interprogramming articles/news

Rails 500 error - IP spoofing attack

2008-08-16T03:57:00+00:00

Apparently Rails 2.1 has the nifty ability to throw a 500 Internal Server Error with the message “IP spoofing attack?!” under certain circumstances.

Unfortunately, those circumstances include a common Apache/Mongrel deployment and Yahoo’s crawler, Slurp, trying to index your site. It’s possible Apache/Mongrel isn’t required; I’m unsure.

The key is that Slurp includes both a Client-IP header (HTTP_CLIENT_IP by the time it hits Rails) and an X-Forwarded-For header (HTTP_X_FORWARDED_FOR). When both are present, Rails assumes something evil is happening and voluntarily dies. Neat.

Such a header can be relied on only if it was set by a trusted proxy. Otherwise, it’s hard to know if it was spoofed. The difficulty is for Rails to know which one, if any, was set by a trusted proxy.

I deploy Rails in a common Apache w/mod_proxy_balancer and Mongrel setup. Apache uses X-Forwarded-For natively, so that’s the one I want to trust. To make Rails happy, I’ve just told Apache to delete the Client-IP header if present.

Adding RequestHeader unset Client-IP to the virtual host configuration seems to do the trick.

This does require mod_headers to be enabled in Apache.

Announcing Zerigo: NS -- DNS service

2008-08-07T01:42:00+00:00

I’m pleased to announce my latest service: Zerigo: NS

Zerigo: NS arose out of my own need for a reliable, easy to use, and affordable DNS service—not just for a single domain, but for a whole stack of them.

Key features are:

DNS services for your domains – no limit on the number of domains
Geographically distributed and redundant servers (North America and Europe)
Templates, for easy management of many domains
Ability to modify records dynamically (so called dynamic-DNS)
Configurable TTLs (as low as 5 minutes)

Standard service is free. A premium service is available for very high volume users or those requiring priority support.

http://ns.zerigo.com/

Rails plugin Limited Sessions updated

2008-07-24T17:14:00+00:00

I updated my limited_sessions plugin to improve support for Rails 2.1. It should maintain backwards compatibility.

The change surrounds Rails 2.1’s new partial updates support. Basically, it’s turned off for sessions so the session is kept current and doesn’t expire if the user is active.

limited sessions

Home Depot: "Just a toy"

2008-07-18T19:38:00+00:00

I was at Home Depot today trying to match paint colors for some exterior trim. I went to Home Depot because they have a self-service color-matching computer.

As I’m trying to use it, and getting rather poor results, a woman asks one of the clerks, “how well does this work?” He responded, “it’s just a toy.”

Why have something that doesn’t work and is just a toy—something not actually useful for your customers? It’s a breach of trust with those customers.

I did get help from another clerk, but I still left the store feeling a bit disillusioned with Home Depot. They obviously don’t care about me or their other customers—we’re just something to be fooled around with.

In business, it would be worthwhile to always ask, “is this actually useful or helpful to my customers?”

for all your needs

2008-07-06T04:29:00+00:00

The phrase “for all your needs” is pervasive. For all your insurance needs, for all your business needs, for all your printing needs, for all your in-home weekend veterinarian care needs, etc.

Does that phrase seem meaningful to you? It doesn’t to me. Instead, it strikes me as filler—a way to have a phrase to print or speak when nothing else comes to mind or perhaps when no time has been spent to think of something more meaningful.

Spend some time coming up with something interesting to say or at least an interesting way to say it. If your words are only filler, they’ll just go in one ear and out the other—not exactly the desired effect.

classmates.com's business model seems pretty fried

2008-06-23T18:27:00+00:00

classmates.com just sent me one of their usual spam^H^H^H^Hupdate messages. I’m struck today by the silliness of their current business model which is to hold data for ransom and require a subscription to get to it.

Supposedly I have a guestbook signing. However, they are requiring me to pay them to get to it. That’s dumb.

