heavy RoR app horizontally scaled on AWS needs efficient SSL - ruby-on-rails

I am running a Rails app on the AWS infrastructure using several EC2 instances, an RDS DB, a round robin session-sticky load balancer and Route 53.
The application is serving pages for several domain names (same app looks and functions differently depending on domain name).
The Rails code is hosted on an NFS share on a staging instance where the web server is running in development mode, while the other boxes load the apache config and application code via NFS and run in production mode.
What I'd like to do is to SSL-enable the whole thing as we're starting to process payments and whatnot. Due to the nature of the application and the heavy apache/Passenger optimization in place, I can't set up a vhost for each domain, but rather use a wildcard for www.* to load pretty much the same code, and the app does the rest internally.
Haven't really been able to figure out an ideal way to resolve this. Would anyone have an idea?
Thanks!

After a bit of discussion in the comments we came to this conclusion:
The application is currently hosted in one single <vhost> on Apache where the application does the differentiation between hostnames for the different layouts.
The problem here is to support SSL without having to set up each domain with its own certificate and a different vhost, as that would require running the Rails app multiple times where it's unnecessary.
By using a Multiple Domain Certificate (MDC) this problem can be solved with only one vhost and one certificate, but MDCs are more expensive than normal certificates. So depending on the number of domains you need to support it may be cheaper/easier to just do it manually with multiple certs, or opt to pay the more expensive MDC but save time and maintenance cost.
While at it I found this nice Wikipedia comparison of Certificate Authorities and their trust level in different browsers:
http://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers
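
An added example, not part of the original answer: a Ruby check that one multi-domain certificate really covers every hostname the single vhost serves. The hostnames and the in-memory self-signed certificate are constructed for illustration, and `build_san_cert`, `uncovered_hosts` and `SERVED_HOSTS` are hypothetical names.

```ruby
require "openssl"

# Build a throwaway self-signed certificate whose subjectAltName lists `names`.
# It stands in for the multi-domain certificate a CA would issue (constructed data).
def build_san_cert(names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{names.first}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  san = names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hostnames the single vhost serves that the certificate does NOT cover.
# Matching uses Ruby's own TLS hostname check, so a wildcard entry is only
# honoured in the left-most label and stands for exactly one label.
def uncovered_hosts(cert, hosts)
  hosts.reject { |h| OpenSSL::SSL.verify_certificate_identity(cert, h) }
end

# Constructed inventory: every hostname the app answers for.
SERVED_HOSTS = %w[
  www.brand-a.example www.brand-b.example
  shop.brand-c.example brand-c.example www.brand-d.example
].freeze

if __FILE__ == $PROGRAM_NAME
  cert = build_san_cert(%w[www.brand-a.example www.brand-b.example *.brand-c.example])
  missing = uncovered_hosts(cert, SERVED_HOSTS)
  puts missing.empty? ? "certificate covers all served hosts" : "not covered: #{missing.join(', ')}"
end
```

To run the same check against an issued certificate, load it with `OpenSSL::X509::Certificate.new(File.read(path))` instead of calling `build_san_cert`.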

Related

One VPS, multiples services, different projects/domains

This is my first VPS, so I am pretty new to administrating my own box. I already have experience with a managed web server, registrars, DNS settings, etc. The basics. Now I'd like to take it a step further and manage my own VPS to run multiple services for different business and private projects.
So far I got a VPS from Contabo, updated the system, set up a new user with sudo rights, secured the root user, configured Ufw, installed Nginx with server blocks for two domains and created SSL certificates for one domain using Certbot.
Before I go on with setting up my VPS, I'd like to verify my approach for hosting multiple services for multiple domains makes sense and is a good way to go.
My goal is to host the following services on my VPS. Some of them will be used by all projects some only by a single one:
static website hosting
dynamic website hosting with a lightweight CMS
send and receive emails
Nextcloud/Owncloud
Ghost blog
My current approach is to run all services except for Nginx and the mail server with Docker. Using Nginx as proxy to the services encapsulated in Docker.
Is this an overkill or a valid way to go forward in order to keep the system nice and clean? Since I am new to all of this, I am unsure if I also could run all of the services without using Docker but still be able to serve the different projects on different domains without messing up the system.
Furthermore, I'd like to make sure that access to the services and the stored data is properly separated between the different tenants (projects). And of course ideally the admin of the services is kind of manageable.

Is there a way to set up SSL on heroku-godaddy using letsencrypt entirely for free?

I've been an amateur developer for quite some time now and this is the first time I've actually needed to set up the domain and SSL for a website. I already bought a domain name from GoDaddy and I'm using my rails as my backend. But it seems that on almost all of the guides online (the ones I've come to search) is for the Heroku paid dynos (I'm on the free tier) or has their website hosted somewhere else/bought the domain somewhere else. As of now, I'm not actually sure how straightforward this should be but any guide to free SSL cert generation and free setup would be nice.
You have 2 options here:
Use Heroku domain app.herokuapp.com as this is encrypted and served through https.
If you want to use a custom domain, there is no way but to use a paid dyno. There were some tutorials on how to do this manually and a couple of projects that allowed you to do so on free dynos but they are all outdated/deprecated.
There is no need to configure anything on Heroku's side if you start off with a paid dyno.
ACM is enabled by default for all Common Runtime apps created after March 21, 2017 that run on Hobby or Professional dynos.
To upgrade, simply run heroku ps:resize web=hobby via heroku cli. Then, to enable letsencrypt automated certificate, simply run heroku certs:auto:enable. Just make sure your DNS is actively pointing to the correct address before doing so or you'll need to verify your DNS target.
Docs: https://devcenter.heroku.com/articles/automated-certificate-management
deprecated project: https://github.com/dmathieu/sabayon
outdated tutorial: https://github.com/dwyl/learn-heroku/blob/master/SSL-certificate-step-by-step-setup-instructions.md
I have used the same setup for my heroku app. By default heroku free tier gives ssl on your web app.
Like if you hit url yourwebsite.herokuapp.com, it is encrypted and provides ssl for free.
But when you add a custom domain name to your heroku app, then it's without ssl. You cannot use ssl on it unless you move to a hobby dyno (paid).
Here is what heroku says

is it possible to have multiple project of rails on same port?

I want to add a new project beside my current rails app without starting a new server for that.
I think it is impossible to have two rails apps on one port but my boss wants it.
Is it possible at all?
Yes it's possible if you configure a web server (nginx, etc) as a reverse proxy to listen on the port you want, and have it forward traffic to the correct app based on subdomain.
Yes and no. You can't run two web servers, e.g. Puma, on the same port. That won't work. But you can run one web server to serve two Rails apps. Incoming requests are routed based on either their subdomain (app1.example.com) or their path (example.com/app1).
A common setup is to use Apache/nginx as the web server in combination with Passenger as the application server. This question asks a similar question and points to Passenger's documentation on how to serve apps from subdomains: How to deploy multiple rails app on a single IP (Apache + Passenger)?
The configuration depends heavily on your setup, so I can't give you a more detailed answer. But searching for "multiple apps" and the combination of your web and application server should yield enough results and tutorials for you to solve your problem.

Http Request Timeouts on Azure Web Apps

We have a collection of MVC 5 websites running on the Azure Cloud Hosting platform. We have several different versions of the environment with which these websites run (Development, Staging, Production), and we are experiencing a very difficult to troubleshoot issue. It seems that, intermittently, when a request is made to the production environment, the request will be rejected, or the file will be served slowly to the point of the server timing out and aborting the request. This only seems to occur in the production environment, and does not appear to happen in development or staging.
Given that our websites just recently started receiving traffic, the production environment is actually the lesser used in this case, so it is not a matter of the machine being out of resources. Also, we have the capability to monitor the resources of the machine through a web ui, and we do not see any issues here.
When configuring these systems, we do not have a ton of control over how they are set up. To that end, it's unlikely that there is a configuration difference between them, as they are set up (presumably) from an image, and configured through a web UI. The settings on these systems are the same between them as far as we can tell. To ensure it's not an issue of configuration of the machine, we have mirrored the production environment by recreating it, and we're still experiencing the same issue.
The websites in our environments are secured via SSL certificates. In order to remove that as the potential culprit, we've turned SSL off on our production site and tested it. This didn't seem to fix the issue and we still got intermittent failed requests.
We thought it may have to do with Routing, and MVC handling the files, so we've attempted downloads of static files (Images, javascript files) as well as dynamic files (Views, bundled javascript), and we still get these failed requests. In our bundling configuration, we do not override the default RouteExistingFiles value, so MVC should not be handling the routing of static files (as I understand it, at least, please correct me if I'm wrong)
Our tests are run against the primary domain name on the account, and it doesn't appear that the issue is attributed to anything DNS related.
It doesn't seem to have anything to do with our database connections, as we do not hit our database when serving up static files, nor when we load our login page (which we tested against primarily)
We are really running short on ideas with regard to what might be causing this issue, and we were really hoping someone out there may have experienced a similar issue with the Azure Cloud platform? Alternatively, if anyone has any suggestions, they would be greatly appreciated.
Try enabling the "Always On" feature, this can be done via the web app settings.
How Azure App Service works is that the site content is stored on a file server, and then the site is loaded by a web worker when it is active. If the site is idle it will be unloaded. When the new request comes in, the site will have to be reloaded, which may cause the slowdown you are experiencing. In addition, content may be ngen'd again, which would further contribute to the slowdown.
Documentation for configuring web apps is here: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure/

Heroku, Domain Name

Quick noob question or two about Heroku.
I have a rails app I would like to deploy on Heroku.
If I want the address to be www.whatevername.ie do I need to purchase this domain name or does the custom domain name feature with Heroku allow me to do this?
Secondly, what is the difference between development and production with regards to deploying an app on Heroku? Once it's deployed and on the net, does this mean it is in fact "in production" so to speak?
Thanks!
Heroku
To answer your questions more fully, you need to appreciate that Heroku is a Platform As A Service - meaning that it will provide the back-end infrastructure for your application, but that's it:
In terms of a domain name, it's not for Heroku to buy you a domain. A domain is literally just a "mask" for an IP address (a shop window), which means you have to buy it (as the DNS system takes a lot to manage & maintain)
Heroku's custom domain feature is simply a means for you to accommodate external domain name traffic to your application. You'll have to buy a domain (we use Namecheap, but there are 1,000's of domain registrars you can use)
--
Rails
If you want to run a Rails application, the development and production environments are very important, although not much different than each other.
As mentioned in the referenced question, the underlying difference between "production" and "development" modes / environments for Rails is efficiency. You're running the SAME source code in both environments - the difference is how that source is handled, compiled & served
--
Development
Rails logger is running all the time
Exceptions are captured & displayed on screen
Classes are not cached
Assets are compiled "on the fly" (dynamically handled)
Typically operated with low-efficiency services (DB / Web Server)
Loads everything individually for development purposes
Production
"Assets" precompiled & served statically (for performance)
Classes can be cached
Production-grade web & DB servers recommended
Focus on efficiency & speed
--
By default, Heroku will run your Rails application in production mode
If I want the address to be www.whatevername.ie do I need to purchase this domain name or does the custom domain name feature with Heroku allow me to do this?
You need to purchase the domain name.
-
Secondly, what is the difference between development and production with regards to deploying an app on Heroku? Once it's deployed and on the net, does this mean it is in fact "in production" so to speak?
Development is what's on your computer locally; production is what's on the internet for all to see (in this case, on Heroku).
