The details on NGINX Inc’s plans – Extra Scaling

nginx-smallExtra Scaling is when CodeScaling does something slightly different. In this case, we talked to NGINX Inc, the company behind the NGINX web server and reverse proxy, who recently announced they were rolling out a commercial subscription support service, NGINX Plus, which also included a number of commercially licensed, closed source modules. This, as is the way of these things, caused some controversy and consternation in the FOSS community. The devil of these things is always in the details, so we got in touch with NGINX Inc’s CEO and team to get some answers from them on those details. The answers are presented here for your edification…

Codescaling: NGINX Plus has what appears to be a proprietary shell in terms of added features for deployment and management. This leads to accusations of the “open core” approach being used to lock in customers, so…

NGINX: We’re fully committed to growing and developing the open source product – that’s the key strength of NGINX. At the same time we’re confident in our ability to serve both free open source customers and commercial customers in parallel.

It is important to note that most of our customers don’t want to be locked into software, and they want choice. NGINX Plus is exactly about choice. With NGINX Plus there are several supported product options:

  • NGINX Plus with advanced modules that provide greater functionality (standard or premium support available)
  • NGINX Plus using our current NGINX OSS (standard or premium support available)

Customers using either standard distribution or the one with advanced functionality can be 100% sure the quality standards and the code base is the same. The decision to use the advanced modules is 100% with the customer.

CS: What licence does apply to the added features of NGINX Plus? Does a customer get access to the source while a customer?

NGINX: We provide a dual license: BSD for the NGINX open source code, commercial license for advanced modules. For our commercial offering, we provide a combination of open source NGINX together with additional advanced modules (shipped as a single binary). We do not provide the source code access for these additional advanced modules.

CS: Will features be migrated from the NGINX Plus set to NGINX itself in the future?

NGINX: We plan to continue to innovate both products in parallel. The advanced features in NGINX Plus are primarily targeted at problems like ADC replacement, load balancing, edge caching, streamlined management, and security. Our users always have a choice to either implement additional functionality and build customised solutions themselves, or introduce our certified commercial offerings as part of their web architecture. We obviously appreciate both approaches but want to help companies who don’t have either time or budgets to create and maintain DIY-style solutions in their production environments.

Features that are more generally applicable and related to the web server side of NGINX will continue to be in the OSS stream, and we’ll always continue to add more. Some examples of include SPDY and WebSocket modules, and the request authentication module that was released in August.

However, it is early and we’re listening to our customers and to NGINX users like we always did. We aren’t going to make decisions in a vacuum and will be listening to the needs of customers and users to determine where future enhancements will appear.

It is reasonable to assume that proprietary features will make their way into the open source product, and as we cross that bridge further down the road, we’ll have a very clear strategy to share.

CS: What rules will define where future enhancements appear, in NGINX or NGINX Plus?

NGINX: We’ll base our development of future enhancements on the existing use cases. Our open source community largely deploys NGINX as a web server in front of PHP, Python, Java and other application containers. Our enterprise/commercial customers use NGINX for a number of other scenarios, e.g. replacing a hardware ADC with NGINX in a cloud environment, load balancing, edge caching, security, automated provisioning, management and monitoring — avoiding chained, DIY-style solutions.

We will continue the same development as we’ve always done on the OSS side, and continue to address the cases enterprises are facing. We won’t close-source or remove existing open source features.

CS: What drove the decision to choose this model for business?

NGINX: This was the model requested by our customers. They asked for support but also wanted advanced features. They were clear that if they could get these advanced features in a supported build from Nginx Inc then this would be of value and they would be happy to purchase a subscription.

CS: Can instances of NGINX and NGINX Plus be mixed on a site?

NGINX: Yes. Moreover, NGINX Plus provides support for both NGINX and NGINX Plus code. As long as the customer has active subscriptions, we are able to support both.

