Guyub – Konsultan F/OSS

This post was lifted wholesale from Cal Evans’s post from DevZone. I think he summed it up well and I had nothing to add.

Admittedly, I only knew Richard in passing. We’d met at a couple conferences and he was at CodeWorks last month. I wish I’d gotten to know him a little bit better.

After my earlier post Referrer and Comment spammers are a PITA I came up with two mod_perl plugins to Apache and an “apache level” firewall.

The reason for the apache-level firewall is two-fold.? There is no direct way for the Apache user to manipulate an iptables chain (as it doesn’t run as root), and second; I was not happy with suid root access or other forms of message passing to a daemon which would manipulate the firewall for me.

Architecture is thus, in httpd.conf place the following two lines:

PerlPreConnectionHandler PGREGG::httpBLBlock
PerlLogHandler PGREGG::httpBLLog

The first tells apache to run the handler in my httpBLBlock.pm module when a connection is received (before the request has been sent by the client).? In this handler, I am simply looking for a filename matching that IP in a directory that is writable by the apache user.? The contents of the file are a SCORE:httpBL_answer:[LIST].? Based on this, the module checks the mtime of the filename is in the last SCORE days, then the firewall is in effect. If so, we simply tell apache to drop the connection.? If the file has expired, we delete the file.

The second line is more interesting, and what creates the firewall filenames. In order to not impede the general speed of request handling, processing is performed in the Logging section of the Apache process. Our module is called by apache after the response has been sent, but before the access_log entry has been written.? In our module we perform the http:BL API call and compute the above SCORE based upon the Threat* level and Age* of the API response. (* both Threat and Age are octets in the DNS lookup).? We merely discount the Threat down to zero based on the Age (0-255) where an entry 255 days old reduces the SCORE to zero.
If the SCORE is larger than our trigger level (3) then we create the firewall filename, log the entry in our own httpbl.log and return Apache2::Const::FORBIDDEN.? This causes Apache to not log the entry in the normal access_log.? Otherwise, if all is ok, we return Apache2::Const::OK and Apache logs the hit as normal.

I have a bit of code tidy up, restructure the config/firewall directory and pull some common code out to a shared module before I can release to the world.

An interesting side effect to publishing the last story out through Planet PHP and other news sources along with the Project Honey Pot image is that when browsers viewed those sources, they all asked for the image off my server. In several cases, these were known spammer, Comment spammer, and other abusers. My server then created the firewall entry blocking them before they were able to follow the links back to my server.
?
I have been reading up more on Apache Bucket Brigades in an attempt to allow the firewall filter to be placed immediately after the request has been received and allow a custom response to the browser. This may help an otherwise unsuspecting user if their machine had been trojaned. I don’t mind admitting I’m thoroughly confused right now

APIs are commonly an afterthought, like a hot tub awkwardly attached to a house???a shoehorned
approach that produces a suboptimal app with scarce support that lacks
documentation. In effect, APIs are the ugly stepchild of the Web.

This is a sad reality that we are faced with, because
many companies make their living consuming third-party APIs and
mixing in their own data to create amazing
and interesting mashups.

In the initial phases of development, there is rarely
enough money to develop the app and its API. By the time there?s both demand and money, it can be hard to fit an API on top of the
architecture in such a way that the whole thing won?t fall over.

APIs should be first class citizens of the Web. Inconceivable?
Possimpible?
Not at all!

What can be done to solve this problem?

Is there a silver bullet? I?m afraid not.

My company has done a lot of API
work where we have encountered and solved a myriad of different API
problems for customers and our own apps. We even released an
API framework along the way. That?s not
to say that we haven?t made our share of mistakes on that journey???in fact, we have
made every single mistake in the book, but that?s how you grow and
learn. I firmly believe that you cannot solve a problem unless you?ve
failed at least once or twice before.

In the past, we have often been involved in bolting an API on top of
legacy apps, and on top of startup code we were directly
involved with from the beginning. Most of the time, neither situation is
ideal for attempting to use the current code base
(or to bring in behemoths like Zend Framework or Symfony)
to write an API service layer. We put together our
own lightweight API framework which can
be dropped into a code base without much fuss, and it can reuse the data
models. As a side bonus, it will automagically generate API
documentation.

Now we are getting somewhere! We had solved some of the pain
points of building an API, even if it?s bolted on afterward. That was not
enough for us, though.

The solution we came up with is fairly simple, but not glamorous at all,
I?m afraid.

A traditional web site has data models that interact with the
database and any other data source. Add an API into the mix, and it will
either be interacting with the data sources directly or potentially using
the same data models as the web site.

