Rails - May 2006 - recommended setup of Mongrel_cluster + SSL for multiple apps?

I''d like to use Mongrel_cluster with SSL on a green-field application
(it
can be configured however is best - initially, "ease of setup" is
important,
but then soon after will be scaling and response time). I''ve read a lot
of
emails on this topic, and checked out the Mongrel pages, etc, but I''m
left
with this question of what is recommended:

 

For a client-login application (no pages/images/anything are accessible
without logging in first - and the authentication is being done in Rails,
not in Apache/Lighttpd):

1) Is there a recommended setup to put SSL in front of a mongrel cluster? 

(pound is said to be somewhat slow and therefore won''t scale well;
lighttpd
has ssl built in, but there are some problems with mod_proxy so on the
mongrel website it says to connect to one port which is running balance; pen
has only experimental SSL built into it; Apache seems like overkill if it is
ONLY being used as an SSL front end)

 

2) if all pages are protected by login (being done in Rails using session
variables to make sure that someone is logged in before serving a page),
then pages caching in Lighttp/Apache isn''t really feasible since they
serve
pages without checking with Rails first (i.e., without making sure the
person is logged in) unless you want to have lighttpd/apache do the
authentication (which I don''t want). Given that lighttpd / apache are
usually recommended to be in front of mongrel is in the case of serving up
static content. but without that, then the only reason to use them is as a
SSL front end, but then there are other options.

 

3) if you''re going to run multiple apps on the setup (as:
app1.eyetools.com,
app2.eyetools.com, etc) does that change the recommendation?

 

 

Greg Edwards

CTO, Eyetools Inc.

gedwards1@eyetools.com

(916) 792 4538

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060502/dc48d061/attachment.html

Howdy, answers below...


On 5/2/06 4:01 PM, "Greg Edwards" <gedwards1@eyetools.com>
wrote:
> I?d like to use Mongrel_cluster with SSL on a green-field application (it
can
> be configured however is best ? initially, ?ease of setup? is important,
but
> then soon after will be scaling and response time). I?ve read a lot of
emails
> on this topic, and checked out the Mongrel pages, etc, but I?m left with
this
> question of what is recommended:
>  
> For a client-login application (no pages/images/anything are accessible
> without logging in first ? and the authentication is being done in Rails,
not
> in Apache/Lighttpd):
> 1) Is there a recommended setup to put SSL in front of a mongrel cluster?
> (pound is said to be somewhat slow and therefore won?t scale well; lighttpd
> has ssl built in, but there are some problems with mod_proxy so on the
mongrel
> website it says to connect to one port which is running balance; pen has
only
> experimental SSL built into it; Apache seems like overkill if it is ONLY
being
> used as an SSL front end)
>
You''ve got three options that seem to be coming out as the best
practices
for mongrel clusters (whether you need SSL or not):

1) Use apache with mod_proxy_balancer.  Jonathan wrote a great article with
a huge URI that covers this really well.
http://blog.innerewut.de/articles/2006/04/21/scaling-rails-with-apache-2-2-m
od_proxy_balancer-and-mongrel

2)  litespeed web server with mongrel, written up by Rick
http://weblog.techno-weenie.net/2006/4/11/setting-up-litespeed-with-mongrel

3)  Simple little pound setup with mongrel.  Written up by nobody yet.

There have also been mixed reviews of the following two options for people
not needing SSL:

A) pen + mongrel written up by Ezra
http://brainspl.at/articles/2006/04/26/dead-simple-deployment

B) balance + mongrel with no write-up but pretty simple to get going
http://www.inlab.de/balance.html

And, while you''re at it, take a look at Bradley of railsmachine.net who
has
a spiffy cluster management plugin for mongrel:
http://www.forbiddenweb.org/viewtopic.php?id=93239

That should keep you busy for a while.

