JSON Web Token (JWT) have come in to my life. I like them and you will too… Pronounced “jot”, the short version is that they are cryptographically signed blobs of JSON. They pass data around that can be viewed, but not tampered with.

whois is a command line tool to look up registration information for domains, things like owner, location, and contact info. WHOIS (all caps) is a protocol for querying databases of domain registration (and other related) information. Each domain registrar is required to maintain a database of the domains they register. I use it fairly often when dealing with spammers and or looking at other security issues. However, it has a few rough edges that need to be rounded off.

Speaking of secrets, here’s how I keep them in the shell. Why do I have secrets in the shell? Typically, they are things like API keys and passwords for web services that I use in scripts. For example, I have a script display issues that are assigned to me on the desktop using Geektool. Or scripts to tweet from the command line, when I’m in a command line kind of mood.

Last time, I looked at keeping environment specific configuration using YAML files and Rails.application.config_for. One big issue with this approach is security. It’s very common to have different sets of API keys and API settings for different environments. A simple example is credit card processing. Outside of production you use a sandbox and test cards. Only in production are live API credentials needed.

We need a way to securely handle this information.

Previously, I looked at the simply way of creating Rails stages that shared same configuration with Production by simply importing production.rb into the new stage:

require Rails.root.join("config/environments/production")

This is a good start, however it makes a bad idea, stage conditional code, worse:

if Rails.env.staging? || Rails.env.beta? || Rails.env.production?

A quick tip — When I’m deploying Rails apps to Staging or Beta I try to keep the configuration as close to Production as possible. I’ve gotten bitten one too many times by things that only break in production due to configuration (assets for example).

The simple way to avoid this issue is to use the exact same configuration for those extra environment, but there’s a wrong way and a right way.

I covered Server Name Indication (SNI) a while back, but it still surprises me how little people know about it. So, it’s time to look at configuring Apache to use SNI.

As a quick refresher, SNI allows multiple web sites to live on the same IP address, IPs being relatively expensive resources. SNI has been around for a long time (Apache has supported it since 2009), but was generally ignored do to the perception of a lack of browser support. However, it’s been hitting the big time with PAAS like Heroku and CDNs like CloudFront making it their default for HTTPS.