Sunday 30 September 2007

A sigh of relief

I recently came across an essay by Paul Graham, entitled Holding a Program in One's Head. If you ever worked as a developer in a profit-driven company, you'll be pleased to read this controversial paragraph near the end of his essay:

Perhaps it will help if more people understand that the way programmers behave is driven by the demands of the work they do. It's not because they're irresponsible that they work in long binges during which they blow off all other obligations, plunge straight into programming instead of writing specs first, and rewrite code that already works. It's not because they're unfriendly that they prefer to work alone, or growl at people who pop their head in the door to say hello. This apparently random collection of annoying habits has a single explanation: the power of holding a program in one's head.

That thought enlightened my day when I first read it, because it makes it all very clear with simple words. Book writers may need an adequate atmosphere or state of mind to be able to write properly. Programmers just need one thing that they aren't even provided with in some places: the means to focus.

That said, it is not an excuse for any programmer to behave like a caveman and hug his code even tighter after having read that paper. Our salvation definitely doesn't lie in the software we're crafting, no matter how technically beautiful it might become. Building a wall between you and the rest of the company for the sake of Perfect Coding is one of the best ways to annihilate any hope of professional progress.

I invite you to read the other texts as well, like this essay about consumerism. The man definitely knows what he's talking about.


This post has been completed while listening to:

Ghost in the Shell Stand Alone Complex - OST 3 (Yoko Kanno)

Sunday 23 September 2007

SSL Woes

I recently had to add an SSL certificate to an Apache web server (v2.2.4) that already had one certificate for a site running on port 443. That Apache server runs a couple of websites, each having its own domain name. Apache handles that situation thanks to Name Based Virtual Hosts, a directive that allows it to run multiple domains on the same IP:port (obviously, port 80 for non-secured websites).
It would have been natural to think that it would work the same with SSL. Not at all, actually... after a few unsuccessful attempts, I realized that it is not possible to secure two domains hosted on the same server, using the same IP and the same port. The reason is simple: by design, SSL authentication is done before Apache can check the host name.

As a result, when you ask for a secured site on one IP:port, you always get served the first matching virtual host of the Apache config, no matter what domain you ask for.

I thought of four ways to solve that issue:

  • Run all secured areas under the same certificate

e.g. secure.mycompany.com serves secured content for brandone.com and brandtwo.com.
While that option would be convenient for non-commercial sites or intranet tools, it was out of the question, as brand names are very important to us.
Having clients redirected to a different domain when they have to pay online is not a smart idea, especially when they haven't noticed that mycompany owns brandone and brandtwo!

  • Use another port for the 2nd secured site

That's what I did as a quick workaround: the 2nd site ran on port 444 for several weeks, but we knew some heavily firewalled people (don't laugh; some of them happen to have influence :/ ) couldn't reach the secured parts of the site.

  • Use an HTTP-aware router

As I know our host runs an advanced firewall, I phoned him and basically asked him if he could do host-based dispatching before reaching Apache, by proxying HTTP requests like this:

brandone.com:443 ->firewall-> apache:85
brandtwo.com:443 ->firewall-> apache:86

The answer was that it was possible... however it would require a complex setup, and it would be impossible to reproduce the whole thing in our test and pre-production environments, which left me with a bad feeling.

  • Use another IP for the 2nd secured site

Some of you might have already guessed: the smartest solution is to associate as many IPs to the web server as there are domains to secure. Hopefully, our host had extra IPs to give sell us :)
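
The one-IP-per-secured-domain layout, written out as an added example (this is not the post's own httpd.conf, which is not reproduced here). It targets the Apache 2.2.4 server described above, which predates Apache's SNI support; the 192.0.2.x addresses, file paths and DocumentRoots are constructed placeholders.

```apache
# Added example for Apache 2.2. IPs, paths and DocumentRoots are placeholders.
Listen 80

# Plain HTTP: name-based vhosts can share one IP:port, because the Host
# header has already been read when Apache picks the vhost.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName brandone.com
    DocumentRoot /var/www/brandone
</VirtualHost>

<VirtualHost *:80>
    ServerName brandtwo.com
    DocumentRoot /var/www/brandtwo
</VirtualHost>

# HTTPS, before (kept commented out): both secured sites on one IP:port.
# The SSL handshake completes before the host name is known, so the first
# matching vhost and its certificate answer for brandtwo.com as well.
#
# <VirtualHost *:443>
#     ServerName brandone.com
# </VirtualHost>
# <VirtualHost *:443>
#     ServerName brandtwo.com
# </VirtualHost>

# HTTPS, after: one dedicated IP per secured domain. Apache selects the
# vhost from the destination IP, which it knows before the handshake.
# Each domain's DNS record must point at its own address.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName brandone.com
    DocumentRoot /var/www/brandone
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/brandone.com.crt
    SSLCertificateKeyFile /etc/ssl/private/brandone.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName brandtwo.com
    DocumentRoot /var/www/brandtwo
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/brandtwo.com.crt
    SSLCertificateKeyFile /etc/ssl/private/brandtwo.com.key
</VirtualHost>
```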


modSSL FAQ
Apache v2.2 - Name virtual hosts


This post has been completed while listening to:

http://ff7.ocremix.org - Voices of the Lifestream (OCRemix community)

Sunday 16 September 2007

Hello world

...and thus was born unexpectancy.com ;)