• Author: guille
  • Published: Dec 31st, 2006
  • Comments: 2

Deployment of Nginx reverse proxy in my network

What better day to improve a network than the last day of the year? Indeed, that's what I've done with mine. Today I've installed a reverse proxy and load balancer, Nginx, in my network.

I had been feeling the need for a reverse proxy from the beginning. Once VServer was installed, with the freedom to create as many machines as I wished, it seemed logical to have each site's Apache instance running in a dedicated vserver. This not only isolates each server, thus increasing security, but also lets the owner of each site play with the server as he sees fit without the risk of breaking someone else's site.

The implementation, on the other hand, was a bit problematic. I run behind a router doing NAT, and thus I had to choose a single server as my sole web server. When I decided to create an HTTP-driven svn server on a different machine, I had to choose another port (8000) to avoid conflicts. So I very quickly saw the point of installing a reverse proxy.

Due to pure laziness, I've spent quite a lot of time reading documentation and looking at different alternatives. I wanted as consistent a network as possible, with a minimum of software to maintain. As I wanted to replace my heavy Django mod_python Apache servers with something lighter in the long term, I looked for a load balancer that could also serve static files and, why not, FastCGI.

There are several options on the market:

Squid and Apache were discarded because they are too heavy. I did not want another performance hole in my already strained server.

Pound does not serve any content. Furthermore, it uses significant amounts of RAM and has limited documentation.

Perlbal seems to lack documentation, as does Varnish, another otherwise nice-looking piece of software. Maybe in the future…

Finally, Lighttpd is known for its memory leaks, large number of bugs and spotty documentation.

Update: I've discovered HAProxy, Pen and Balance, so I've added them. Pen and Balance seem to be simple TCP proxies, and thus not exactly what I'm looking for; I added them for completeness. HAProxy looks nice though.

I've decided to use Nginx. It has all the functionality I was looking for, has a very good reputation for stability, speed and scalability, relatively good documentation, and I was feeling adventurous. As I would see later, they also have a very responsive mailing list.

So… Nginx. You can either download the source and compile it or download a package for Debian, Ubuntu or an rpm.

I went the lazy way and used the Ubuntu package. This implies I don't have the latest version, but it will work. And indeed it works! I had to solve a couple of dependencies and it was ready to go.

The first thing I did was to configure it to forward all incoming requests to the correct web server.

All the configuration files are located in /etc/nginx/. Among many files, the main one is (oh, surprise!) nginx.conf. It holds all the generic (and, if desired, specific) configuration for web servers and proxies. My file looks like this:

user  www-data;
worker_processes  2; # 5 is the default
error_log  /var/log/nginx/error.log warn;

# pid of nginx master process
pid        /var/run/nginx.pid;

events {
    worker_connections   1024;
}

http {
    # pull in mime-types. You can break out your config
    # into as many includes as you want to make it cleaner
    include       /etc/nginx/mime.types;

    # set a default type for the rare situation that
    # nothing matches from the mime-type include
    default_type  application/octet-stream;

    # configure log formats (each log_format directive ends with a semicolon)
    log_format main      '$remote_addr - - [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
    log_format combined  '$remote_addr - - [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_host" $request_time "$http_x_forwarded_for" "$http_via" "$gzip_ratio"';
    access_log  /var/log/nginx/access.log combined;

    # These are good default values.
    keepalive_timeout              65;
    tcp_nodelay                    on;
    tcp_nopush                     on;
    sendfile                       on;
    server_names_hash_bucket_size  128; # this seems to be required for vhosts

    include         /etc/nginx/mysites/www.guindilla.eu.conf;
    include         /etc/nginx/mysites/svn.guindilla.eu.conf;
    include         /etc/nginx/mysites/www.haruki.eu.conf;
    include         /etc/nginx/mysites/complu.haruki.eu.conf;
}

Those files are stored in /etc/nginx/mysites/. Each of them looks very similar:

    server {
        listen           80;
        server_name      www.guindilla.eu;
        # vhost specific logs
        access_log       /var/log/nginx/www.guindilla.eu.access.log combined;

        location / {
            proxy_pass   http://192.168.0.3;
            include      /etc/nginx/proxy.conf;
        }
    }

I'm simply asking that every request that arrives at my server be forwarded to my web server, 192.168.0.3. If I were using a different port, it would be as easy as adding it at the end: proxy_pass http://192.168.0.3:81;

The file proxy.conf holds my generic proxy configuration:

proxy_set_header        Host             $host;
proxy_set_header        X-Real-IP        $remote_addr;
proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;

The proxy configuration works, and forwards transparently to the server. But there is still one problem: the logs. Indeed, the web server's logs will only record 192.168.0.2, the proxy's IP address. How to solve that?

Reverse proxies inject a header into the HTTP request in order to keep track of the IP of the client that started the request. This is done in the X-Forwarded-For or X-Real-IP fields. What we want is to log this value instead of the proxy's IP.

There are two solutions (thanks Igor and Alexandar):

  • We can use mod_rpaf with Apache, but I find it a bit overkill.
  • We can rewrite the log definition by replacing %h with %{X-Real-IP}i or %{X-Forwarded-For}i in the log format.

I chose the second solution, by adding in apache2.conf:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" guille

and in each site definition:

CustomLog /var/log/apache2/www.guindilla.eu.log guille
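The two header lines in proxy.conf and the Apache LogFormat above are the whole trust chain for the logged address, and the two headers do not behave the same way. X-Real-IP is set to $remote_addr, so nginx overwrites whatever the client sent; $proxy_add_x_forwarded_for instead appends $remote_addr to any X-Forwarded-For the client already supplied, so a line logged with %{X-Forwarded-For}i can begin with addresses the client made up and only ends with the one nginx actually saw. The following Python is an added example, not code from this post or from nginx or Apache: it parses lines in the "guille" format (where a plain whitespace split breaks as soon as the header holds a list), walks the list from the right past a configurable set of trusted proxies to find the address the nearest trusted hop really talked to, and reports the unverified prefix. The sample log lines, the helper that imitates $proxy_add_x_forwarded_for, and the 192.0.2.1 upstream proxy mentioned in the usage note are all constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Sequence

# Matches the "guille" LogFormat from the post:
#   "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# The first field is the raw header value, which may be a comma-separated
# list, so it is matched non-greedily up to the " ident user [time]" part
# instead of being cut at the first space.
LOG_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """Hypothetical re-implementation of what nginx's $proxy_add_x_forwarded_for
    yields: the peer address is appended to whatever X-Forwarded-For the client
    already sent, never replacing it."""
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr


def naive_client_ip(line: str) -> str:
    """What a whitespace split of the first field yields: wrong as soon as the
    header carried more than one address."""
    return line.split(" ", 1)[0]


def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line in the "guille" format into its fields."""
    match = LOG_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return match.groupdict()


def _hops(xff: str) -> List[str]:
    return [hop.strip() for hop in xff.split(",") if hop.strip()]


def client_ip(xff: str, trusted_proxies: Sequence[str] = ()) -> str:
    """Walk the X-Forwarded-For list from the right, skipping addresses of
    proxies we operate or trust. The first remaining address is the one the
    nearest trusted proxy actually talked to; everything further left was
    supplied by the client and cannot be verified."""
    hops = _hops(xff)
    if not hops:
        raise ValueError("empty X-Forwarded-For value")
    trusted = set(trusted_proxies)
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    # Every hop is a trusted proxy (e.g. an internal check): keep the leftmost.
    return hops[0]


def unverified_hops(xff: str, trusted_proxies: Sequence[str] = ()) -> List[str]:
    """Addresses to the left of the client, i.e. supplied by the client itself.
    With no upstream proxies of your own, a non-empty result means the request
    arrived with a pre-filled X-Forwarded-For header."""
    hops = _hops(xff)
    trusted = set(trusted_proxies)
    idx = len(hops) - 1
    while idx > 0 and hops[idx] in trusted:
        idx -= 1
    return hops[:idx]


def client_ip_from_line(line: str, trusted_proxies: Sequence[str] = ()) -> str:
    return client_ip(parse_line(line)["xff"], trusted_proxies)


# Constructed sample lines in the post's "guille" format. In the first the
# client sent no X-Forwarded-For, so nginx wrote only the peer address. In the
# second the client sent a made-up header and nginx appended the real peer
# address after it.
SAMPLE_LINES = [
    '203.0.113.10 - - [31/Dec/2006:12:00:00 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.99, 203.0.113.10 - - [31/Dec/2006:12:00:01 +0100] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.15.5"',
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = parse_line(line)
        print(f"naive: {naive_client_ip(line):<16} trusted-walk: {client_ip(fields['xff']):<16} "
              f"unverified: {unverified_hops(fields['xff'])}")
```

With no upstream proxies of your own, pass an empty trusted list: the rightmost address is always the one nginx appended. If a CDN or a second proxy sits in front of nginx, put its addresses in trusted_proxies and the walk skips past them. In the post's own setup, logging %{X-Real-IP}i avoids the list parsing altogether, provided Apache on 192.168.0.3 is reachable only through the proxy; otherwise a client talking to Apache directly could set that header itself.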

And now… it works. Everything just works. I love easy jobs!

  • Author: guille
  • Published: Dec 13th, 2006
  • Comments: None

Cuenta vivienda (home savings account): differences of interpretation between the banks and the law

As every year at this time, the painful moment is approaching: the moment when millions of Spaniards face Hacienda in the income tax return.

Personally, I have a phobia of pain, whether in the teeth, the back or the wallet. Since I cannot avoid it, I try to reduce it as much as possible. And, oh surprise!, I don't like paying taxes either.

Given my marriageable age and my lack of a home, I have decided to take shelter under the IMPUESTO SOBRE LA RENTA DE LAS PERSONAS FISICAS R.D.LEG 3/2004, DEDUCCIÓN INVERSIÓN VIVIENDA HABITUAL, CUENTA VIVIENDA, 123578-REQUISITOS, commonly called the Cuenta de Ahorro Vivienda (home savings account).

Indeed, this would let me save 15% of the annual amount deposited in a specific account, up to a maximum of 9015.18€. That is, a maximum of 1352.28€, which is a nice bit of money.

Now comes the question of the century: which account do I have to open?

The law's version is simple:

The accounts must be held at credit institutions, their purpose must be the first purchase or renovation of the dwelling that constitutes or will constitute the habitual residence of the depositor, and they must be accounts separate from any other kind of deposit. And that's it. Nothing more.

However, when I called different banks (Caja Madrid, ING, Banco Popular, Banco Santander,…), they swore up and down that the home savings account absolutely had to be the product they sold under the name "ahorro vivienda". Curiously, these accounts have lower interest rates than other accounts. Since they are only for saving… Well, this is a lie!!

Indeed, and so that you can shut them up: as of today, and according to the Manual Práctico Renta y Patrimonio 2005 (pdf: 13.5Mb), a guide from the Agencia Tributaria of the Ministerio de Economía y Hacienda, more precisely on page 381, it says that the amounts must be deposited in accounts separate from any other kind of deposit, without it being necessary for them to carry the specific name of "cuenta vivienda".

So there you have it. Why do the banks lie? Because they are there to make money and to deceive poorly informed people.

Yes, but then, the people who inform us, are they lying to us, or is it pure incompetence? Neither one nor the other. They are simply kept in ignorance, because the best lie is the one you believe yourself. In fact, the employee who attended me only believed it after consulting his company's legal department.

And for those who think I keep quiet: I said those very words I have written here to the bank employee. I made it clear that I did not hold him personally responsible, and that it was not only his bank but many others. But I told him. And I felt better for it. Of course!

PS: Citibank was an exception in a sea of lies and informed me correctly.

  • Author: guille
  • Published: Dec 10th, 2006
  • Comments: None

Linux VServer backups with rsync

I have described my server structure in a previous post. And that's all very well. But you need a backup strategy.

Indeed, as I always say, if you think you should make a backup, it's already too late. And lately, I have been thinking a bit too often about making backups.

One of the good readings on backups is The Tao Of Backup. It is funny, easy to read and at the same time covers all the basics of backups:

  • Coverage
  • Frequency
  • Separation
  • History
  • Testing
  • Security
  • Integrity

Here, I will present a backup script I am using that was inspired by this article. This script allows me to ensure coverage, frequency and separation. History and security are missing from the scheme, but could easily be added. Testing and integrity are aspects that are not relevant to this article, as they should be taken care of in the general strategy, as is partly the case with security.

Coverage is ensured by backing up not only the VServers, but also the host system.

Frequency is a matter of how often you run the script. It is intended to be done once a day.

Separation is also handled outside the script, as it depends on where you send your backups. Personally, I do it outside my house, at rsync.net.

Some rsync options allow history to be added to the scheme.

The lack of encryption is a security problem that could be solved with the use of duplicity. This might be handled later. As my server is not storing any confidential information (besides some girls' birthdays…), I can afford not to encrypt anything. Just remember it is a dangerous option to dismiss.

As I have said, the first thing the script does is a full backup of the host system. After this, the VServers are rsync'ed. The problem with VServers is that they must be correctly synchronized, and in order to do that they must be stopped.

In a fast network the synchronization can be done quickly. But in a slow network like mine (my connection to rsync.net is not very fast…), the delay can be a problem. The original script stopped all the VServers at the same time, only restarting them once all synchronizations had finished. My script does a sequential shutdown, one VServer at a time, thus minimizing the downtime of each VServer and the overall downtime. This is a good thing.

Another technique to minimize downtime is to synchronize as much as possible while the server is running. In order to do this, two synchronizations are made: the first one with the VServer running, and a second one with the VServer stopped. During the second synchronization only minimal changes will be transmitted, thus minimizing the downtime. So we end up with two rsync passes, the second being the shorter.

Restoring the system is really easy: just rsync all the data back into a base-install server.

#!/usr/bin/env sh

# Performs remote backups of servers with vserver instances
# Copyright (C) 2006 Guillermo Fernandez Castellanos
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# Backups over a network are much slower than between local hard drives.
# On the other hand, vservers need careful synchronisation to avoid problems.
# Those problems can only be avoided by rsync'ing the vservers while stopped.
#
# In order to achieve this, this script goes through the following steps:
#    1) Full backup of the mother system.
#    2) For each vserver defined, do:
#       2.1) rsync of the running server.
#       2.2) stop the vserver for a final rsync and restart it again.
#
# /dev, /proc nor /sys are in the backups because they are automatically
# filled at start-up. /sys has been added in the 2.6 kernels.
#
# This script is heavily inspired from:
#   http://lena.franken.de/linux/debian_and_vserver/vserver_fastrestore.html
#
# Guillermo Fernandez Castellanos <guillermo.fernandez.castellanos _at_ gmail.com>
#

#### START USER_DEFINED VARIABLES

# Verbosity of the output of rsync. Can take the values 0 or 1.
VERBOSE=0

# Destination directory or remote system. No trailing slash!
#DESTINATION=/backup/path
DESTINATION=user@server:/backup/path

# Directory where the vservers are kept. No trailing slash!
VSERVER_DIR=/vserver

# Name of all the vservers to backup
VSERVERS="server1 server2 server3"

#### END USER-DEFINED VARIABLES

date >> $HOME/backup_status.txt
echo %% `date` %% Backup host system >> $HOME/backup_status.txt

# Step 1: full backup of the host system, leaving out the vservers
# (handled below) and the pseudo filesystems.
if [ $VERBOSE -ne 1 ]
then
  OPTIONS="--archive --perms --delete"
else
  OPTIONS="--archive --verbose --progress --perms --delete"
fi

EXCLUDE="--exclude $VSERVER_DIR --exclude /mnt --exclude /proc --exclude /sys"

rsync $OPTIONS $EXCLUDE / $DESTINATION
echo %% `date` %% Backup of host system ended >> $HOME/backup_status.txt

# Step 2: two rsync passes per vserver, the second one with it stopped.
if [ $VERBOSE -ne 1 ]
then
  OPTIONS="--archive --perms --delete --delete-excluded"
else
  OPTIONS="--archive --verbose --progress --perms --delete --delete-excluded"
fi

for vserver in $VSERVERS
do
  EXCLUDE="--exclude /mnt --exclude /proc --exclude /sys"

  echo %% `date` %% Backup of vserver $vserver starts >> $HOME/backup_status.txt
  rsync $OPTIONS $EXCLUDE $VSERVER_DIR/$vserver $DESTINATION/$VSERVER_DIR

  echo %% `date` %% Stop vserver $vserver >> $HOME/backup_status.txt
  vserver $vserver stop
  echo %% `date` %% Final sync of $vserver >> $HOME/backup_status.txt
  rsync $OPTIONS $EXCLUDE $VSERVER_DIR/$vserver $DESTINATION/$VSERVER_DIR
  echo %% `date` %% Start vserver $vserver >> $HOME/backup_status.txt
  vserver $vserver start

  echo %% `date` %% Backup of vserver $vserver finished >> $HOME/backup_status.txt
done

echo %% `date` %% Backup ended >> $HOME/backup_status.txt
date
df -h

  • Author: guille
  • Published: Dec 5th, 2006
  • Comments: 5

Pareja de hecho, PaCS, Civil Union

I have had the pleasure of becoming a pareja de hecho (registered domestic partnership) with Haruki, my girlfriend.

We met almost 5 years ago, and we have seen each other around the world: Costa Rica, Japan, Australia, Spain… and after much moving around we have decided to make our relationship official.

We had a small ceremony at the Registro de Parejas de Hecho, and between my parents and our friends, we were in good company!

Naturally, it was celebrated in style at La Cocina del Desierto, among tajine, couscous and other mint teas.

My greatest thanks to all those who contributed to making this day a special day!

 

I have had the pleasure of entering into a PaCS with Haruki, my girlfriend.

We met 5 years ago, and we have found each other all around the world: Costa Rica, Japan, Australia, Spain… and after so many trips, we decided to make our relationship official.

We had a small ceremony at the Registro de Parejas de Hecho and, between my parents and our friends, we were in good company.

Of course, it was celebrated with the necessary pomp at La Cocina del Desierto, among tajine, couscous and other mint teas.

My greatest thanks to all those who contributed to making this day a special day!

 

I have had the pleasure of getting a Civil Union with Haruki, my girl.

We met almost 5 years ago, and we've met up and travelled around the world: Costa Rica, Japan, Australia, Spain… and after much moving around we've decided to make our relationship official.

We had a tiny ceremony at the Registro de Parejas de Hecho and, between my parents and our friends, we felt supported.

Of course, it was properly feasted at La Cocina del Desierto, among tajine, couscous and other mint teas.

I am very grateful to everyone who contributed in order to make this day a special day!

  • Author: guille
  • Published: Dec 1st, 2006
  • Comments: None

Wargames in Madrid, someone?

I am a kind of misunderstood strategy games fan. That means that I love them, but have not had much opportunity to play them. Indeed, for lack of time or partners, my experience is limited to a few games.

In spite of that, I do not lose faith. I have just received a brand new game, A Victory Lost, from MMP, designed by Tetsuya Nakamura, and it looks just great. It simulates the counter-offensive of the Red Army around Stalingrad, Operation Saturn. The rules are a breeze to learn, and the C&C complex enough to allow for a good game.

Tetsuya Nakamura is the same designer that did Fire in the Sky, a simulation of the Pacific War. This simulation gets a very good balance between the large naval operations that could span over weeks and thousands of nautical miles, and the localized, intense and crucial battles that would be resolved in hours. The art work is beautiful on this one!

Another game I have with me at the moment is Russian Front. It is not the easiest to learn but, after all those years, it still keeps all its charm. I bought this one when I was around 16, so more than 10 years ago.

So that's it. Not many games, but all worth a try. Now, all I'm missing is a regular opponent :-)

© 2006,2007,2008,2009,2010 Guillermo Fernández Castellanos | Header images by Nick Lobeck