I started writing Bandit and Thousand Island almost four years ago (!), initially as a bit of a joke. Despite its humble beginnings it quickly became apparent to me that there was something to the project beyond humour, and once things started getting a bit more serious with the project I broke down the work to get to a 1.0 release, a journey which ended up looking something like this:

• 0.1.x series: Proof of concept (along with Thousand Island) sufficient to support HAP. Nov 2019 to Nov 2020 (12 months)
• 0.2.x series: Revise process model to accommodate forthcoming HTTP/2 and WebSocket adapters. April-May 2021 (2 months)
• 0.3.x series: Implement HTTP/2 adapter. May-Sept 2021 (4 months)
• 0.4.x series: Re-implement HTTP/1.x adapter. Sept 2021 to April 2022 (7 months)
• 0.5.x series: Implement WebSocket extension & Phoenix support. April-Nov 2022 (7 months)
• 0.6.x series: Comprehensive performance optimization & telemetry coverage. Nov 2022 to Mar 2023 (5 months)
• 0.7.x series: Enhance startup options, general quality-of-life issues. Mar-Apr 2023 (2 months)
• 1.0.0-pre.x series: Ready for general use, without reservation. Apr 2023-today (5 months)

All in all, I think my planning was pretty solid! There were a few periods where I would put the project down for months at a time and a few periods (mostly in the run-up to conference presentations!) where I would do months worth of work in the span of a few weeks, but generally progress was pretty steady (if a bit slower than I was expecting).

One mistake that I will note was that I called the 1.0.0-pre.x series far too early. In hindsight I ought to have run a 0.8.x series to shake out any lingering bugs before moving to a pre-release series, particularly because Hex requires people to opt-in to get pre-release versions. As a result the testing pool for the pre-release series wasn’t as large as it should have been.

Throughout it all I’ve been lucky enough to talk about Bandit & Thousand Island at a number of conferences (ElixirConf 2021, EMPEX MTN, and ElixirConf EU 2023) and have been a guest on several podcasts to talk about my work on Bandit and networking in Elixir more generally. It’s been a great trip, and has produced some of the best work I’ve ever done. For anyone out there who’s pondering starting up their own project that seems ambitious but attainable at the same time, 10/10 would recommend. It’s a lot of fun.

After all of this, it seems a bit anti-climactic to say that Bandit and Thousand Island are both going 1.0 later today. There’s still a lot more work to be done (see below!) but none of that work needs to block a 1.0.0 release from happening. So here we are, get ‘em while they’re hot:

{:bandit, "~> 1.0"},
{:thousand_island, "~> 1.0"}

I’d be in remiss if I didn’t call out all the folks who have helped out along the way; over 20 different people have submitted PRs large and small to the projects, and many more have filed thoughtful bugs that helped highlight some of the corner cases in the underlying RFCs. In particular, moogle19, Ryan Winchester, and Alisina Bahadori have been extremely helpful, reviewing PRs & helping to triage issues from the community. The project wouldn’t be what it is today without their (and many others!) help. Thanks everyone!

Looking to the future, we still have a bunch of stuff in the works:

• Adding support for WebSockets over HTTP/2, as defined in RFC8441. This requires a fairly extensive overhaul of the HTTP/2 process model, but should be doable while maintaining backwards compatibility and so will be a later 1.x release
• Moving protocol switching into Thousand Island, to mirror the transport upgrade work currently in progress
• Implementing NIF/Rustler based support for native implementations of hot code paths within Bandit. This will be opt-in by default, but should provide for some substantial performance gains in many common cases
• Implementing improvements to Plug (or elsewhere) to facilitate gRPC style connections. This is likely a 2.0 feature
• HTTP/3 support remains on the horizon, though it’s still a long way away

As I’ve talked about before, bandit was originally created out of necessity to sit in between Thousand Island and HAP. The 0.1.x releases of bandit were very much works in progress, with little testing and rough edges aplenty. It really only implemented the barest of requirements to satisfy the HTTP/1.1 needs of the HomeKit Accessory Protocol, with Thousand Island providing the custom socket-level encryption required. Now that HAP has more or less reached completion, I’m turning my attention back to bandit to focus on its usefulness as a general purpose Plug-centric HTTP server.