An ExceptionalMail, a Contrail, a Concord and a Phenom(enon) – Snippets


  • Expect the Exceptional: A system admin is faced with a regular pattern of emails arriving that confirm things have either worked or occasionally failed. The admin scans them for the “is on fire” part and acts accordingly. But there’s also the other case where no mail was generated, but how would you know that email hadn’t arrived. With that in mind, Alan Bell has just rolled out This is a system designed to detect that exceptional moment when the mails don’t appear or do appear and have trigger words in them and then make sure you realise that this exceptional thing has happened. He’s written a blog post about the system, the AGPLv3 licensed source of which is up on GitHub.
  • Juniper’s SDN Contrail: Juniper has open sourced its SDN controller for its Contrail Software Defined Networking offering and started to host the Apache 2.0 licensed software. Plus points to Juniper for using open protocols like XMPP for messaging between components. They are also running labs to get developers up to speed and the source is available on GitHub. So, if you want another open source way to manage the physical and virtual networking between physical and virtual servers, there’s another option. The SDN world is rapidly evolving and being open source seems to be the easiest way to get partner/competitors on board though in this case, Juniper’s VP of Software Bob Muglia says the switch to open source was driven by customers says who are going down the OpenStack and CloudStack paths. Interestingly, this release is ahead of schedule as it was due in 2014. Lets see how Juniper plays with the world.
  • Concord: The good part – Dave Winer has released an outliner called Concord which is designed to be embedded “anywhere information is structured and organised”. The bad part – Winer says he want to ensure compatibility between features added by developers and has licensed the JavaScript code under the GPL which in no way stops someone from adding entirely incompatible features and breakage to their version while making it unlikely to be used in many public facing web projects where permissive licenses are much more common. Still, at least GPL3 licensed projects have access to an outliner now. You can find the code over on GitHub
  • Something like a Phenom(enon): Facebook have quietly release libPhenom, an eventing framework for Linux and OS X applications written in C. It lets developers break up their applications into Jobs which can be scheduled by the library, comes with memory management which keeps count, has streaming, buffered I/O, a set of useful data structures, a data type for JSON and a printf implementation which can be taught about how to format different objects. It looks light and simple, its licensed under Apache 2.0 and its in active development. If you are writing C based servers and want to make them scale, this may be one to check out.

Security Snippets : Django updated, Lua exploited, Internet scanned


  • Urgent Django Update: There’s a security update for Django released on Sunday which has been rushed out as the issue was reported on the Django developers list and thus was already public. It’s a DoS problem wherein an attacker can use very large passwords to tie up the system as it hashes the password using PBKDF2. The fixes make passwords greater than 4K automatically fail authentication.
  • Lua 5.1 exploitation: A detailed post on GitHub’s Gists looks at the process of escaping the Lua 5.1 sandbox on a 32-bit Windows system explaining how the exploit works and loads a DLL from within the what should be a locked-down environment. An interesting read for a “whirlwind tour” of the Lua VM involved.
  • Fast scanning the net: Errata Security’s Robert Graham talks about Masscan, his port scanning software which can scan “the entire internet in 3 minutes” using only a quad core desktop processor… oh and a dual port 10Gbps Ethernet card. Want to do that yourself? You can read the source at GitHub along with even more details about how to build the program. But don’t assume its open source – the License says you have no permission to use or run it (and yes, we’ve asked and we’ll update when we know more).

Google’s Coder is for more than just Pi

coderlogoGoogle’s Creative Lab has released Coder, an operating system image for the Raspberry Pi which can be booted from an SD card and offers an easy to use environment for learning about coding in JavaScript, HTML5, CSS and working with Node.js. It is in fact a relatively portable Node.js application which could be hosted on the desktop, in the cloud or wherever it is needed. Google have crafted the image for the Pi so that its an easy to deliver, and dare we say attention grabbing, way of putting the technology in educators hands.

So what’s in Coder? Its more like an educational Web IDE which quick launch buttons for projects. A simple panel of launch buttons, plus one “+” button to create new projects, greets the user. Selected an application lets that application run. Clicking the “Hack” button in the top right brings up some variables that can be changed to get people into that basic idea of that yes, you can change things. Clicking the “Coder” button brings up a multi-tab IDE with syntax colouring and the option the edit the HTML, JavaScript, CSS or even the Node.js server file for the application. There’s also a media browser/manager and an app preview mode. And that pretty much covers it. Here’s a gallery to let you have a look at it.

This slideshow requires JavaScript.

So, a good general purpose tool. The archive comes complete with a image-to-SD writer for the Mac which simplifies the process by detecting the SD card to be written by asking the user to plug it in. Under the covers its the Raspbian version of Debian with various extra scripts and configuration buts bolted on.  I ran the image on one of the Raspberry Pi’s here and it all seems to work with some caveats. Connectivity is odd. Much is made of the optional Wi-Fi support but I tried two different Wi-Fi dongles with no success. I’ll be digging in to find out whats up with that when I’ve got a chance, but if you are going to try Coder plug in an Ethernet cable – it’ll save time.

