All posts by rbowen

Web server performance problem solved, years later

(Geeky post alert. If you’re reading this on Facebook, the links and formatting are going to be all messed up.)

15 years ago, I wrote a blog post about a stereo cabinet glass door that spontaneously exploded. For some reason, this post attracted a lot of attention. If I had written it a few years later, one would say it “went viral.” It received tens of thousands of page views, and 330 comments.

At some point, I decided to export it to a static page, since every page load was causing my server – at the time, running on a Pentium in my home office across my DSL line – to slow down horribly. In the process, I managed to delete the page entirely (a long story within a long story) and I grabbed the page off of the Wayback Machine.

That page is HERE, by the way.

Each comment has a Gravatar logo next to it, which, due to the way curl (the tool I used to retrieve the static copy) works, has a name like avatar(230).php but is actually a jpeg file. That means that every time the page loads, it makes 330 calls to the php engine, which errors out because the file in question isn’t a php file, but is an actual on-disk jpeg file. Like this one, for example.

Then, several years ago, I switched from using mod_php to using php_fpm, which does the same thing, except more efficiently.

Finally, at some point, I added a mod_security ruleset that attempted to detect when people were DDoSing my site – the barrier it set was more than 30 requests in under a second.

These various things, all combined, resulted in a situation where whenever someone attempted to view that page, it would cause my server to crawl to a halt, and the visitor to be added to my mod_security deny list. This was not desired behavior.

Of course, this is all in retrospect. All I knew was that several times a day, I’d get failure notices from my server monitoring, and by the time I got there to see what was happening, the problem had cleared up. So, no big deal, right.

This has been going on for years.

Today, looking at error logs trying to figure out what was happening, I suddenly put all of the pieces together, and fixed the problem, in less time than it has taken me to write this blog post. The solution has a few parts.

First, we exclude anything in the /files/ directory from being processed by php:

# (old line) ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/vhosts/drbacchus/$1
ProxyPassMatch ^/(?!files)(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/vhosts/drbacchus/$1

That adds the (?!files) negative lookahead, which says “only do this if the path DOESN’T start with ‘files’”.

Next, we turn off the mod_security rule specifically for these requests:

<LocationMatch (Exploding)>
SecRuleEngine off
</LocationMatch>

Which says, don’t run the SecRuleEngine for requests that contain ‘Exploding’, which is in the URL of the static copy of the blog post.

Finally, I have to tell httpd that the .php files in the static copy are, in fact, jpeg files:

<Directory /var/www/vhosts/drbacchus/files>
# image/jpeg is the registered MIME type; browsers tolerate image/jpg but it is not standard
AddType image/jpeg .php
</Directory>

This has the added benefit that if anybody dropped a .php file in my files directory, it would be defanged, so to speak, and wouldn’t execute.
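To check what these three rules actually match before reloading httpd, here is an added example (not from the original post) that replays the ProxyPassMatch and LocationMatch patterns with Python’s re module, which supports the same negative lookahead, over constructed request paths. It also shows two edge cases the post does not mention: (?!files) excludes any path that merely begins with the letters “files”, such as /filesystem.php, and the unanchored LocationMatch exempts every URL containing “Exploding” from mod_security, not only the static page. The TIGHT_PHP_PATTERN and SECRULE_OFF_PATTERN_TIGHT variants are my suggested tightenings, not the post’s config.

```python
import re

# Patterns copied from the httpd config in the post above.
OLD_PHP_PATTERN = re.compile(r"^/(.*\.php(/.*)?)$")
NEW_PHP_PATTERN = re.compile(r"^/(?!files)(.*\.php(/.*)?)$")
# Suggested tightening (my assumption, not in the post): require the slash,
# so only the /files/ tree is excluded, not e.g. /filesystem.php.
TIGHT_PHP_PATTERN = re.compile(r"^/(?!files/)(.*\.php(/.*)?)$")
FCGI_BACKEND = "fcgi://127.0.0.1:9000/var/www/vhosts/drbacchus/"

# LocationMatch (Exploding) from the post: an unanchored regex, so it is a
# substring test against the whole request path, exactly as httpd applies it.
SECRULE_OFF_PATTERN = re.compile(r"Exploding")
# Suggested tightening (assumption): only exempt the static copy's own tree.
SECRULE_OFF_PATTERN_TIGHT = re.compile(r"^/files/.*Exploding")


def php_backend(path, pattern=NEW_PHP_PATTERN):
    """Return the fcgi:// target ProxyPassMatch would hand the request to,
    or None when httpd is left to serve the file from disk itself."""
    m = pattern.match(path)
    if m is None:
        return None
    return FCGI_BACKEND + m.group(1)  # $1 in the ProxyPassMatch rule


def secrule_engine_off(path, pattern=SECRULE_OFF_PATTERN):
    """True when the LocationMatch block applies and SecRuleEngine is off."""
    return pattern.search(path) is not None


def classify(path):
    """Summarise how the old and new configs treat one request path."""
    return {
        "old_backend": php_backend(path, OLD_PHP_PATTERN),
        "new_backend": php_backend(path, NEW_PHP_PATTERN),
        "secrules_off": secrule_engine_off(path),
    }


if __name__ == "__main__":
    # Constructed request paths; the avatar name mirrors the post's curl output.
    for p in ("/index.php", "/blog/post.php/extra",
              "/files/Exploding/avatar(230).php", "/files/dropped.php",
              "/filesystem.php", "/about/Exploding"):
        print(p, classify(p))
```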


300 TFTC

I just found my 300th geocache! I started Geocaching in March of 2003. It was a difficult time and I needed a reason to get out of the house and do something other than sit and stare at the walls. And so I started geocaching. I met a lot of good friends while geocaching, although I’m not in touch with very many of them anymore. Today I’m up in New Jersey for a wedding and took the opportunity to go out and get the last two to push me to the 300 line. Thanks for the cache.

Thermodynamics

I asserted to my daughter last week that a paper cup with water in it will not catch fire if placed directly in a fire. So, of course, we had to try it.

I was a little nervous, but it turns out this is completely true. The cup burned down to the water line, and then didn’t burn until the water had completely boiled off. The *instant* the last of the water boiled off, the cup burst into flames and was gone almost immediately. (Animated version of image is here.)

Why? Well, it’s because water boils at 212°F (100°C) and paper combusts at 451°F (843.8°C) so as long as there is water in the cup, the heat of the cup is being convected away into the water to heat it towards boiling and the cup remains too cold to ignite. Once the water starts boiling, the cup is full of steam, which is quickly carrying away the heat. The moment the water has all evaporated, though, the cup is abruptly at combustion temperature and goes up in a flash.

You should try it. It’s a great way to impress your kids. Or win a bet.

Blogging, and feedreaders

A week or two ago I had a conversation with Stormy about the lost art of blogging, and blog reading. Long ago, Google Reader was a daily routine, and kept me in touch with the blogs that I wanted to read, and made me more likely to write blogs of my own. When Google Reader died, nothing really took its place, and the thing that kinda sorta took its place – Facebook and Twitter – do a terrible, terrible job of giving me the sources I actually want, and, instead, feed me a steady diet of pablum and clickbait.

Yesterday, Anil Dash tweeted about Google Reader, and made some great observations about what an important tool it was for a certain population.

The entire Twitter thread is worth reading … and would have made a good blog post.

These two things have inspired me to try Feedly again. It is much better than the last time I tried to use it, and I have high hopes that I’ll actually stick with it this time, and make it part of my daily routine again. I hope. I also hope that this will result in my actually writing again, like I used to do, on a nearly daily basis.

Pi-Hole

In honor of Pi Day, I built and deployed a Pi-Hole server.

Pi Hole is software that acts as a caching DNS server and ad-blocker, by black-holing known advertising sources at the DNS layer.

You can obtain Pi Hole at https://pi-hole.net/

As the name suggests, it is optimized to run on a Raspberry Pi. I’m running it on a Pi B that was otherwise unoccupied.

It’s been running for a couple of days now, and tells me that it is stopping around 25% of traffic. And because it stops the traffic before the browser even connects to the server, that means that it is making my network faster as a result.

It took me very little time to get running, following the instructions on the website. Indeed, the longest part of the entire process was the initial Raspberry Pi operating system installation. The actual Pi Hole installation took maybe 10 minutes.

So far there has been no negative impact that I’ve noticed – no false positives, no pages I couldn’t get to that I wanted.

Recommended. Give it a try if you have a Raspberry Pi that has been sitting around since Christmas and you’re not sure what to do with it.

SnowpenStack

I’m heading home from SnowpenStack and it was quite a ride. As Thierry said in our interview at the end of Friday (coming soon to a YouTube channel near you), rather than spoiling things, the freak storm and subsequent closure of the event venue served to create a shared experience and camaraderie that made it even better.

In the end I believe I got 29 interviews, and I’ll hopefully be supplementing this with a dozen online interviews in the coming weeks.

If you missed your interview, or weren’t at the PTG, please contact me and we’ll set something up. And I’ll be in touch with all of the PTLs who were not already represented in one of my interviews.

A huge thank you to everyone that made time to do an interview, and to Erin and Kendall for making everything onsite go so smoothly.

OpenStack PTG and the Beast From The East

I’m at the OpenStack PTG in Dublin. I’ve started posting some of my videos on my personal YouTube channel – http://youtube.com/RichBowen – as well as on my work channel – http://youtube.com/RDOCommunity.

It turns out we’ve planned an event in the middle of the storm of the century, which the press is calling the Beast From The East.

So far it hasn’t amounted to a lot, but there’s a LOT more snow promised for this afternoon, and the government has warned people to stay off the roads after 4 unless they have a really good reason. Which is disappointing because I have a party planned to start at 6. I’m still trying to get hold of the venue to decide what happens next.

Yesterday I suddenly realized that I had bought my plane ticket for Sunday instead of Saturday by mistake. I quickly booked another hotel room for Saturday night, closer to the airport. Well, it turns out this may have been the most fortunate travel error I’ve made in a long time, as pretty much everything is cancelled for the next few days, and getting out of here on Saturday might have been impossible.

For now, we’re just watching the weather reports, and hoping for the best.

Not a Kenya citizen, apparently

There’s some drama going on in the news in Kenya right now. Without going into all of the detail (it’s quite a soap opera) one of the characters in the drama is one Miguna Miguna. (Yes, that’s really his name.)

Weirdly, I have been acquainted with Miguna for several years. He used to come to my Kenya website, say awful things about pretty much everyone, and then threaten to sue me when anyone said anything at all about him. Even when they had documented evidence. Like about his time in prison for opposing the Moi government, and other details that are conspicuously absent from his Wikipedia page.

But I digress.

One of the details of great interest to me is his citizenship. At some point, he acquired Canadian citizenship while in exile from Kenya (again, due to his political activism). The constitution says pretty clearly (and, as a lawyer, one would think he’d know this) that if you acquire foreign citizenship, you lose your Kenya citizenship. Read it for yourself. And you must apply for reinstatement, if you want it. Kenya does not automatically recognize dual citizenship, although there is a process you can go through to gain it, if you’re in that position.

Now, this last part was news to me, and so I’ve been reading over the last few days. Perhaps I could apply for reinstatement of my dual citizenship?

The 1991 constitution, I vaguely remember, introduces some language that eliminates dual citizenship. However, everything I can find about it now says that the only substantive change in that revision was the abolishment of the one-party state.

This led me to dig some more, because I have always believed that I had dual citizenship when I was born. I was born in Kenya to USA citizen parents.

Turns out, the 1963 constitution does not recognize Jus Soli – the notion that you’re a citizen of the bit of dirt you’re born on. Turns out, that’s actually somewhat uncommon, and mostly only recognized in the Americas. Not in Europe, Africa, or Asia, where (for the most part) you are a citizen only if your parents (or, in most cases, one of them) was a citizen.

So, although I have believed all my life that I’m a citizen of Kenya by birth, it turns out, legally, I never was. And, of course, the 2010 constitution makes it impossible for me to have that citizenship (re)instated, even if I had been, as I would have to reside in Kenya for 7 years, which is not practical at this stage in my life. And, as someone who was not, legally, born a citizen, I’d have to renounce my US citizenship as part of that process.

This is odd. Practically speaking, it makes no difference. I have never had enough knowledge of local politics to want to vote. I can still travel to Kenya without a visa. And I still have my childhood and my memories. It makes no practical difference whatsoever.

But I still feel like I’ve lost a part of who I am. Or, something that I always believed I was.

FOSDEM ’18, and the CentOS Brussels Dojo

The first weekend in February always finds me in Brussels for FOSDEM and the various associated events, and this year is no exception.

I arrived in Brussels on Wednesday morning, in order to have a little time to get over jet lag.

I have an AirBnB with two of my colleagues, and on Thursday, we cooked a fancy dinner and had a few friends over to share it. I think this is going to become an annual thing. It was a lot of fun, and I’ve been wanting to do this for a long time. I kind of wish we could have invited more people, but space is limited.

On Friday, CentOS had a dojo at the Marriott. We had roughly 75 people in attendance, and two rooms of presentations. I was, on the whole, very pleased with the event – both the attendance and the great talks.

Videos from the talk will start to appear on YouTube over the next few days, for those that missed it.

(We’ll have another Dojo in Singapore in March. Details coming real soon.)

Today was the first day of FOSDEM, with the chaos that always accompanies that. As usual, I worked shifts at the Apache, CentOS, and OpenStack tables. As usual, I was exhausted by quitting time. (Ok, quite a while before quitting time.)

Of course, I have to go back and do it again tomorrow.

This event is always exhausting, but it’s also a great time to see friends and colleagues from pretty much every open source project I’ve ever worked on, all the way back to the beginning. Today I saw Apache friends I haven’t seen in many years, and also got to spend time with colleagues that I usually only see a few times a year.

I’ll be writing more over on the CentOS blog, as well as in the RDO newsletter, so see those for the rest of the story.