How bandit Works

Like almost any server, bandit has a pretty straightforward job:

1. Wait for connections from clients
2. Handle each connection to completion
3. Do the above as efficiently as possible

Fortunately for us, steps 1 and 3 are largely addressed by the underlying Thousand Island library. As a socket server, its job is to listen for connections on a TCP port (with optional SSL/TLS security) and pass each separate client connection to a handler module for processing. Thousand Island doesn’t concern itself with what a handler module actually does with the connection; the handler could be an HTTP server or any other protocol, custom or otherwise. A socket server’s only job is to accept client connections as they come in and to efficiently pass them up to whatever handler module is configured.

I’ll have lots more to say about Thousand Island in a future post, but for now it’s sufficient to understand that every client connection ends up as a distinct Elixir process; one TCP connection equals one Elixir process. Each such process is handled in complete isolation from one another, so a handler module implementation only needs to concern itself with how to handle a single connection. A handler process is free to take as long as it needs to properly handle its single connection, without regard for the overall (network) scalability of the server.

When it comes to implementing a handler module to actually handle an HTTP client connection and see it through to completion, the particular details of HTTP as a protocol come into play. The atomic unit of an HTTP connection is a request. If you’ve ever connected to an HTTP server via telnet or nc you’ve likely seen something like the following:

$ nc example.com 80
> GET /hello_world HTTP/1.1
>
< HTTP/1.1 200 OK
< Content-Length: 12
< 
< Hello, World

This is the simplest example of an HTTP/1.1 request from start to finish; a client connects, asks to undertake a specific action on a specific resource (to GET the /hello_world resource in this example), and the server responds with the result.

In the case of bandit and other Plug based servers, the actual business logic of fulfilling a request is carried out by an application by means of the Plug API. Each client HTTP request is translated into a Plug.Conn struct and passed to the application via the Plug behaviour. The Plug API provides functionality to enable application code to render responses back to the client, which again is mediated back to a server implementation via the Plug API (the Plug.Conn.Adapter behaviour in this case). At its core, even a complex application framework such as Phoenix is ‘just’ a Plug application¹.

Putting all this together, we have a stack that looks something like this:

The job of a Plug based HTTP server is to accept client connections and convert every request within that connection into a Plug call. With HTTP/1.x clients such as the previous example, this is fairly straightforward. HTTP/1.x connections can only make a single request at a time (and in fact often only ever issue a single request before closing the connection). From a process perspective things are simple; since Thousand Island provides us each connection in its own process, and since only a single request can be in progress at a given time within that connection, it is a natural fit to simply host the Plug call in the same process that Thousand Island provides us. It’s a simple process model that completely captures the needs of the protocol while also being scalable.

Supporting HTTP/2 is a bit trickier. The primary benefit of HTTP/2 over previous versions is that it supports making multiple concurrent requests within a single connection (in HTTP/2, these separate requests are called streams). At any given time, an HTTP/2 connection may have zero, one, or hundreds of concurrent streams on the go, and the job of an HTTP server becomes much more complicated as a result. Various failures and error conditions are local to the stream (in which case other streams within the connection are unaffected), while some are fatal to the connection as a whole. Moreover, since each stream contains its own request and each request maps directly onto a Plug call, we need to devise a way to run each stream within its own process but still be subservient to the overall connection process.

As it turns out, this isn’t actually all that difficult thanks to the wonders of OTP’s process model. I’ll be covering the bandit HTTP/2 process model in detail in a future post, but the implementation is actually pretty straightforward; we end up with a single process to manage the overall connection (this is the same process that is handed to us by Thousand Island), as well as one process per stream. The individual stream processes are essentially thin wrappers around a Plug call, and exist mostly to allow streams to be processed concurrently. Meanwhile, the connection process takes care of marshalling the stream processes, ensuring synchronization of network communication, and managing the overall connection life cycle.

