How we improved FACTURAgem security, or how to set HTTPS for your rails application

As you probably know, one of the products in my company is FACTURAgem, a web application for making simple invoices targetted to those users who are currently invoicing using word, excel or a notepad and a ballpoint.

Since your invoices are something you don’t want to share with the rest of the word, all the pages protected by login were securily encrypted and served via https since the first day, and the session cookie was automatically expired when the browser is closed, so the system was pretty safe.

Still, there was a very small chance of someone hijacking your session, if you were using FACTURAgem and you happened to be sharing a public network with a hacker nearby who was interested in accessing your FACTURAgem account. Due to the profile of both our users and our application this scenario was not likely to happen, and we never had any security breach since we launched the product.

However, with the proliferation of public networks and the quick adoption of smartphones, ipads, netbooks and a myriad of always-connected portable devices, we wanted to add an extra layer of security for our users, so now they can safely use FACTURAgem at any place without any worries.

Since yesterday, all the pages in FACTURAgem, both private and public, are securily served via https. Even if you forget to include the “s” when accesing the apllication, our servers will redirect appropriately to the safest version.

For the technically savvy, I will explain the highlights of the process:

note: FACTURAgem is running on an Apache/Passenger/Rails stack. If you are using a different setup, details might be differ, but the spirit is the same.

We had to cover different fronts of the https problem:

Configuring a certificate and SSL virtual host for Apache.

This was already done in our case since the beginning of the project. There’s a lot of information out there about how to do this.

Telling Apache to redirect all the traffic to https

We had to instruct our non-ssl virtual host to redirect all the traffic to the SSL one, so if you type http://www.facturagem.com/help you should be redirected to https://www.facturagem.com/help instead.

This is easily done with:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Unfortunately, in our case, we had an extra constraint. There are a couple of subdirectories we don’t want to put under SSL, because they are served by an external service that cannot run under https. For those pages, we will not store any session information, so they will not be a security problem. All we had to do is telling Apache not to redirect if the url is in one of those directories

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !.(fictional_directory_name|another_fictional_directory_name).*
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

By doing this, if you try to visit http://www.facturagem.com/fictional_directory_name/whatever you will not be redirected to https.

Making sure we marked the cookie as secure, so we are 100% sure it will never be passed to non-encrypted pages

By setting a cookie as “secure” your browser is smart enough to send the cookie back only when asking for a SSL resource. That way, even if you are browsing unsafe pages from the same domain, the cookie will not be transmitted, so your session is not subject to attacks.

If you are setting your cookies “manually”, secure is one of the attributes you can set. But if you are using session cookies in Rails, it’s as easy as setting an extra parameter when configuring your session cookie.

ActionController::Base.session = {
:key => '_your_application_secure_session_id',
:secret => '11111222312321321321321313213213213213213213213237761223213213213213131231231321321312',
:secure => Facturagem.config.secure_cookie
}

Some things to consider here. If you are changing a live application, as it was our case, it’s a good idea to change the name of the cookie. That way, you are sure everybody is going to be using the secure version. Otherwise, users with a valid cookie would still use the non-secure version in some browsers. By changing the name, you are sure everyone is setting a new cookie and everyone is secure using your site. The collateral effect is you will be signing out all of the users browsing your site, so take it into account.

Also, note how we are using a config variable to set a secure cookie (or not). This way, our developers can work without locally enabling SSL.

Removing any references to http external resources, so we avoid the “mixed content” message in some browsers

By this point everything should be working fine, but if you are using any resources directly by absolute URL (as is the case of external js or, in many ocassions, images referenced from your stylesheets), then you will be having the “mixed content” message and your users will feel something is not right.

Your first impulse can be changing all the “http://” ocurrences in your files for “https://”. That would fix the problem on production, but should any developer work without SSL, she would experience the mixed content alerts.