Most of the folks I talk with have found that lighttpd is start to lack in
the stability department, especially with it''s mod_proxy backends.  Man
I
wish Jan would discover the love valgrind shines on C code.
> 2) if all pages are protected by login (being done in Rails using session
> variables to make sure that someone is logged in before serving a page),
then
> pages caching in Lighttp/Apache isn?t really feasible since they serve
pages
> without checking with Rails first (i.e., without making sure the person is
> logged in) unless you want to have lighttpd/apache do the authentication
> (which I don?t want). Given that lighttpd / apache are usually recommended
to
> be in front of mongrel is in the case of serving up static content? but
> without that, then the only reason to use them is as a SSL front end, but
then
> there are other options.
>
Not sure if this is a question Greg, but yeah, authenticated pages pose a
problem.  Read the above linked article on mod_proxy_balancer.  Jonathan
does a great job of showing his architecture and talking about how he has to
use fragment caching and memcached for nearly the same reason.
  
> 3) if you?re going to run multiple apps on the setup (as:
app1.eyetools.com,
> app2.eyetools.com, etc) does that change the recommendation?
>  
> 
Options 1-3 all handle this situation just fine, but with varying degrees of
complexity.  Apache is probably the most complex, followed by litspeed, then
pound (but I''m sure others have different opinions).

Options A & B can''t do this since they just proxy tcp.  You could
potentially do the rails trick where you can give conditional content based
on the host, but I''m not really sure how you hook that one up.

Hope that helps.  If you get one working, please write it up for everyone so
that we can start to build more knowledge around deployments.


Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/

Zed,

Thanks for your answer. I''ll keep you posted!
-Greg

-----Original Message-----
From: rails-bounces@lists.rubyonrails.org
[mailto:rails-bounces@lists.rubyonrails.org] On Behalf Of Zed Shaw
Sent: Tuesday, May 02, 2006 5:20 PM
To: "gedwards1@eyetools.com, rails"@lists.rubyonrails.org
Subject: Re: [Rails] recommended setup of Mongrel_cluster + SSL formultiple
apps?

Howdy, answers below...


On 5/2/06 4:01 PM, "Greg Edwards" <gedwards1@eyetools.com>
wrote:
> I?d like to use Mongrel_cluster with SSL on a green-field application (it
can
> be configured however is best ? initially, ?ease of setup? is important,
but
> then soon after will be scaling and response time). I?ve read a lot of
emails
> on this topic, and checked out the Mongrel pages, etc, but I?m left with
this
> question of what is recommended:
>  
> For a client-login application (no pages/images/anything are accessible
> without logging in first ? and the authentication is being done in Rails,
not
> in Apache/Lighttpd):
> 1) Is there a recommended setup to put SSL in front of a mongrel cluster?
> (pound is said to be somewhat slow and therefore won?t scale well;
lighttpd
> has ssl built in, but there are some problems with mod_proxy so on the
mongrel
> website it says to connect to one port which is running balance; pen has
only
> experimental SSL built into it; Apache seems like overkill if it is ONLY
being
> used as an SSL front end)
>
You''ve got three options that seem to be coming out as the best
practices
for mongrel clusters (whether you need SSL or not):

1) Use apache with mod_proxy_balancer.  Jonathan wrote a great article with
a huge URI that covers this really well.
http://blog.innerewut.de/articles/2006/04/21/scaling-rails-with-apache-2-2-m
od_proxy_balancer-and-mongrel

2)  litespeed web server with mongrel, written up by Rick
http://weblog.techno-weenie.net/2006/4/11/setting-up-litespeed-with-mongrel

3)  Simple little pound setup with mongrel.  Written up by nobody yet.

There have also been mixed reviews of the following two options for people
not needing SSL:

A) pen + mongrel written up by Ezra
http://brainspl.at/articles/2006/04/26/dead-simple-deployment

B) balance + mongrel with no write-up but pretty simple to get going
http://www.inlab.de/balance.html

And, while you''re at it, take a look at Bradley of railsmachine.net who
has
a spiffy cluster management plugin for mongrel:
http://www.forbiddenweb.org/viewtopic.php?id=93239

That should keep you busy for a while.