Current Status

As of 0.3.2 (released today), bandit should be usable for almost everything you can throw at it from common HTTP/1.x and HTTP/2 clients. There are a number of HTTP/2 features still to implement, but most interactions should be able to hobble along in their absence. The general roadmap forward is as follows:

• Implement HTTP/2 support in the 0.3.x release train (targeting a Q321 completion)
  • Implement CONTINUATION frame support in 0.3.3
  • Implement WINDOW_UPDATE and PRIORITY frame support in 0.3.4
  • Implement PUSH_PROMISE frame support in 0.3.5
  • Improve SETTINGS compliance in 0.3.6
  • Tackle any remaining h2spec conformance issues in 0.3.7
• Re-implement HTTP/1.x support in the 0.4.x release train (the current implementation is somewhat patchwork as it dates from my earliest 0.1.x work)
• Add WebSocket support in the 0.5.x release train (details TBD)
• Improve overall documentation, configurability & telemetry support in the 0.6.x release train
• Integrate with Phoenix’s adhoc Cowboy support in the 0.7.x release train
• Roughly targeting Q122 for a bandit / Thousand Island 1.0 release

A primary goal of bandit is strict protocol conformance. Throughout the 0.3.x release train, I have been making extensive use of the h2spec test suite, and have wired it up into the bandit test suite. This is actually a pretty neat little bit of test tooling (due credit to Ace’s h2spec test which was the inspiration for this). This setup makes it possible for me to develop features while testing directly against an external conformance suite, even narrowing the tests down to a particular section of the HTTP/2 spec:

# Let's test some stream state transitions...
$ H2SPEC=http2/5.1 mix test.watch --only external_conformance

These tests are in addition to exhaustive protocol and Plug API conformance testing, both done using more conventional ExUnit testing. The combination is proving to be both comprehensive and efficient, and I’m hoping to set something similar up for the upcoming HTTP/1.x and WebSockets work.

Wrapping It Up

Over the next several months I’ll have lots more to say about bandit, Thousand Island, and HAP. I’m planning on doing a series of long-form articles diving into the details of each library and also some shorter pieces covering current development progress along the way towards 1.0 releases of bandit and Thousand Island. Please check out the Thousand Island and bandit projects, kick the tires on them and let me know what you think (and of course, PRs are always welcome!)

The answer, as it turns out, is ‘rather’.

I’ve mostly reached the end of this project (or at least, I’m far enough into it to have a complete map of everything that needs to be done to get it over the line), and along the way I’ve had to take quite a few detours:

• I built a Nerves powered desk clock to learn the ins and outs of Nerves (I did a talk about it). There were a few sub-detours here as well to draw things and also to display them
• I wrote Thousand Island, a pure-Elixir socket server (along the lines of ranch) to power the socket-level encryption required by the HomeKit Accessory Protocol (I did a talk about this too)
• I wrote a pure-Elixir HTTP server called bandit to work alongside Thousand Island
• I implemented the HomeKit Accessory Protocol in Elixir and released it as HAP. It allows Elixir apps to act as HomeKit accessories & be natively controlled from any iOS device (HomeKit support is built into iOS)
• Along the way I submitted a half-dozen or so upstream issues, ranging from QR code rendering to a subtle but nasty crypto bug in OTP

I’m a big fan of the make hard changes easy philosophy, and so while the list of diversions I’ve taken along the way may seem long, it was really just a matter of iteratively breaking the large problem down into a series of small ones & working them through. And now—finally!—I’m at the point where I can write a simple Nerves app that uses HAP to talk to HomeKit & interfaces with an IR blaster to actually control our air conditioner (I haven’t quite figured out that last bit yet, but it’s a solvable problem & just needs to be done).

