I am part of a team that manages a public facing cloud platform at my company. We have a large user base running VM's that face the internet. I would like to run an automated scan of our address space and see if anyone is running a Rails app so I can notify them to upgrade their version of Rails to avoid a critical security vulnerability that came out this week.
I've noticed that in some Apache deployments, there is a Passenger Header that is useful:
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.3
However, this is not reliable. I'm wondering if there is a reliable way to detect Rails running behind a web server either with response headers or some kind of a GET / POST that can be definitive. Thanks!
Every Rails site has:
meta content="authenticity_token" name="csrf-param"
Or could have a submit button where the name="commit"
At least that's what I have consistently seen.
Header responses are not reliable, here are three from various Rails sites:
Server:Apache/2.2.14 (Ubuntu)
Server:nginx
Server: thin 1.4.1 codename Chromeo
You know nginx and Thin are popular in the Rails community, but that's not conclusive enough to say there is Rails behind it. You would need to run a script that scrapes the site and looks for the meta tag above. BeautifulSoup is a pretty good choice if your script is going to be in Python. The Mechanize gem is great if you are going with Ruby.
Most rails apps have a submit button where the name="commit"
A Rails app could be running on lots of different ports, depending on the configuration allowed. That, plus the fact that the app might not respond in a way you can recognize, seems like a "sub-optimal" way to find out.
Instead, if you own the hosting, you own the drives and the systems supporting the apps. Why not run a grep across the systems, looking for strings matching Rails?
Or search for some of the standard Rails files; use find, or locate if you have it running.
Another default setting of Rails that is commonly left untouched is the name of the main /assets/application-<hex hash>.{css,js} files.
I don't think that a single reliable way of detecting Rails exists, but by using a combination of the authenticity_token, the default asset names and the HTTP headers, you should be able to identify the vast majority of the Rails apps.
The Wappalyzer script uses these three criteria and considers that the co-occurrence of two indicates a Rails app.
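A scoring check of the kind the answers above describe (the csrf-param meta tag, the name="commit" submit button, the hashed /assets/application-* filename, and the Passenger and Thin/WEBrick server headers), written here as an added Python example that is not part of any answer on this page. It runs offline over a constructed HTML response and applies the two-indicator rule mentioned for Wappalyzer; the function names, the hex-length bounds on the asset hash and the WEBrick header check are my own assumptions.

```python
import re
from html.parser import HTMLParser

# Fingerprinted asset names: Rails 3 used 32 hex chars (MD5), later versions 64 (SHA-256).
ASSET_RE = re.compile(r"/assets/application-[0-9a-f]{32,64}\.(?:css|js)\b")


class _RailsMarkupScanner(HTMLParser):
    """Collects the HTML-level Rails indicators from one response body."""

    def __init__(self):
        super().__init__()
        self.csrf_meta = False
        self.commit_button = False
        self.hashed_asset = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if tag == "meta" and a.get("name") == "csrf-param" and a.get("content") == "authenticity_token":
            self.csrf_meta = True
        if tag == "input" and a.get("type") == "submit" and a.get("name") == "commit":
            self.commit_button = True
        for attr in ("href", "src"):
            if ASSET_RE.search(a.get(attr) or ""):
                self.hashed_asset = True


def rails_indicators(headers, body):
    """Return {indicator: bool} for one HTTP response (headers dict + HTML body)."""
    h = {k.lower(): v for k, v in headers.items()}
    scanner = _RailsMarkupScanner()
    scanner.feed(body)
    return {
        "csrf_meta": scanner.csrf_meta,
        "commit_button": scanner.commit_button,
        "hashed_asset": scanner.hashed_asset,
        "passenger_header": "passenger" in h.get("x-powered-by", "").lower(),
        # Weak signal: Thin (seen on this page) and WEBrick (assumed) announce themselves.
        "ruby_server_header": h.get("server", "").lower().startswith(("thin", "webrick")),
    }


def looks_like_rails(headers, body, threshold=2):
    """Wappalyzer-style rule: two or more independent indicators => probable Rails app."""
    return sum(rails_indicators(headers, body).values()) >= threshold


# Constructed sample response (not captured from a real site).
SAMPLE_HEADERS = {"Server": "nginx"}
SAMPLE_BODY = """<html><head>
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="abc123" />
<link rel="stylesheet" href="/assets/application-3f8a9c2e1b7d4a5f6c8e9d0b1a2c3d4e.css" />
</head><body><form><input type="submit" name="commit" value="Save"></form></body></html>"""
```

In an inventory job you would feed each tenant's GET / response into looks_like_rails and only notify on a positive, keeping rails_indicators in the report so a false positive can be explained.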
Wappalyzer is a good option, and (shameless plug) have you looked at Spotkick? We're in private beta now, but it's a distributed engine for running open source apps, so you could run Wappalyzer across all of your sites to see what's probably running rails.
I do this for banklook.com - I run over about 6800 banks to dig up details about security risks.
Let me know if you want more details or information.
I have a Ruby on Rails powered website running on www.myapp.com.
Now my boss asked me to add a blog to that website. The number of blog articles is expected to grow strongly over the next few years, possibly into the hundreds or even thousands.
The problem: Our Rails app is not suited for content production or blogging at all!
My boss has a PHP / XML powered software in mind that he wants me to install for the purpose of running the blog. But the software has nothing in common with Ruby on Rails and cannot be combined with it.
Now we figured that setting up the blog under a subdomain like blog.myapp.com would be feasible. However, according to various sources this may come at the price of less search engine visibility when compared with running the blog in a subdirectory of our website such as www.myapp.com/blog/ which would be our favourite solution.
So to cut a long story short, is there a way to establish a PHP blog in a subdirectory of a Rails 5 app? If so, how?
Thanks for any pointers.
You'd configure this in your frontend web server (Apache, nginx, etc.). Normally, you pass all requests to your domain to your Rack server (Unicorn, Puma, etc.). Instead, you want to treat /blog as your PHP app - configuring all URLs with that path to run your PHP, and pass all other URLs to your upstream Rack server as you would for any other Rails app. Specifics on how to implement this would depend on what frontend web server you're using.
I'm a little confused with how deployment of an application works.
I've been looking up tutorials and numerous times it is suggested that it goes live with DigitalOcean, Heroku or something similar, but some are monthly payment services (albeit not a large amount).
I resell hosting to my clients when I build websites for them so I manage everything on my side. My question is: is there a way to deploy a Rails app to my own web hosting space rather than having to use a third-party service? Have I missed something in the documentation?
I'm certain that my hosting can support everything that's needed. If anyone could explain how or why not I'd really appreciate it :-)
You can set up the stack on your own server without problems. When you are using apache or nginx, the easiest might be to use passenger for serving your rails application.
You just need to make sure you have the right ruby version and bundler installed. Services like DO are just simpler to work with as they already do all the needed server setup and most of the configuration for you.
I was wondering whether there is a hosting service like those that have existed for years for PHP, one that would let me publish many Ruby and Rails applications, unlike Heroku, which forces a single application per dyno.
In classic PHP hosting I can create a folder, upload some PHP files and navigate to them through links.
Can you do something like that on some web hosting?
For small projects, Heroku is really the best deal. Their free tier does everything you'd need for something that's occasionally used and doesn't have a lot of scaling issues. You are restricted to one application per "dyno", per account.
For anything more demanding it's not hard to set up a hosting environment on a VPS provider. Although it takes some additional knowledge, you'll be able to set up and configure a web server using a tool like Passenger and manage your own instances. For $10/mo. you can have a very capable server instance that will handle way more than a $7/mo. dyno can manage. Even the $5/mo. server from a provider like Digital Ocean is a fantastic deal.
PHP's fire and forget method of hosting is convenient, but it's actually a lot more work in the long haul compared to an efficient workflow based around Rails and Passenger.
For example, using Capistrano and a version control system like Git you can make changes, test locally, package up into a commit and deploy on your server within minutes. It's basically effortless once you get it working.
For small production projects, I use webfaction; it's easier to push to production than to configure a complete VPS, as it's more like managed hosting (with all the tools and documentation you need for Rails).
I use mina for deployment and Git for version control.
To complete Tadman's answer, you can check OpenShift if you want a more Heroku-like alternative.
When I started using Rails I was also tempted to compare and seek for a 'php-hosting' like solution. But it's just a different approach.
To answer your question more precisely, you don't drop files in a folder and navigate with links in a classic rails project. You have to understand the concept of MVC, routing ...
I suggest that you give the rails-tutorial a try, it is a good starting point for understanding the whole rails ecosystem.
You can try Ruby hosting on Jelastic PaaS with automated deployment to containers and scaling, as well as a pay-per-use pricing model that makes it not so pricey.
There are pre-configured Apache and NGINX containers for running Ruby applications, support for different Ruby versions, the built-in Ruby on Rails framework, Passenger, Puma, Unicorn, the Bundler dependency manager etc.
When deploying a Ruby application, only a single context (ROOT) can be used. However, you can switch between three deployment types: deployment, production and test.
More details are described here https://jelastic.com/blog/ruby-paas-hosting/
You can start with a free trial and test how it suits your project before investing any budget. This Ruby PaaS is available on different local service providers https://jelastic.cloud/
O. Community, and thanks in advance for the support!
I recently took Mattan Griffel's One Month Rails course on skillshare to be able to write rails web apps.
Railsinstaller.org includes rails 3.2.1 and ruby 1.9.3 and works perfectly out of the box.
My app worked well and it was time to get it up on the web, so I purchased a namecheap domain and webserver, uploaded my app and... nothing!
The problem is that the namecheap servers only support rails 2.3.17 and ruby 1.8.7 - nothing created with v 3.x or dependent on ruby 1.9.x will run in a 2.x / 1.8.x environment.
Has anyone else run into this issue?
It seems like such a standard use case, I can't believe it's not better documented on the namecheap site.
I've done my Google-Fu and have learned that, once I installed it, I could create an older rails app using
rails _2.3.17_ AppName
Is there a similar way of forcing rails to use an older version of ruby as well?
I'm close to cancelling my namecheap account altogether in disgust, so if someone out there knows of a better place to host my rails 3.x web apps, I'd love to hear about it!
(Let's assume, for the time being, that a VPS is prohibitively expensive and far in excess of what I need, resource-wise).
Thanks again,
One Frustrated User
You can use heroku free account to begin with. Don't waste time on fixing problems on shared hostings, they are just toys.
Rails 3.x native cPanel support is still unreleased; the feature request case is still open:
http://forums.cpanel.net/f145/mod_rails-passenger-instead-mongrel-rails-3-support-case-44197-a-152577.html
It is tricky but possible to run Ruby 3 applications: additional software installation and global server reconfiguration are required in this case, which is hardly possible per user on a regular shared server. We can offer to upgrade your hosting account to a VPS. All your existing account content, including databases, additional domains, email accounts and settings, will be transferred transparently to the VPS. To optimize your VPS with cPanel and make it possible for you to develop and run Ruby 3 applications, you may request our technical support team to tune up the system according to all your requirements. Operating system tuning and custom software installation are included with the Full Management VPS option. You may request part-time technical support as an alternative.
Regards,
Dima S.
Technical Support,
Namecheap Hosting
I was wondering what are the options for doing site analytics with a ruby on rails application ?
I haven't seen any solutions specifically targeted towards Rails; they seem aimed more at Apache-type web servers. I don't want to use Google Analytics; I'd like to have the logging/analysis all local.
After a quick look at wiki's list of web analytics software http://en.wikipedia.org/wiki/List_of_web_analytics_software, I can't see anything that I can see how to incorporate into my rails/ruby app.
AFAIK Rails deployments behind both Apache and nginx can benefit from the host of tools developed over the years for parsing web logs. I loved AWStats :)
For application events not explicitly in the web logs - like logins, sign-ups, purchases - I'd recommend using keen-gem from Keen IO (Disclaimer - I work there). It's pretty easy - install or bundle the gem, then just add lines like this:
Keen.publish_async("sign_ups", { :username => "lloyd", :referred_by => "harry" })
anywhere in your Rails app to log events. Once the events have been logged you can use the workbench at keen.io to run queries and see visualizations, or you can use the REST API to pull any and all data back out for custom processing.
Most people deploy rails applications behind Apache or other web servers, because Rails applications can be set up to allow those web servers to quickly and efficiently serve static assets and cached pages. This also means that we can use the same log analysis tools we've always used like Analog, AWStats, etc.
Or we can just punt and use Google Analytics. I like raw logs though :)
Hope that helps!