wasn't available, it would pass the request to Nginx, which would behave the same way it did for non-cacheable content, only the response would be cached by Varnish Cache, if possible.

Enhancing Performance
Even non-cacheable web applications have static content - css, javascript and images. Nginx will check for the existence of a file in the local htdocs before it will pass the request upstream to the proxy_pass target. By simply distributing the static content your web application uses, you can cut down on the amount of traffic that traverses the VPN to the centralized servers. The end result should be that only the initial request is passed to the back-end; requests for graphics, css and javascript files can be served from the local server itself.

Hybrid Model vs. Fully Distributed
The model we have dubbed "Centralized" is really a hybrid centralized-distributed system. The dynamic Rails application is managed and run from a central location, but it has multiple distributed "edge" servers providing various points of entry into the application. It is difficult to argue which approach is better; this hybrid approach is better if you want to maintain strong data integrity and reduce the risk of database problems.
On the other hand, it presents a new set of challenges in maintaining an intelligent network of edge servers. The hybrid model does offer a closer to real-time solution, but tends to use marginally more bandwidth, which can be offset with caching.

Putting the pieces together
This issue was designed to provide each of the pieces necessary to build a globally distributed web application infrastructure. At the lowest level, OpenVPN is necessary to interconnect the edge servers to one or more centralized sites. Mongrel provides the scalable web application framework, making it possible to globally distribute a Rails application. Mongrel is configured to run N+1 mongrel processes on a number of ports (5000 - 5004) on a private IP address accessible via OpenVPN. Those IP addresses make up the upstream {} servers used by Nginx. These IPs may be the same for all of the edge servers, or you may decide to have multiple centralized locations, one in each region perhaps, using MySQL multi-master to keep data synchronized between each central site. With multiple centralized locations, you would use a different set of private IPs for each central site. The HTTP Global Server Load Balancing article looked at using Nginx's geo configuration option and rewrites to generate HTTP 302 redirects, managing which servers receive traffic based on the source IP of the client. The Web Acceleration article looked at using Varnish Cache as a reverse proxy. Taking the same approach and simply scaling it up, using the OpenVPN link rather than a local LAN connection to provide the backend connection, has made it a globally distributed solution.

HTTPS (SSL/TLS) redirection
Mongrel only supports HTTP, so how do you provide a globally distributed solution using HTTPS? Nginx has the capability to do what many commercial solutions call SSL off-load. Nginx can negotiate an HTTPS connection with the client, but use HTTP over the back-end to Mongrel. It takes the response from Mongrel, and sends that back as HTTPS to the user.
One problem you will encounter is with cacheable dynamic content that you want accessible via HTTPS. In order for that solution to work, you will need to place Nginx in front of Varnish Cache, having Nginx perform the SSL off-load but using the local Varnish Cache server as the upstream {} server, so that the content is cached. While this works, you will need to configure the VCL in Varnish Cache carefully, so that it only caches common content that might be shared, perhaps a private "Resellers Only" Wiki. Nginx does perform HTTP 302 redirects via TLS/SSL quite well. For example, you might want to redirect https://support.myproject.com to https://support.mycompany.com, where both are on the same server (but different IPs). To make this work, you need to have two sets of keys, with a Common Name of support.myproject.com in the key used for that server {} block, and a Common Name of support.mycompany.com in the other server block. From the user's perspective, they won't get a domain mismatch error, but if you self-signed the certificate with your own CA, they will get the message twice about accepting the certificate unless they chose to trust your CA.

Geo-Aware Layer 7 Load Balancer
In essence, we have used a couple of open source projects to create a Geographically Aware Layer 7 Load Balancer. Geographically aware load balancers are expensive. Typically you need a regular load balancing switch, which will run you several thousand dollars, along with a Geographical Load Balancing license key, which is typically another few thousand dollars. The commercial solutions do the Global Load Balancing in a black box manner, and methods vary depending on the vendor. So what is our solution missing that they provide? There are two things that we're missing - high availability and load-based traffic management. Nginx lacks the capability to detect if an upstream server is actually running and responsive.
A commercial load balancer performs regular health checks, and removes the server from the list should it fail the health check. Geographically aware load balancers calculate the maximum capacity that a particular site can handle; if the site is near or at that capacity, it redirects the client to the next nearest site. Nginx will blindly forward regardless of the load.
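The region lookup and 302 decision described in the Request Flow section, written out as a small Python model. This is an added example, not the article's or nginx's code: the region table is a constructed stand-in for the conf/gslb.conf file referenced by the article's sample nginx.conf, using documentation address ranges, and the regional hostnames are modelled on the forums.splicednetworks.* names in that configuration. It shows the longest-prefix semantics the geo module applies, the URI-preserving redirect, and why the decision is keyed on the TCP source address rather than a client-supplied header.

```python
"""Source-IP region lookup and redirect decision (added example, not the
article's or nginx's code).

GSLB_TABLE is a constructed stand-in for conf/gslb.conf; REGION_HOSTS is
modelled on the article's forums.splicednetworks.* hostnames.
"""
import ipaddress

# Constructed stand-in for conf/gslb.conf: one "prefix region;" per line.
# nginx's geo module returns the most specific matching prefix, so the /25
# entry below wins over the surrounding /24.
GSLB_TABLE = """
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
192.0.2.0/24       na;
198.51.100.0/24    emea;
198.51.100.128/25  uk;
203.0.113.0/24     apac;
"""

# Regional front doors. Only regions listed here are redirected, matching the
# sample config (it redirects uk and emea, nothing else). Redirect targets come
# from this fixed table, never from anything in the request.
REGION_HOSTS = {
    "uk": "forums.splicednetworks.co.uk",
    "emea": "forums.splicednetworks.de",
}


def parse_gslb(table):
    """Parse 'prefix region;' lines, ignoring blanks and # comments."""
    entries = []
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        prefix, region = line.split()
        entries.append((ipaddress.ip_network(prefix), region))
    return entries


def classify(client_ip, entries, default="na"):
    """Longest-prefix match on the TCP source address ($remote_addr).

    The socket peer address is used on purpose: headers such as
    X-Forwarded-For are set by whoever sent the request and cannot be
    trusted to place a client in a region.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, region in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else default


def decide(client_ip, uri, local_region, entries):
    """What an edge server does with a request.

    local_region is the region this server fronts ("na" for the .com servers).
    A client classified into another region that has a front door gets an
    HTTP 302 to that host with the URI preserved, the effect of
    `rewrite ^(.*) http://forums.splicednetworks.de$1 redirect;`.
    Everything else is answered locally (static file or proxy_pass upstream).
    """
    region = classify(client_ip, entries)
    if region != local_region and region in REGION_HOSTS:
        return {"status": 302, "region": region,
                "location": "http://%s%s" % (REGION_HOSTS[region], uri)}
    return {"status": 200, "region": region, "location": None}


if __name__ == "__main__":
    entries = parse_gslb(GSLB_TABLE)
    # An EMEA client hitting a North American (.com) server is bounced to .de;
    # the same client on the .de server is served directly.
    print(decide("198.51.100.10", "/posts/1", "na", entries))
    print(decide("198.51.100.10", "/posts/1", "emea", entries))
```

The same function run with local_region set to the server's own region reproduces the difference between the .com and .eu configurations the article describes: one redirects, the other answers.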


Another problem with our puzzle is DNS. Commercial Global Load Balancers act as the authoritative name server for a subdomain, using NS entries in the DNS server. Typically each site's load balancer would have an entry, and produce a response that sends the client to the closest site in-region. In the open source solution, we use DNS round robin, so there is no high availability awareness within the DNS response. We could easily send a client to an edge server handling the .com 302 redirects that's not functional.

Working around the limitations
The solution presented by this article is in full production here at Spliced Networks. A number of patches and support applications are in the works, so these workarounds are only a temporary evil. As referenced earlier in this issue, Monit is a good option for restoring availability. Monit is a monitoring application that can be configured to automatically fix certain problems when the system determines there is a problem. Monit is a good option for restarting Mongrel and OpenVPN in the event a problem has occurred. One solution to work around the DNS problem is to create a sub-domain, perhaps http-edge.yourcompany.com. Place this subdomain in a separate zone file, and have it automatically generated by a script on your primary DNS server. Setting the TTL to a low value will cause the zone file to be requested more often, rather than cached by external DNS servers. Simply trigger an update of the zone file, removing or adding the server in question into a pool.
For example, www.httpedge.yourcompany.com might be a series of A records; you would add or remove problematic servers automatically as the health check script determines there is a problem. Just remember to make sure the script limits the number of updates done.

Case Study: o3 magazine
This very magazine is now hosted on a Globally Distributed infrastructure. The static content for o3magazine.com is served from one of eight edge sites. The o3 forums are served using Beast, a popular lightweight Rails application, from a centralized location using multiple edge sites. The o3 solution is all about the network. We operate central servers out of two locations - Atlanta (United States) and London (England). Readers in Europe are served directly from London, or from an edge site in Munich (Germany). We use Othello Technology in London, as their network is fast and just a couple of hops away from most destinations in Europe. The site in London is also a short number of hops from the central servers in Atlanta. In the United States, we have servers located in Atlanta, Philadelphia, Jacksonville, Houston and San Jose. Each location has extremely fast round trip times to the centralized servers in Atlanta. Central servers in Atlanta are kept in sync with the master central servers located at our corporate headquarters in Athens, Ohio. The servers on the west coast, primarily in San Jose, provide fast access to readers in some parts of Asia. In addition to the San Jose servers, readers in Asia are routed to edge servers located in Hong Kong. While customers in APAC, such as those in Australia, may be several hundred milliseconds away from our central servers in Atlanta, they are only 150ms or less from our servers in Hong Kong. Those servers in Hong Kong have a much faster connection and fewer hops to Atlanta. The net result is a significant speed increase for customers in that region.

Conclusion
Over the coming months we expect to tweak and improve this Global Load Balancing solution.
We invite you to take part in the process, and post feedback on the solution as end users on our forums. Open Source has proven once again that it can provide a robust alternative to commercial networking solutions.
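The health-check-driven zone file from the "Working around the limitations" section, as an added Python example. This is not the article's or Spliced Networks' script. Assumptions not taken from the article: the health check is an HTTP GET / on port 80 that must return a 2xx; the zone is written in BIND master-file syntax; the edge addresses are constructed documentation addresses; the update limit the article asks for is implemented as at most six regenerations per rolling hour; and when no edge server passes, the last published set is kept rather than publishing an empty answer.

```python
"""Health-check-driven zone generation for www.httpedge.yourcompany.com
(added example, not the article's or Spliced Networks' script).

Constructed assumptions: HTTP GET / probe on port 80, BIND zone syntax,
documentation-range edge IPs, six updates per hour, and never publishing an
empty pool.
"""
import http.client
import time

ZONE = "httpedge.yourcompany.com"   # sub-domain from the article
TTL = 60                            # low TTL so removed servers stop being handed out quickly
EDGE_POOL = ["192.0.2.10", "192.0.2.11", "198.51.100.20"]  # constructed edge addresses


def http_health_check(ip, timeout=3.0):
    """Probe one edge server: GET / must answer with a 2xx within the timeout."""
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": "www." + ZONE})
        status = conn.getresponse().status
        conn.close()
        return 200 <= status < 300
    except (OSError, http.client.HTTPException):
        return False


def healthy_members(pool, check):
    """Return the pool members that pass the check, in pool order."""
    return [ip for ip in pool if check(ip)]


def render_zone(serial, members):
    """Render the zone: one A record for www per healthy member."""
    lines = [
        "$TTL %d" % TTL,
        "$ORIGIN %s." % ZONE,
        "@ IN SOA ns1.%s. hostmaster.yourcompany.com. ( %d 3600 600 86400 %d )"
        % (ZONE, serial, TTL),
        "@ IN NS ns1.%s." % ZONE,
    ]
    lines += ["www %d IN A %s" % (TTL, ip) for ip in members]
    return "\n".join(lines) + "\n"


class ZoneUpdater:
    """Regenerates the zone only when the healthy set changes, and at most
    max_updates times per window seconds: the limit the article asks for, so
    a flapping server cannot turn into a reload storm on the name server."""

    def __init__(self, pool, check, max_updates=6, window=3600, clock=time.time):
        self.pool = list(pool)
        self.check = check
        self.max_updates = max_updates
        self.window = window
        self.clock = clock             # injectable so the limiter can be tested offline
        self.serial = 0
        self.current = list(pool)      # everything is assumed healthy until checked
        self.update_times = []

    def _update_allowed(self, now):
        self.update_times = [t for t in self.update_times if now - t < self.window]
        return len(self.update_times) < self.max_updates

    def run_once(self):
        """One health-check pass. Returns the new zone text when it was
        regenerated, otherwise None (no change, rate-limited, or nothing healthy)."""
        now = self.clock()
        healthy = healthy_members(self.pool, self.check)
        if not healthy or healthy == self.current:
            return None                # keep the last published set
        if not self._update_allowed(now):
            return None                # over the update budget: hold the current zone
        self.current = healthy
        self.serial += 1               # a real script would persist the serial between runs
        self.update_times.append(now)
        return render_zone(self.serial, healthy)


if __name__ == "__main__":
    # Offline demonstration with a simulated check that marks one edge as down.
    updater = ZoneUpdater(EDGE_POOL, lambda ip: ip != "192.0.2.11")
    print(updater.run_once())
```

In use, run_once would be called from a periodic job with http_health_check as the check; whenever it returns text, write it to the zone file and reload the name server. Injecting the clock and the check keeps the limiter testable without network access.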


nginx.conf :: sample config

user nobody;
worker_processes 2;
error_log logs/error.log;
pid logs/nginx.pid;

http {
    include conf/mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    tcp_nodelay on;
    server_names_hash_bucket_size 128;
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_types text/plain text/html text/css text/js;

    log_format main '$remote_addr - $remote_user [$time_local] $request'
                    '"$status" $body_bytes_sent "$http_referer"'
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    geo $gslb {
        default na;
        include conf/gslb.conf;
    }

    upstream forums.atlanta.splicednetworks.com {
        server 10.108.123.250:5000;
        server 10.108.123.250:5001;
    }

    # dynamic hosting
    server {
        listen 192.168.55.40:80;
        server_name forums.atlanta.splicednetworks.com;
        access_log logs/forums_access.log main;
        root /var/www/forums/htdocs;
        index index.html index.htm;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect false;
            if ($gslb = uk) {
                rewrite ^(.*) http://forums.splicednetworks.co.uk$1 redirect;
            }
            if ($gslb = emea) {
                rewrite ^(.*) http://forums.splicednetworks.de$1 redirect;
            }
            if (!-f $request_filename) {
                proxy_pass http://forums.atlanta.splicednetworks.com;
            }
        }
    }
}