In the spirit of do things, tell people I’ll be laying out a series of posts here over the next several months describing this journey & the things I’ve built along the way, as well as the parts I still have to build. While I think there’s a lot of value in HAP on its own, I’ve come to believe that Thousand Island and bandit are probably the real crown jewels of this whole project and I’m excited to share them with people.

The Elixir web stack is developing at a breakneck speed, with Phoenix pioneering a bunch of features that are miles beyond most other platforms. However, the layers further down the Elixir networking stack start to become quite opaque quite quickly. Cowboy and ranch are both fantastic libraries, but they can be quite daunting reads for an Elixir developer unfamiliar with Erlang, even more so as they do quite a bit more than serve requests to a Plug API. As a result the lower levels of the Elixir network stack aren’t as discoverable as they should be, which is a particular shame as this is one of the places where the unique genius of OTP really shines.

Thousand Island and bandit are key missing pieces to help bridge this gap. Between them, they provide some very tangible benefits to the Elixir community:

• Thousand Island provides straightforward & extremely flexible APIs entirely in native Elixir, making it easy for any Elixir developer to build their own network services using a familiar set of tooling. Applications get essentially unlimited network scaling for free, based on Thousand Island’s use of standard OTP design principles. Comprehensive telemetry instrumentation provides built-in visibility all the way down to the socket level

• bandit provides a modern web server with robust & extensively conformance tested implementations of foundational standards such as RFC 2616 (HTTP/1.1), RFC 7540 (HTTP/2), and RFC 6455 (WebSockets) and is built specifically to serve a Plug API. Less complexity & modern idioms make bandit the obvious choice for future development on emerging standards such as QUIC

• Both libraries have been built from day one to be approachable, clean in design, and easy to understand and extend. They both deeply embrace OTP design principles and serve as great case studies for what the platform is capable of

• By providing a second implementation of a supporting HTTP server, bandit will help to improve the robustness and flexibility of the Plug and low-level Phoenix APIs to ensure that they are truly agnostic to the underlying library & can grow to adopt currently unsupported features such as HTTP trailers

All-in-all, I’m very excited to see where the rest of this journey takes this project. While it’s still early days, I don’t think it’s too audacious of a goal to see Thousand Island & bandit take the lead as the go-to libraries for networking in Elixir, or even to see them as the default choice in new Phoenix installs sometime in the future. Stay tuned!

Setting the scene

From January through May, we were living in Waterloo with my in-laws. We moved back to our house in Toronto in May, and spent August in Italy. That gives us about six months of ‘normalcy’. Taking into account the work I started while living in Waterloo, I’m counting roughly 7 months of work done in 2012. Now that our family’s health issues are (hopefully) behind us, I’m expecting 2013 to be a full year work-wise (which means roughly 10½ months of paying work planned for 2013).

What went well

I’ve had three large contracts throughout the year, plus a few smaller one-off engagements. At a high level, I’m really enjoying contracting. Although I remember my time as a wage-slave with nostalgia, I prefer the freedom (both time and technical) that contracting affords. So that’s good.

I spent about 40% of my time in 2012 on iOS development, and having developed 8 apps from conception to ship-ready, I now consider it my most solid platform. Sharecropping issues aside, I really enjoy writing in it, am very productive, and have enough contacts for future contracts that I can keep busy (and command a good rate) for the foreseeable future. In that sense, my iOS work has been a good short-to-medium term investment. I’m wary of basing a long-term career on it, but for now it’s too lucrative (and frankly too enjoyable) to pass up.

The same goes (to a lesser extent) with Javascript, where I also spent about 40% of my time. I’ve now done enough work that I have my own style (and reasons for it, and am perfectly comfortable with the idioms and limitations of the language. I don’t really like it all that much, but it’s an undeniable fact of life, and with my long term goal of moving towards the open world, I can’t ignore it.

Money wise, we’re well ahead of our monthly burn rate, with lots of money left over (if anyone is interested, I’m happy to talk harder numbers, just not in public). All my contracts are reliable clients, so collecting hasn’t been an issue (with the caveat that waiting to get paid for the first few months of contracting was really tough). So overall we’re good on the money front.

