Necessary to set ServerSignature and ServerTokens apache config options with Rails apps? - ruby-on-rails

I came across something in one of my rails books that said I should set
ServerSignature Off
ServerTokens Prod
to disable apache from showing server information in production when the app screws up. Is this necessary? The only error message I see in prod is the standard Rails production error message. I never see any server information.
Are there any other security related apache config variables I need to set?

It is not necessary, but it is recommended. By showing the server signature and the full server tokens you are giving potential hackers an easier way to identify how to hack your system. For example, with ServerSignature On and a full ServerTokens, a hacker will know exactly what OS (including version) and server technology you are running.
Example: with ServerTokens set to Full you might get:
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server
With it set to Prod you will only get:
Apache
This article on Slicehost gives a good overview of how to approach ServerSignature and ServerTokens.
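As an added illustration (not code from the answer above), here is what each ServerTokens level actually leaves in the Server header, starting from the Full banner quoted in the answer, plus a small audit that works out which ServerTokens/ServerSignature values a config file ends up with. The banner and the sample config are constructed for the example.

```ruby
# Added example, not from the answer above. Models what each Apache ServerTokens
# level discloses, and audits which ServerTokens/ServerSignature values a config
# actually ends up with (later directives win, '#' comments are ignored).
# Sample banner and config text are constructed from the answer's example.
FULL_BANNER = "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch".freeze
# Apache's defaults when the directives are absent.
DEFAULTS = { "ServerTokens" => "Full", "ServerSignature" => "Off" }.freeze

# Derive the Server header Apache would send at a given ServerTokens level from
# the banner it would send at Full: product/major.minor.patch (OS) modules.
def server_banner(level, full = FULL_BANNER)
  m = full.match(%r{\A(\w+)/(\d+)\.(\d+)\.(\d+)\s*(\([^)]*\))?\s*(.*)\z})
  raise ArgumentError, "unrecognised banner: #{full}" unless m
  product, major, minor, patch, os, _modules = m.captures
  case level.downcase
  when "prod", "productonly" then product
  when "major"               then "#{product}/#{major}"
  when "minor"               then "#{product}/#{major}.#{minor}"
  when "min", "minimal"      then "#{product}/#{major}.#{minor}.#{patch}"
  when "os"                  then ["#{product}/#{major}.#{minor}.#{patch}", os].compact.join(" ")
  when "full"                then full
  else raise ArgumentError, "unknown ServerTokens level: #{level}"
  end
end

# Effective values after reading an Apache config: the last occurrence of each
# directive wins, anything after '#' is a comment, other directives are skipped.
def effective_directives(config_text)
  result = DEFAULTS.dup
  config_text.each_line do |line|
    key, value = line.sub(/#.*/, "").strip.split(/\s+/, 2)
    next unless key && value
    known = DEFAULTS.keys.find { |d| d.casecmp?(key) }   # directives are case-insensitive
    result[known] = value if known
  end
  result
end

# What a response from a server running this config would reveal, and whether
# it matches the hardened setting the answer recommends (Prod + Off).
def disclosure_report(config_text)
  eff = effective_directives(config_text)
  { tokens: eff["ServerTokens"],
    signature: eff["ServerSignature"],
    banner: server_banner(eff["ServerTokens"]),
    hardened: eff["ServerTokens"].casecmp?("Prod") && eff["ServerSignature"].casecmp?("Off") }
end

SAMPLE_CONF = <<~CONF  # constructed: distro default followed by a later override
  ServerTokens Full
  ServerSignature On
  # hardening appended at the end of the file takes precedence
  ServerTokens Prod
  ServerSignature Off
CONF

if __FILE__ == $PROGRAM_NAME
  %w[Prod Major Minor Min OS Full].each { |l| puts "#{l.ljust(5)} -> #{server_banner(l)}" }
  p disclosure_report(SAMPLE_CONF)
end
```

Note that ServerTokens only trims the Server header; ServerSignature separately controls the footer on Apache-generated error pages, which is why the answer sets both.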

Related

Rails 4 Capistrano3 Deploy Setup

I have a Rails 4 application set up under version control; I was running it on a puma server on the staging environment. Now I decided to use capistrano3 for deployment, I added the necessary gems and everything. I can even run cap staging deploy successfully and the puma server starts. But when I load the URL in the browser, I see the default apache config page saying, congratulations, the server is set up.
I tried all the common ports after the URL in the browser, but none of them works. I think I'm extremely close, but missing a key (and silly) piece in the puzzle. Can anyone help out?
Make sure that the location is correct. I assume that puma is being proxied to from Apache, but Apache is serving the assets. It sounds like you need to verify that the vhost is correct, and it is actually proxying to the right port. Check the apache logs for this. You can set a custom log on your vhost like:
ErrorLog /var/log/apache2/myapp-error_log
CustomLog /var/log/apache2/myapp-access_log common
Also, make sure that Apache is pointing to the correct directory for the assets. It will probably be something like /var/www/myapp/current/public.
Other than this, you will need to do some more debugging. Stack Overflow is usually more helpful if you have a specific problem or error to address.
Good luck!

Rails: local server handling SSL

I'm very surprised to find so little documentation on this topic, which quite a few developers must have faced before me.
We're changing our app to 100% HTTPS/SSL (as partial SSL doesn't make sense).
That's cool, but before that we need to migrate to it, hence to test it. Of course I found some basic information (here and here).
As I'd like my local environment to be as close as possible to the other ones in order to avoid unexpected errors, those solutions are not satisfying to me: they are ok for short-term testing of a feature, not more.
Here are the problems/questions I have:
Can I get a valid certificate for my local machine, to avoid the ugly warning step I can't even accept definitively on chrome?
Booting server with thin (thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt), can I get same log messages as from rails server?
Can't I keep using rails server as a booting command (except by writing a dirty alias ...)?
Summary question is: can I make a config so that it is transparent for anybody to run the instance of our app locally in https?
I mean, absolutely everything's done in Rails to make development easy and production robust, but here there would be such a lack of good tools? I can hardly believe it ... or let's do it now!
Thanks for the support! I'm using Rails 3.2 with Ruby 1.9.
Can I get a valid certificate for my local machine, to avoid the ugly warning step I can't even accept definitively on chrome?
This depends on whether you're using the actual certificate for your domain (e.g. example.com), or generating one just for development. If you are using the actual certificate from production, you could simply edit your hosts file to have example.com resolve to localhost. Then visiting https://example.com should load your Rails app.
You'll probably also need to include this in your application.rb:
config.force_ssl = true
If you're generating your own certificate you'll need to go through the motions of creating a private Certificate Authority to avoid the SSL warning in Chrome. This is a lot more work and probably not worth it.
Booting server with thin (thin start --ssl --ssl-verify --ssl-key-file server.key --ssl-cert-file server.crt), can I get same log messages as from rails server?
You should be able to tail -f log/development.log from the root of your Rails app.
Can't I keep using rails server as a booting command (except by writing a dirty alias ...)?
This one is trickier as the server that runs when using rails s is WEBrick. You could try what's listed in this post here: Configuring WEBrick to use SSL in Rails 4
As an aside, the typical setup for a Rails app is to proxy it behind, say, an SSL-terminating nginx server. This way your Rails app doesn't need to know anything about SSL, as well as giving you a number of other benefits like being able to serve assets from nginx, load balancing, virtual hosts etc.
If you're interested in setting up an environment that is identical to production I'd look into Vagrant.
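For the "private Certificate Authority" route the answer mentions, here is an added example (not from the answer or from Rails) using Ruby's OpenSSL bindings: it builds a throwaway dev CA, issues a server certificate for an assumed hostname (myapp.local), and checks the result the way a client trusting only that CA would. Hostname, names and validity periods are assumptions for illustration.

```ruby
require "openssl"

# Added example, not from the answer above: the "private Certificate Authority"
# route it mentions, done with Ruby's OpenSSL bindings. Builds a throwaway dev
# CA, issues a leaf certificate for an assumed hostname, and verifies the chain.
def make_cert(subject:, key:, issuer_cert:, issuer_key:, serial:, days:, extensions:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject  # nil issuer => self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  extensions.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# A root CA plus one leaf certificate for the dev hostname. The CA is CA:TRUE and
# restricted to signing; the leaf is CA:FALSE, serverAuth only, and carries the
# hostname in subjectAltName, which is what browsers actually match on.
def build_dev_pki(hostname = "myapp.local")   # hostname is an assumption
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert(subject: "/CN=Local Dev CA", key: ca_key, issuer_cert: nil, issuer_key: ca_key,
                 serial: 1, days: 3650,
                 extensions: [["basicConstraints", "CA:TRUE", true],
                              ["keyUsage", "keyCertSign, cRLSign", true],
                              ["subjectKeyIdentifier", "hash", false]])
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv = make_cert(subject: "/CN=#{hostname}", key: srv_key, issuer_cert: ca, issuer_key: ca_key,
                  serial: 2, days: 365,
                  extensions: [["basicConstraints", "CA:FALSE", true],
                               ["keyUsage", "digitalSignature, keyEncipherment", true],
                               ["extendedKeyUsage", "serverAuth", false],
                               ["subjectAltName", "DNS:#{hostname}", false]])
  { ca_cert: ca, ca_key: ca_key, server_cert: srv, server_key: srv_key }
end

# Would a client trusting only ca_cert accept server_cert for hostname?
# Both the chain and the name must check out, as in a browser.
def trusted_for?(ca_cert, server_cert, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(server_cert) && OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
end

# PEM strings named after the files the question passes to thin; ca.crt is the
# one to import into the OS/browser trust store so the warning goes away.
def pem_bundle(pki)
  { "server.key" => pki[:server_key].to_pem, "server.crt" => pki[:server_cert].to_pem,
    "ca.crt" => pki[:ca_cert].to_pem }
end
```

Only the CA certificate should ever be imported as trusted; keep the CA key off shared machines, since anything it signs will be accepted by every browser that trusts it.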

OS X: Development & Production Deployment for RoR with Apache and Passenger

My head is about to explode from the mangled mess resulting from the past few days of trying to set up a development environment for Rails, Apache and Passenger.
The questions I have are:
Do you NEED passenger for a development environment? Can I just develop with pow.cx instead? - I am 99.99% sure the answer is no (you don't use passenger for development), but I need confirmation since I am deeply confused now.
When I deploy, I only use Passenger for that, correct? I.e. I don't ever touch passenger until I deploy.
Is my development environment correct?
Production deployment is simply moving a rails application under the effects of Passenger coupled with an Apache VHOST?
Background (I suggest you read):
It seems that all the information on the web is concerned with explaining things for people who already know what they are doing, rather than explaining in detail how things work; it's just a series of installation steps, and that has left me extremely confused about the role of things, and how to set up a development environment and deploy a RoR application correctly, so please bear with this long question.
For the past 3 days I have been trying to set up a development environment on my MacBook Pro that isn't destroyed by Apple's ridiculous limits on Apache installations. I installed a custom Apache install (from Bitnami using their Ruby stack, since I refuse to use Server.app) so that I can run Apache and upgrade things like PHP to 5.5 easily, and that works fine.
I am trying to get into RoR but so far it has been a struggle, and I am about ready to give up.
I understand you need Apache to serve Rails applications so that the server can handle requests concurrently rather than one at a time, and that various interfaces for this exist like Thin or whatever; Passenger was highly recommended.
I installed Passenger via their instructions and did some hackery to compile it for the Bitnami passenger installation, rather than the default Apache on Mac OS X, and it's working. When I start Apache and run passenger-memory-stats I get the results expected from the installation guide, so that tells me Passenger is running.
However, when I try and deploy a simple hello world Rails application I get a slew of "We're sorry…" or no result at all and just a blank page.
I am fairly sure my development environment is correct, everything works except this last bit. I can picture development taking place on a pow.cx server, and once deployment is ready you simply copy the Rails application and configure Apache's VHOST to point to your ready-to-deploy app while Passenger handles the rest, is that correct?
I am using PostgreSQL via Postgres.app; the server works fine and I can connect to it.
I have gem 'pg' in my Gemfile.
I have already read, and tried every conceivable solution from, the following SO questions, but I either get no result or empty logs, which is... infuriating to say the least:
We're sorry, but something went wrong. - with Rails, Apache, Passenger
Ruby on Rails: How can i edit database.yml for postgresql?
How do I set up the database.yml file in Rails?
https://www.ruby-forum.com/topic/187128
So with all that said, I am trying to deploy this hello world application (which works on a standard rails server) using the following:
INVOKING APPLICATION VIA:
http://dmarket.local:8081/
VHOSTS:
<VirtualHost *:8081>
PassengerEnabled on
RailsEnv production
ErrorLog /Applications/rubystack/apache2/htdocs/helloworld/project_error.log
CustomLog /Applications/rubystack/apache2/htdocs/helloworld/project_error.log combined
ServerName dmarket.local:8081
ServerAlias www.dmarket.local:8081
DocumentRoot "/Applications/rubystack/apache2/htdocs/helloworld/public"
PassengerPreStart http://dmarket.local:8081
<Directory "/Applications/rubystack/apache2/htdocs/helloworld/public">
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
HOSTS FILE:
127.0.0.1 dmarket.local
127.0.0.1 www.dmarket.local
DATABASE.YML (same for development, test, and production):
adapter: postgresql
encoding: unicode
host: 127.0.0.1
port: 5432
database: tsujp
pool: 5
username: tsujp
password:
A summary of answers to your questions
You don't need Passenger in development. You can develop with Pow, and deploy with Passenger.
But you can use Passenger in development if you want to. It is a good idea to use Passenger in development because that way your development environment will match your production environment more, which reduces the risk of running into unexpected problems when you deploy.
Using Passenger in development is very easy. Use its Standalone mode, and run passenger start instead of rails server.
Pow is strictly a development-only server. The authors recommend against using it in production.
When you deploy, you touch Passenger. You don't have to touch Passenger until deployment time, but you may.
Production deployment is indeed moving an application under the effects of Passenger, and setting up a virtual host. You will of course also need to install gems (bundle install), set up the database (editing config/database.yml), run database migrations (bundle exec rake db:migrate), etc.
I've also posted updates on the posts that you linked to, in order to make life easier for people who happened to have found those posts via search.
Apache vs Nginx
You will find a lot of people recommending Nginx (e.g. Sergio just did). I second that recommendation. Nginx is faster than Apache, handles slow clients better and is generally easier to use.
Passenger works great with Nginx. It has an Nginx integration mode that is just as easy as the Apache mode. Sergio suggested Nginx + Unicorn or Nginx + Puma, but Nginx + Passenger (which replaces Unicorn/Puma) is much easier to set up, performs great, uses less memory, works better and has more features. Nginx + Unicorn requires a lot of configuration, process management using init scripts, etc.
But this is just a recommendation. You don't have to use Nginx. Sticking with Apache + Passenger is fine. Apache works well enough for most people.
Regarding your Passenger problems
However, when I try and deploy a simple hello world Rails application I get a slew of "We're sorry…" or no result at all and just a blank page.
Whenever you get an unexpected error, the first thing you should do is to read the log files. There are two log files that are important to you:
The web server error log, typically /var/log/apache/error.log. This log file contains:
Phusion Passenger error messages.
Everything that the Rails application writes to STDERR. This typically consists of errors that Rails encounters during startup (but not errors that it encounters when it's handling requests).
The Rails development log (or production log, in case you're running in production), log/development.log (or log/production.log). When an error occurs during request handling, it is typically logged here. This file does not contain errors that Rails encounters during startup.
The error messages will often tell you what the problem is and how to solve it.
This tip can also be found in the Phusion Passenger manual, Troubleshooting section.
Capistrano
Sergio recommended Capistrano. I second that recommendation. You should remember that Capistrano complements Passenger; it does not replace Passenger. Capistrano is a tool for automating tasks. Do you currently create a tarball of your app and scp it to your server, and extract it there? Well, Capistrano automates this sort of thing for you.
For more information about how all the different pieces of the stack fit together (Apache, Passenger, Capistrano, HAProxy, Chef, etc), check out the section "The big picture" on the Phusion Passenger documentation page.
Recommendation summary
Use passenger start in development. It is by far the easiest to get started with. You don't have to edit any configuration files, it works immediately.
Use Phusion Passenger for Nginx in production.
You don't need Passenger in development. In fact, in development mode you don't even need Apache. You can use the built-in WEBrick server ($ rails server) to run your app. And yes, Pow is a good tool; I use it all the time.
In production there are also multiple options. One of them is Apache+Passenger, yes. But you need to put Nginx in front of those (because Apache doesn't handle slow clients very well). If you have nginx, then you can replace apache+passenger with something else. For a long time I've been using Unicorn (the Ruby web server from GitHub). Now my current favourite is Puma. It uses fewer resources than Unicorn, but places more requirements on your code (it had better be thread-safe, because Puma is a threaded server).
Now, to the development-production discrepancy: it is known that development should resemble production as closely as possible, because it minimizes risks when deploying. So, my suggestion is: use Unicorn everywhere (both development and production). Only on production put nginx in front of it.
Also, for actually performing deploys, look into Capistrano. It has become the industry standard for deploying Rails apps (but it can also deploy PHP, static files and what have you).

Stable and fast configuration of Web Server to run Rails like apache + php on Windows

I'm looking for a good configuration of Rails + a web server. Actually I'm using WEBrick, which has some problems (on 2 different machines): first, it crashes after XXX time (and it's not my application; it happens randomly on a brand new app). Second, it doesn't handle multiple requests, and my app uses a lot of small ajax calls, making testing the website really slow for a local server with such small pages.
I thought I could install Rails + Apache, but reading around I think it's not possible. What's the fastest configuration (that supports multi-threaded requests) as a web server to use with Rails?
I'm using WAMP to handle my Apache web server, PHP, MySQL and so on (yeah, I'm not an expert, but I can handle configuration files). I would like to use Rails through that Apache if possible; however, I read I should use Apache + Mongrel (can I handle multiple requests in this way?).
I'm ok with other configurations too, I just need someone to point me in the right direction and possibly on a tutorial.
So requirements are:
Handle parallel requests (I have a lot of small requests)
Stable (WEBrick crashes quite often)
Thanks a lot
Edit 1:
For those who, like me, use virtual hosts, here is what I wrote:
<VirtualHost *:8080>
ServerAdmin admin#federtrek.org.localhost
DocumentRoot "D:/wamp/www/manage_federtrek_org"
ServerName federtrek.org.localhost
ServerAlias manage.federtrek.org.localhost
ErrorLog "logs/manage.federtrek.org-error.log"
CustomLog "logs/manage.federtrek.org-access.log" common
ProxyPass / http://manage.federtrek.org.localhost:3000/
ProxyPassReverse / http://manage.federtrek.org.localhost:3000/
</VirtualHost>
Where port 3000 is the Mongrel server and 8080 is the Apache port.
Follow the PDF document linked in the answer to make it work.
WEBrick is not appropriate for a production environment; it should only be used for local development.
You're deploying Rails on Windows? Never heard of that being done before. If it were Linux or OS X and you insisted on using Apache, I would recommend Phusion Passenger (it's kind of like Ruby's mod_php). But I don't think they support Windows.
I think your best bet is Mongrel... I think it runs under Windows. The idea is that you run one or more copies of your Rails app as Mongrel processes (services, in Windows parlance?). You then set up Apache as a reverse proxy to them, perhaps also doing some load balancing. While it's not actually multi-threading, it will have the same benefits. (In fact, most Rails deployments use this idea instead of true multi-threading.)
There should be lots of tutorials out there for this, on *nix at least. I think most of it will be the same for Windows. A quick Google search yielded this PDF specific to a Windows setup. http://www.napcsweb.com/howto/rails/deployment/RailsWithApacheAndMongrel.pdf

rails trying to troubleshoot latency on my development machine - where can I see the web server request log?

I'm having a lot of latency running WEBrick on my development machine (localhost). Any time the browser makes a request, it takes the server about 8-9 seconds before it shows the contents of the database, which contains just 34000 listings of text, output to the browser window.
I want to troubleshoot to find out what's happening.
Where should I start the process of troubleshooting?
I thought the first thing would be to monitor the web server logs to see requests.
But where can I find these on my development machine?
I know I can find the apache logs on my machine at
/var/log/apache2/access_log
but Rails doesn't run apache, right? It runs WEBrick on port 3000.
Please help.
When you run rails in development mode like:
rails s
...it usually runs WEBrick automatically as a foreground process and prints the type of information you're looking for to the console for each client request. You can check/tune some of the logging parameters by editing:
config/environments/development.rb
As WEBrick is the default web server, Apache has nothing to do with it unless you've configured your environment to do so. As you mentioned, the default port is 3000.
Newer versions of Rails can also log the database query plan automatically for queries taking a long time to return.
# Log the query plan for queries taking more than this (works
# with SQLite, MySQL, and PostgreSQL)
config.active_record.auto_explain_threshold_in_seconds = 0.5
You should also check your specific database for proper indexing based on the schema and queries you're trying to optimize.