Mongrel Web Server 0.3.12.1 -- Iron Mongrel

Discussion in 'Ruby' started by Zed Shaw, Apr 4, 2006.

  1. Zed Shaw

    Zed Shaw Guest

    Hello All Mongrel Users,

    For the uninitiated, Mongrel is a web server that runs Ruby web applications
    really fast. Read http://mongrel.rubyforge.org/ to find out more about
    it.

    This is the Iron Mongrel release. It is the result of trying to trash
    Mongrel until it can't move and then fixing anything that comes up. The
    work was done on EastMedia's and VeriSign's upcoming project in order to
    make sure it can handle heavy loads and potentially malformed requests. The
    project is a security and identity project so having a web server that is
    able to block bad requests is very important.

    The testing methods used were (are):

    1. Unit testing what I can. Mongrel is a server so many tests have to be
    done "live".
    2. Thrashing Mongrel's HTTP parser internally with random or near-random
    data (called fuzzing).
    3. Using "Peach Fuzz":http://peachfuzz.sourceforge.net/ to thrash several
    live apps with randomness.
    4. Running several extensive little scripts to explore the edges of death
    for Mongrel.
    5. Heavy code audits covering as much code as possible to find any possible
    loose ends.

    The end result is a lot of little fixes which make Mongrel more robust
    against badly behaving clients and possibly against many potential security
    risks in the future. In general Mongrel 0.3.12.1 behaves more consistently
    compared to past releases when given random data or maliciously formatted
    data.

    The main changes are related to how IO is processed and how the HTTP parser
    rejects "bad" input. What the parser now blocks is:

    * Any header over 112k.
    * Any query string over 10k.
    * Any header field value over 80k.
    * Any header field name over 256 bytes.
    * Any request URI (the file part, not the whole thing) greater than 512
    bytes.

    As soon as these conditions are detected the client is disconnected
    immediately and a log message is printed out listing the IP address, the
    exact cause, and the data that caused it. I'll remove the data dump later,
    but I want people to shoot me valid requests that cause parser errors.

    That's not all though. I've started a "security":security.html page where
    I'll publish the results of security threats, tests, and improvements as
    well as any advice for folks.

    This release also features a few little features here and there:

    * Initial support for a "config script". I'll be documenting this more, but
    it basically lets you use the Mongrel::RailsConfigurator to augment your
    application's config via a small script. Just pass "-S config/mongrel.rb"
    and put any Mongrel::RailsConfigurator statements that are reasonable.
    * Mongrel will report the correct REMOTE_ADDR variable, but it does a little
    trick where if there is an X-FORWARDED-FOR header then it sets REMOTE_ADDR
    to that.
    * Fixes for little bugs like double log messages, but not a lot of changes
    to the overall core.

    Go ahead and install the usual way: gem install mongrel *or* gem upgrade


    Zed A. Shaw
    http://www.zedshaw.com/
    http://mongrel.rubyforge.org/

    P.S. The snazzy Iron Mongrel logo is courtesy court3nay from
    http://caboo.se/
     
    Zed Shaw, Apr 4, 2006
    #1

  2. Toby DiPasquale

    Zed Shaw wrote:
    > This is the Iron Mongrel release. It is the result of trying to trash
    > Mongrel until it can't move and then fixing anything that comes up. The
    > work was done on EastMedia's and VeriSign's upcoming project in order to
    > make sure it can handle heavy loads and potentially malformed requests.
    > The
    > project is a security and identity project so having a web server that
    > is
    > able to block bad requests is very important.


    Any plans for an Mongrel XML-RPC hook, a la XMLRPC::WEBrickServlet? I
    didn't see any other than what comes with ActionWebService. I am using
    XML-RPC with WEBrick now and I'd love to move off of it and onto
    Mongrel. Would you accept a patch if submitted?

    --
    Toby DiPasquale

    --
    Posted via http://www.ruby-forum.com/.
     
    Toby DiPasquale, Apr 4, 2006
    #2

  3. pat eyler

    pat eyler Guest

    Heh, a new version on the day my mini writeup of 0.3.12 went live. Isn't
    that the way things always go? ;^)

    On 4/4/06, Zed Shaw <> wrote:
    > Hello All Mongrel Users,
    >
    > For the uninitiated, Mongrel is a web server that runs Ruby web applications
    > really fast. Read http://mongrel.rubyforge.org/ to find out more about
    > it.
    >
    > This is the Iron Mongrel release. It is the result of trying to trash
    > Mongrel until it can't move and then fixing anything that comes up. The
    > work was done on EastMedia's and VeriSign's upcoming project in order to
    > make sure it can handle heavy loads and potentially malformed requests. The
    > project is a security and identity project so having a web server that is
    > able to block bad requests is very important.
    >
    > The testing methods used were (are):
    >
    > 1. Unit testing what I can. Mongrel is a server so many tests have to be
    > done "live".
    > 2. Thrashing Mongrel's HTTP parser internally with random or near-random
    > data (called fuzzing).
    > 3. Using "Peach Fuzz":http://peachfuzz.sourceforge.net/ to thrash several
    > live apps with randomness.
    > 4. Running several extensive little scripts to explore the edges of death
    > for Mongrel.
    > 5. Heavy code audits covering as much code as possible to find any possible
    > loose ends.


    This sounds very cool. Any chance you could write up some of your testing
    activity in more detail? I think this would be a great way to learn more
    about testing beyond unit testing.

    >
    > The end result is a lot of little fixes which make Mongrel more robust
    > against badly behaving clients and possibly against many potential security
    > risks in the future. In general Mongrel 0.3.12.1 behaves more consistently
    > compared to past releases when given random data or maliciously formatted
    > data.


    Again, seeing more specific examples (show us the code man!) would be
    awesome.

    >

    [deleted]
    > Zed A. Shaw
    > http://www.zedshaw.com/
    > http://mongrel.rubyforge.org/
    >
    > P.S. The snazzy Iron Mongrel logo is courtesy court3nay from
    > http://caboo.se/
    >
    >
    >



    --
    thanks,
    -pate
    -------------------------
     
    pat eyler, Apr 4, 2006
    #3
  4. Zed Shaw

    Zed Shaw Guest

    On 4/4/06 11:23 AM, "pat eyler" <> wrote:

    > Heh, a new version on the day my mini writeup of 0.3.12 went live. Isn't
    > that the way things always go? ;^)
    >

    Where's your write-up? Yeah, I'm pushing hard to 0.3.13 (and then 0.4
    hopefully before or on Canada on Rails). The core functionality won't
    change, just stability and mostly debugging enhancements.

    > This sounds very cool. any chance you could write up some of your testing
    > activity in more detail? I think this would be a great way to learn more
    > about testing beyond unit testing.
    >


    I'll see if I can write it up.

    >>
    >> The end result is a lot of little fixes which make Mongrel more robust
    >> against badly behaving clients and possibly against many potential security
    >> risks in the future. In general Mongrel 0.3.12.1 behaves more consistently
    >> compared to past releases when given random data or maliciously formatted
    >> data.

    >
    > Again, seeing more specific examples (show us the code man!) would be
    > awesome.
    >


    The majority of the changes were to simply stop accepting elements that were
    above certain fixed lengths and to read smaller chunks of IO so that errors
    are detected earlier. I'll do a more complete write-up later when I can
    breathe. Or maybe a BOF at CoR?

    Zed A. Shaw
    http://www.zedshaw.com/
    http://mongrel.rubyforge.org/
     
    Zed Shaw, Apr 5, 2006
    #4
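The two ideas in this thread, the fixed size caps listed in the announcement (post #1) and Zed's summary above of reading IO in smaller chunks so errors surface early, can be illustrated with the following added Ruby example. It is not Mongrel's own parser code; the function names, the cause strings, the log line format and the 1024-byte chunk size are assumptions made here.

```ruby
require 'stringio'

# The size limits from the announcement, in bytes.
MAX_HEADER       = 112 * 1024  # the whole request head
MAX_QUERY_STRING = 10 * 1024
MAX_FIELD_VALUE  = 80 * 1024
MAX_FIELD_NAME   = 256
MAX_REQUEST_URI  = 512         # the path part only, not the query string

# Reads the head from io in small chunks, bailing out as soon as the head limit
# is crossed rather than buffering it all first. Returns [head, nil] or [nil, cause].
def read_request_head(io, chunk_size = 1024)
  head = +""
  until head.include?("\r\n\r\n")
    chunk = io.read(chunk_size)
    return [nil, "INCOMPLETE_HEAD"] if chunk.nil?          # EOF before the blank line
    head << chunk
    return [nil, "HEADER_TOO_LONG"] if head.bytesize > MAX_HEADER
  end
  [head.split("\r\n\r\n", 2).first.to_s, nil]              # drop any body bytes read
end

# Checks a complete request head against the remaining limits. Returns nil when
# the request passes, otherwise the exact cause a rejection log line carries.
def check_request_head(head)
  return "HEADER_TOO_LONG" if head.bytesize > MAX_HEADER
  request_line, *header_lines = head.split("\r\n")
  method, target, version = request_line.to_s.split(" ", 3)
  return "MALFORMED_REQUEST_LINE" unless method && target && version
  path, query = target.split("?", 2)
  return "REQUEST_URI_TOO_LONG" if path.bytesize > MAX_REQUEST_URI
  return "QUERY_STRING_TOO_LONG" if query && query.bytesize > MAX_QUERY_STRING
  header_lines.each do |line|
    name, value = line.split(":", 2)
    return "MALFORMED_HEADER" unless name && value
    return "FIELD_NAME_TOO_LONG" if name.bytesize > MAX_FIELD_NAME
    return "FIELD_VALUE_TOO_LONG" if value.strip.bytesize > MAX_FIELD_VALUE
  end
  nil
end

# The log line the announcement describes: client IP, exact cause, and a
# (here truncated) dump of the offending data.
def rejection_log(ip, cause, data)
  "BAD CLIENT (#{ip}): #{cause}: #{data[0, 64].inspect}"
end

# Constructed sample: a path longer than 512 bytes is rejected at the parser.
bad = "GET /#{'a' * 600} HTTP/1.1\r\nHost: example.test"
puts rejection_log("192.0.2.10", check_request_head(bad), bad)
```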