Our approach shakes things up a little bit.
The API is built first, and it interacts with the database and any other data
source (e.g., Oracle, MySQL, or Solr). The web site then consumes the API just as a client would.
The web site is still built with a MVC framework,
but it?s completely oblivious to where the API is pulling the
information from, so the API becomes a middle layer, a data layer.

The benefit is that the API becomes core to the system, is
built from the start, and will be maintained properly. This way you can make
an iPad app, and the web site use exactly the same API.

I also find APIs to be easier to scale, but that?s a topic for another
article.

The downside is that this development model does cost you more money in
the short term, and it means a tad longer time to market, but if you compare
it to adding the API at a later stage and maintaining to separate systems,
then you will clearly see big financial and operational gains.

Story time

An example may explain this better. This is the tale of the elusive Twitter
API.

Back in 2007, Twitter took off at SXSW with a roughly 300% increase in
tweets per day. Everyone was happy, but many people felt like the web
interface was not all that great. People asked for an API, so they could create
their own apps and mashups. Lo and behold, an API was
bolted on top of Twitter. It became evident that the initial API was not
enough for people, and thus began the organic growth of the monster that is
the Twitter API. It was a fairly under-maintained and under-staffed API in
my opinion, given it was the lifeline of Twitter. It is what kept millions
of people using the service.

This is a classic example of a bolt-on API that was not accounted for properly in
the infrastructure, and it quite possibly caused a majority of the fail whales.
The web site and the API (to my knowledge) were separate.

A shift happened in 2010, and #NewTwitter was released
in all its glory. A new web interface with many bells, whistles, and, quite
possibly, a lawnmower. However, what was most exciting about the release was
that the web site started consuming; it became a

Truncated by Planet PHP, read more at the original (another 1751 bytes)

I talk with a lot of people about NoSQL. I?ve been following it pretty closely for about 3 years now. One of the things I often tell people who are trying to wrap their heads around the concepts of NoSQL and what all of the data stores mean is to go search for Justin Sheehy and his NoSQL East Talk.

Then it dawned on me, why don?t I just embed the video on my site? Makes it super easy for people to find (travisswicegood.com/tags/riak) and I don?t have to go searching for it.

So, here?s what I consider one of the best talks to date on NoSQL.

I had a twitter/IRC exchange yesterday with Andries Seutens and Nick Belhomme regarding applications that include widgets within their layout. During the exchange, I told Andriess not to use the action() view helper, and both Andriess and Nick then asked how to implement widgets if they shouldn’t use that helper. While I ended up having an IRC exchange with Nick to give him a general idea on how to accomplish the task, I decided a longer writeup was in order.

Continue reading “Using Action Helpers To Implement Re-Usable Widgets”

Even those with a modest grasp of PHP know that code must be enclosed within special <?php and ?> tags.

<?php
// library functions

function DoStuff() {
	// code
}
?>

<?php
include('library.php');

// write a header
header('X-Demo: Example');

// set cookie
setcookie('TestCookie', 'Example');
?>

<p>End of index.php file.</p>

Warning: Cannot modify header information - headers already sent

Testing classes which generate XML can be a cumbersome work. At least, if you don’t know the right tricks to make your life easier. In this article, I will throw some light upon different approaches and show you, how XML generation can be tested quite easily using XPath.

Matthew Weier O?Phinney and I are giving an Introduction to PHP presentation this morning at Vermont Code Camp. I?ve posted the slides to SlideShare and the example PHP scripts are available on GitHub. If you are at Vermont Code Camp and attended our session, please take a minute to give us feedback on Joind.in.

Guyub -http://guyub.co.id membutuhkan segera PHP Developer untuk menjadi bagian dari tim pengembangan sebuah aplikasi berbasis web. Adapun detail persyaratanya adalah;

• Berlokasi di Palembang dan sekitarnya.
• Memiliki dasar logika dan pemrograman yang baik.
• Mempunyai etos kerja & attitude yang baik.
• Boleh memilih bekerja full atau part time.
• Nilai lebih bagi yang terbiasa bekerja dengan Free/Open Source Software.
• Nilai lebih bagi yang familiar dengan framework apa saja, web service, MySQL, dan jQuery.
• Tidak ada prasyarat khusus mengenai pengalaman dan latar belakang pendidikan, akan tetapi semua kandidat siap langsung wawancara dan tes praktik.

Bagi yang berminat silahkan langsung kirimkan lamaran disertai CV/Resume ke subair[at]guyub.co.id, menggunakan judul “PHP Developer”, paling lambat tanggal 14 Agustus 2010.