Footnotes

Section 2

[1] By “mostly” we mean it uses some Ruby C extensions to handle the URI parsing, but otherwise it is all Ruby.

Section 4

[2] This configuration is based on work by Ezra Zygmuntowicz and has been used with permission.

Section 5

[3] This isn’t a dig on Windows; it’s just a reality of Ruby and how it runs on Windows.

[4] I worked at a government agency that said HTTPS+XML was not secure, but that SOAP was, and used telnet to manage important records based on system administrators setting policies. If the irony is not obvious (lucky you, you’ve never had to deal with SOAP), SOAP is HTTP(S)+XML, and telnet sends in cleartext.

[5] Cover Your Ass

[6] One interesting thing to try in a heterogeneous environment is the NetBSD pkgsrc. Their source builds work on nearly any POSIX system and don’t interfere with your package system. You can get the exact same software installed on all systems even if they are different, and most of the software is current.

[7] Much of this section is based on documentation donated by Austin Godber to the Mongrel project.

[8] When you svn co your source, the checkout leaves .svn directories (Subversion’s working-copy metadata, including its own copies of the checked-out files) lying around where your Web server can serve them to the world. That is a security problem in itself, and a serious one if you do silly things like put passwords into your source or keep other sensitive items in it. Use svn export for anything the Web server can reach, or make sure the server refuses to serve .svn.

Section 6

[9] (Pitagora Suiichi) for the Japanese readers (http://en.wikipedia.org/wiki/Pitagora_Suicchi).

[10] This is the origin of the “BAD CLIENT” error message and is also the reason Mongrel can resist many attacks and still stay alive.

[11] Pure F***ing Magic. The best kind of magic (http://en.wikipedia.org/wiki/PFM).

[12] The easiest way to get to any gem’s RDoc is to run gem_server and access it with your browser.

[13] Remember, easiest way is gem_server.

Section 7

[14] Fuzzing is a technique where you try to break applications by handing them mountains of random or deliberately malformed data and watching for crashes, hangs, and other misbehavior. It works amazingly well.
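The two footnotes above, [10] on rejecting bad clients without dying and [14] on fuzzing, describe the same test from opposite sides. The following is an added example, not code from the book or from the Mongrel project: a seeded mutation fuzzer that takes one well-formed HTTP/1.1 request, applies a random corruption (truncation, a flipped byte, a repeated header, an oversized field, bare LF line endings, NUL bytes in the request line), and feeds the result to a toy strict parser. The parser, its BadClient error, the MAX_FIELD_LENGTH limit and the seed request are all assumptions for illustration. A parser that is working correctly answers garbage with BadClient and nothing else; any other exception recorded under :crashed is a bug in the server, not the client.

```ruby
# Added example, not from the Mongrel book or project. Toy parser,
# limits and seed request are assumptions made for illustration.

class BadClient < StandardError; end

MAX_FIELD_LENGTH = 8192                        # assumed cap on one header line
REQUEST_LINE_RE  = %r{\A[A-Z]+ [!-~]+ HTTP/1\.[01]\z}   # printable, no NULs
HEADER_NAME_RE   = /\A[A-Za-z0-9-]+\z/

# Strict parser: anything not well-formed is rejected with BadClient.
# Any other exception escaping from here is a real defect.
def toy_parse(raw)
  raw = raw.b                                  # treat the request as bytes
  head, body = raw.split("\r\n\r\n", 2)
  raise BadClient, "no end of headers" if body.nil?
  lines = head.split("\r\n")
  request_line = lines.shift
  unless request_line.is_a?(String) && REQUEST_LINE_RE.match?(request_line)
    raise BadClient, "malformed request line"
  end
  headers = {}
  lines.each do |line|
    raise BadClient, "header field too long" if line.bytesize > MAX_FIELD_LENGTH
    name, value = line.split(":", 2)
    raise BadClient, "malformed header" if value.nil? || !HEADER_NAME_RE.match?(name)
    headers[name.downcase] = value.strip
  end
  headers
end

# One random corruption of the seed request. Each branch models a class
# of broken or hostile client behaviour.
def mutate(request, rng)
  bytes = request.b
  case rng.rand(6)
  when 0                                       # connection cut mid-request
    bytes[0, rng.rand(bytes.bytesize)]
  when 1                                       # a single flipped byte
    arr = bytes.bytes
    arr[rng.rand(arr.size)] ^= 0xff
    arr.pack("C*")
  when 2                                       # a header line sent twice
    lines = bytes.split("\r\n")
    lines.insert(rng.rand(lines.size) + 1, lines[1 + rng.rand(lines.size - 1)])
    lines.join("\r\n") + "\r\n\r\n"
  when 3                                       # absurdly long header value
    bytes.sub("example.com", "A" * (MAX_FIELD_LENGTH * 2))
  when 4                                       # bare LF instead of CRLF
    bytes.gsub("\r\n", "\n")
  else                                         # NUL bytes in the request line
    bytes.sub(" / ", " /\0\0 ")
  end
end

# Run +iterations+ mutated requests through the parser and classify each
# outcome. Rejections are the healthy case; :crashed should stay empty.
def fuzz(seed_request, iterations, seed: 1)
  rng = Random.new(seed)                       # fixed seed: reproducible runs
  results = { accepted: 0, rejected: 0, crashed: [] }
  iterations.times do
    input = mutate(seed_request, rng)
    begin
      toy_parse(input)
      results[:accepted] += 1
    rescue BadClient
      results[:rejected] += 1
    rescue StandardError => e                  # the parser itself broke
      results[:crashed] << [e.class.name, e.message, input]
    end
  end
  results
end

# Constructed seed request; the fuzzer only ever mutates this one input.
SEED_REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: fuzz\r\n\r\n"

if __FILE__ == $0
  r = fuzz(SEED_REQUEST, 500)
  puts "accepted=#{r[:accepted]} rejected=#{r[:rejected]} crashed=#{r[:crashed].size}"
  r[:crashed].each { |klass, msg, input| puts "#{klass}: #{msg} <- #{input.inspect}" }
end
```

Swap toy_parse for a call into the real parser under test and the harness does the same job: a growing :crashed list is the signal that some input the grammar never anticipated has found its way past the "BAD CLIENT" path.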

[15] Not Matt Pelletier, a different Matt (there are a few of us around).

Section 8

[16] Install it with gem install ruby-prof.

Section 9

[17] In the security world it’s an established practice to use a “whitelist” rather than a “blacklist” when creating a secured access policy. Instead of configuring your security to say “I accept everything, except…”, you configure it to say “I reject everything, except…”. A blacklist only stops what you remembered to list; a whitelist also stops what you never thought of.
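Footnote [8] (the .svn directories a checkout leaves under the document root) and footnote [17] (whitelist over blacklist) meet in the same piece of code: the check a static-file handler runs on a request path before opening anything. The following is an added example, not code from the book or from the Mongrel project. It puts the two policies side by side on the same constructed request paths: a blacklist that names the directories we remembered to block, and a whitelist that names the only file types a public directory should ever serve. Both first normalize the path (percent-decoding, dropping the query string, resolving "." and "..") so they judge the file that would really be opened. The block lists, sample paths and function names are assumptions for illustration.

```ruby
# Added example, not from the Mongrel book or project. Lists and sample
# paths are assumptions made for illustration.

# Blacklist policy: "accept everything, except..."
BLOCKED_DIRS = %w[.svn CVS].freeze

# Whitelist policy: "reject everything, except..."
ALLOWED_EXTENSIONS = %w[.html .css .js .png .jpg .gif .ico].freeze

# Percent-decode, drop the query string and resolve "." and ".." so the
# policies see the file that would actually be opened. Returns an array
# of path segments, or nil if the path climbs above the document root.
def normalize(request_path)
  path = request_path.split("?", 2).first.to_s.b
  decoded = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  segments = []
  decoded.split("/").each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      return nil if segments.empty?            # escape attempt: refuse outright
      segments.pop
    else
      segments << seg
    end
  end
  segments
end

# Default allow: serve anything that does not touch a blocked directory.
def blacklist_allows?(request_path)
  segments = normalize(request_path)
  return false if segments.nil?
  (segments & BLOCKED_DIRS).empty?
end

# Default deny: serve only a plain (non-dot) path ending in a known
# asset extension. A bare directory request like "/" is the handler's
# job to map to an index file before this check runs.
def whitelist_allows?(request_path)
  segments = normalize(request_path)
  return false if segments.nil? || segments.empty?
  return false if segments.any? { |seg| seg.start_with?(".") }   # no .svn, .git, .htpasswd, ...
  ALLOWED_EXTENSIONS.include?(File.extname(segments.last).downcase)
end

# Constructed request paths: the first three are legitimate, the rest
# are the kinds of things a checkout or a careless deploy leaves reachable.
SAMPLE_PATHS = [
  "/index.html",
  "/style.css?v=3",
  "/images/logo.png",
  "/.svn/entries",
  "/images/%2e%2e/.svn/entries",             # encoded traversal into .svn
  "/.git/config",                            # VCS the blacklist never heard of
  "/config/database.yml",                    # not VCS at all, still secret
  "/../etc/passwd",
].freeze

# [path, blacklist verdict, whitelist verdict] for each sample.
def compare(paths = SAMPLE_PATHS)
  paths.map { |p| [p, blacklist_allows?(p), whitelist_allows?(p)] }
end

if __FILE__ == $0
  compare.each { |p, b, w| printf("%-32s blacklist=%-5s whitelist=%s\n", p, b, w) }
end
```

Running it shows the asymmetry the footnote is about: both policies stop /.svn/entries and the encoded traversal that reaches it, but only the whitelist stops /.git/config and /config/database.yml, because nobody told the blacklist about them.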

[18] Zed has a theory that there’s a correlation between ambiguity in the grammar specification for HTTP 1.1 and the potential for security defects in a Web server’s or client’s protocol handler.

[19] You can actually compare them side-by-side to make sure Mongrel is following the specification. That’s not possible with a hand-written parser.

[20] Using Ragel also helped cut down development time, made it easier to validate against the RFC, made it possible for others to reuse the parser in their projects, and was just a really great idea.

[21] More than a few giant companies (including one that does-no-evil) and several proxy server vendors all were caught not honoring the “Connection: close” response in their proxy server software. Ironically they came to me claiming Mongrel didn’t follow the RFC, when it was actually their proxy servers that didn’t.