There is a not-so-known-but-perfectly-fine solution for this. You can use relative network-path references , also known as protocol relative urls. To make a long story short, if you write ‘//www.google.com/jsapi’ it will use http or https depending on which protocol you are using on the current page. That way, you can forget about which schema you are on. There’s a caveat with explorer downloading twice the javascript files (at least until IE8 there was), and if you want more info Paul Irish has it ready for you.

That was it! by following those steps we were able to make our site more secure and it took just some hours to set up. Now you can use FACTURAgem when you need to, without worrying who your neighbours are.

If you are out of Spain, pay attention to @facturagem, because we are going to be launching an international version pretty soon.

Installing a Rails plugin from a github branch

Today I wanted to install a plugin from github into a rails project. So far so good, you would think. You only need to run script/plugin install and start coding right away.

Unfortunately, the branch of the plugin I need is not the master one, because this applications runs on rails 2.3.x and the master branch has been adapted to rails 3 already.

I could just download the tar file from github, or I could make a git clone and checkout the branch I wanted.. but it turns out I don’t need to do any of those, because old good script/plugin has an option to checkout a specific branch

script/plugin install http://github.com/rails/exception_notification.git -r 2-3-stable

And I can start coding right away.. and that’s exactly what I’m going to do after publishing this post.

Happy 4th birthday ASPgems

Four years ago I thought I was at the top of my career. The company I had co-founded was starting to look much like a nine to five job and I decided to resign and accept a great position as a post-sales engineer in FatWire, where I would have the chance to improve their content server solution, which in my opinion was the best of the market by then. Things were looking sweet: new challenges, smart jobmates, important clients, interesting salary… and then I got an IM from Ana Isabel that changed it all (you gotta love it was not a phone call, mind you)

She told me about this brand new tiny company she was starting up together with Agustin Cuenca and some other folks I didn’t know by then, and who resulted to be brilliant. The idea was to be an Application Server Provider and offer products in the later so-called cloud to help small and medium size companies manage their businesses. They would also develop web applications for third parties. And they would do it all using this new toy called Rails, after a successful proof of concept for a real client by Xavier Noria. Regarding project management, they didn’t want to use a traditional approach, but going down the Agile road and use Scrum. The name of the company was ASPgems, where ASP stands for Application Server Provider and “gems” was something related to this Rails thing.

I was very reluctant to join them. Apart from having just landed into a great job position, I had a lot of doubts about the new company. They didn’t have any money, so I would have to cut down my salary and trust the company would eventually make it; they were working remotely, so I thought nothing would get really done; they didn’t have any big clients, and I came from the banking/public sector/corporate world; and to top it all they were using this Ruby on Rails framework and these requirementless agile methodologies.

My first experience with Ruby, some years before, was painful. I had to make some kind of automatic web crawler and I found libraries for doing it both with Ruby and Jython. I didn’t knew any of them so I tried them both. Right now I don’t remember why I didn’t choose the Jython library, but I know why I didn’t choose Ruby. After half a day trying, it was impossible to make the thing work on my windows machine, and all the documentation was in Japanese, so good luck with it. I finally coded my own crawling solution in good old Java and XML.

So you can imagine I was skeptical about Ruby. Then I started to read about Ruby and Rails and I panicked: no static type check, lack of hosting options, poor windows support, opinionated instead of configurable, with a certain disdain for the database layer… my Java instincts were alerting me with a lot of red signals. And then I made “the mistake” of having lunch with Ana and Agustin. They were really excited about the company, they saw a world full of possibilities, and the sense of adventure was just too strong for me to resist. Besides Agustin had been the guy who started Qarana, the best company I had worked for until then. It was just natural for me to join ASPgems.

By adopting Rails as her development framework, ASPgems was making a statement: We don’t care what other people are doing, we want to use the best tools available with or without the support of the rest of the industry. Living up to that statement takes a lot of work. First you have to be sure you are using the best tools available, so you have to be scanning the surroundings all the time to see when it’s time to move to the new best thing. Besides, you have to keep up to date on all the changes and on the new libraries available. And of course in many occasions you will have to be the one building those libraries, because getting there first means no one did the work for you yet. This living on the edge thing can be really time consuming, but things get much easier when you find a friendly community sharing your passion. And in Ruby/Rails we are really lucky on that issue.

