Display current requests with Nginx - nginx

How to know what nginx handles exactly now?
I search for request uri, request start time, request headers and another info.
I could not use access log becaise it contains only finished requests.

Nginx provides only the total numbers of accepted, dropped and active connections in the community builds. The complete description of statistics provided is here.
Commercial builds provide more information, but frankly I don't see anything that would match your needs. The documentation is here.

Related

Why does CORS ask new domain and not original domain?

I believe I am finally grok-ing CORS and its motivations.
In brief, I understand that a script originating from original.com attempting to request a resource from other.com is potentially risky (for all parties: user, original.com and other.com) due to information leaking; thats the motivation behind CORS. My question is not about this.
CORS mandates that other.com opts-in/agrees to the request from the scripts that originates from original.com.
It took a while to grok because I had a certain intuition I had to go against. My intuition was that its supposed to be original.com (and not other.com) that had to opt-in/agree to the cross-origin request.
The line of thinking was that original.com is the domain that the user trusts (after all, user went to original.com in the first place). Hence the browser (enforcer of CORS) should trust whomever the user trusts.
e.g.
If original.com says to trust other.com, ads.com and/or tracker.com then go ahead and allow requests to them. But if subsequently ads.com returns a script that requests something from shadows.com (whom original.com does not trust) then block it.
Currently, CORS will cause the browser to ask shadows.com if it accepts a request from original.com. And I imagine shadows.com to be a villain in a leather armchair saying 'why yes, absolutely' >:).
In short and a bit simplified, it's because data is downloaded from the other domain. In your example, other.com holds the data and can decide who (what origins) it shares that data with.
The kind of trust that you are mentioning is by the way also present. When a user visits original.com in the example above, he trusts that original.com will only make him download stuff from domains deemed ok to download data from by developers of original.com. However, whether those other sources (other.com, etc.) want to serve a request when it comes from a user visiting a different site (original.com), it's a decision for the other domains to make.

What is the X-REQUEST-ID http header?

I have already googled a lot this subject, read various articles about this header, its use in Heroku, and projects based on Django.
However, it's still all confused in my head.
What is the purpose of this header?
Does it violate user privacy?
Can it help tracking a user?
When you're operating a webservice that is accessed by clients, it might be difficult to correlate requests (that a client can see) with server logs (that the server can see).
The idea of the X-Request-ID is that a client can create some random ID and pass it to the server. The server then include that ID in every log statement that it creates. If a client receives an error it can include the ID in a bug report, allowing the server operator to look up the corresponding log statements (without having to rely on timestamps, IPs, etc).
As this ID is generated (randomly) by the client it does not contain any sensitive information, and should thus not violate the user's privacy. As a unique ID is created per request it does also not help with tracking users.
Purpose: Idempotency
With an ID that changes for every request, but stays the same in case of a retry of a request, the receiver can ensure the request won't get processed more than once.
This is a quote from some API provider:
All POST, PUT, and PATCH HTTP requests should contain a unique
X-Request-Id header which is used to ensure idempotent message
processing in case of a retry
If you make it a random string, unique per request, it won't infringe on your privacy, nor enable tracking.
If you want to know more of what idempotency has to offer, read this insightful article.
N.B. As Stefan Kögl comments, this header is not standardized - hence the (deprecated) "X-" prefix.
Explanation using a story/analogy
You can think of X-Request-ID like your driver's license (some type of ID card).
Imagine visiting the DMV:
You present your ID card to gain admission, and then you
Stand in line, for 16 hours,
after 16 hours - the DMV tells you to go home. i.e. your request timed out. The petty tyrants at the DMV don't work a second past 4:31 pm.
An entire day wasted - you complain to the congressman - hey: I waited in line for 16 hours etc. The congressman replies:
"Buddy, we get 1000s of people visiting the DMV everyday - When I look through the DMV records, how am I meant to identify you - when you came etc.?
That's where the X-Request-ID comes in.
Application of story to HTTP
The same applies to http requests - it's an id used to help back end devs find out what went wrong. Clients submit requests with that id - and it's a ID that they create (i.e. some random number etc.). Now servers can keep track of it.
Story given to help you remember. Hopefully you're not confused further - post a comment if I have and i'll try to clear it up. thx.
This request header can be used for syncrhonization. Let's say you've built a ToDo list that offers offline capability. Your user creates 3 items and each of them are given a unique UUID on the offline application. When network connectivity is available, the records are POSTed to the server and the corresponding IDs auto-generated from the database are returned. You can then replace the IDs in your app (e.g. "id" attribute of HTML "li" element).

