[Instantrails-users] Application error (Apache) on virgin install of 1.2

David Morton mortonda at dgrmm.net
Mon Apr 10 21:11:34 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Russell wrote:
> For the Instant Rails Developers:
> I can't help but wonder why and SCGI server is needed in instant rails.
> Why not just pre-configure apache to use mod_ruby or embed the fast CGI
> code some other way? That's not meant to be a rhetorical question
> either. I'm really curious.

Well, the first reason, I think, was that getting SCGI to run on windows was far
easier to accomplish than getting fcgi or mod_ruby installed.

Second, it looks like SCGI may be on the way out in favor of mongrel... but that
idea needs some more work.

Finally, the question of why have a seperate process... this is a concept I wish
more people would grasp.  Some of this argument is more specifically for unix
platforms, but it may have some application to windows... Let me get up on my
soap box...

If you have multiple sites running in a webserver using php, mod_perl, mod_ruby,
fcgi... all of the sites run as the same user.  This means that any of the
applications must be able to read any of the sites configuration files, and
thus, every application can access any other application.  This is a huge
security risk.  Hosting companies work around this with monstrous scripts to
create virtual servers with xen or some sort of chroot environment.  Yuck.

A better model is to let the web server have access to any public static
content, but to proxy all requests back to an application server which runs as a
unique system user and as such is the only application that has access to
sensitive files.  This is basic security 101, and the apache web server has
ignored this its entire life.

It would be possible in windows to do this too, although for simple development
it may be overkill.  I would highly recommend this model for any production system.

Also, this system allows for greater horizontal scalability... the front end web
server can proxy the request to any number of middle tier application servers.
Then the webserver can do what it does best: serve static content, and the
application server (mongrel or scgi) can do what it does best.

...ok, I'll get off the soap box.

Obviously, InstantRails is not there yet, but the use of SCGI was a sound idea,
and I'm looking forward to seeing mongrel if it does better. It may make things
easier too... for basic development, I recommend mongrel and no apache - it's
fast and easy.   Then for a production environment, apache can be activated to
be the front end and proxy the requests to mongrel.  (I'm still trying to figure
out how to configure that, though)

- --
David Morton
Maia Mailguard                        - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEOwJGSIxC85HZHLMRAt0CAJ9bgoGHeSHGhWyOe/cGHK+S78ggeACgkomi
HltA8WA9u+4ORPJohU4FENE=
=8uJ8
-----END PGP SIGNATURE-----


More information about the Instantrails-users mailing list