Today is ASPgems’ fourth birthday and I’ve been a part of the company almost from the first month. If I have to judge in terms of personal development, I can say without any doubts this is the best company I’ve worked for, and I guess that’s why I’ve stayed here longer than in any other place before.

Below are some of the things I have done in the last four years. Had I stayed in my safe Java corporate world, I’m not sure I wouldn’t have done some of these things, but I’m sure ASPgems inspired me to do most of them.

I have..

..attended more conferences (and camps, and other events) in the last four years than in the previous 10+ since I started working on IT.
..organized and presented talks in both national and international conferences
..co-started a local ruby group
..curated an extensive online presence: blog, personal page, vimeo, slideshare, mailing lists, communities…
..greatly improved my google ranking, making my conventional CV irrelevant
..written a book

..learnt how to better manage web projects
..seen clients really happy to see their projects going live on time
..shared my knowledge with both clients and competition
..launched more web applications than I can remember

..taught ruby on rails
..introduced some friends to the Ruby on Rails/Agile world
..developed a taste for being an early adopter on new technologies
..adopted ruby on rails for my personal and freelance projects
..switched to linux
..bought several domains and rented my own VPS

..learnt about SEO and Analytics
..made websites scale, and learnt a lot during the process
..learnt a lot about IT (web servers, process monitoring, system set up and configuration…)
..improved vastly my skills on client-side web developent
..been wrong many times, and happy to learn from those mistakes

..helped to build one of the most solid development teams I have seen
..worked together with the commercial department, and not against it

..kept in contact with brilliant developers from all over the world
..started repositories in github and rubyforge
..collaborated in several open source projects

..realized money is just a secondary motivation

Happy birthday ASPgems, and thank you.

p.s. By the way, remember how skeptical I was about Ruby? I was wrong, and happy to be. Go try it by yourself!

Eclipse buttons not working on Ubuntu Karmic Koala

Lately I was experiencing a strange behavior when working with Eclipse/RadRails. Some of the buttons didn’t work anymore. I could click on them, but they’d just appear as selected, without performing any actions. I had to use the enter key to actually click on the button.

Since I had run an update some days ago, I was blaming some new version of one of the installed plugins.. but I was wrong.

Today I read this post where it explains how to fix it. It’s a conflict between Eclipse and the latest versions of GTK+. By setting the GDK_NATIVE_WINDOWS variable to use native windows, everything is back to normal.

And they lived happily ever after (or until the next major release anyway)

it’s not the framework, it’s you

I’m getting tired already of the hype about Ruby on Rails and how it is better than any other framework past, present or future.

Sure Rails is a cute piece of software, and Ruby is a gorgeous language (supposing you are into programming languages, that is), but if you take a critical look at Rails, you could just say it’s another MVC framework.. Big deal.. And with some coupling issues between the layers too, which are fortunately being targeted on Rails 3.

Moreover, if you take a look at some of its components they could frankly be better. ActiveRecord, for example, is a wrapper ORM, which is implicitly tying you to the physical database layer, with one class per table, as opposed to a mapper ORM such as DataMapper or Hibernate. And the principle of least surprise is kind of a joke when it comes to some of the ActionView helpers and the parameters you have to pass along.

Still, as we like to say around here “Ruby on Rails mola infinito”, and it’s right now my favourite framework for non trivial web applications.

So.. what makes this framework so special? Is it only the absence of configuration and the sensible defaults? Would we sell ourselves for a couple of parlor tricks like those? Surely not.. specially with so many frameworks providing already sensible defaults. Come on, even in Java you can kind of forget about writing so much XML code if you make proper use of annotations and the like. No, it has to be something else.

Ruby on Rails has something that transcends the framework itself. It has you. The Mighty Developer. The Early Adopter. The Status Quo Challenger. The so-called Community —whatever that means.