When setting up, be warned that Coder does my favourite password anti-pattern… reject passwords on the basis of rules it didn’t tell you beforehand… you’ll need upper case, lower case and a number in your password. Otherwise, it looks good, and its quick enough on the Pi though beware, it uses mDNS to make itself into “coder.local” on the network so if you set up a couple for a class you are going to need to tweak the images; the project appears to be working on classroom management tools too though and this is only version 0.4 of Coder.

If you haven’t got a Raspberry Pi, then you can always build it for desktop system. One Hacker News reader (fdb) offers up a quick recipe for running it on a Mac with Homebrew (if you have a Mac and code and don’t have Homebrew, get it) and the routine should be pretty much similar to that for other platforms. Also interestingly, the project is hosted on GitHub rather than Google Code but thats for pondering another day. It’s all under an Apache 2.0 Licence. Good work Google… Mozilla have shown similar tools, but Google’s Creative Labs team seem to have worked out that its all about how you package and deliver to the classroom to make a difference.

WordPress, Containers and Spark – Snippets


  • WordPress 3.6 vulnerability explored: The serialisation vulnerability which was fixed in WordPress 3.6.1 is looked at in detail by its discoverer in a blog posting which explores the issue of passing user content through unserialize() and why it can blow up so badly.
  • Container power: Containers revolutionised the shipping industry… could they do the same for the cloud? There’s a lot of activity around container based clouds which we’re looking into. One of the big drivers is Docker, which lets makes lightweight containers easy to build and run, and then there’s the orchestration layers like the open source PaaSs Deis which uses Docker, Chef and Heroku Buildpacks and Flynn which uses Docker and builds on Dokku. There’s something big going on there.
  • Java “Sinatra” Spark:  Micro web frameworks are extremely handy; they let the web reach into places you wouldn’t normally implement the web in. Sinatra showed how you can do it in Ruby and, inspired by Sinatra, there’s Spark for Java. It looks like a quick way to bring a web server into Java applications and wire it in in a readable form.

As foretold, Cassandra 2.0 cometh


Version 2.0 of the Apache Cassandra database has just been released. The Apache Software Foundation are leading on the addition of lightweight transations and triggers to the database. Cassandra originated at Facebook who donated it to Apache in 2008. It is designed to work with massive data sets and mixes Google’s Big Table data model with Facebook’s own distributed architecture Dynamo.

Datastax, who produce a commercial version of Cassandra, have the detailed blog entries on lightweight transactions which can ensure an update is committed to all replicas through a prepare/promise/propose/accept process, on triggers which can start processing tasks as changes in tables are detected and on the enhancements made to CQL, Cassandra’s SQLish query language. There’s also a roundup of all the other changes in Cassandra 2.0, such as the requirement to use Java 7, varios spring cleaning and performance optimisations. The Datastax documentation has also been updated for 2.0 and is also available as a PDF.

Usually with Apache project releases (and other events), the decision to release and the actual release can be a matter of some weeks, but this time round it was less than a week between those two events. Could this be a sign that the ASF will synchronise their announcements more with events than an artificially paced schedule? We shall see.

Feedbin opened – Time to tuck in

FeedbinIconBW120In the aftermath of Google’s bone-headed-but-determined execution of Google Reader, there has been some great work done developing alternatives to Google’s service. One open source implementation was NewsBlur, but at least from our experience at, it was a bit tetchy and the user interface was idiosyncratic. Among the other services we tried was Feedbin, with its clean stripped down user interface, growing app support and good RSS pickup speed. But it wasn’t open source, at least until now when Ben Ubois announced Feedbin was being opened.

While we at are still happy with Ubois’s hosted version of Feedbin at (currently priced at $3 a month or $30 per year), it’s really good news to see him open up the code under an MIT licence and host it on a GitHub repository. It means that users of the Feedbin service know they have an alternative they can host themselves, that they can get involved in development and help take the cause of better RSS aggregation forward. “It’s because Feedbin is making money that I felt comfortable doing this” said Ubois on a Hacker News thread.

The code itself is a Rails 4.0 application, running on Ruby 2.0 and using both Postgres 9.2 and Redis 2.6 for data storage duties. Instructions for getting the system running on Mac OS X are available in the Github readme; partial instructions for Ubuntu 12.04 are also present. “Install a local Feedbin server” is now on our to-do list (though that is a very long list).