Most of the folks I talk with have found that lighttpd is start to lack in
the stability department, especially with it''s mod_proxy backends.  Man
I
wish Jan would discover the love valgrind shines on C code.
> 2) if all pages are protected by login (being done in Rails using session
> variables to make sure that someone is logged in before serving a page),
then
> pages caching in Lighttp/Apache isn?t really feasible since they serve
pages
> without checking with Rails first (i.e., without making sure the person is
> logged in) unless you want to have lighttpd/apache do the authentication
> (which I don?t want). Given that lighttpd / apache are usually recommended
to
> be in front of mongrel is in the case of serving up static content? but
> without that, then the only reason to use them is as a SSL front end, but
then
> there are other options.
>
Not sure if this is a question Greg, but yeah, authenticated pages pose a
problem.  Read the above linked article on mod_proxy_balancer.  Jonathan
does a great job of showing his architecture and talking about how he has to
use fragment caching and memcached for nearly the same reason.
  
> 3) if you?re going to run multiple apps on the setup (as:
app1.eyetools.com,
> app2.eyetools.com, etc) does that change the recommendation?
>  
> 
Options 1-3 all handle this situation just fine, but with varying degrees of
complexity.  Apache is probably the most complex, followed by litspeed, then
pound (but I''m sure others have different opinions).

Options A & B can''t do this since they just proxy tcp.  You could
potentially do the rails trick where you can give conditional content based
on the host, but I''m not really sure how you hook that one up.

Hope that helps.  If you get one working, please write it up for everyone so
that we can start to build more knowledge around deployments.


Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/

_______________________________________________
Rails mailing list
Rails@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails

On May 2, 2006, at 5:20 PM, Zed Shaw wrote:
> On 5/2/06 4:01 PM, "Greg Edwards" <gedwards1@eyetools.com>
wrote:
>
>> I?d like to use Mongrel_cluster with SSL on a green-field  
>> application (it can
>> be configured however is best ? initially, ?ease of setup? is  
>> important, but
>> then soon after will be scaling and response time). I?ve read a  
>> lot of emails
>> on this topic, and checked out the Mongrel pages, etc, but I?m  
>> left with this
>> question of what is recommended:
snip...
> You''ve got three options that seem to be coming out as the best  
> practices
> for mongrel clusters (whether you need SSL or not):
>
> 1) Use apache with mod_proxy_balancer.  Jonathan wrote a great  
> article with
> a huge URI that covers this really well.
> http://blog.innerewut.de/articles/2006/04/21/scaling-rails-with- 
> apache-2-2-m
> od_proxy_balancer-and-mongrel
This was really helpful, thanks Zed (and Jonathan of course!)

I just finished creating an Apache config that handles static  
requests and
only proxies dynamic content:

   # Serve static request with Apache
   RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} -f

   # Serve server-info and server-status with Apache
   RewriteRule . -                                          [last]
   RewriteCond %{REQUEST_URI} ^/(server-info|server-status)

   # Everything else goes to Mongrel
   RewriteRule . -                                          [last]
   RewriteRule ^/(.*)$ balancer://proxy_group/$1            [proxy]

   # This defines where the mongrels are
   <Proxy balancer://proxy_group>
     BalancerMember http://127.0.0.1:7000
     BalancerMember http://127.0.0.1:7001
   </Proxy>

   # This handles the reverse proxying
   ProxyPassReverse / balancer://teaser/

-- 
-- Tom Mornini

On May 4, 2006, at 3:55 PM, Tom Mornini wrote:
> This was really helpful, thanks Zed (and Jonathan of course!)
>
> I just finished creating an Apache config that handles static  
> requests and
> only proxies dynamic content:
>
>   # Serve static request with Apache
>   RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} -f
>
>   # Serve server-info and server-status with Apache
>   RewriteRule . -                                          [last]
>   RewriteCond %{REQUEST_URI} ^/(server-info|server-status)
>
>   # Everything else goes to Mongrel
>   RewriteRule . -                                          [last]
>   RewriteRule ^/(.*)$ balancer://proxy_group/$1            [proxy]
>
>   # This defines where the mongrels are
>   <Proxy balancer://proxy_group>
>     BalancerMember http://127.0.0.1:7000
>     BalancerMember http://127.0.0.1:7001
>   </Proxy>
>
>   # This handles the reverse proxying
>   ProxyPassReverse / balancer://teaser/
Oops! Last line should be:

   ProxyPassReverse / balancer://proxy_group/

-- 
-- Tom Mornini