The details on NGINX Inc’s plans – Extra Scaling

Extra Scaling is when CodeScaling does something slightly different. In this case, we talked to NGINX Inc, the company behind the NGINX web server and reverse proxy, who recently announced they were rolling out a commercial subscription support service, NGINX Plus, which also included a number of commercially licensed, closed source modules. This, as is the way of these things, caused some controversy and consternation in the FOSS community. The devil of these things is always in the details, so we got in touch with NGINX Inc’s CEO and team to get some answers from them on those details. The answers are presented here for your edification…

Codescaling: NGINX Plus has what appears to be a proprietary shell in terms of added features for deployment and management. This leads to accusations of the “open core” approach being used to lock in customers, so…

NGINX: We’re fully committed to growing and developing the open source product – that’s the key strength of NGINX. At the same time we’re confident in our ability to serve both free open source customers and commercial customers in parallel.

It is important to note that most of our customers don’t want to be locked into software, and they want choice. NGINX Plus is exactly about choice. With NGINX Plus there are several supported product options:

  • NGINX Plus with advanced modules that provide greater functionality (standard or premium support available)
  • NGINX Plus using our current NGINX OSS (standard or premium support available)

Customers using either standard distribution or the one with advanced functionality can be 100% sure the quality standards and the code base is the same. The decision to use the advanced modules is 100% with the customer.

CS: What licence does apply to the added features of NGINX Plus? Does a customer get access to the source while a customer?

NGINX: We provide a dual license: BSD for the NGINX open source code, commercial license for advanced modules. For our commercial offering, we provide a combination of open source NGINX together with additional advanced modules (shipped as a single binary). We do not provide the source code access for these additional advanced modules.

CS: Will features be migrated from the NGINX Plus set to NGINX itself in the future?

NGINX: We plan to continue to innovate both products in parallel. The advanced features in NGINX Plus are primarily targeted at problems like ADC replacement, load balancing, edge caching, streamlined management, and security. Our users always have a choice to either implement additional functionality and build customised solutions themselves, or introduce our certified commercial offerings as part of their web architecture. We obviously appreciate both approaches but want to help companies who don’t have either time or budgets to create and maintain DIY-style solutions in their production environments.

Features that are more generally applicable and related to the web server side of NGINX will continue to be in the OSS stream, and we’ll always continue to add more. Some examples include SPDY and WebSocket modules, and the request authentication module that was released in August.

However, it is early and we’re listening to our customers and to NGINX users like we always did. We aren’t going to make decisions in a vacuum and will be listening to the needs of customers and users to determine where future enhancements will appear.

It is reasonable to assume that proprietary features will make their way into the open source product, and as we cross that bridge further down the road, we’ll have a very clear strategy to share.

CS: What rules will define where future enhancements appear, in NGINX or NGINX Plus?

NGINX: We’ll base our development of future enhancements on the existing use cases. Our open source community largely deploys NGINX as a web server in front of PHP, Python, Java and other application containers. Our enterprise/commercial customers use NGINX for a number of other scenarios, e.g. replacing a hardware ADC with NGINX in a cloud environment, load balancing, edge caching, security, automated provisioning, management and monitoring — avoiding chained, DIY-style solutions.

We will continue the same development as we’ve always done on the OSS side, and continue to address the cases enterprises are facing. We won’t close-source or remove existing open source features.

CS: What drove the decision to choose this model for business?

NGINX: This was the model requested by our customers. They asked for support but also wanted advanced features. They were clear that if they could get these advanced features in a supported build from Nginx Inc then this would be of value and they would be happy to purchase a subscription.

CS: Can instances of NGINX and NGINX Plus be mixed on a site?

NGINX: Yes. Moreover, NGINX Plus provides support for both NGINX and NGINX Plus code. As long as the customer has active subscriptions, we are able to support both.

Feedly API, RenderScript for all, JavaScript database, Node.js openness – Snippets

  • Feedly API opens: Feedly, one of the web-based RSS aggregator replacements that stepped in when Google dropped the Reader ball, has announced it’s opening up its feedly Cloud API to all. And it’s quite an extensive API with realtime hubs, read-tracking, personalisation graphs and more. An existing app ecosystem may be about to get a lot bigger and more diverse.
  • RenderScript for all: Google has been adding features to Android’s RenderScript computation framework over the recent releases and says it has been asked for those features to be evenly available in older versions of Android. Now, a new RenderScript Support Library and updated SDK is available that makes that possible. If you wonder what RenderScript is used for, one example is the Google+ Android app where it helps power the photo editor with C99 based computational effects. The idea with RenderScript is that it’s quicker and cleaner to use than going the full NDK for performance.
  • JavaScript indexed: Looking for a particular JavaScript library or wanting to browse through what’s available? Check out JSDB.IO, which indexes, rates and links to nearly 500 JavaScript libraries. A nice idea, cleanly executed.
  • Node.js openness: In a guest post in VentureBeat, Ben Wen, VP of product at Joyent, home of Node.js, goes on the record talking about how Joyent and Node.js interact and how they are avoiding the anti-patterns that many open source projects with corporate backers fall into. It’s also a plug for SmartOS, the open source OS they have been developing.

Mozilla, Upsource, SVG.js and Bluetooth LE – Snippets

  • Mozilla updates: Firefox 24 and Thunderbird 24 landed yesterday. The release of Thunderbird sees the ESR version merged back into the main release tree and a couple of new tricks with zooming in compose windows, support for IDN based email addresses and ignoring message threads. There are also six critical fixes in the update. Firefox gets new Mac scrollbars, right-closing tabs and tear off chat windows, SVG improvements, a better browser console and 7 critical fixes.
  • Upsource: The world of collaborative coding platforms is getting more interesting with the news that JetBrains are developing Upsource. JetBrains are the creators of the IntelliJ IDEA Java IDE, with its open source community edition, along with many other IDEs all based on a common architecture. Upsource is a server platform which looks to bring their IDE’s smarts to a web platform. There’s code browsing, diffing, commit viewing, analysis and more. Plans are unclear for the platform and there’s no early access programme yet but there’s meant to be an Upsource demonstration which will let you browse two of JetBrains’ projects (but it’s down at the time of writing).
  • SVG with JavaScript: SVG is still something that’s a bit of a bore to generate and deal with. SVG.JS looks to make things easier with a 9K MIT licensed library which can handle animating, positioning and transforming SVG images, create SVG text, create gradients, group elements and bind events to elements.
  • Bluetooth LE: ReelyActive have an interesting blog post about working with BLE (Bluetooth Low Energy) and how they use it for in-building location and how, with the arrival of iOS7 and its full BLE support, they’ll be able to swap out physical tags for smartphones. Next month, they present at the IEEE Conference of Local Computer Networks and publish a paper which should shed light on how we’ll be followed around in future.

An ExceptionalMail, a Contrail, a Concord and a Phenom(enon) – Snippets

  • Expect the Exceptional: A system admin is faced with a regular pattern of emails arriving that confirm things have either worked or occasionally failed. The admin scans them for the “is on fire” part and acts accordingly. But there’s also the other case where no mail was generated, and how would you know that an email hadn’t arrived? With that in mind, Alan Bell has just rolled out ExceptionalEmails.com. This is a system designed to detect that exceptional moment when the mails don’t appear, or do appear and have trigger words in them, and then make sure you realise that this exceptional thing has happened. He’s written a blog post about the system, the AGPLv3 licensed source of which is up on GitHub.
  • Juniper’s SDN Contrail: Juniper has open sourced its SDN controller for its Contrail Software Defined Networking offering and started opencontrail.org to host the Apache 2.0 licensed software. Plus points to Juniper for using open protocols like XMPP for messaging between components. They are also running labs to get developers up to speed and the source is available on GitHub. So, if you want another open source way to manage the physical and virtual networking between physical and virtual servers, there’s another option. The SDN world is rapidly evolving and being open source seems to be the easiest way to get partner/competitors on board, though in this case Juniper’s VP of Software Bob Muglia says the switch to open source was driven by customers who are going down the OpenStack and CloudStack paths. Interestingly, this release is ahead of schedule as it was due in 2014. Let’s see how Juniper plays with the world.
  • Concord: The good part – Dave Winer has released an outliner called Concord which is designed to be embedded “anywhere information is structured and organised”. The bad part – Winer says he wants to ensure compatibility between features added by developers and has licensed the JavaScript code under the GPL, which in no way stops someone from adding entirely incompatible features and breakage to their version while making it unlikely to be used in many public facing web projects where permissive licenses are much more common. Still, at least GPL3 licensed projects have access to an outliner now. You can find the code over on GitHub.
  • Something like a Phenom(enon): Facebook have quietly released libPhenom, an eventing framework for Linux and OS X applications written in C. It lets developers break up their applications into Jobs which can be scheduled by the library, comes with memory management which keeps count, has streaming, buffered I/O, a set of useful data structures, a data type for JSON and a printf implementation which can be taught about how to format different objects. It looks light and simple, it’s licensed under Apache 2.0 and it’s in active development. If you are writing C based servers and want to make them scale, this may be one to check out.

Security Snippets : Django updated, Lua exploited, Internet scanned

  • Urgent Django Update: There’s a security update for Django released on Sunday which has been rushed out as the issue was reported on the Django developers list and thus was already public. It’s a DoS problem wherein an attacker can use very large passwords to tie up the system as it hashes the password using PBKDF2. The fixes make passwords greater than 4K automatically fail authentication.
  • Lua 5.1 exploitation: A detailed post on GitHub’s Gists looks at the process of escaping the Lua 5.1 sandbox on a 32-bit Windows system, explaining how the exploit works and loads a DLL from within what should be a locked-down environment. An interesting read for a “whirlwind tour” of the Lua VM involved.
  • Fast scanning the net: Errata Security’s Robert Graham talks about Masscan, his port scanning software which can scan “the entire internet in 3 minutes” using only a quad core desktop processor… oh and a dual port 10Gbps Ethernet card. Want to do that yourself? You can read the source at GitHub along with even more details about how to build the program. But don’t assume it’s open source – the License says you have no permission to use or run it (and yes, we’ve asked and we’ll update when we know more).
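
The mitigation described in the Django item above, sketched as an added example (this is not Django’s code and not from the original post): oversized passwords fail authentication before any PBKDF2 work is done, and are also refused when a password is set. The 4096-byte reading of “4K”, the record format, the iteration count and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096   # assumption: the "4K" limit read as 4096 bytes
ITERATIONS = 10_000         # constructed work factor for this demo
_kdf_calls = 0              # counts how often the expensive step really runs


def kdf_calls() -> int:
    """Number of PBKDF2 computations performed so far."""
    return _kdf_calls


def _pbkdf2(raw: bytes, salt: bytes, iterations: int) -> bytes:
    """The expensive step an attacker wants the server to spend time in."""
    global _kdf_calls
    _kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", raw, salt, iterations)


def make_record(password: str) -> str:
    """Hash a new password; refuse one that could never log in again."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    salt = os.urandom(16)
    digest = _pbkdf2(raw, salt, ITERATIONS)
    # Constructed record format: iterations$salt_hex$digest_hex
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password: str, record: str) -> bool:
    """True only for a matching password; oversized input fails cheaply."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False  # rejected before any hashing work is done
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = _pbkdf2(raw, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the result does not leak matching prefixes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

The limit is measured on the encoded bytes, since that is what the hash function consumes; a password of multi-byte characters can exceed it with fewer than 4096 characters.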

Qt Blinks, OJ codes and Pi (ad)blocks – Snippets

  • Qt goes with Chromium: The Qt toolkit has used a Qt port of WebKit for some time now to provide web content rendering. With Google forking WebKit to create Blink, Digia has been looking at what fork to follow and has now decided to go with Chromium and Blink. This means the QtWebKit development will be frozen after Qt 5.2 and the new QtWebEngine which will replace it is short some APIs (QWebElement and QObject embedding). Digia say there’ll be lots of benefits and the choice is a long term decision.
  • Object JavaScript: An interesting bit of web technology is OJ which uses JavaScript objects to create web pages by mapping them to HTML and CSS and other JavaScript. It has a whole load of components and plugins and is published under the MIT licence. Worth a curious look, especially at the tutorial.
  • Pi Adstopper: One of the latest additions to Adafruit’s ‘learning system’ of tutorials is a guide to making a Raspberry Pi-based Ad Blocking Wi-Fi Access Point which includes details on setting up DHCP, DNS, the ad IP address blacklist and setting up a “pixel-server” to return a pixel (rather than a 404 which penalises performance) for blocked content.

Google’s Coder is for more than just Pi

Google’s Creative Lab has released Coder, an operating system image for the Raspberry Pi which can be booted from an SD card and offers an easy to use environment for learning about coding in JavaScript, HTML5, CSS and working with Node.js. It is in fact a relatively portable Node.js application which could be hosted on the desktop, in the cloud or wherever it is needed. Google have crafted the image for the Pi so that it’s an easy to deliver, and dare we say attention grabbing, way of putting the technology in educators’ hands.

So what’s in Coder? It’s more like an educational Web IDE with quick launch buttons for projects. A simple panel of launch buttons, plus one “+” button to create new projects, greets the user. Selecting an application lets that application run. Clicking the “Hack” button in the top right brings up some variables that can be changed to get people into that basic idea that yes, you can change things. Clicking the “Coder” button brings up a multi-tab IDE with syntax colouring and the option to edit the HTML, JavaScript, CSS or even the Node.js server file for the application. There’s also a media browser/manager and an app preview mode. And that pretty much covers it.

So, a good general purpose tool. The archive comes complete with an image-to-SD writer for the Mac which simplifies the process by detecting the SD card to be written by asking the user to plug it in. Under the covers it’s the Raspbian version of Debian with various extra scripts and configuration bits bolted on. I ran the image on one of the Raspberry Pis here and it all seems to work with some caveats. Connectivity is odd. Much is made of the optional Wi-Fi support but I tried two different Wi-Fi dongles with no success. I’ll be digging in to find out what’s up with that when I’ve got a chance, but if you are going to try Coder plug in an Ethernet cable – it’ll save time.

When setting up, be warned that Coder does my favourite password anti-pattern… reject passwords on the basis of rules it didn’t tell you beforehand… you’ll need upper case, lower case and a number in your password. Otherwise, it looks good, and it’s quick enough on the Pi though beware, it uses mDNS to make itself into “coder.local” on the network so if you set up a couple for a class you are going to need to tweak the images; the project appears to be working on classroom management tools too though and this is only version 0.4 of Coder.

If you haven’t got a Raspberry Pi, then you can always build it for a desktop system. One Hacker News reader (fdb) offers up a quick recipe for running it on a Mac with Homebrew (if you have a Mac and code and don’t have Homebrew, get it) and the routine should be pretty much similar to that for other platforms. Also interestingly, the project is hosted on GitHub rather than Google Code but that’s for pondering another day. It’s all under an Apache 2.0 Licence. Good work Google… Mozilla have shown similar tools, but Google’s Creative Labs team seem to have worked out that it’s all about how you package and deliver to the classroom to make a difference.

WordPress, Containers and Spark – Snippets

  • WordPress 3.6 vulnerability explored: The serialisation vulnerability which was fixed in WordPress 3.6.1 is looked at in detail by its discoverer in a blog posting which explores the issue of passing user content through unserialize() and why it can blow up so badly.
  • Container power: Containers revolutionised the shipping industry… could they do the same for the cloud? There’s a lot of activity around container based clouds which we’re looking into. One of the big drivers is Docker, which makes lightweight containers easy to build and run, and then there are the orchestration layers like the open source PaaSs Deis, which uses Docker, Chef and Heroku Buildpacks, and Flynn, which uses Docker and builds on Dokku. There’s something big going on there.
  • Java “Sinatra” Spark: Micro web frameworks are extremely handy; they let the web reach into places you wouldn’t normally implement the web in. Sinatra showed how you can do it in Ruby and, inspired by Sinatra, there’s Spark for Java. It looks like a quick way to bring a web server into Java applications and wire it in in a readable form.

Linus vs SSDs, FirefoxOS Security, Eloquent JavaScript reboot – Snippets

  • Linus vs SSDs: It appears that Linus Torvalds is now working off his laptop to finish the Linux 3.12 merge after his desktop’s SSD drive died on him. Linus doesn’t have backups though as he’s moved to using “replaceable machines” instead. Oh, and apparently he’d upgraded the rest of the machine ten days ago.
  • FirefoxOS Security: Trend Micro took a look at FirefoxOS’s security model and have some examples of how it could be exploited, via direct attacks on the B2G process in the Gecko layer and what mitigates against that. An interesting short read which leads on to their look at HTML5 attack surfaces.
  • Eloquent JavaScript rebooted: The author of 2007’s freely available JavaScript textbook Eloquent JavaScript has started a crowd-funding campaign to fund a new edition of the book which will not only be modernised, but have new artwork, expanded sections on DOM, a chapter on node.js and more. He’s not using a Kickstarter or similar platform, but his own system which allows you to select which tasks you want your money or bitcoins spent on.

Ember.js burns through to 1.0

Over the weekend, the Ember.js team announced the final release of Ember.js 1.0 after two and a half years in development. The big thing with Ember.js is that it aims to get back to a web where URLs were sharable and bookmarkable and away from the modern idiom for webapps of one URL and the server saving logins and state. In the process of creating that, the developers also put together auto-updating Handlebars templates that keep themselves up to date when the underlying data model changes, added Web-Component-like custom HTML tags and made the process of JSON to field mapping easy.

Explaining that they had picked out a push back against the big HTML-abstracting frameworks, heading towards what they felt were simplistic abstractions in microframeworks, the developers set a course to come up with a new platform which took care of the complexity using HTML, CSS and JavaScript, and not trying to pretend they weren’t there. While heading down this path they realised that what mattered wasn’t just what was displayed in the browser but how it could be navigated to; they came up with the idea of using the URL and took the big step of rebooting the development process to make the URL king of the framework. That change has paid off and with 1.0 they feel they are in a good place. The APIs won’t have breaking changes now till 2.0 which they “don’t anticipate happening for some time”.

The road to 1.0 has seen the router enhanced, the groundwork done for adding modules in the future, the basics of a testing framework, a Chrome extension that handles inspecting Ember in the browser and the first beta of Ember Data 1.0, a rebooted data-layer codenamed jj-abrams. There’s also much activity in the Ember community as Ember 1.0 arrives and the development process switches to a new release every six weeks.

Ember.js essentials: