[nycbug-talk] (no subject)

Marc Spitzer mspitzer at gmail.com
Sat Jul 14 21:56:52 EDT 2007


On 7/14/07, Jonathan Vanasco <nycbug-list at 2xlp.com> wrote:
>
> On Jul 14, 2007, at 4:45 PM, Marc Spitzer wrote:
> > Looks reasonable.  The only thing is you need to also have a
> > application level firewall in the mix.  A proxy firewall to inspect
> > all inbound http/s traffic for bad things ,
>
> that's always good.
>
>
> >  sql injection and out of bounds values(ie what happens when I
> > order -3
> > TVs) come to mind.
>
> that is really really bad.  it creates a false sense of security.
> its a good thing to have, but your underlying webapp should be able
> to handle that ( ie, always use bind with sql, escape / validate
> input, etc ).  if you're an admin, and you do that to safeguard
> yourself against bad programmers -- great.   but if you're a
> programmer, you shouldn't know/expect any of that to exist.
>
> thats just a sore spot for me.

It is part of defense in depth.  Face it people screw up all the time,
myself included, and having having 2 ways to be "safe" is better then
1.  Also things like -3 TV's should be checked by unit tests before it
ever gets to production.  I think that most problems are caused by a
lack of discipline not ignorance or malice.  Especially when deadline
loom people can be pressured into doing things that may be less then
good.

>
> On Jul 14, 2007, at 2:15 PM, Aleksandar Kacanski wrote:
>
> > Through experience and lengthly troubleshooting sessions I am weary
> > of FW  and persistent connections and work around with
> > socket_keepalive properties. I am specifically referring to apache
> > and ajp proxy plugin but I saw number of production issues with
> > real proxy servers and fw.
>
> i don't know about the ajp proxy plugin.  apache + keepalive can
> create lots of issues though.
>
> i do a lot of mod_perl programming, and keepalive can often jam the
> whole damn server , which makes me want to FOI)(@*#@#* break
> apache.   to combat that, i run nginx on port 80 and then proxy to
> apache when needed.  nginx can handle the keepalive requests without
> blocking, and a keepalive between apache & nginx makes stuff run even
> faster.

That is good to know

marc
-- 
Freedom is nothing but a chance to be better.
Albert Camus



More information about the talk mailing list