2012 was also the first time that I’ve ever bothered doing any formal paperwork in terms of running a business (for now that means registering as a sole proprietor & getting an HST number. I’ll look at incorporating next year). While Freshbooks isn’t perfect, it’s 90% of what I need, and it’s free. Tax prep doesn’t look that much harder than previous years, and most of the financial decisions to be made with respect to incorporating / taxation / etc are quite clear to me. Contract negotiation and client management isn’t that hard either. In short, the actual running of a business is nowhere near as daunting as I’d always thought it to be. It’s actually kinda fun as long as I’m not doing it every day.

I also kicked out a couple of fun side projects this year, notably matchat, Easel, and two yet-to-be-released iOS pods. One thing I really missed about working at Well.ca was the amount of fun & short duration side projects I worked on. I’d like to design my work around more of those in 2013.

Near the end of the year I started doing weekly Skype checkins with an old friend and colleague with the aim of having a technical sounding board for tactical decisions, mostly technical in nature. This is helping a lot, especially with iOS development where I’m the only one of my Toronto cohort who’s on the platform. I’d like to keep doing more of this in 2013.

What went badly

While we were still living in Waterloo (and while I was waiting for the paperwork to be processed on the first contract I picked up), I spent about two months putting three iPhone apps together. All of these apps are basically store-ready at this point, yet only one of them is actually in the store. Even though none of these apps are real money-makers, there’s still a psychological price to be paid for not shipping, especially with products that are this close to being done. I need to get better at this.

Networking. I did some in 2012, but not as much as I’d like. I’d set some goals in this respect with a few colleagues, and we all did a collectively awful job in living up to them. I’d like to do a better job of this in 2013.

Tuning out on vacation. We spent August in Italy, and I made some promises regarding workload during that time that I wasn’t able to keep. I let people down and created needless stress for myself when the better approach would have been to just unplug for the month. Next year, I’ll do that.

Other than that, I think 2012 was a banner year (at least considering where we stood this time last year), and there’s not a whole lot I would have changed.

Looking forward to 2013, I have contract work lined up through the first 4-6 months of 2013, with solid leads on work for the balance of the year. I’d like to wind down from 5 days a week to 3-4 by mid-summer, and take the balance of the time to tackle my own non-paying work. Either way, it’s comforting to know that the work is there if I need it. We’re also planning on taking a month off to travel again, probably in September.

So that’s that. As we wrap up 2012, taking stock of everything has reinforced what I already kind of knew; that it’s been quite a good year. And you?

Smart Keywords is my implementation of Smart Keywords for Safari, using these new APIs. It’s super simple (28 lines of Javascript, the majority of which is code to read & write configuration data), easily configurable, and – owing to its simplicity – should be crashproof.

To install Smart Keywords, download the extension and double click on it to install. Configuration is straightforward, and is done in the extension tab of Safari’s preferences. Due to the way in which extension configurations are defined, you can define a maximum of ten keywords (this is a soft limit. If you want more, either ask me, or else fork the project and add them yourself).

To customize a keyword, enter in the keyword you want to match (say, for example ‘wiki’ to match searches of the form ‘wiki bananarama’). When you enter this keyword in the address bar, it will be replaced with the contents of the matching URL instead, with the remainder of your query being substituted in for %s in the URL. As an example, if you have the keyword ‘foo’ defined with a URL of http://example.com/search?query=%s, then entering ‘foo bananarama’ will take you to the URL http://example.com/search?query=bananarama. Note that spaces in your entered URL are automatically URL escaped to %20, which is usually what you want.

Comments / feedback are welcome. If you find any bugs or missing features, please let me know!

Agent Forwarding

The theory is described here, but here’s a distilled version of how to get SSH Agent forwarding working:

1. If you don’t already have one, create your SSH key pair via:

    ssh-keygen -t rsa
   

   Ensure that you put a passphrase on this (it can be as strong as you want, since you’ll only ever have to type it in once).

