Tag Archives: apache

mod_pony

mod_pony has been a pretty long-standing joke on #httpd on Freenode, and has also made a number of appearances in conference presentations of mine when I wanted to refer to an imaginary module for some reason.

I’m pleased to announce that there is now actually a mod_pony. It really doesn’t do anything useful. But it does build, and output a pony. And, really, what more could one possibly want?

Patches welcome.

(See mod_pony in action HERE.)

EDIT: mod_pony is now moved to Github. The “in action” link is not working – I’ll try to fix it when I get a moment.

Slowloris

No doubt you’ve heard of Slowloris, the HTTP DoS tool that will take down an Apache web server. I recommend reading the update at that site, which describes in some detail how it works.

Note that this condition is also covered in the Apache documentation, and, according to svn, that was put in:

r369825 | slive | 2006-01-17

So we’ve known about it for a *long* time.

What I can’t figure out is whether it’s really not that big a deal, or if I’m dismissing the importance because I’ve known about it for so long. I’ve known for a *long* time that you can take down an Apache server with nothing more than a telnet client. You telnet to port 80, issue a partial HTTP request, and then bg the process, then do it again.

The way that the attack works is that Apache then waits for the rest of the request, until it hits the timeout (configurable with the Timeout directive). This completely ties up that worker process, so that it can’t answer any other inbound requests. Unfortunately, by default, Timeout is set to 300. And Apache only has a finite number of available waiting processes (configurable with MaxClients). So you do that MaxClients times within Timeout seconds, and, voilà, the server is no longer able to respond to inbound requests.

That’s exactly what the slowloris tool does, in a more automated fashion.

So, what to do about it?

Well, set Timeout lower. And use mod_evasive to limit the number of connections from one host. And use mod_security to deny requests that look like they were issued by this tool. However, that last one doesn’t really help, because it’s trivial to change the signature of requests from this tool.
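To make the “MaxClients times within Timeout seconds” arithmetic concrete, here is a small discrete-time model of a prefork worker pool under partial requests. It is an added illustration written for this page, not Apache code and not the Slowloris tool: the pool size, the Timeout value and the per-host limit are parameters you pass in (the 256 and 300 used in the demo are constructed sample values, with 300 matching the default Timeout mentioned above), and the per-host cap is a simplified stand-in for what mod_evasive-style connection limiting is meant to achieve, not mod_evasive’s actual algorithm.

```python
"""Discrete one-second model of a prefork worker pool holding partial requests.

Added illustration for the Slowloris discussion; not Apache or Slowloris code.
Each second the attacker opens `rate` connections, spread round-robin over
`attacker_hosts` constructed source addresses, and sends only a partial
request. A worker slot stays occupied until `timeout` seconds have elapsed
(the Timeout directive), at which point Apache gives up on it and the slot is
freed. With `per_host_limit` set, a connection is refused once that host
already holds that many slots (a stand-in for per-host connection limiting).
"""


def connections_per_second_to_exhaust(max_clients, timeout):
    """Sustained rate of partial requests needed to hold every slot open.

    Each held slot lasts `timeout` seconds, so keeping `max_clients` slots
    occupied needs max_clients / timeout new partial requests per second.
    """
    return max_clients / timeout


def simulate_slowloris(max_clients, timeout, rate, duration,
                       per_host_limit=None, attacker_hosts=1):
    """Run the model for `duration` seconds.

    Returns (exhausted_at, peak_occupancy, refused):
      exhausted_at    first second at which a new connection finds the pool
                      full (None if that never happens),
      peak_occupancy  largest number of slots held at once,
      refused         connections turned away by the per-host limit.
    """
    held = []           # (expire_at, host) for every occupied slot
    refused = 0
    peak = 0
    exhausted_at = None

    for t in range(duration):
        # Free the slots whose Timeout has elapsed.
        held = [(expire, host) for expire, host in held if expire > t]

        for i in range(rate):
            host = f"10.0.0.{i % attacker_hosts}"   # constructed address
            if per_host_limit is not None:
                in_use = sum(1 for _, h in held if h == host)
                if in_use >= per_host_limit:
                    refused += 1
                    continue
            if len(held) >= max_clients:
                # Pool full: from here on legitimate clients hang as well.
                if exhausted_at is None:
                    exhausted_at = t
                continue
            held.append((t + timeout, host))

        peak = max(peak, len(held))

    return exhausted_at, peak, refused


if __name__ == "__main__":
    # Constructed sample values: 256 workers, default Timeout 300.
    print("one partial request per second, Timeout 300:",
          simulate_slowloris(256, 300, rate=1, duration=600))
    print("one partial request per second, Timeout 10:",
          simulate_slowloris(256, 10, rate=1, duration=600))
    print("rate needed with Timeout 10:",
          connections_per_second_to_exhaust(256, 10), "per second")
    print("26 per second, Timeout 10:",
          simulate_slowloris(256, 10, rate=26, duration=60))
    print("26 per second, Timeout 10, 10 slots per host:",
          simulate_slowloris(256, 10, rate=26, duration=60,
                             per_host_limit=10))
```

Running the demo shows the trade-off the post describes: at one partial request per second with Timeout 300 the pool fills after 256 seconds, while with Timeout 10 the same attacker never holds more than ten slots, but lowering Timeout only raises the required rate to MaxClients divided by Timeout (about 26 per second here), which a script has no trouble producing from a single host. The per-host cap is what actually bounds a single source, which is why the post pairs the shorter Timeout with mod_evasive-style limiting; the model also makes clear that a cap per host does nothing against an attacker spread over many addresses.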

On the other hand, this attack – or exploit, if you want to call it that – has been around for years, and hasn’t been a very popular attack vector. What this tool has done is not so much discovering an attack – we already knew about it – but let the larger number of script kiddies know about it. So presumably we’ll see it happen more often than we used to.

So, what to do about it longer term? Well, in Apache 3.0, or 2.4, with the event mpm and asynchronous IO, it will apparently be a non-issue. Another of the *many* compelling reasons to upgrade to 2.4 just as soon as it releases – something else that I need to write more about in the coming days.

Additional resources:

Niq’s response
Apache security documentation
Slowloris website
mod_evasive

Geek Arrogance and Chauvinism

I read with mounting horror Aaron’s post about the Ruby conference, and the various things that he linked to from it. Unfortunately, it’s an old and familiar story.

Unfortunately, it reminds me of attitudes in another community I used to be very involved in – Perl. Attitudes within Perl seem to have changed an awful lot in the last 10 years. I’m sure a lot of that had to do with the discovery that Allison Randal was smarter than any half-dozen of the rest of us put together. But, too, it had a lot to do with the examples of folks like Larry Wall and Casey West, who demonstrated by their actions that it was possible to be brilliant, but still be professional. This is a message that many boys (I hesitate to call them men) within the Ruby community haven’t grasped yet.

Having been involved in the planning of ApacheCon for the last seven years, I’m also horrified that the planning committee for a (seemingly) respectable conference would accept a talk that made no secret of the fact that it would use jokes about pornography to make its points.

I’ve written before about how pornography is treated as acceptable for public discourse. That was 6 years ago. At least in the technical circles *I* work in, this attitude has lessened, but not vanished, in that time. It is far less common for me to hear reference to porn in everyday technical discussion than it was back then. I don’t assume that the people in question believe, as I do, that pornography itself is damaging. I think it has more to do with the realization that some discussions simply don’t belong in professional settings. When someone spends good money to travel and attend your conference, they deserve to be treated with professionalism and respect, not treated to a stream of pornographic images and sexual innuendoes.

And this isn’t just about alienating the women in your audience. Turns out that some heterosexual men actually believe that objectifying women isn’t a good thing. But even if you don’t accept that belief, you owe it to your audience to treat them with professional courtesy, and recognize that they are paying a LOT of money to attend a technical conference, not a peep show.

Shame on Matt for putting together this presentation. Double shame on GoGaRuCo for accepting this talk. Shame on the decent men in the audience (assuming there were any) who didn’t get up and walk out after the first slide. Shame on the chauvinistic boors who are defending Matt in the various forums where this is being discussed.

Turns out, in the real world, it actually matters if you’re a jerk. It’s time for the Ruby On Rails community to grow up and realize that being professional isn’t a weakness. But it would be grossly short-sighted to merely point the finger at them and not take a close look at the attitudes within our own communities – be they technical or otherwise – and seriously reconsider our common courtesy in the work place.

First Apache email

It seems that my first Apache.org email message was a very thorough bug report for a bug that, alas, not only was already well documented, but which had already been fixed. The report was against Apache 1.3b3, which I mistakenly called 3.3b3. I guess, since 1.3 hadn’t released yet, that we must have been running 1.2 at the time at DataBeam.

That was in January of 1998, though, and I am pretty sure that I had already been running Apache for at least 2 years by then, and NCSA before that. It seems strange that I never sent a message to a mailing list before then.

Surrounded by genius

I got involved with Perl largely by accident, and very quickly found myself surrounded by people a lot smarter than me, and had the opportunity to meet people that, to this day, I’m humbled to think know me by name.

Later on, I got involved in Apache in much the same way. Somewhat by accident, but also because I did what I was good at – explaining complicated things to beginners – and contributed that back to the project. Once again, I quickly found myself surrounded by people not only a lot smarter than me, but who had done things that fundamentally changed the way the world does things, from developing the HTTP protocol itself to writing the Apache web server, to things like Java, ATOM, SVN, and so on.

I’m always a bit dazzled, when I come to ApacheCon, by the folks who are milling around here, and what these people have collectively created. And by the fact that they consider me one of their peers.

Over the years, the level of my contribution has waxed and waned, largely dependent on the demands of my real life, or whether or not I’m working on a book at the time. But the people that I’ve met during this process continue to respect and accept me for what I’ve done in the past. That’s pretty cool. But whenever I come to events like ApacheCon, I find myself inspired all over again to step up and contribute to this amazing collection of projects that comprise the ASF, or to other projects with which I’m nominally involved.

Apache HTTP Server Training in Amsterdam

Shameless Plug:

ApacheCon EU is just a few weeks away. I’ll be doing a two day training on the Apache HTTP Server, along with Jim Jagielski. He’s listed as the instructor, but we’ll both be tag-teaming on this.

Day one will be an overview of the entire server product, and day two will be hands-on, recipe-based examples, showing you how to do specific tasks that come up every day as a web server admin.

Here’s the training description.

Here’s the conference website.

Here’s where you sign up.

Come see me in Amsterdam. It’ll be lots of fun. And I’ll be going down to the Van Gogh museum on Wednesday afternoon. You should come with me.

Apache OFBiz Development

Apache OFBiz Development
The Beginner’s Tutorial

by Jonathon Wong and Rupert Howell

Packt Publishing (Official book website)

About 2 months ago, I was sent a review copy of “Apache OFBiz Development”, and have been trying to find time since then to do a review of it. I was also sent a PDF of Chapter 10, which you can read here.

For those of you who listen to FeatherCast, you may remember hearing an episode on OFBiz that we did back in December 2006. A lot has changed since then, including OFBiz becoming a TLP within the Apache Software Foundation. TLP stands for Top Level Project, and refers to the status that a project obtains when it is no longer under the supervision of the Incubator.

OFBiz is an Open Source framework for developing ERP and CRM systems. If you don’t know what ERP and CRM are, or if you don’t have at least a decent knowledge of Java programming, OFBiz probably isn’t for you. And, for that matter, this book probably isn’t. Although titled “The Beginner’s Tutorial”, keep in mind as you read that it’s referring to being a beginner at OFBiz, not a beginner to these other concepts.

The book dives right in to installing OFBiz from SVN. It’s pretty clear from this chapter that installing and configuring OFBiz is not for the faint of heart. As soon as Chapter 3, we’re being shown how to make modifications to the core OFBiz source code, and given recommendations about keeping track of these for future upgrades.

Although a certain familiarity with the MVC development methodology is useful, chapter 2 covers the rudiments, and discusses OFBiz’s take on it.

After a couple of chapters of nitty-gritty stuff, the book settles into an example/solution tutorial, and is very effective in presenting practical, hands-on scenarios that demonstrate how the system works, and how to get real results from it. As a side note, every time I see OFBiz in action, I’m enormously surprised at how sophisticated it is, and how much work has obviously gone into it.

Through the course of the rest of the book, example applications are built, and you can immediately begin to see the fruit of your knowledge. The prose is conversational, but direct and to the point, getting straight to the implementation details.

Chapter 14 covers a variety of useful debugging techniques, from the log files to using a full debugger – very valuable content for someone new to this stuff.

On the whole, I found this book to be an enormously helpful introduction to OFBiz development. While I admit that I’m probably not the target audience for the book, since my development is somewhat outside of the scope of this project, I was able to quickly understand the purpose of OFBiz, and see how it can be made useful.

Apache Incubator – Stonehenge

There’s a new project in the Apache Incubator. It’s called Stonehenge, and it’s about producing sample applications that implement industry standards. The purpose of these sample applications is to show developers how to develop interoperable applications. There’s a new FeatherCast about it, if you want to learn more about what they’re trying to accomplish.

By entering the ASF, a project has access to the ASF infrastructure, legal organization, funding, conferences, and a variety of other resources, as well as having access to folks who know how to do Open Source, who have been doing it for more than ten years, and many of whom are fabulous mentors for folks wanting to figure out how this all works.

My Other Life

This week I’m back in my other life.

At home, I have two lives. From about 8 in the morning until about 5 in the afternoon, I’m an IT manager, with a team of 5 very talented and productive programmers and designers, writing web applications and designing websites. This is extremely busy, and sometimes stressful, but for the most part I enjoy it thoroughly.

The rest of the time, I have a wife and two kids, and a lovely house, and I enjoy that life thoroughly too.

I do the first of these in order to pay for the second of these.

But then a few weeks of the year I do conferences, and this is truly a different existence. This week I’m at ApacheCon in New Orleans, with about a hundred of my third-life friends, and a bunch of strangers that have come to hear us talk about Apache technologies. Yesterday and today, I hung out in a board room with 10 of my friends to plan the next one, which will be in Amsterdam next spring, and I think we’ve put together a pretty great schedule for it.

And this time around, my Best Beloved has come along with me, to see what it is that I do at these things, meet some of my friends here, and generally enjoy this other part of my life that she doesn’t get to see much of.

I used to spend a lot more time on Apache stuff than I do now. With age and marriage come changing priorities. Also, with the new job comes an intense desire to not spend one more moment on the computer when I get home. I tend, also, to have a lot of extra projects going all the time, and for the last several months, they’ve all had to do with Apache, but none of them were involvement with the actual Apache community, which is a little sad. They were, for the most part, writing Apache training materials, which I enjoy, and I think I’m good at, but it’s a little isolating from the great people that comprise Apache itself.

Another thing that I have done with Apache over the last two years, and have largely abandoned since early this summer, is FeatherCast. I hope to pick that up again this week, perhaps as early as this morning. I really enjoy talking with folks from all over the technical world, and Apache particularly, and then sharing those conversations with you. There are so many people, so much smarter than I, working on fascinating projects, and it’s exciting both to talk with them, and also to give them the opportunity to tell the whole world about what they’re doing.

So, these weeks immersed in my third life are always rejuvenating, exciting … and generally expensive. But, I hear that my training class sold really well, so perhaps we’ll at least break even for the week.