Here in 2008, data like that is free. I don’t pay to use facebook, linkedin, or any other of the myriad of social networks. Why should I pay classmates.com? I won’t and their data can rot—data I can’t see might as well not exist.

Maybe it’s time for classmates.com to rethink.

xen 3.2 freezing under load

2008-06-21T20:37:00+00:00

For a number of weeks now I’ve been fighting a Xen host (dom0) that’s been freezing up periodically. It’s been a complete freeze of the Linux kernel, dom0, all domU’s, everything. SysRq doesn’t work either.

Today I finally found a reliable way to reproduce it.

On this dom0 I have a USB sound adapter attached. Pulseaudio runs in the dom0 so I can have sound from various domU’s. I had this connected via a powered USB 2 hub. It seems that this combination is the problem. Removing just the hub and connecting the USB sound driver directly seems to improve things.

I did try to freeze the system generating USB load to another USB device (UPS) but it seemed stable. This could be because I can’t generate anywhere near the load to a UPS as to a sound adapter.

Anyway, I made a couple of other changes a couple weeks ago such that I no longer have to use the hub, so I’ve pulled it out of the chain entirely.

Now I’m hoping this was the only way to crash the system and that I now have it solved. Only time will tell.

Compiling mod_xsendfile for OS X

2008-04-07T23:09:00+00:00

Today I needed to compile mod_xsendfile for OS X on Intel. The standard command for this,

apxs -cia mod_xsendfile.c

resulted in a module that was for i386 only.

Apache on Leopard (untested on Tiger) doesn’t appreciate this, throwing this error:

4/7/08 5:08:08 PM org.apache.httpd[ 15990] httpd: Syntax error on line 116 of /private/etc/apache2/httpd.conf: Cannot load /usr/libexec/apache2/mod_xsendfile.so into server: dlopen(/usr/libexec/apache2/mod_xsendfile.so, 10): no suitable image found. Did find:\n\t/usr/libexec/apache2/mod_xsendfile.so: mach-o, but wrong architecture

Turns out the solution is pretty simple. Just change the command to apxs to this:

apxs -cia -Wc,"-arch x86_64 -arch ppc -arch i386 -arch ppc64" -Wl,"-arch x86_64 -arch ppc -arch i386 -arch ppc64" mod_xsendfile.c

This will generate a fat-binary for all four current Mac architectures.

paging: blog writers: hello !?!

2008-02-08T22:06:00+00:00

one of my pet peeves is a blog that doesn’t have links to view previous pages of content. it works like this:

something i’m reading has a link to some random blog. i follow it, find the article interesting, and wonder what else of interest might be on this blog. so, i go to the home page and start reading. typically i get to read 5-10 articles and then get to the bottom of the page.

first tip: if your blog only shows one or two articles per page, change it. i don’t want to click and wait that often—i’ll end up leaving.

at the bottom i frequently find, well, nothing. i’m looking for a ‘next page,’ ‘more articles,’ ‘older entries,’ or something of the sort. i am amazed at how often there’s nothing there. sometimes i simply close the window at this point. occasionally i scroll back to the top looking for the links there, although i almost never find them.

i have, on occasion, gone digging into the archives section. even then, it’s usually impossible to find a way to get to a substantial portion of older content. the site i was just at showed about 10 articles for a given month, then an incomplete list of links to some more articles from that month (including duplicate links for all the articles above). still no pager though.

lame. don’t make visitors work that hard to read your site. if your blog or other content-drive site doesn’t have the ability to easily page through older content, you’re losing readers. fix it.

spotlight fun in leopard

2007-12-22T03:57:00+00:00

i upgraded to mac os x 10.5 shortly after it came out. one of the biggest areas of improvement is with spotlight. mostly it’s just much, much faster.

given its speed, i often use spotlight to launch less frequently used applications. today i went to launch locomotive.

cmd-space – l – o – c – o

that’s as far as i got before locomotive was the top hit, ready to launch. that’s great. more amusing, however, was what was right below it:

definition: adjective. crazy.

made me smile.