Update: add these awesome ones!


Goal: find the fastest possible C++ https library that can score an A on the SSLLabs test. Ties broken by ease of use, then by support for websockets.

Initial results (see wiki for latest…). Columns: SSLLabs grade, ease of use (1-10), websocket support, notes:

Library            SSLLabs  Ease  Websockets  Notes
apache             A        3     N           need to write a module; apache remains in charge of message loop (unacceptable)
libwebsockets               7     Y
proxygen                    7                 only easy to build on ubuntu so hasn't been stood up on my gentoo server yet; huge kitchen sink of helpers
Simple-Web-Server  B        10    Y           websockets in a separate compatible project; may be able to leverage asio to improve score (capped by RC4); no forward secrecy
websocketpp                                   uses asio, specifies a "modern" mode that only allows TLS1.2
mongoose                    3                 messy ton of hand-crafted portability C code scared me off
onion                                         looks like a strong C lib
libmicrohttpd                                 GNU C lib, not sure it supports modern algos, check score…
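Two of the notes above say what caps a grade: RC4 and no forward secrecy. The snippet below is an added example written for this page (not code from the original post or from any of the libraries listed): it asks the local OpenSSL which suites a given cipher string really enables and flags those two problems. The pass/fail rule is a simplification of my own and not SSLLabs' actual grading.

```python
"""Offline cipher-suite sanity check: flag RC4 and suites without forward secrecy.

Added example. The heuristic here (RC4 present, or any suite whose key exchange
is not ephemeral, fails) is a simplification and not the SSLLabs grading rules.
"""
import ssl

# OpenSSL suite names that imply an ephemeral key exchange. TLS 1.3 suites
# (TLS_AES_..., TLS_CHACHA20_...) are always ephemeral. Anonymous DH
# (ADH-/AECDH-) is deliberately not counted: no authentication at all.
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def suite_is_forward_secret(name):
    """True if the suite name indicates an ephemeral (EC)DH key exchange."""
    return name.startswith(FS_PREFIXES)


def evaluate_suites(names):
    """Evaluate an ordered list of OpenSSL cipher-suite names.

    Returns the offending suites per finding plus an overall 'passes' flag
    under this page's simplified rule.
    """
    rc4 = [n for n in names if "RC4" in n]
    no_fs = [n for n in names if not suite_is_forward_secret(n)]
    return {
        "rc4": rc4,
        "no_forward_secrecy": no_fs,
        "passes": bool(names) and not rc4 and not no_fs,
    }


def suites_for_spec(spec, min_version=ssl.TLSVersion.TLSv1_2):
    """Resolve an OpenSSL cipher string to the suite names it actually enables.

    Uses a server-side SSLContext so the answer reflects the OpenSSL build a
    C++ https library linked against this machine would get.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit_cipher_string(spec):
    """Convenience wrapper: resolve a cipher string, then evaluate it."""
    return evaluate_suites(suites_for_spec(spec))


if __name__ == "__main__":
    # A permissive string most libraries ship by default vs. a tightened one.
    for spec in ("DEFAULT", "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL"):
        result = audit_cipher_string(spec)
        print(spec, "->", "passes" if result["passes"] else "capped",
              "| RC4:", result["rc4"],
              "| no FS:", result["no_forward_secrecy"])
```

Run it on the machine where the server is built; the "DEFAULT" row is usually the one that shows why a stock build lands at a B.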

I have a couple of urls that have become quite attractive to spammers as of late, for some stupid reason. Stupid in that most situations involving spam are stupid, as the inefficiencies would make anyone of any intelligence balk at the very concept. But still, many desperate and immoral thugs persist.

My urls that appear to make spambots salivate with misguided hope are those that allow anonymous users to add content that will be later displayed to others. Specifically, there are two:

  • anonymous trac ticket creation
  • wordpress comments

Both trac and WordPress have fantastic tools that fight spam (Akismet, for one, is priceless). These tools prevent tons of spam on my sites every day. But thanks to mindless bots, the spam, while pretty much always unsuccessful in creating tickets due to Akismet and captcha, can morph into the DOS category. I was getting 5 apache requests every second, 24×7.

I started using mod_evasive to stop the flood, which certainly helped. But it did not break the spambots to the point where they gave up. I was dealing with some seriously inept and overzealous spambotting – I don’t even have heavily trafficked sites. What recourse is left if you just. keep. getting. mindlessly. hammered!?

I got out the big gun and decided that, in the case of my trac ticket site, it was better to just move the whole damned url. The ticket site is a part of a larger site devoted to my music player project, and valid users should really navigate through the top site anyway. It took me a while to decide this was best. It’s certainly not optimal for supporting a site that might be heavily bookmarked by end users. It’s kind of out of the box thinking. But in my case it was worth the cost.

For trac, it was just a matter of a couple trac.ini and apache config changes, and then changing the referring websites.

trac.ini:

base_url = https://mysite.com/mynewurl

apache conf:

WSGIScriptAlias /mynewurl /var/lib/trac/apache/trac.wsgi

I get spammers slamming my little web sites all the time. A couple of my pages seem to have gotten added to some bot list, and there is no end of attempts to add comments to my WordPress blogs and tickets to my trac issue tracker. There are lots of ways to fight this, and both WordPress and trac have pretty decent built-in tools. One apache-based tool I recently added is mod_evasive, and it is so simple and elegant there’s really no reason not to use it. It’s small and appears to use an in-memory hash table for live state tracking so it shouldn’t slow things down much. All it does is look for rapid access from the same IP address, and put a temporary block on that address for a short time period. So as not to interfere with access by real people, it only takes action against obvious abuse. Here’s my configuration, with notes:

# MDM i thought about changing these to block 5 ticket requests in 60 seconds
# BUT THAT'S TOO MUCH for any other part of my websites
# This really isn't going to solve the trac problem... but i'll leave it for DOS attacks
# I did make it a little tighter:
# lowered page count from 5 to 3 (3 page requests within 1 second)
# upped site count from 100 to 50, interval from 2 to 10 (50 site requests in 10 seconds)
# MDM The only thing getting blocked is me, prolly due to HangTheDJ pings, doh
# Forget this, set it back high again.  It's ONLY going to stop true DDOS attacks.
# We'll set up mod_qos or something else for trac ticket spammers.
# MDM Actually looks like spammers are dropping off...?  didnt see any logging tho... huh
# I'll tighten up a LITTLE; site count from 100 to 30; page interval from 1 to 2; blocking period from 10 to 20
# MDM OK it seems to be working great now!
# But why limit the block to 20 seconds?  I'm upping it to 5 minutes.
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 30
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 300
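To see what those numbers actually do, here is a small Python model of the rule described above (per-IP counters for the same page and for the whole site, then a blocking period that restarts while the client keeps hammering), replayed over a few constructed access-log lines. This is an added example written for this page, not part of the original post or of mod_evasive itself; the sliding-window counting is an approximation of the module's behaviour, the hash-table size is not modelled, and the sample IPs and timestamps are made up.

```python
"""Sliding-window approximation of mod_evasive's per-client rate limiting.

Added example. Thresholds are the ones from the config above; the counting
is a simplification of the module, and the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

CONFIG = {
    "DOSPageCount": 5,        # hits to the same URI allowed per DOSPageInterval
    "DOSSiteCount": 30,       # hits to any URI allowed per DOSSiteInterval
    "DOSPageInterval": 2,     # seconds
    "DOSSiteInterval": 2,     # seconds
    "DOSBlockingPeriod": 300, # seconds a client stays blocked
}

# Apache common/combined log prefix: client ip, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"'
)


def parse_line(line):
    """Return (epoch_seconds, ip, uri) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group("ip"), m.group("uri")


class EvasiveModel:
    """Per-client counters plus a blocking list, driven by request timestamps."""

    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.page_hits = defaultdict(deque)  # (ip, uri) -> recent timestamps
        self.site_hits = defaultdict(deque)  # ip -> recent timestamps
        self.blocked_until = {}              # ip -> time the block expires

    @staticmethod
    def _count_in_window(window, ts, interval):
        """Record ts, drop entries older than interval, return the count."""
        window.append(ts)
        while window and ts - window[0] > interval:
            window.popleft()
        return len(window)

    def request(self, ts, ip, uri):
        """Decide one request: 'ok' or 'blocked'.

        A blocked client that keeps requesting has its blocking period
        restarted, which is how mod_evasive documents DOSBlockingPeriod.
        """
        cfg = self.cfg
        if ip in self.blocked_until and ts < self.blocked_until[ip]:
            self.blocked_until[ip] = ts + cfg["DOSBlockingPeriod"]
            return "blocked"
        page = self._count_in_window(self.page_hits[(ip, uri)], ts, cfg["DOSPageInterval"])
        site = self._count_in_window(self.site_hits[ip], ts, cfg["DOSSiteInterval"])
        if page > cfg["DOSPageCount"] or site > cfg["DOSSiteCount"]:
            self.blocked_until[ip] = ts + cfg["DOSBlockingPeriod"]
            return "blocked"
        return "ok"


def replay(lines, cfg=CONFIG):
    """Replay log lines in order; return {ip: [decision per request]}."""
    model = EvasiveModel(cfg)
    decisions = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line, skip it
        ts, ip, uri = parsed
        decisions[ip].append(model.request(ts, ip, uri))
    return dict(decisions)


# Constructed sample: a bot posting the ticket form 7 times within one second
# and once more 10 s later; a person loading three pages a few seconds apart.
BOT = "203.0.113.9"
HUMAN = "198.51.100.7"


def _line(ip, ts, uri):
    return f'{ip} - - [{ts}] "GET {uri} HTTP/1.1" 200 512 "-" "-"'


SAMPLE_LOG = (
    [_line(BOT, "10/Oct/2010:13:55:36 -0700", "/trac/newticket") for _ in range(7)]
    + [_line(HUMAN, "10/Oct/2010:13:55:36 -0700", "/"),
       _line(HUMAN, "10/Oct/2010:13:55:39 -0700", "/trac/wiki"),
       _line(HUMAN, "10/Oct/2010:13:55:43 -0700", "/trac/newticket"),
       _line(BOT, "10/Oct/2010:13:55:46 -0700", "/trac/newticket")]
)

if __name__ == "__main__":
    for ip, decisions in replay(SAMPLE_LOG).items():
        print(ip, decisions)
```

With the DOSPageCount of 5, the bot's sixth hit in the same second trips the page counter and everything after it for the next 300 seconds is refused, while the human's three spaced-out requests never come near either threshold. Lowering DOSPageCount or stretching the intervals is exactly what started catching the author's own monitoring pings in the notes above, which is why the page counter stays at 5 here.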

The latest reincarnation of Hang The DJ, my music player, is coming along nicely. In the alpha stage, it’s currently an excellent way to stream your massive music collection to your laptop.

It sits atop an open source media streamer called Ampache. I had to extend Ampache to support the more advanced features of Hang The DJ. But this extended version of Ampache still retains its full feature set.

I have plans for a full set of Hang The DJ mobile clients, but they are further down the roadmap.

In the meantime, I can still use Ampache with my iPhone in a couple different ways. There are some Ampache iPhone clients but they are rough and limited. However, Ampache by itself has a nice web interface. You can play your music by downloading, by streaming, or through a bare-bones flash player.

Flash is out on the iPhone. Downloading each song is cumbersome. But the streaming works! It’s not foolproof. The silly Safari browser on the iPhone has a ridiculously short timeout on streaming requests, something like 16 seconds, and I don’t know of any way to adjust it. So for a long time, it just didn’t seem to work for me. But following these rules, I can get to my whole music collection from my iPhone:

  • Make sure you have a decent server. I recently upgraded my server to use a quad core i7 cpu and it seems to help.
  • Make sure your upload bandwidth is sufficient, obviously. I have really crappy crappy “10Mbit” service from CenturyLink, which gives me about 20kbps upload. Hates it. But it’s currently my only option and it’s working.
  • Make sure your iPhone is in a 3G zone. Edge service through AT&T didn’t seem to work. Stupid AT&T.
  • Stream 1 song first. This is your best chance of completing the setup between Apache and Safari before timing out. Once that’s confirmed to work, slowly bump it up until you get timeouts. I can do 3-4 songs but 20 seems to fail consistently.

Yeah it’s not ideal. Just more motivation to get going on the iPhone client! 🙂

In the meantime, shoot me an email if you’re willing to try Hang The DJ out on a desktop or laptop, that would rock. Peace.

I have been so happy with my gentoo boxes lately, having had zero problems for the past few months, and no itch to bump. I must have lucked out and hit a really stable spot in the ever-changing world of open source.

But I don’t want to get too comfortable. Much longer and I probably won’t have a clean upgrade path. Besides, I think I smell something shiny out there somewhere… Seriously, I am looking forward to the latest XBMC changes. That software absolutely rocks.

Here we go! (continued…)