Thursday, 2 April 2009

Building an example jZonic application

Since I am still working hard on getting more documentation in place, it is also the right time to start building an example application. However, building a blog application seems to have become the "hello world" for web applications lately. There is even a war going on about which language lets you implement it with less code. Certain people obviously think that this is a sign of quality. But for me it is not a matter of how easily you can build such a simple application, but rather how easy it is to extend with more sophisticated features.
Anyway, I am currently building the application and in parallel writing down what I am doing. The result will be a nice PDF showing the reader step by step how to build an application with jZonic.
It also helps me at the moment to find weak parts where I need to improve and add certain features.
So if anyone is reading this, stay tuned for the upcoming release.

Thursday, 19 March 2009

Writing and writing and writing

Seems like I am having a really good week when it comes to writing some documentation. Although it is not my favourite kind of work, it needs to get done. There are more and more people using jZonic, so I have to do it. So tonight I spent a fair amount of time and wrote a few more pages. Still so much to write down.
I made a list of topics I need to cover, and this list is really long. Next time I start an open source project I will keep the features to a bare minimum, just to be sure I can document it on a single page.
Anyway, back to work. Or maybe play a bit of quakelive in the meantime...

Tuesday, 17 March 2009

Too much security can kill your server

Sometimes you have to learn the hard way, and that is what I did a few days ago.
But let me start at the beginning. At the company I am working for we have one golden rule
that says that every public website we launch needs to be tested. I am talking about a pentest here.
A pentest basically checks your website for any kind of vulnerability like XSS (cross site scripting),
SQL injection and all these nasty kinds of attacks. These tests are performed by an external company,
pentest.co.uk. They are doing a great job.
So a few weeks ago we launched a new website that I am responsible for, and of course a pentest
was executed last week. The results are pretty impressive (thanks to jZonic) and no vulnerabilities were found.
Anyway, of course they usually also complain if your servers are too noisy, for example if they show
their name and version in the HTTP header or on a 404 page. They also figured out that the HTTP TRACE
method was still available. Nothing serious, but it usually reveals too much internal information.
Our live system usually combines an Apache 2.2 running up front and then Resin 3.2 for the web application
itself, both working together using mod_proxy.
Now I tried to fix the issues, but changing the server header in Apache is not that simple. But there was
mod_security to the rescue. I installed it and simply used the default configuration. In case you do not
know mod_proxy you can check it out here. There is a huge ruleset available that you can use.
The installation is pretty simple, and you can for example change the server header. After the installation
I was pretty happy since I had solved the open issues, and went back to my regular work.
During the day I saw that all of a sudden the performance of the website went nuts. An "htop" revealed that all of a sudden the machine was really busy. But traffic did not go up as well. Even a restart of Resin did not solve the problem. After some digging I figured out that it probably was a problem with mod_security. It was the only thing that I had changed that day, so it had to be it. The first step was to disable it, and the server went
back to stable conditions immediately.
Now it was time to take a deeper look at the configuration of mod_security.
That was actually my problem. You can download a HUGE set of rules for mod_security, and that is what I did, and I enabled ALL of them. So it was time to take a closer look at these rules. I was able to get rid of 70% of the rules. After enabling the mod again the server is still in stable conditions.
The conclusion is that mod_security is great. It should be part of any Apache installation. BUT take a closer look before you use it.
That is the story of how too much security killed my poor server.
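The hardening described in this post (a quieter Server header, no version footer on error pages, HTTP TRACE switched off, and mod_security with only a reviewed subset of its rules) as an added Apache 2.2 configuration example. This is not the author's production configuration: the log path and the included rule file names are placeholders for whatever your ruleset ships with, and the directive comments sit on their own lines because httpd does not accept trailing comments after a directive.

```apache
# Before (constructed example of the noisy defaults a pentest reports):
#   ServerTokens Full      - "Server: Apache/2.2.x (Unix) mod_proxy/..." on every response
#   ServerSignature On     - version footer on the 404 page
#   TraceEnable On         - TRACE echoes the request, including headers, back to the client

# After: core httpd settings, no mod_security needed for these
# Only "Apache" in the Server header when mod_security is not loaded
ServerTokens Prod
# No version footer on error pages
ServerSignature Off
# Reject TRACE with 405 (available since Apache 2.0.55)
TraceEnable Off

<IfModule mod_security2.c>
    # Start in detection mode and read the audit log under real traffic
    # before switching to On; this is where a rule set that is too large
    # shows up as CPU load instead of as an outage.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    # Inspecting every response body behind mod_proxy is expensive;
    # leave it off unless a rule you actually need requires it.
    SecResponseBodyAccess Off
    SecAuditEngine RelevantOnly
    # Log path is an assumption for this example
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Replace the Server header entirely. SecServerSignature only works when
    # httpd builds the full string, so ServerTokens must be Full here; this
    # later directive overrides the Prod setting above when the module is loaded.
    ServerTokens Full
    SecServerSignature "webserver"

    # Include only rule files you have reviewed instead of the whole download.
    # File names are placeholders for your ruleset's actual files.
    Include /etc/apache2/modsecurity/10_config.conf
    Include /etc/apache2/modsecurity/20_protocol_violations.conf
    Include /etc/apache2/modsecurity/41_sql_injection_attacks.conf
    Include /etc/apache2/modsecurity/41_xss_attacks.conf
    # Deliberately not included: outbound/response-body rules, malware scanning
    # and similar files whose cost did not fit the risk for this site.
</IfModule>
```

Run `apache2ctl -t` after editing, keep `SecRuleEngine DetectionOnly` for a day or two while watching the audit log and `htop`, and only then flip it to `On`; adding rule files one at a time in the same way shows which of them carries the load.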

Monday, 16 March 2009

Some updates on jZonic

I was a bit scared when I saw that my last post is actually 6 months old. So I thought I would just take the time and write something that I would like to get announced.
This time I thought I would just write something about jZonic. I guess nobody has ever heard of it before. Anyway, this is a web application framework that I have been working on for several years. I cannot even remember when Terry Dye and I started with it.
Over the years it has grown up to a mature framework which we use for all our web applications, of course. You have to eat your own dog food. Anything else would be ridiculous.
Way back in 2002 or 2003 there was a huge gap and nearly no sensible frameworks available. The world has changed ever since, and there are now many frameworks available. At that time there was Struts and one called Expresso. None of them were even close to being a usable framework at all. So we started our own.
The name jZonic has some weird history as well. At that time we were listening to a lot of music/MP3s during the day. One of our favourite records was "Sonic Temple" from "The Cult". That actually gave the name to our work. The "j" was added because it is a Java framework. Also, at that time it was hip to spell words slightly differently. So the name "jZonic" was taken. Maybe not the best choice.
However, beside all the nice features we have implemented over time, we did one very poor job. The documentation up to today is still close to non-existent. I hate writing documentation. The others hate it as well.
But finally we have a new website running, and whenever I feel like it I start documenting one of the features.
If you would like to follow me, read the website. Again, there is not much to find yet.

Like many times before, I have said to myself that I really have to change my attitude and write more.
At least for this week I am doing it. Probably next week it will change again and I will get back to my writing hibernation.