techblog 

We have a number of applications where we have to limit the access of users, otherwise the systems would collapse under the strain of excessive use. For that we rely heavily on the excellent token bucket algorithm. This has three different ways (at least) in which it can be used.

Rate limiting

The most basic use of token bucket is to rate limit a client to a number of operations within a specific time period. For example you could use it to limit the number of whois lookups to 60 per 60 seconds for a particular client. The way to do this is to assign a bucket of 60 tokens to each client when it makes its initial request. Each time it makes a request a token is removed from the bucket. If there are no tokens left then the request is not carried out and so the client is effectively blocked. Every 60 seconds the bucket is refilled to a maximum of 60 tokens and so request can once again be processed.

Rolling window

There are times when you might not be worried about the rate but you do want to limit a client to a maximum number of operations within a rolling time window. For this example lets say you want to limit a client to 10,000 operations per rolling 24 hours and you are going to recalculate every hour. You start by giving each client the maximum 10,000 tokens when it first connects. Once again a token is removed each time a request is serviced and no tokens means no service. Every hour the total number of requests over the last hour is calculated and stored.

The algorithm to refill the bucket is a bit more complex. The total the number of requests received over the last 23 hours (the 23 is the key) is calculated and this total is then subtracted from 10,000, which leaves the maximum remaining requests that could be made over the next hour. So the number of tokens in the bucket is then increased (or decreased) to that maximum.

Just to make sure you get this, assume you want to limit a client to Q queries over a rolling window of W time and you are going to recalculate every P time units. Then every P you refill the bucket to be equal to Q - (Total queries for previous period of (W - P)).

Rolling window and rate limiting

Combining the two is pretty simple if you want to limit a client to a certain number of queries within a rolling window time period plus limiting the maximum rate at which they can carry out operations. Say for example you wanted to allow a maximum of 10,000 operations per rolling 24 hours, with a maximum rate of 1,000 per hour and you are going to recalculate every hour. This time you give each new client a bucket of 1,000 tokens. Once again a token is removed each time a request is serviced and no tokens means no service. Again, every hour the total number of requests over the last hour is calculated and stored.

The algorithm to refill the bucket works like this. Again the total number of requests over the last 23 hours is calculated and again this is substracted from 10,000. This time though the bucket is filled to either this figure if it is less than 1,000 or to 1,000 otherwise. This effectively limits the rate to a maximum of 1,000 per hour.

Of course in the last two examples if someone does exceed their limit then they could be blocked for up to an hour, which may be far too long for your application. The processing requirements obviously increase as you make the recalculation window shorter.

Every server we access here is via ssh. On occasion I need to run X on a server and display this back to my desktop. In the past I have been doing this insecurely due to NOT tunnelling my X session over ssh, I would have to mess around setting xhost + on the local machine and setting the DISPLAY variable on the remote server.

So to securely run a remote X session ensure you have the following set in both ssh_config on your LOCAL machine and in sshd_config on the remote server

ForwardX11 yes

Interestingly when you log in to the remote server you should see your display automatically set to:

localhost:10.0

Final tip is that if you ssh as user A but want to run a remote X session as user B, copy the

~/.Xauthority

From yourself to the user you are interested in and manually set your display variable:

export DISPLAY=localhost:10.0

This is a short description of how to install Blojsom blogger so that URL’s are
stripped of upper level subdirectories to look like
http://hostname/userid/ instead of http://hostname/blojsom/blog/userid/
or http://hostname/blog/userid/

It is presumed that you’re using Apache
Web server, Tomcat 5
and mod_jk
connector. You’ve also followed Blojsom installation instructions on http://wiki.blojsom.com/wiki/display/blojsom/Installation
and made it work as http://hostname/blojsom/blog/userid with Apache Web
Server as a frontend and mod_jk connector.

First, remove (or move elsewhere) the default ROOT application:

mv $TOMCAT_HOME/webapps/ROOT ~/

and copy Blojsom application to the ROOT:

cp -R
$TOMCAT_HOME/webapps/blojsom
$TOMCAT_HOME/webapps/ROOT

edit $TOMCAT_HOME/webapps/ROOT/WEB-INF/web.xml and replace

<url-pattern>/blog/*</url-pattern>

with

<url-pattern>/*</url-pattern>

edit $TOMCAT_HOME/webapps/ROOT/WEB-INF/blojsom.properties and replace

blojsom-installation-directory=$TOMCAT_HOME/webapps/blojsom/

with

blojsom-installation-directory=$TOMCAT_HOME/webapps/ROOT/

edit $TOMCAT_HOME/webapps/ROOT/WEB-INF/userid/blog.properties and
replace

blog-base-url=http://hostname/blojsom
blog-admin-url=http://hostname/blojsom/blog/userid/
blog-url=http://hostname/blojsom/blog/userid/

with

blog-base-url=http://hostname/
blog-admin-url=http://hostname/userid/
blog-url=http://hostname/userid/

Make the following changes in Apache Web server configuration:

SetEnvIf Request_URI
"/resources/*" no-jk
SetEnvIf Request_URI "/admin-basic.css" no-jk
SetEnvIf Request_URI "/admin-tabs.css" no-jk
SetEnvIf Request_URI "/atom.css" no-jk
SetEnvIf Request_URI "/blojsom.css" no-jk
SetEnvIf Request_URI "/favicon.ico" no-jk
SetEnvIf Request_URI "/index.html" no-jk
SetEnvIf Request_URI "/powered-by-blojsom.gif" no-jk
SetEnvIf Request_URI "/quicktags.js" no-jk
SetEnvIf Request_URI "/rdf.gif" no-jk
SetEnvIf Request_URI "/rss.gif" no-jk
SetEnvIf Request_URI "/search.png" no-jk
SetEnvIf Request_URI "/trackback.gif" no-jk
SetEnvIf Request_URI "/xml.gif" no-jk
JkMount / worker1
JkMount /* worker1
<Directory $TOMCAT_HOME/webapps/ROOT>
Options None
+SymLinksIfOwnerMatch
AllowOverride None
order allow,deny
allow from all
</Directory>
DocumentRoot
$TOMCAT_HOME/webapps/ROOT

Now restart Apache web server and Tomcat server. Everything should now
work as expected.

Chapter 6 of the weirdest technical book ever has just come out. Why’s (Poignant) Guide to Ruby explains the concepts of the Ruby Programming Language using Cartoon Foxes, Elves and Chunky Bacon. And that’s the sanest bits. I want some of what he’s taking…

After upgrading to OSX 10.4 (Tiger) I found that Firefox crashed each time I tried to load it. I checked this with Firefox 1.0.3 and 1.0.2 but both had the same problem. Out of curiosity I downloaded Camino and that had the same problem.

With a bit of digging on the OSX support forums I found half the solution and with a little bit of checking finally got it fixed.

The problem is caused by the Java Embedding Plugin, which I had installed some time ago and forgotten about. The version on my system was not compatible with OSX, though the new version is. To get around this I deleted the following directories and everything worked.

/Library/Internet Plugins/MRJplugin.plugin
/Library/Internet Plugins/JavaEmbeddingPlugin.bundle
~/Library/Internet Plugins/MRJplugin.plugin
~/Library/Internet Plugins/JavaEmbeddingPlugin.bundle

For those of you who don’t know the ~ means my home directory, so /Users/jay/