Bottom line is, when I get together with people working with Rails, they are always in search of the holy grail of web development —or the nearest tavern, whatever comes first.. you have to love that kind of pragmatism. We like to break our assumptions, to learn new things and forget about the ones we already know.

We embrace Rails *today* but we are willing to embrace any other tool as long as we like it better. Do you remember the months before the Merb-Rails love affair? Half the Rails developers I know were already making eyes at Merb without the slightest hint of shame.

And by challenging the system, we are obliged to keep learning… and to find new ways to build the web. And instead of trying to make a carbon copy of what we did before, we like to start anew, because that’s where the fun is.

Sure you can argue this attitude is not the exclusive property of the Rails community. And I would second you on that based on theory.. but in practice, I have seen other some other communities lack this need of challenging. Maybe it’s because they have maturity models and certifications and black belts and whatnot…. And maybe having so many constraints is killing creativity; but fact is in some environments trying to take a step forward is seen as something odd, not desirable.

Rails will pass —or not— but as long as we keep alive the spirit of embracing change, we are entitled to be on the fun side of web development.

So, if you ask me, that’s the secret ingredient of Rails. Sure the language and the framework are cool, but the real power of Ruby on Rails is you.. and me.

update: please read the comments, since I was a bit ambiguous in the post and some points needed further explanation :)

My slides for “Jruby on Rails: Ruby on Rails sobre la JVM”

It was interesting to be at the Sun Open Communities Forum and meet people I used to work with (or even teach to) as back in time as in 1996.

It was also interesting to have the opportunity to introduce Ruby and Ruby on Rails to Java developers and show them how they could use it from the familiar JVM.

As usual, I uploaded to slideshare the slides I used in my presentation.

The layout might be a bit enterprisey for my standards, but I was representing my company, so I used the company template. Anyway, the presentation is under Creative Commons, so feel free to use it in any way you can imagine, as long as you respect the “non commercial attribution share alike” license.

Speaking about JRuby on Rails at the Sun Open Communities Forum

I’ve been invited to speak about JRuby on Rails at the Sun Open Communities Forum. This event is the evolution of the former editions of OpenJavaDay/OpenSolarisDay, revamped to include more Open Source communities.

Apart from the predictable “all-things-java” sessions, this year there are some interesting labs and talks about MySQL Scalability, REST, AJAX, the cloud, development frameworks and different languages running on the JVM.

Most of the talks, including mine, will be delivered in Spanish, but there will be some in English too.

My session will be

JRuby on Rails. Ruby on Rails on the JVM

And the excerpt I’ve sent for the talk goes something like this

Ruby is a dynamic programming language with a focus on simplicity and productivity. Ruby on Rails is a web framework optimized for programmer happiness and sustainable productivity. The JVM is one of the world’s most heavily-optimized pieces of software. The combination of these three elements provides a superb platform for building web applications.

In my session I will explain the highlights of Ruby, how Ruby on Rails has changed the rules of web development, and how JRuby allows for the integration of Ruby (on Rails) and Java.

Inscription is free and if you cannot attend, there will be live streaming as well. Notice you also have to inscribe (checking the “Lo seguiré por internet” radio button) if you want to watch the streaming.

Cucumber, Selenium, Webrat, and Windows

I spent last Saturday hacking around with some really smart people in Madrid. It’s not widely known than in Spain there’s a thriving Ruby on Rails community -my guess would be a language thing- but if you take a look at some of the Rails patches, Hackfest winners or the official Rails documentation project, you would be surprised to see how many -and how good- contributions are coming from this side of the world.

Once in a while we like to get together and take code challenges, so we can learn from each other and eat pizza to match the stereotype ;)

Thing is I’m a Windows guy. I know I should be sorry, I know it’s for housewives (or househusbands for that matter), but that’s life. (disclaimer: I’m planning to switch to Ubuntu in the near future)

As you know, developing software in windows while entirely possible is a bit more difficult than in other systems, specially when it comes to compiling, forking and the like.