Http/REST method for starting a service

I want to design a REST API to start a database. I can't find a suitable http method (aka verb).
I currently consider:
START /databases/mysampledatabase
I've browsed through a few RFCs, but then I thought someone here might point me to a de-facto standard verb.
Methods I've discarded (before I got tired of looking):
RFC 2616
OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
CONNECT
RFC 2518
PROPFIND
PROPPATCH
MKCOL
COPY
MOVE
LOCK
UNLOCK
RFC 3253
REPORT
CHECKOUT
CHECKIN
UNCHECKOUT
MKWORKSPACE
UPDATE
LABEL
MERGE
BASELINE-CONTROL
MKACTIVITY
There's a bunch of thinking flaws here.. first off, the additional HTTP verbs (aside from the CRUD ones) should be considered not-restful.
So there's two ways I can interpret this question, and I have an answer for both:
1. What's the most appropriate HTTP method for starting a service
There's nothing quite like what you need, and I would advise simply using POST.
2. What's a good RESTful way to start a service
First, you should not see 'starting the service' as the action. It's easier to think of the 'status' (being started or stopped) as the resource you are changing, and PUT to update the resource.
So in this case, each service should have a unique uri. A GET on that uri could return something like :
{ "status" : "stopped" }
You just change 'stopped' to 'started', PUT the new resource.. and then the service could automatically begin running.
I wonder how useful this is though.. I'm not a REST zealot, and I think a simple POST is the best way to go.
edit I can't delete accepted answers, but since 2013 my thoughts on what is and isn't RESTful has nuanced quite a bit. I still think my example to represent the changable state of each service as a property still holds.

appropriate user-agent header value

I'm using HttpBuilder (a Groovy HTTP library built on top of apache's httpclient) to sent requests to the last.fm API. The docs for this API say you should set the user-agent header to "something appropriate" in order to reduce your chances of getting blocked.
Any idea what kind of values would be deemed appropriate?
The name of your application including a version number?
I work for Last.fm. "Appropriate" means something which will identify your app in a helpful way to us when we're looking at our logs. Examples of when we use this information:
investigating bugs or odd behaviour; for example if you've found an edge case we don't handle, or are accidentally causing unusual load on a system
investigating behaviour that we think is inappropriate; we might want to get in touch to help your application work better with our services
we might use this information to judge which API methods are used, how often, and by whom, in order to do capacity planning or to get general statistics on the API eco-system.
A helpful (appropriate) User-Agent:
tells us the name and version of your application (preferably something unique and easy to find on Google!)
tells us the specific version of your application
might also contain a URL at which to find out more, e.g. your application's homepage
Examples of unhelpful (inappropriate) User-Agents:
the same as any of the popular web browsers
the default user-agent for your HTTP Client library (e.g. curl/7.10.6 or PEAR HTTP_Request)
We're aware that it's not possible to change the User-Agent sent when your application is browser-based (e.g. Javascript or Flash) and don't expect you to do so. (That shouldn't be a problem in your case.)
If you're using a 3rd party Last.fm API library, such as one of the ones listed at http://www.last.fm/api/downloads , then we would prefer it if you added extra information to the User-Agent to identify your application, but left the library name and version in there as well. This is immensely useful when tracking down bugs (in either our service or in the client libraries).

Logging in Http Module

We have created an http module to mobile detection and redirection. What the http module will do is according to the coming request it will find the device and redirect accordingly.
So here we want to log the methods in the http module. But i don't know whether it is a good practice to log all the requests? We planned to use text file logging. We have concerns about the performance since it will log all requests.
Please give your suggestions.
Depending on what information you want to log, all request are logged in iis. You can these log at %SystemDrive%\inetpub\logs\LogFiles. If the information is not there you can add extra information or add extra logging in the global asax. Good loggers will have minimal impact on you application. You should watch you diskspace at all time, and make a business case on what you want to do with the information.

Resources