2. Push the public key component to the remote server you want to connect to:

    cat ~/.ssh/id_rsa.pub | ssh user@remote "cat >> .ssh/authorized_keys"
   

   Many OS’s (not OS X, sadly) include an ssh-copy-id user@remote command that automates this.

3. Connect to the remote machine using your new key:

   ssh user@remote
   

   If you’re on OS X or a reasonably friendly Linux box, you should get a native OS dialog asking you for the passphrase you just put on your private key. Enter it, and you should be golden. If you’re on another OS that doesn’t provide an automated agent, you probably want to look at this for more info.

4. Note that you can now make onward connections from the remote machine without being prompted to authenticate again. Magic!

Proxying connections through a bastion host

This is crazy useful for maintaining a cluster of machines without having to expose their SSH servers to the internet. All you need to keep open is ssh on your bastion host and you have access to anything on the internal machines nearly automatically. Here goes:

Let’s say you have an internal network of machines in a .internal domain (maebe.internal, gob.internal, etc). Assuming you already have SSH access to these machines as detailed in the previous section, you can simply add something like this to your ~/.ssh/config file:

Host *.internal
ProxyCommand ssh <bastion_host> nc %h %p

and you’ll magically be able to run ssh commands like the following:

ssh maebe.internal

What??? How does my machine know to resolve maebe.internal from anywhere on the internet, you ask? What’s happening here is that SSH is applying the config for *.internal to your connection request, and running the request through ProxyCommand. As such, your destination hostname actually gets looked up in the DNS context of the bastion host, which (presumably) knows how to resolve maebe.internal. Once again, Magic!

Optimal Layout fully supports Spaces: you can easily see which Space a windows is in. In the version purchased from this site you can also move groups of windows between Spaces with a keyboard command, note that this feature is not available in the version of Optimal Layout available on Apple’s Mac App Store.

As an iOS App Store developer I wish I could say I was more excited about the Mac App Store, but balkanization such as this can’t possibly bode well for the platform’s health outside the walled garden.

Oops.

whereami <note to self>

and it will start being reflected in your terminal prompt. When you sit down to work again, run

whereami

with no arguments to clean out the note to yourself. Because it works using environment variables, you can use this on any number of terminal windows without interference.

Code here:

This has also been added to my dotfile project.

On the other hand, I’ve always liked shorewall. Its config language has always seemed very flexible and easy to grok, it has great documentation, and since it’s just iptables under the covers, there’s no magic to it. Thinking about things further, I realized that most of my pain points were really more about how people go about setting up firewalls than about firewalls themselves. Such a central and yet seldom-touched piece of infrastructure is exactly the kind of place you want repeatability and process, and exactly the wrong place for ad-hoc hacks. Hence, filewall was born.

In one line, git + capistrano + shorewall = filewall

Filewall is a mix of capistrano and shorewall that lets you keep your firewall configuration in SCM, and lets you deploy it to your routers in a simple, sane and structured way. It takes a great firewall and marries it to a great deployment system to make a great deployable firewall. Wicked.

Changes made with filewall are safely deployable; deployments incorporate a dead-man switch, wherein the rule changes are temporarily turned up for a timeout duration, and actually made permanent only if you subsequently affirm that they do what you intended them to. If you accidentally fry your config, filewall will restore your old configuration as soon as the timeout expires. You’ll never be locked out again.

Committed configurations are immediately wired into the filesystem, so your firewall works predictably across reboots. And since it’s capistrano based, you have access to all the rollback awesomeness that capistrano provides.

If you’re responsible for a more complex network, you can easily store all of your configurations as branches and keep all of your sensitive network config in one place, keeping all of your routers locked up with one public key. And don’t forget that software routers are fast, so you probably won’t be outgrowing filewall anytime soon (and even if you do, filewall is hardware agnostic. As long as it runs Debian, it runs filewall).

So say hi to filewall. It’s what you want.