Last Saturday I was, as usual, the only windows at hand (the rest being a lot of Macs in different flavors and a lonely Ubuntu) and, as a part of the code challenge, I had to run some tests with Cucumber, Selenium and Webrat. Apart from libxml, that has been working flawlessly in my computer for months, no other binaries were involved, so you would think everything was working just fine.. well, think twice.

First problem was the test server couldn’t be started automatically. I didn’t investigate much about it (my guess being that a fork or a system call is being issued and Windows cannot cope with it) since it was easier just to start it manually before running the tests. Also it was faster, because it didn’t need to be started every time.

After this obstacle, when I was trying to run the tests, I was getting a cryptic Errno::EADDRNOTAVAIL message. At first I thought it was because of Selenium not being able to bind to the given port, but a quick test from the command line discarded that possibility.

I don’t know anything about webrat (yet) but as the song goes, with a little help from my friends I was able to locate the source of the problem. When connecting to remote control Selenium, Webrat is trying to bind to the address “0.0.0.0” and that’s something Windows doesn’t like.

All I had to do was opening the file “selecium_rc_server.rb” at the gem source and replacing “0.0.0.0” by “127.0.0.1”.

I was told I can do this much more clearly at the Webrat config, but I tried it out and I still had the same problem. Taking a look at the Webrat code I would say the config param is not honoured system-wide, but truth is I was in a hurry and I didn’t researched it thoroughly. I had a challenge to solve after all ;)

Once I did this, all was hunky dory. Selenium started, the form fields were filled in, the tests were passing (or not) and the result was displayed on my not-ansi console. Bummer.

Believe me, cucumber is not half the fun without the colors in the output. Fortunately enough, google can tell you where to find lots of ansi-aware console replacements. Unfortunately enough console2, my favourite, is not one of those.

So, there, it took a bit of extra work but now you can also run this neat stack in your good-old windows box.

Speaking at EuRuKo 2009

It’s only two weeks for EuRuKo 2009, the most important Ruby conference in Europe.

As you probably know, EuRuKo is a grassroots itinerant conference, entirely organized by -and for- Ruby developers. This year, the conference will be held in Barcelona, and I have the honor of being a -tiny- part of the organization as a member of the Spanish Ruby Users Group, the local group preparing the event.

It’s also pretty cool that ASPgems is one of the sponsors. I cannot help but feel a tang of pride (awww, the diva in me ;) ) when I see the commitment and support of the company when it comes to community events.

The list of scheduled talks looks promising. Starting with Matz’s keynote there will be sessions about things like cross-platform mobile development, voice-enabled applications, interacting with MIDI instruments from Ruby, Image processing and other non-typical uses of Ruby. They have the sweet scent of EPIC WIN all over.

Did you take a look at the list of talks? Any familiar names? Well.. yours truly’s talk proposal was accepted and I’ll be speaking about game development using Ruby and Gosu. How cool is that?

I’ve been speaking at other technical events before, and I have a good deal of experience in training, but this will be the first time I do this in English. I’m sure it’s going to be an enriching personal experience.

I’m looking forward to seeing you all there.

Rails Hot Or Not. The Movie

Una vez pasada la resaca de la conferencia Rails, y a punto de entrar en la resaca navideña, ya están subidos los videos de la conferencia rails 2008

Aunque pierde mucho enlatada, os dejo por aquí el video de la sesión Rails Hot Or Not

Y para que no se diga, también dejo la presentación que utilicé, convenientemente editada para que se vea en cada uno de los casos cuál fue el ganador elegido por la audiencia


Este material tiene una licencia Creative Commons Atribución-NoComercial-LicenciarIgual 2.5

Por supuesto, agradecer la participación y el buen rollo de los asistentes a la charla, que contribuyeron a que fuera un éxito.. aunque nunca llueva a gusto de todos ;)

searchwords: hot or not, conferencias, rails