Allow some paths when your app is in maintenance

August 5th, 2008

Those of you who already follow Ezra's great guidance on setting up nginx as a front end to a mongrel cluster will know that it already includes a nice block to enable maintenance mode when you trigger it in capistrano (creates a /shared/system/maintenance.html page and rewrites all requests to it).

    if (-f $document_root/system/maintenance.html) {
      rewrite  ^(.*)$  /system/maintenance.html last;
      break;
    }

However, we had a customer the other day who wanted to put his application into maintenance mode but still get to the admin area. After much tinkering with nginx rewrite rules we came up with a solution that worked and also let you host your images and css from the same application without having those calls rewritten as well. Basically it just required a reordering of the rewrite rules within the location block to a more sane order.

See an example nginx config which implements this - based on Ezra's original to give the customer complete anonymity.

One important thing to note about this config is that if you serve images or CSS via processing in your mongrels, this will skip processing them. Indeed, anything that ends in css, jpg, png or gif will never make it to the mongrels and will be served by nginx instead. Consider this and remove the relevant if statement if this applies to you. In particular this will apply to Mephisto, which serves CSS via controller processing in order to then cache it out statically to disk.
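One way to get the behaviour described above, as an added example rather than the config linked from this post: it sets a flag variable at server level instead of reordering rules inside the location block. The upstream name and ports, `server_name`, the root path and the `/admin` prefix are assumptions.

```nginx
# Added example; goes inside the http { } block.
# Assumed names: mongrel_cluster, example.com, the root path, the /admin prefix.
upstream mongrel_cluster {
  server 127.0.0.1:8000;
  server 127.0.0.1:8001;
}

server {
  listen 80;
  server_name example.com;
  root /var/www/app/current/public;

  # Decide once, at server level, whether this request gets the maintenance page.
  set $maintenance 0;
  if (-f $document_root/system/maintenance.html) {
    set $maintenance 1;
  }
  # Exemptions test $uri (normalized path, no query string), so a request
  # like /orders?style=.css is not exempted by its query string.
  if ($uri ~* \.(css|jpg|png|gif)$) {
    set $maintenance 0;
  }
  # Anchor the prefix so /administrator or /admin-old do not match.
  if ($uri ~ ^/admin(/|$)) {
    set $maintenance 0;
  }
  if ($maintenance) {
    rewrite ^ /system/maintenance.html last;
  }

  # Anything ending in css, jpg, png or gif is served from disk, never proxied.
  location ~* \.(css|jpg|png|gif)$ {
    try_files $uri =404;
  }

  location / {
    try_files $uri $uri/index.html $uri.html @mongrel;
  }

  location @mongrel {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
    proxy_pass http://mongrel_cluster;
  }
}
```

The admin exemption only bypasses the maintenance rewrite; the application's own authentication still has to protect everything under that prefix.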


Firefox 3 triggers an OpenSSL bug

June 22nd, 2008

    Secure Connection Failed
    An error occurred during a connection to xyz-abe.com
    SSL received an unexpected Change Cipher Spec record.
    (Error code: ssl_error_rx_unexpected_change_cipher)

I’ve been seeing more and more customers report this in the lead-up to Firefox 3 going live… now the release has come I think the only thing you can do is try and get your production servers upgraded to the latest OpenSSL (0.9.8h) as soon as possible. Unfortunately the only other workarounds involve users disabling something in about:config or disabling SSLv3 on your server.

Some background reading on the bug:

Original report

Mozilla bug report

OpenSSL fix

Additionally I’ve seen Firefox 3 introduce another bug related to incorrectly signed HMAC codes in SSL transactions. After some digging around I noticed that Firefox 3 supports the Camellia cipher, which AFAIK isn’t widely supported amongst other browsers yet. During SSL negotiation the browser seems to end up using Camellia even though it could have negotiated the more familiar AES cipher. I hacked around this in one client's nginx configuration by adding the following to their http block:

    ssl_ciphers ALL:!CAMELLIA;
