110 posts tagged “rails”
2009
Phusion Passenger for nginx. Passenger (aka mod_rails / mod_rack) enables easy deployment of Rails and Ruby apps under Apache... and the latest version adds support for nginx as well. It works as an HTTP proxy and process manager, spawning worker processes and forwarding HTTP requests to them via a request queue. It can also handle Python WSGI applications—anyone tried it out for that yet?
Ruby on Rails 2.3 Release Notes. I’m impressed with how thoroughly Rails has embraced Rack (Ruby’s standardised web framework API, inspired by Python’s WSGI).
Building and Scaling a Startup on Rails: 12 Things We Learned the Hard Way. Lessons learned from Posterous. Some good advice in here, in particular “Memcache later: If you memcache first, you will never feel the pain and never learn how bad your database indexes and Rails queries are”. Also recommends using job queues for offline processing of anything that takes more than 200ms.
Infrastructure for Modern Web Sites. Leonard’s thoughts on what the next generation of web frameworks should aim to provide.
2008
Merb gets merged into Rails 3! Huge news. Of particular interest is the new focus on “framework agnosticism”, whereby Rails will aim to play well with people wishing to use alternative ORMs, template mechanisms and so forth. Rails has previously suffered from a reputation for getting in your way if you deviate from its opinions.
Response Splitting Risk. Important reminder that you should always ensure strings used in HTTP headers (redirect targets, cookie values, anything copied out of a request) don’t contain CR or LF characters. A newline ends the header, so an attacker who controls the value can append headers of their own, or an entire second response.
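A small demonstration of what the injected newline does and of the check that stops it. This is an added example, not code from the linked post; the header names and the attacker value are constructed for it.

```ruby
# Added example (not from the linked post): build HTTP header lines, first
# trusting the value and then refusing anything containing CR or LF.

class HeaderInjection < StandardError; end

# Naive builder: whatever the value contains goes on the wire.
def naive_header(name, value)
  "#{name}: #{value}\r\n"
end

# Guard: reject a value with a carriage return or line feed. Assumption: the
# application never needs folded (multi-line) header values, which RFC 7230
# deprecates anyway. Apply it after URL-decoding, since %0d%0a is decoded
# before the value reaches the header.
def safe_header_value(value)
  value = value.to_s
  raise HeaderInjection, "CR/LF in header value: #{value.inspect}" if value.match?(/[\r\n]/)
  value
end

def safe_header(name, value)
  "#{name}: #{safe_header_value(value)}\r\n"
end

# Split a raw header block the way a client would: one header per CRLF line.
def header_lines(raw)
  raw.split("\r\n").reject(&:empty?)
end

# Constructed attacker input: a redirect target taken from a query parameter.
# A server that copies it into Location emits a second header and a forged body.
ATTACK = "/home\r\nSet-Cookie: session=attacker-chosen\r\n\r\n<html>phish</html>".freeze

if __FILE__ == $0
  p header_lines(naive_header("Location", ATTACK))
  begin
    safe_header("Location", ATTACK)
  rescue HeaderInjection => e
    puts "rejected: #{e.message}"
  end
end
```

The naive builder turns one Location header into a Location header, a Set-Cookie header and a body the attacker wrote; the guard raises before any of that is emitted. Rejecting is usually better than silently stripping the newlines, since a stripped value is still attacker-shaped and the attempt is worth logging.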
Is your Rails application safe? (via) update_attributes(params[:foo]) in ActiveRecord is an anti-pattern: it mass-assigns every column named in the submitted hash, so a hand-crafted user[admin]=1 field sets a column the form never exposed. Whitelist the assignable columns with attr_accessible (or blacklist with attr_protected) instead.
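To show what the anti-pattern costs, here is an added stand-in for an ActiveRecord model (not Rails or ActiveRecord code) with an unsafe update_attributes next to a whitelisted one. The column names and the tampered parameters are constructed for the example.

```ruby
# Added example, not Rails or ActiveRecord code: a stand-in model showing why
# update_attributes(params[:user]) is dangerous and how a whitelist of
# assignable columns (the idea behind attr_accessible) closes the hole.

class User
  COLUMNS = %i[name email admin].freeze
  # Assumption: only these columns may ever be set from request parameters.
  ACCESSIBLE = %i[name email].freeze

  attr_reader :attributes

  def initialize
    @attributes = { name: nil, email: nil, admin: false }
  end

  def admin?
    @attributes[:admin] == true
  end

  # Anti-pattern: every key in the hash that matches a column is written,
  # so a form field the user was never shown still sets it.
  def update_attributes_unsafe(params)
    params.each do |key, value|
      key = key.to_sym
      @attributes[key] = cast(key, value) if COLUMNS.include?(key)
    end
    self
  end

  # Fix: only whitelisted columns are taken from the hash; the rest are
  # dropped and logged, which is what Rails does for protected attributes.
  def update_attributes(params)
    ignored = params.keys.map(&:to_sym) - ACCESSIBLE
    warn "ignored non-accessible attributes: #{ignored.inspect}" unless ignored.empty?
    params.each do |key, value|
      key = key.to_sym
      @attributes[key] = cast(key, value) if ACCESSIBLE.include?(key)
    end
    self
  end

  private

  # Form values arrive as strings; mimic ActiveRecord's boolean typecasting.
  def cast(key, value)
    key == :admin ? %w[1 true].include?(value.to_s) : value
  end
end

# Constructed POST body: the form only showed name and email, but the attacker
# added user[admin]=1 by hand.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => "1" }.freeze

def unsafe_result
  User.new.update_attributes_unsafe(TAMPERED_PARAMS)
end

def safe_result
  User.new.update_attributes(TAMPERED_PARAMS)
end
```

The whitelist lives in the model rather than in each controller so that every code path that writes from params gets the same protection; a per-action slice of params works too but is easy to forget once.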
DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming.
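An added example, not the REXML patch itself, of the pre-parse check a Rails app could run on user-supplied XML: it costs each internal entity from the DTD declarations alone, without expanding anything, and refuses the document if any entity would blow past a byte budget. The payload and the benign document are constructed; the budget and the regexes are this example’s own assumptions.

```ruby
require "rexml/document"

# Added example, not the REXML patch itself: size up each internal entity in a
# document's DTD from the declarations alone and refuse to hand the document to
# REXML if any entity would expand past a byte budget. Assumptions: only internal
# general entities in double quotes are modelled; any parameter entity or
# external (SYSTEM/PUBLIC) entity is rejected outright.

class UnsafeXml < StandardError; end

ENTITY_DECL = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/
RISKY_DECL  = /<!ENTITY\s+(?:%\s|\w+\s+(?:SYSTEM|PUBLIC)\b)/
ENTITY_REF  = /&(\w+);/
PREDEFINED  = %w[lt gt amp quot apos].freeze

def internal_entities(xml)
  xml.scan(ENTITY_DECL).to_h
end

# Fully expanded byte size of an entity, without performing the expansion.
# Memoised so a tenfold-nested chain is costed in linear time; cycles (which
# XML forbids) are reported rather than followed.
def expanded_size(entities, name, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  raise UnsafeXml, "recursive entity #{name}" if stack.include?(name)
  value = entities[name]
  size = if value.nil?
           PREDEFINED.include?(name) ? 1 : 0
         else
           refs = value.scan(ENTITY_REF).flatten
           value.gsub(ENTITY_REF, "").bytesize +
             refs.sum { |ref| expanded_size(entities, ref, memo, stack + [name]) }
         end
  memo[name] = size
end

def largest_expansion(xml)
  entities = internal_entities(xml)
  memo = {}
  entities.keys.map { |n| [n, expanded_size(entities, n, memo)] }.max_by { |_, s| s } || ["", 0]
end

def parse_untrusted_xml(xml, max_entity_bytes: 10_240)
  raise UnsafeXml, "parameter or external entity declared" if xml.match?(RISKY_DECL)
  name, size = largest_expansion(xml)
  raise UnsafeXml, "entity #{name} would expand to #{size} bytes" if size > max_entity_bytes
  REXML::Document.new(xml)
end

# Constructed payload: the classic billion-laughs shape, nine levels of
# tenfold nesting, 3 * 10^9 bytes if actually expanded.
BILLION_LAUGHS = begin
  decls = ['<!ENTITY lol "lol">']
  previous = "lol"
  (1..9).each do |i|
    decls << %(<!ENTITY lol#{i} "#{"&#{previous};" * 10}">)
    previous = "lol#{i}"
  end
  "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n#{decls.join("\n")}\n]>\n<lolz>&lol9;</lolz>"
end

# Constructed benign document with one small internal entity.
BENIGN = %(<?xml version="1.0"?>\n<!DOCTYPE note [<!ENTITY company "Example Corp">]>\n<note>&company;</note>)
```

Current REXML enforces limits of its own, REXML::Security.entity_expansion_limit (10,000 expansions by default) and entity_expansion_text_limit (10,240 bytes), which are the descendants of that monkey-patch. The check above is a belt-and-braces layer in front of the parser: it rejects the document before any expansion work starts, and it also refuses external entities, which are a separate problem (file and network access) that an expansion counter does nothing about.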
Ruby’s Vulnerability Handling Debacle. The critical Ruby vulnerabilities are over a week old now but there’s still no good official patch (the security patches cause segfaults in Rails, leaving the community reliant on unofficial patches from third parties). Max Caceres has three takeaway lessons, the most important of which is to always keep a “last-known-good” branch to apply critical patches to.
Twitter, or Architecture Will Not Save You. Kellan is not an armchair architect. He also doesn’t mention Rails once. Well worth reading.
On-board vs. Off-board Comet. Useful distinction. On-board comet runs on the same server as the rest of your application; Off-board comet is served from a separate server (generally a subdomain) and a separate stack. If you want to stick with PHP, Rails or Django for the rest of your site off-board comet looks like the way to go.
Multi-Inflection-Point Alert. Dammit, Tim, stop giving away our competitive advantages!
What’s New in Edge Rails: Easier Timezones (via) Time zones can be a nightmare to get right—if this works well it’s going to make a lot of people’s lives a whole bunch easier.
Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet.
2007
ErlyWeb vs. Ruby on Rails EC2 Performance Showdown. ErlyWeb’s peak response rate beats Rails by 47x, albeit with a hugely simplified benchmark. More interesting than the results is the idea of using EC2 for benchmarking on identical simulated hardware.
Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes.
BBC Radio Labs: Perl on Rails. BBC engineers built their own Rails clone in Perl to fit in with the BBC’s engineering infrastructure—it’s already running the new programmes guide.
Two Weeks With Django. A Rails developer tries Django but ends up switching back to Rails. I think we could definitely take some steps towards making the initial user experience a bit smoother—currently you have to decide things like how you’ll serve static files and where you’ll keep your templates. Once you’ve got that lot set up it’s mostly plain sailing but it does mean there’s a bit of a bump in the learning curve.
Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON.
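This complaint, the SafeErb entry and the auto-escaping question above all come down to who does the escaping. An added example, not SafeErb’s or Rails’ code, of the buffer-based approach Rails later adopted (a string type that escapes everything appended to it unless the value was explicitly marked safe), with a strict mode that raises instead, which is SafeErb’s idea. The template syntax, the attacker comment and the trusted widget are constructed.

```ruby
require "erb"

# Added example, not SafeErb or Rails code: a minimal auto-escaping output buffer.
# Anything appended is HTML-escaped unless it has been marked html_safe, so a
# template that forgets h() still cannot emit script. A strict mode raises on
# unmarked strings instead, which is SafeErb's approach.

class UnsafeString < StandardError; end

class SafeBuffer < String
  alias_method :safe_concat, :<<   # raw String#<< kept for trusted template text

  def html_safe?
    true
  end

  def to_s
    self   # keep the mark when template code calls .to_s on the buffer
  end

  # Escaped unless the value declares itself safe.
  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    safe_concat(safe ? value : ERB::Util.html_escape(value.to_s))
  end
  alias_method :concat, :<<
end

class String
  def html_safe?
    false
  end

  # Opt-in: the caller asserts this markup is trusted.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Tiny renderer for templates with <%= name %> holes. Literal template text is
# trusted; interpolated values go through the buffer.
def render(template, locals, on_unsafe: :escape)
  buf = SafeBuffer.new
  template.split(/(<%=.*?%>)/m).each do |chunk|
    if chunk.start_with?("<%=")
      value = locals.fetch(chunk[3...-2].strip.to_sym)
      if on_unsafe == :raise && !(value.respond_to?(:html_safe?) && value.html_safe?)
        raise UnsafeString, "unescaped value for #{chunk.strip}"
      end
      buf << value
    else
      buf.safe_concat(chunk)
    end
  end
  buf
end

# Constructed inputs: an attacker-supplied comment and a trusted widget.
PAYLOAD  = %q(<script>alert("xss")</script>).freeze
TEMPLATE = "<p><%= comment %></p><div><%= widget %></div>".freeze

def rendered_with_escaping
  render(TEMPLATE, { comment: PAYLOAD, widget: "<b>trusted markup</b>".html_safe })
end
```

The difference between the two modes is what happens to a value nobody thought about: escaping renders it harmlessly as text, raising makes the omission a bug you find in development. Either is far better than the default of trusting every string, and both depend on html_safe being used only for markup the application itself produced.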
Rails 1.2.4: Maintenance release. “Session fixation attacks are mitigated by removing support for URL-based sessions”—I’ve always hated URL-based sessions; I’d be interested to hear if their removal from Rails causes legitimate problems for anyone.
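Dropping URL-based sessions matters because a session id in a URL is one the attacker can choose and hand to the victim in a link. An added example, not Rails code, of the two defences that go together against fixation: take the id only from the cookie, and mint a new id when the user authenticates. The cookie and parameter names are assumed and the scenario is constructed.

```ruby
require "securerandom"

# Added example, not Rails code: a minimal session store showing the two
# defences behind dropping URL-based sessions. The session id is read only from
# the cookie, never from a query parameter, so an attacker cannot plant one via
# a link; and a fresh id is issued at login, so an id known before
# authentication is worthless afterwards. Cookie/parameter names are assumed.

class SessionStore
  COOKIE = "_session_id".freeze

  def initialize
    @sessions = {}
  end

  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Resolve the request's session. The query string is accepted as an argument
  # only to make the point that it is ignored.
  def lookup(cookies, _query_params)
    id = cookies[COOKIE]
    @sessions.key?(id) ? id : nil
  end

  # Authentication moves the data to a new id and forgets the old one.
  def login(old_id, user)
    data = @sessions.delete(old_id) || {}
    new_id = create
    @sessions[new_id] = data.merge(user: user)
    new_id
  end

  def user_for(id)
    (@sessions[id] || {})[:user]
  end
end

# Constructed fixation attempt: the attacker sends the victim a link carrying
# ?_session_id=attacker-known-id and later presents that id as their own cookie.
def fixation_defeated?
  store = SessionStore.new
  planted = "attacker-known-id"
  # Victim arrives with no cookie; the planted parameter is ignored and a real id minted.
  pre_login = store.lookup({}, { "_session_id" => planted }) || store.create
  # Victim logs in; the id rotates.
  post_login = store.login(pre_login, "victim")
  store.user_for(planted).nil? &&       # planted id never became a session
    store.user_for(pre_login).nil? &&   # pre-login id no longer resolves
    store.user_for(post_login) == "victim"
end
```

Rotating the id at login is the half that still applies once sessions are cookie-only: a cookie set on a shared machine, or planted through a subdomain, is just as fixed as one in a URL, and only becomes useless if authentication discards it.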
identity-matcher. Dopplr’s social network importing code (for Gmail, Twitter, Facebook and sites supporting Microformats), implemented as a Rails ActiveRecord plugin.
7 reasons I switched back to PHP after 2 years on Rails. After two years working on a Rails rewrite of CD Baby, Derek Sivers scrapped it and instead rewrote the PHP version using Rails-inspired design principles. Derek would still use Rails for a greenfield project though.
Bust A Name. Smart Ajax powered domain search; you give it some words, it shows you available combinations. It’s still almost impossible to find something that doesn’t suck though.
Scale rails from one box to three, four and five. Excellent, concise run-down of what it takes to scale a web application. Most of the advice is easily portable to other frameworks.
Disambiguated URLs with Ruby on Rails. Using before_filter to remove trailing slashes and a few lines of lighttpd configuration to kill the www.
One App, One User Account and Multiple OpenIDs. Dr Nic on allowing many OpenIDs to be associated with a single account.
Just what web server should be sitting in front of my Rails application? Includes some interesting notes about Varnish, PHK’s high performance, highly configurable front-end caching server (essentially a much more modern version of Squid).
SELECT * FROM everything, or why databases are awesome. I’m beginning to think that for scalable applications the thinner your ORM is the better—if you even use one at all.
Scaling Twitter (via) Slides from Blaine’s recent talk.
In the big picture, Twitter did exactly the right thing. They had a good idea and they buckled down and focused on delivering something as cool as possible as fast as possible, and it's really hard, in early 2007, to beat Rails for that. When all of a sudden there were a few tens of thousands of people using it, then they went to work on the scaling.
— Tim Bray