Those lovely people at Pedal On Parliament are organising Pedal On Postbox. The idea is to get together a like-minded group of people to descend on a local postbox (ideally a golden postbox so as to hook into the Olympic legacy vibe) for a photo opportunity of us all posting letters and postcards to our local councillors highlighting areas in need of change where cycling infrastructure is concerned, and encouraging them to become agents of these changes.

I saw this as an opportunity to organise my own local event. Other events are happening in Edinburgh, Glasgow and Dumfries. There is a golden postbox in the city of Dunblane, in honour of Andy Murray’s Men’s Singles Olympic gold, which is not far from where I live, so I decided to organise an event there at 2:30 pm, Sunday September 16th, 2012.

I live in Alva, which is in the same constituency as Dunblane (our MSP is Keith Brown), but is not in the same local council area. Stirling council are responsible for Dunblane, while Clackmannanshire council look after Alva.

Since I work in the Stirling area, and travel there most weekends I believe I am justified in writing to Stirling council, despite not living within their borders.

Clackmannanshire

Clackmannanshire council have done a fairly good job of late. They have completed the path between Menstrie and Tullibody, and laid smooth tarmac on a stretch of the Menstrie-Alva back road that just a year ago was a gravelly lump.

Menstrie - Tullibody Path

The lovely new path between Menstrie and Tullibody

Alva Back Road

Some new tarmac on the back road, plus gates to stop it becoming a rat run.


Google Street View shows how it used to look.

There is a good network of paths in Clackmannanshire, but there are still a couple of journeys that are tricky.

The back road to Menstrie is the only way out of Alva that does not involve a busy main road. If you want to head to Tillicoultry then your choices are either the A91 which is busy, fast and a favourite speedway for some of the local idiots, or up into the hills via the Woodland park, which is tarmac up to the park, but soon becomes bumpy gravel that only the sturdiest mountain bikes can traverse.

If you want to get to Alloa or Sauchie then you can either take the long way via Menstrie, or get your heart in your mouth heading up Brook Street and over the Collyland Roundabout (with its wide lanes, fast approaches and mad drivers).

So, I would like to see Clackmannanshire Council improve cycle access from Alva to other parts of the county, not just Menstrie.

Dunblane

I don’t live in Dunblane, nor do I visit often, but since we’re meeting here I feel I should mention cycle access to the city. There are numerous quiet roads heading north, but Dunblane is a popular residence for people working in Stirling. To get to Stirling on a bike you have three choices.

The first is up the main road towards the Keir roundabout. This roundabout is where the M9 motorway meets the A9 dual carriageway. The traffic here is crazy. I cycle it myself but I would never consider taking anyone but the most confident road cyclists that way.

Dunblane Cycle Path

Cycle path in Dunblane. It’s really just a bit of extra road that was left over when the inside lane was turned into parking spaces. It goes into the door zone in parts.

End of Cycle Lane

The cycle lane is short-lived. What should I do here? Buckle my wheel on the kerb? Swerve into traffic? This is really poor.

Footpath out of Dunblane

The footpath alongside the road out of Dunblane. It’s not well maintained and not, legally speaking, suitable for cycling.

This video shows how busy the Keir Roundabout gets. This was taken around lunch time on a Friday.

Another choice is via Sheriffmuir. Well, only if you’re a serious climber who likes taking the long way round. It’s a serious climb.

Finally there is Glen Road. Ah, Glen Road. It used to be a tarmac road between Dunblane and Bridge of Allan, and was used by motorised traffic. However, subsidence into the Allan Water meant that the road was closed to motors and given over to walkers and cyclists. Glen Road would be the ideal way between Dunblane and Bridge of Allan and beyond if it were not for one problem. The road is a mess. I rode it late last year and managed it on my road bike, even though it was a little slushy. Today I went up there to discover great chunks gouged out of the road. There is also a bit where there has been a mud slide onto the road. The solution has been to use a few logs to make steps up to a narrow muddy path.

Glen Road, Bridge of Allan

Glen Road at the Bridge of Allan end. Shake dem bones on this surface.

Glen Road Sign

According to the sign, Glen Road is a shared use path, with cycling as one of the available uses.

Mud Pile on the road

But a big pile of mud on the road makes access difficult for everyone.

Water damage

What on earth happened here? Flood damage?

Mud Slide

Wow! That’s an impressive mud slide.

Mud Slide Solution

I really hope this makeshift path around the mudslide is not the final solution. It’s not suitable for cyclists or horses.

Dirty Bike

My filthy bike after traversing Glen Road.

Stirling Council need to consider the solutions. Either we need a decent cycleway between Dunblane and Bridge of Allan via the Keir roundabout, fully protected from motorised traffic around the roundabout, or we need a decent surface on Glen Road.

A91 and A907

Travelling from Clackmannanshire to Stirling has been made easier since the new Stirling to Alloa road was opened. The original road is now a joy to cycle, and is easy to access via the paths from Alloa and Menstrie. However, on crossing into Stirling District you then encounter the roundabout where the A907 crosses the A91. This is another crazy roundabout. The only provision here for cyclists is a few dropped kerbs and signs telling us to get off and walk. But where to? Beyond this roundabout there is no cycle provision in any other direction. All you can do is join a busy main road, and believe me the roads are busy enough that I would not like to take my family on them. Would it be possible to build a path from the end of the old Alloa road towards the railway, and cross the A91 under the bridge alongside the railway? I don’t know, but something needs to be done at this roundabout because the status quo is not acceptable. This video shows the roundabout at 5pm on a Friday from the point at which the old Alloa road ends.

These are the three areas that I will be mentioning to our councillors in my letter to them that will be posted in the golden postbox on Sunday.

April 28th 2012 was the most amazing day. I was there. One of around 3000 people who gathered at The Meadows in Edinburgh to cycle to Holyrood and hand in an 8 point manifesto that we believe will make cycling in Scotland safer, and encourage more people to choose cycling over less sustainable forms of transport. Yes, 3000. Seeing the line stretch back along the meadows was fantastic.

More information on Pedal On Parliament can be found at their website. Other people have done an excellent job of blogging about the day, so rather than repeating them, here is my story.

I drove to Edinburgh. I know, I’m sorry, but I live 35 miles from Edinburgh and had my young family with me. Three bikes on the rack and one in the boot, we drove to West Bryson Road where there is free parking on Saturday and it is just by Harrison Park where we met the feeder ride.

There we met Andy who had volunteered to ride my bike and tow my 5 year old son. Andy runs Story Bikes in Edinburgh. My boy really enjoyed riding with him.

I then met THE CONTRAPTION.

A Hase Pino semi-recumbent tandem had been borrowed in order that I might ride on the front playing my guitar. My pilot was Steven, whom I had never met before, and who had never ridden a Pino before that morning. When flung into a situation like this you have to bond and trust each other pretty quickly, and I think we managed it. Eventually. After we had sorted out how to pilot this thing the group set off for The Meadows. At the first set of traffic lights the group turned left. All except myself and Steven who had not worked out how to do such a sharp turn and carried straight on. After jumping off and crossing the road on foot we managed to catch up with the group.

Harrison Park Feeder Ride heading towards The Meadows.

Photo by Neil McManus

The feeder ride was an opportunity to get to grips with the Pino, and grip was what I did. By the end of it Steven and I had sussed out how to work together and were a little less wobbly. I even managed to bang out a few chords on the guitar. The police guided us onto The Meadows where we stopped for a picnic and a sing-song.

Photo by Andy Hunter

People then started to move towards the path ready to start so we joined in. We were about 200 yards from the front. Before we headed off there was a minute’s silence in honour of those recently killed in cycling accidents on Scotland’s roads. The minute’s silence was followed by a mass ringing of bells to celebrate cycling in Scotland.

#POP28 – post-minute’s-silence-dinging from wingpig on Vimeo.

Then we were ready to go.

Waiting to leave The Meadows.

Photo by David Martin

By the time we left The Meadows I had got the hang of riding and strumming.

It’s just under a mile and a half to Holyrood from The Meadows and it is hoaching with tourists. A lot of photos were taken that I’ll never see. It’s not every day you see a madman on a bike playing a guitar.

Stopped on the Royal Mile.

Photo by Richard McCaig

This video gives an excellent summary of the ride. Listen carefully at around 5:40 for a rendition of “Crazy Little Thing Called Love” from a cyclist who makes a fleeting appearance at the right hand side of the picture.

My only regret is that it was after the event that I thought of doing a modified version of The Proclaimers’ “500 Miles”. I’ll stick it in my pocket for next time. Before we knew it we were at Holyrood.

It was only after my kids had been in the pool that I saw the sign advising against it. My wife looked after the kids so I could listen to the speeches.

I am left feeling optimistic after hearing the MSPs promise to present our manifesto to Parliament.

It was getting late and the family were tired so we decided to head home. Andy handed my bike back and went off with his wife. Steven headed off on his own with the Pino, and I managed to sling the guitar round my shoulders and ride my own bike towing my boy. We followed a cyclist with “Harrison Park Feeder Ride” pennants but he shot off into the distance. I’d like to extend a massive thank you to the heroic Kevin who (despite not heading in our direction) guided us to the Union Canal and pointed us in the right direction along the tow path.

Thanks to Sara for organising the Pino, Robert for lending it to us, Steven for piloting me, and to Andy for taking Douglas and freeing me up to have one of the most fun bike rides ever.

In case you are interested here are a few links about the event.

Firstly is the Pedal On Parliament Flickr group.

David Brennan is the man who started it all. Here’s his blog.

Join our Facebook group if you have not yet done so.

Oh, and we got a beautiful write up from STV.

I’m really excited about Pedal On Parliament on 28th April. To celebrate and publicise it I created this wee music video.

If you want you can get the song as an MP3 – getonyourbike.mp3

Or help yourself to the ringtone – bikeringtone.mp3

In part 1 I showed you how to use a combination of pound, haproxy and stunnel to create a cookie based load balancing solution on Debian GNU/Linux 6.0. In part two I will show you how to make the system more resilient.

Aims

If you have followed the instructions in part 1 you should have two web servers and a server that is acting as a load balancer between them. This solution will work well, but in the event of an unexpected failure in one of the nodes the system will cease to function properly. Either half your users will have their connection forwarded to a broken web server, or (if the load balancer fails) the whole system will be unavailable.

In this part we will set up two new features.

  1. A second stand-by load balancer that can take over load balancing should the primary one fail.
  2. A system that monitors the web servers and adjusts the load balancing rules to remove servers that have failed.

Outwith the scope of this document is the monitoring that you should be doing anyway so that you can react to failed services. My preference is Nagios but other monitoring systems are available.

Assumptions

The IP addresses will change slightly here. Since 192.168.0.1 was the address of the load balancer, it will remain the address of the load balancer, but only from a user’s perspective. Here are the addresses as they should stand now:

192.168.0.1 – Load balancer IP address that will float between the two load balancers.

192.168.0.2 – Web server 1

192.168.0.3 – Web server 2

192.168.0.4 – Load Balancer 1

192.168.0.5 – Load Balancer 2

Initial Set Up

Change the IP address of your current load balancer to 192.168.0.4, then head over to part 1 and set up your second load balancer with pound, haproxy and stunnel. Make sure to configure pound to listen on address 192.168.0.1, and also to tell haproxy to listen on 192.168.0.1:80 if you are load balancing http as well as https.

Heartbeat

Heartbeat is the software that will allow the secondary load balancer to take over if the primary one fails. Install it with:

apt-get install heartbeat

Then, on both load balancers, configure it by creating the following files:

/etc/ha.d/ha.cf

logfacility     local0
keepalive 2
deadtime 10
warntime 10
initdead 20
udpport 694
auto_failback on
node    balancer1
node    balancer2

ucast   eth0 <other nodes ip address>

On each load balancer, replace <other nodes ip address> with the IP address of the other load balancer. This tells heartbeat where to find the other node in the cluster. balancer1 and balancer2 are the resolvable host names of the two load balancers.

/etc/ha.d/haresources

balancer1 192.168.0.1 stunnel4 haproxy pound

This tells heartbeat to manage the 192.168.0.1 IP address and also to start/stop stunnel, haproxy and pound. It also specifies balancer1 as the primary load balancer. This, plus the auto_failback on setting, tells heartbeat to always use balancer1 if possible and to revert to using it as soon as it comes back to health.

Once you have configured heartbeat, restart it on both load balancers and check the IP address with ifconfig. You should see eth0:0 on the active node with the IP address of 192.168.0.1. Shut down heartbeat on balancer1 and run ifconfig on balancer2 and you should see it take over 192.168.0.1. Start heartbeat on balancer1 and it should take the IP address back.

Monitoring the Web Servers

Monitoring the web servers is done using mon. Mon will constantly monitor the web servers. If one goes down mon will trigger an alert that will adjust the load balancing configuration. The alert program works by maintaining a sqlite database in which it records the “state of the world” and then uses the contents of that database to regenerate the haproxy configuration before restarting haproxy.

From our perspective an SQL database is the simplest way to maintain the “state of the world” so that we do not have to write our own faffy flat file handling code, but the amount of data and amount of access is too small to require a full blown MySQL, Postgres or (God forbid) Oracle installation. For this reason I chose sqlite.

All the steps shown below in this section should be executed on both load balancers.

Install the software:

apt-get install mon sqlite3 libdbd-sqlite3-perl

SQLite Database

Next we need to create our sqlite database as follows:

sqlite3 /etc/mon/balance.db
CREATE TABLE balance (type text, checkurl text, targeturl text, status text);
INSERT INTO balance
VALUES('plain','webserver1','server webserver1 192.168.0.2:80 cookie webserver1 maxconn 5000','up');
INSERT INTO balance
VALUES('plain','webserver2','server webserver2 192.168.0.3:80 cookie webserver2 maxconn 5000','up');
INSERT INTO balance
VALUES('ssl','webserver1','server webserver1 127.0.0.1:82 cookie webserver1 maxconn 5000','up');
INSERT INTO balance
VALUES('ssl','webserver2','server webserver2 127.0.0.1:83 cookie webserver2 maxconn 5000','up');
.exit

That will create your sqlite database. In order for mon to be able to maintain it, ensure that balance.db is owned by mon and that mon has read/write access to it. You should also ensure that the /etc/mon directory has mon as its group and has group write permissions (SQLite creates its journal file alongside the database).

The event handler

By default mon event handlers (or alerts as they are known) live in /usr/lib/mon/alert.d

In this directory we need to create the balance.alert program as follows:

#!/usr/bin/perl
# mon alert: record the web server's state, rebuild haproxy.cfg and restart haproxy.
use strict;
use warnings;
use DBI;
use Getopt::Std;

# -g <hostgroup> names the web server; -u is set when the server has recovered.
our ($opt_g, $opt_u);
getopts ("g:u");

my $dbargs = {AutoCommit => 1,
              PrintError => 1};

my $dbh = DBI->connect("dbi:SQLite:dbname=/etc/mon/balance.db","","",$dbargs)
        or die "Cannot open /etc/mon/balance.db: $DBI::errstr\n";

# Bind the values as parameters rather than interpolating them into the SQL.
my $status = $opt_u ? 'up' : 'down';
$dbh->do("UPDATE balance SET status=? WHERE checkurl=?", undef, $status, $opt_g);

open(my $hap, '>', '/etc/haproxy/haproxy.cfg')
        or die "Cannot write /etc/haproxy/haproxy.cfg: $!\n";
print $hap <<"EOT";
    global
        log 127.0.0.1 local0 notice
        user haproxy
        group haproxy
        daemon
        maxconn 20000

    defaults
        log global
        option dontlognull
        balance leastconn
        clitimeout 60000
        srvtimeout 60000
        contimeout 5000
        retries 3
        option redispatch

    listen http 192.168.0.1:80
        mode http
        cookie WEBSERVERID insert
        option httplog
        balance source
        option forwardfor except 192.168.0.1
        option httpclose
        option redispatch
        maxconn 10000
EOT

# One "server" line for each plain HTTP back end that is currently up.
my $statcursor=$dbh->prepare("SELECT * FROM balance WHERE type='plain' AND status='up'");
$statcursor->execute();
while(my $statrow=$statcursor->fetchrow_hashref())
{
        my $targeturl=$statrow->{'targeturl'};
        print $hap "     $targeturl\n";
}
$statcursor->finish();

print $hap <<"EOT";

    listen https 127.0.0.1:81
        mode http
        cookie WEBSERVERID insert
        option httplog
        balance source
        option forwardfor except 192.168.0.1
        option httpclose
        option redispatch
        maxconn 10000
EOT

# The same again for the stunnel-fronted (ssl) back ends.
$statcursor=$dbh->prepare("SELECT * FROM balance WHERE type='ssl' AND status='up'");
$statcursor->execute();
while(my $statrow=$statcursor->fetchrow_hashref())
{
        my $targeturl=$statrow->{'targeturl'};
        print $hap "     $targeturl\n";
}
$statcursor->finish();

close $hap;
$dbh->disconnect();

# Only the node that currently holds the floating address restarts haproxy.
my $heartbeat = system("/sbin/ifconfig | grep 192.168.0.1");
if($heartbeat == 0)
{
        `sudo /etc/init.d/haproxy restart`;
}

Mon runs this program using options -g to specify the web server on which it is alerting, and -u if it is alerting that the server has recovered.

In order for mon to be able to run this program you need to ensure that the mon user can write haproxy.cfg in the /etc/haproxy directory. You also need to tell sudo that mon can run the /etc/init.d/haproxy script without needing a password. In /etc/sudoers add the following (preferably by using visudo to edit it):

mon ALL = NOPASSWD: /etc/init.d/haproxy

This program first updates the sqlite database with the status of the web server on which it is alerting. It then reads from the database and creates /etc/haproxy/haproxy.cfg according to the servers that are registered as “up” and then (if running on the active load balancer) restarts haproxy.
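The handler's update-then-regenerate cycle described above, as an added Python example (not the author's Perl script) run against an in-memory copy of the balance table. `ODD_GROUP`, the function names and the atomic-write step are assumptions of this example; the interpolated update is included only for comparison with the bound-parameter form.

```python
"""Added example: the alert handler's update-then-regenerate cycle."""
import os
import sqlite3
import tempfile

# Rows copied from the tutorial's INSERT statements.
ROWS = [
    ("plain", "webserver1", "server webserver1 192.168.0.2:80 cookie webserver1 maxconn 5000", "up"),
    ("plain", "webserver2", "server webserver2 192.168.0.3:80 cookie webserver2 maxconn 5000", "up"),
    ("ssl", "webserver1", "server webserver1 127.0.0.1:82 cookie webserver1 maxconn 5000", "up"),
    ("ssl", "webserver2", "server webserver2 127.0.0.1:83 cookie webserver2 maxconn 5000", "up"),
]

# Constructed input: a group name that contains quote characters.
ODD_GROUP = "x' OR '1'='1"


def make_db():
    """In-memory stand-in for /etc/mon/balance.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE balance (type text, checkurl text, targeturl text, status text)")
    conn.executemany("INSERT INTO balance VALUES (?, ?, ?, ?)", ROWS)
    conn.commit()
    return conn


def set_status_interpolated(conn, group, up):
    """Comparison only: the group name becomes part of the SQL text."""
    status = "up" if up else "down"
    cur = conn.execute(f"UPDATE balance SET status='{status}' WHERE checkurl='{group}'")
    conn.commit()
    return cur.rowcount


def set_status(conn, group, up):
    """Bound parameters: the group name is only ever compared as data."""
    status = "up" if up else "down"
    cur = conn.execute("UPDATE balance SET status=? WHERE checkurl=?", (status, group))
    conn.commit()
    return cur.rowcount


def server_lines(conn, kind):
    """haproxy 'server' lines for the back ends currently marked up."""
    cur = conn.execute(
        "SELECT targeturl FROM balance WHERE type=? AND status='up' ORDER BY checkurl",
        (kind,),
    )
    return [row[0] for row in cur]


def render(conn):
    """Both listen sections with their current server lists."""
    sections = (("plain", "listen http 192.168.0.1:80"), ("ssl", "listen https 127.0.0.1:81"))
    out = []
    for kind, header in sections:
        out.append("    " + header)
        out.extend("        " + line for line in server_lines(conn, kind))
    return "\n".join(out) + "\n"


def write_atomically(path, text):
    """Write beside the target, then rename over it, so a reader never sees half a file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".haproxy-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    db = make_db()
    set_status(db, "webserver1", up=False)   # what "balance.alert -g webserver1" records
    print(render(db), end="")
```

With the interpolated form the constructed name marks every row down and both listen sections end up with no servers; the bound form matches no row and leaves the table unchanged.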

mon.cf

Configure mon as follows:

cfbasedir   = /etc/mon
alertdir   = /usr/lib/mon/alert.d
mondir   = /usr/lib/mon/mon.d
maxprocs        = 20
histlength = 100
randstart = 30s
logdir = /var/log/mon
dtlogging = yes
dtlogfile = dtlog

hostgroup webserver1 webserver1.stir.ac.uk
hostgroup webserver2 webserver2.stir.ac.uk

watch webserver1
        service apache
        interval 10s
        monitor http.monitor
        period wd {Sun-Sat}
        numalerts 1
        alert balance.alert
        upalert balance.alert

watch webserver2
        service apache
        interval 10s
        monitor http.monitor
        period wd {Sun-Sat}
        numalerts 1
        alert balance.alert
        upalert balance.alert

Once done, restart mon.

Extra Resilience

Pound, haproxy and stunnel are fairly robust but I have known stunnel to crash before now. If you want to guard against any of the key processes crashing then you can configure mon to watch for them, and to shut down heartbeat if any of them die (thus migrating load balancing to the secondary server, which will start its own processes up at that point).

Mon does not provide an easy to use monitor to check if processes are up so I chose to use nagios for this purpose since the systems I use are already set up for full nagios monitoring and event handling.

Please get in touch if you have any comments or ways to improve this.

I am really sorry if I have angered you, as angering motorists is not something that I set out to do today when I got on my bicycle.
However I’d like to try and reason some of your anger away and respond to some of the typical issues.

Common Myths Regarding Cyclists

You Don’t Pay Road Tax

Please do not use this as an excuse for believing that cyclists have fewer rights on the road than you. “Road Tax” was abolished in 1937 because the government did not want those who pay it to believe that they have more rights than those who do not. The money you spend on your paper disc is not the sole funder of the roads. Roads are funded from general taxation, typically from central government for the main highways, and from local authorities for local roads. Therefore as a payer of income tax, VAT and council tax I pay my contribution towards the upkeep of the roads.

What most people call “road tax” is actually “vehicle excise duty” and is levied on the basis of emissions. There are many classes of road users who do not pay VED but still have the right to use the roads. Cyclists are one such class. In fact cyclists and horse riders have an automatic right to use the public highway. Motor vehicles are only allowed there by license after a series of stringent tests have been passed. Before flaming cyclists you need to ask if your driving was up to the standard required from the DVLA.

Please see http://ipayroadtax.com for further details.

You should be in the Cycle Lane

Cycle lanes are provided for the convenience and safety of the cyclists that choose to use them, however their use is not compulsory. The highway code has this to say about their use.

 

61

Cycle Routes and Other Facilities. Use cycle routes, advanced stop lines, cycle boxes and toucan crossings unless at the time it is unsafe to do so. Use of these facilities is not compulsory and will depend on your experience and skills, but they can make your journey safer.

62

Cycle Tracks. These are normally located away from the road, but may occasionally be found alongside footpaths or pavements. Cyclists and pedestrians may be segregated or they may share the same space (unsegregated). When using segregated tracks you MUST keep to the side intended for cyclists as the pedestrian side remains a pavement or footpath. Take care when passing pedestrians, especially children, older or disabled people, and allow them plenty of room. Always be prepared to slow down and stop if necessary. Take care near road junctions as you may have difficulty seeing other road users, who might not notice you.

[Law HA 1835 sect 72]

63

Cycle Lanes. These are marked by a white line (which may be broken) along the carriageway (see Rule 140). Keep within the lane when practicable. When leaving a cycle lane check before pulling out that it is safe to do so and signal your intention clearly to other road users. Use of cycle lanes is not compulsory and will depend on your experience and skills, but they can make your journey safer.

Cycle lanes are not always the safest places to ride. Sometimes they are too narrow and encourage cars to overtake too close. They may contain debris, potholes, snow, or sunken drains. They may take you into the “door zone” of parked cars, that area where a carelessly flung open car door could cause a fatal accident. They may be at the side of bus lanes and encourage cyclists to go up the left hand side of a larger vehicle which is extremely dangerous. Some of them are just downright stupid in their design. See here for some examples of brainless cycle lane design.

As mentioned earlier bicycles are allowed on the road by right, so the existence of a cycle lane does not mean a cyclist has to use it.

This brings us on to…

You’re in the middle of the road

By this I assume the middle of the lane, rather than cycling down the white line? It is a common misconception that cyclists should hug the gutter. There are several reasons why hugging the gutter is a bad idea.

  1. No escape route. If a pothole, drain or other obstruction appears you can only swerve right to avoid it, possibly into the path of the car that is overtaking you too closely.
  2. It encourages close passes. Some drivers are unaware how much space they should give a cyclist. If there is room to overtake without crossing the central line some drivers will do so.
  3. Visibility. You are more visible to traffic turning onto the road out of junctions or parking spaces the further out from the kerb you are.
  4. You are turning right. You should never overtake a vehicle that is signalling to turn right, and this includes cyclists. A right turning cyclist will move across the lane and should be able to do so unimpeded by overtaking motor vehicles.

The highway code has this to say about overtaking.

 

163

Overtake only when it is safe and legal to do so. You should

not get too close to the vehicle you intend to overtake
use your mirrors, signal when it is safe to do so, take a quick sideways glance if necessary into the blind spot area and then start to move out
not assume that you can simply follow a vehicle ahead which is overtaking; there may only be enough room for one vehicle
move quickly past the vehicle you are overtaking, once you have started to overtake. Allow plenty of room. Move back to the left as soon as you can but do not cut in

Give vulnerable road users at least as much space as you would a car

take extra care at night and in poor visibility when it is harder to judge speed and distance
give way to oncoming vehicles before passing parked vehicles or other obstructions on your side of the road
only overtake on the left if the vehicle in front is signalling to turn right, and there is room to do so
stay in your lane if traffic is moving slowly in queues. If the queue on your right is moving more slowly than you are, you may pass on the left
give motorcyclists, cyclists and horse riders at least as much room as you would when overtaking a car (see Rules 211-215)

Remember: Mirrors – Signal – Manoeuvre

 

It also includes this image to demonstrate how to overtake a cyclist.
How to safely overtake a cyclist

You can see from this that a cyclist has the right to use as much of the lane as they see fit. If you cannot overtake safely then you should wait patiently until you can.

You should not be cycling two abreast

The highway code states that we should not cycle more than two abreast, and should cycle single file on busy or narrow roads and when cornering.

Particularly when out with a group it is often advisable to cycle two abreast. It means that the train of cyclists is shorter and so easier to overtake. It also means that you cannot overtake when there is oncoming traffic and so encourages safer overtaking.

You’re a bunch of red-light-jumping pavement-cycling hooligans

It is true that some cyclists are idiots that jump red lights and break other highway code rules. However, the same is true for some motorists. It is not intelligent to tar us all with the same brush and use this as an excuse for anger towards a cyclist whom you have not witnessed cycling in this manner.

Common driving errors that irk cyclists

If you are guilty of one of these manoeuvres then you can expect a cyclist to berate you and possibly post a video of your sin on youtube, since some cyclists have started using video cameras while riding.

The close pass

Not much needs to be said about this since I show above how to overtake cyclists. Please do so safely as no one likes to be cut up.

The left hook

If you are turning left you should not be overtaking just before you do so. Overtaking a cyclist and then immediately slowing to turn left is extremely dangerous. You should hang back for a few seconds and let them clear the junction before you turn.

SMIDSY

“Sorry Mate, I Didn’t See You”.

The misjudged pull-out

A cyclist can be travelling at up to 40MPH, typically in the high 20s on the flat. Don’t assume that you have loads of time to pull out in front of one.

The task was simple. Create a load balancing solution in an attempt at creating high availability on a crucial service. The solution must support SSL and must support cookie-based persistence so that clients will always be sent to the same backend server.

Firstly I’d like to credit Bob Feldbauer of CompleteFusion whose instructions provide the basis for this solution. However Bob’s instructions were slightly lacking in that communication between the load balancer and the application servers is in the clear. Here I attempt to show how to encrypt all network traffic.

HAProxy is an extremely powerful load balancer and is up to the job for the most part. It can insert its own cookies for persistence, however it does not support SSL. This is not a show stopper, but is the reason why I felt the need to document my set up as it is a little complicated.

In order to ensure that haproxy was not involved in SSL I used stunnel. However stunnel can operate in client mode, or server mode, but not both. Creating two instances of stunnel could get messy so I decided to use stunnel in client mode to talk to the application servers, and to use pound on the load balancer to receive connections from the clients.

This system is running on Debian 6.0 (squeeze). Please adjust accordingly if you are using a different system.

Firstly make sure that all the software you need is installed.

apt-get install pound haproxy stunnel4

If you need your application servers to know the IP address of the originating client then check out Bob Feldbauer’s instructions on building your own stunnel including the xforwarded-for patch. Should you choose to build your own stunnel then the simplest way to make sure you are running it is to edit /etc/init.d/stunnel4 and set the DAEMON variable to the location of your hand-built stunnel binary.

Assumptions

I am using three servers here. The load balancer at 192.168.0.1, app server 1 at 192.168.0.2 and app server 2 at 192.168.0.3. Please substitute your appropriate IP addresses (but you knew that anyway, if that was not obvious to you then you shouldn’t be attempting any of this).

Get a Certificate

One of the first things you should do is get an SSL certificate. Have a look at Paul Bramscher’s instructions on how to create SSL certificates, but instead of self-signing it you probably want to get it signed by a recognised certificate authority. When you receive your certificate you need to set it up in the appropriate format for pound to accept it. The certificate file that pound will read needs your unencrypted key at the top of the file, followed by your signed certificate, then any intermediate certificates that your CA may have sent you. In this example I have placed the full certificate file in /etc/ssl/certs/fullcertificate.crt.

While you are in certificate mode I recommend creating self-signed certificates for each of the web servers. These should be installed appropriately on your web server software and will be used by stunnel to verify that it is talking directly to the web servers.
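The combined file layout that pound expects (unencrypted key first, then the signed certificate, then any intermediates), checked by an added Python example that is not part of the original tutorial. It inspects only PEM block labels and their order; the sample blocks are constructed placeholders, and the owner-only permission rule in `check_mode` is this example's assumption, not a documented pound requirement.

```python
"""Added example: check the layout of a combined key + certificate file for pound."""
import os
import re
import stat
import sys

# One PEM block: BEGIN line, body, matching END line.
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_bundle(text):
    """Return the problems found in the block order; an empty list means none."""
    problems = []
    blocks = [(m.group(1), m.group(2)) for m in BLOCK.finditer(text)]
    if len(blocks) != text.count("-----BEGIN "):
        problems.append("unterminated or mismatched PEM block")
    if not blocks:
        return problems + ["no PEM blocks found"]

    # The first block must be the key, and it must not be passphrase-protected.
    label, body = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        problems.append("private key is encrypted")
    elif label not in KEY_LABELS:
        problems.append("first block is not a private key")

    # Everything after the key must be a certificate (signed cert, then intermediates).
    rest = [lbl for lbl, _ in blocks[1:]]
    if "CERTIFICATE" not in rest:
        problems.append("no certificate after the first block")
    for lbl in rest:
        if "PRIVATE KEY" in lbl:
            problems.append("private key outside the first position")
        elif lbl != "CERTIFICATE":
            problems.append("unexpected block: " + lbl)
    return problems


def check_mode(st_mode):
    """Assumed policy: a file holding a private key grants nothing to group or others."""
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["file is accessible to group or others: %o" % stat.S_IMODE(st_mode)]
    return []


def check_file(path):
    """Run both checks against a file on disk."""
    with open(path, "r", encoding="ascii", errors="replace") as handle:
        text = handle.read()
    return check_bundle(text) + check_mode(os.stat(path).st_mode)


def pem(label, body="Y29uc3RydWN0ZWQ="):
    """Constructed placeholder block; the body is not real key or certificate data."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed samples: correct order, certificate first, passphrase-protected key.
GOOD = pem("RSA PRIVATE KEY") + pem("CERTIFICATE") + pem("CERTIFICATE")
CERT_FIRST = pem("CERTIFICATE") + pem("RSA PRIVATE KEY")
ENCRYPTED = pem(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nY29uc3RydWN0ZWQ=",
) + pem("CERTIFICATE")


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the GOOD sample.
    found = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_bundle(GOOD)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```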

Configuring Pound

Once you have a certificate you can configure pound to receive SSL connections, decrypt them and send them on to haproxy (which we will configure to listen on port 81) in the clear.

Create the following /etc/pound/pound.cfg:

User "www-data"
Group "www-data"
LogLevel 1
Alive 30
Control "/var/run/pound/poundctl.socket"

ListenHTTPS
    Address 192.168.0.1
    Port    443
    Cert    "/etc/ssl/certs/fullcertificate.crt"
    Service
        BackEnd
            Address 127.0.0.1
            Port    81
        End
    End
End

Also (on Debian) you need to edit /etc/default/pound to set startup=1. You can then run pound:

/etc/init.d/pound start

Configuring HAProxy

We will configure two aspects of haproxy. Firstly we can tell it to simply forward requests on port 80 to port 80 on the application servers. Secondly we tell it to take requests on port 81 (i.e. from pound) and forward them on to stunnel (which we will configure to forward the requests via SSL to the application servers).

Here are the contents of /etc/haproxy/haproxy.cfg (shamelessly copied from Bob Feldbauer and tweaked).

    global
        log 127.0.0.1 local0 debug
        user haproxy
        group haproxy
        daemon
        maxconn 20000

    defaults
        log global
        option dontlognull
        balance leastconn
        clitimeout 60000
        srvtimeout 60000
        contimeout 5000
        retries 3
        option redispatch

    listen http 192.168.0.1:80
        mode http
        cookie WEBSERVERID insert
        option httplog
        balance source
        option forwardfor except 192.168.0.1
        option httpclose
        option redispatch
        maxconn 10000
        reqadd X-Forwarded-Proto:\ http
        server webserver1 192.168.0.2 cookie webserver1 maxconn 5000
        server webserver2 192.168.0.3 cookie webserver2 maxconn 5000

    listen https 127.0.0.1:81
        mode http
        cookie WEBSERVERID insert
        option httplog
        balance source
        option forwardfor except 192.168.0.1
        option httpclose
        option redispatch
        maxconn 10000
        reqadd X-Forwarded-Proto:\ https
        server webserver1 127.0.0.1:82 cookie webserver1 maxconn 5000
        server webserver2 127.0.0.1:83 cookie webserver2 maxconn 5000

Here’s a quick run through of what is going on here.

In the global section we set users, daemon mode and logging. If you want haproxy to log to syslog then you’ll need to switch on UDP port 514 in rsyslog. Find the MODULES section in /etc/rsyslog.conf and add the following lines.

$ModLoad imudp
# The bind address must be set before $UDPServerRun, which starts the listener.
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

Then restart rsyslog (/etc/init.d/rsyslog restart).

Once you have finished and got everything working you may wish to turn logging down to “notice” instead of “debug”.

The listen http 192.168.0.1:80 section is telling haproxy to load balance port 80 between the two webservers and to insert its own WEBSERVERID cookie that it can use for webserver persistence.

The listen https 127.0.0.1:81 section is telling haproxy to receive data on port 81 (from pound) and forward it on to either of the two webservers, but to do so via stunnel (which will be configured to listen on ports 82 and 83 and forward them on via SSL to the webservers). It also sets and uses the WEBSERVERID cookie.

Edit /etc/default/haproxy and set ENABLED=1 before starting haproxy (/etc/init.d/haproxy start).

Configuring stunnel

We configure stunnel (in /etc/stunnel/stunnel.conf) to receive data on port 82 and send it to port 443 over SSL to webserver 1 and to receive data on port 83 and send it to webserver 2. This version uses certificates to verify that it is talking to the web servers and not being intercepted by a man-in-the-middle. If you don’t care to verify the webservers then set verify = 0 and don’t bother with the CAfile lines.

You will need to create the certificate files in the appropriate directory (in this case /etc/stunnel/certs). Each certificate file should contain (in this order) your signed certificate, any intermediate certificates, and finally your private key.

client = yes
verify = 1

#sslVersion = SSLv3

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = /var/log/stunnel4/stunnel.log

[webserver1]
accept = 82
connect = 192.168.0.2:443
CAfile = /etc/stunnel/certs/webserver1.crt

[webserver2]
accept = 83
connect = 192.168.0.3:443
CAfile = /etc/stunnel/certs/webserver2.crt
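An added audit for a stunnel client configuration of this shape, not part of the original post. It reports two things a reviewer would look for: an `accept` line with no host part, which makes stunnel listen on every interface so the cleartext port is reachable from outside the load balancer unless a firewall blocks it, and a `verify` level below 2, since level 1 checks the peer certificate only if one is presented. The function names, both sample configurations and the hardened values (`accept = 127.0.0.1:82`, `verify = 2`) are assumptions made for this example.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample in the style of the configuration above.
AS_WRITTEN = """\
client = yes
verify = 1

[webserver1]
accept = 82
connect = 192.168.0.2:443
CAfile = /etc/stunnel/certs/webserver1.crt
"""

# Assumed hardened variant (not from the page).
HARDENED = """\
client = yes
verify = 2

[webserver1]
accept = 127.0.0.1:82
connect = 192.168.0.2:443
CAfile = /etc/stunnel/certs/webserver1.crt
"""


def parse_stunnel_conf(text):
    """Split the file into global defaults and per-service options."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = defaults if current is None else current
            target[key.strip().lower()] = value.strip()
    return defaults, services


def audit(text):
    """Return (service, finding) pairs for client-mode services."""
    defaults, services = parse_stunnel_conf(text)
    findings = []
    for name, own in services.items():
        opts = dict(defaults, **own)  # service options override the defaults
        if opts.get("client", "no").lower() != "yes":
            continue
        accept = opts.get("accept", "")
        host = accept.rpartition(":")[0]  # empty when only a port is given
        if host not in LOOPBACK:
            findings.append((name, "accept = %s is not bound to loopback" % accept))
        level = int(opts.get("verify", "0"))
        if level == 0:
            findings.append((name, "peer certificate is not verified"))
        elif level == 1:
            findings.append((name, "verify = 1 accepts a peer that sends no certificate"))
        if level and "cafile" not in opts and "capath" not in opts:
            findings.append((name, "no CAfile or CApath to verify against"))
    return findings


if __name__ == "__main__":
    for label, conf in (("as written", AS_WRITTEN), ("hardened", HARDENED)):
        print(label, audit(conf))
```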

End of Part One

If you have followed this guide so far you should have a single IP address that load balances across two servers using SSL, both on the front end and on the back end. In Part Two I will look at creating a second load balancer that can take over should your first one fail, and monitoring the web servers so that we can automatically update the balancing rules should one of them fail.

“We suffer, so they don’t” is a most appropriate slogan. It is the slogan of Action Medical Research for their Ride 100 series of bike rides.

I stayed the night at my in-laws who are about half a mile away from Stirling High School where the ride started and finished. I cycled from Alva to Stirling on Saturday evening. The alarm woke me at 6 am. After three chocolate weetabix, a banana and coffee I was ready to head out. I managed to leave the house without waking anyone.

It was a dreich day. Almost completely overcast with some light refreshing rain for much of the route. This was far preferable to beating sun.

Registration was from 6:45 and I was there from around this time. I wasted no time registering, getting my bike number card with timing chip and getting to the start. As a result I was in the very first group to start.

Some of my fellow riders at the start.

As we headed towards King’s Park there was a small amount of confusion. We met a group who were coming up from the car park at Viewforth and were heading towards the school to register. The two groups mingled briefly and there was almost a collision as one group tried to turn left towards the school and another carried straight on.

Down to the A811 we went and we enjoyed a lovely flat stretch all the way to Kippen. A small group got out front and I joined a team of poursuivants behind them. They dropped me after about 7 or 8 miles and I managed to team up with a rider who seemed to be happy going at the same pace as me. We stuck together until Aberfoyle.

10 miles in and we turned right at the Kippen roundabout towards Thornhill. This road is a joy to ride. It’s flat and smooth. As we approached Thornhill we enjoyed our first climb. It’s a fairly easy one. After Thornhill we turned left onto the A873 towards Aberfoyle. This is a fairly rough bit of road and there was plenty of swerving around potholes and trying to find the smoothest sections in which to ride.

At one point along here there was a small climb. In order to conserve momentum I decided to stand off the saddle and try to power up it. This caused a nasty twinge in my right calf so I sat back down and shifted down a couple of gears.

Through Ruskie and Blairhoyle we then turned right onto the A81 towards Callander. This was the first categorised climb of the day. From 171ft to 561ft over 2.12 miles this is a category 5 climb. The easiest categorised climb. This route takes you past Loch Rusky.

The following descent is really fast. I managed to hit 37mph heading down towards Callander. McLaren High School was supposed to be the first feed stop but they had set up on a grass verge across the road without removing the signs telling you to turn into the School. After a banana and two mini flapjacks it was back on the road.

Into Callander and out to Kilmahog then onto the A821 towards Brig o’ Turk. This is a great road to cycle. It undulates just enough to power up the climbs and coast down the descents, plus the views across Loch Venachar and Loch Achray are beautiful.

Coming around Loch Achray we come to the start of the Duke’s Pass. This is a category 4 climb and is much easier in this direction than coming from Aberfoyle (which is category 3). We were joined on this climb by an ambulance which seemed to hover around us like a vulture. A screaming fast descent from the top brings us into Aberfoyle.

Through Aberfoyle towards the A81 we then came to the Rob Roy hotel. This was our lunch stop. It felt a bit odd having lunch at 9:30 but that did not stop me filling up on pasta, potato salad, cheese, tuna, apple, soup and a cup of tea. This was 38 miles into the ride. At 2.5 hours including a short break at the previous feed stop I was pleased with my time so far.

Those lovely Recyke-a-bike chaps were on hand for basic maintenance at Aberfoyle.
Recyke-a-bike at Aberfoyle

Stopped at Rob Roy Hotel, Aberfoyle.
Lunch stop, Aberfoyle.

Next it was down the A81. This is not a nice piece of road. It feels like you are going slightly downhill but really having to work at it. Also the surface is really rough. I found a smooth stretch towards the middle of the road but had to move off it to allow cars to overtake.

At Ballat Crossroads by Balfron Station we turned left onto the A811. By this point I was being overtaken a fair bit. My strategy was to allow a group of riders to overtake me then draft them for a bit before allowing them to drop me. I managed to do this about three times along this stretch. The A811 was a welcome relief after that nasty bit of A81.

We rode through Buchlyvie. Just before Arnprior was the halfway point. I deliberately stopped to enjoy a Snickers at this point. This was my first unscheduled stop.

Approaching the Kippen roundabout again it was temptation time. I was tired and really tempted to carry straight on and do the 100km instead of 100 miles. Only 10 miles on the flat would have taken me back into Stirling but I resisted. I spotted a rider in front go that way and as I climbed into Kippen saw another turn back. I guess he had changed his mind about 100 miles. But I decided it was better to try and fail than not to try at all. Into Kippen I went.

Outside a coffee shop there was a crowd applauding and cheering us on. I bowed and thanked them for their support which amused them.

The B822 between Kippen and Fintry is horrible. It’s a really long climb and I had to stop for breath a few times going up. After reaching the top and descending I suffered oxygen deprivation and felt like I was going to black out. Another stop for air was needed before continuing into Fintry.

We turned right onto the B818 towards Ballikinrain Castle. This is another rough road which climbs more than it descends. I was starting to regret choosing 100 miles at this point but then I remembered Isaiah 40:31. “They that wait upon the Lord shall renew their strength. They will rise on wings as eagles. They will run and not grow weary. They will walk and not faint.” Isaiah does not mention cycling but that did not matter. With a freshness and a lifted spirit I carried on to Killearn, turning left onto the A875 just before.

Just when I thought I had seen enough of the A81 we turned left onto it just after Killearn. This took us down to Dumgoyne. By the Glengoyne distillery was a most welcome sight. The third and final feed stop.

Feed stop at Glengoyne Distillery
The gentleman in the tent is filling plastic cups with either peanuts or jelly beans and jelly babies.

I had a packet of crisps, cup of jelly beans and jelly babies, banana and a small cupcake. I also refilled my water bag and this time got a couple of scoops of energy drink powder. This was my last rest stop. I did not stop to rest after this, not even an unscheduled rest.

Just as I was about to leave the feed station the rain started in earnest. I carried on towards Strathblane then turned left onto the A891 towards Campsie Glen. By this time the rain was heavier than I would have liked. As I passed Campsie Glen I saw an ominous sight to the left. Crow Road. There were already a few riders on the road and you can see just how high it climbs.

Into Lennoxtown and a left onto the B822 and I was on Crow Road. This is a category 3 climb, the toughest on the route. It climbs 800ft over 3.5 miles. At this point I had done 80 miles. Throwing this hill at us after this distance is sadistic. After starting the hill I did something I had not yet done. I got off the bike and walked part of the hill. It’s not a particularly steep hill, but is a long climb to a high altitude and after 80 miles is just not a fun climb. About two thirds of the way up I started cycling and got a burning sensation in my left thigh. As I was walking up a motorcycle marshal passed and asked if I needed assistance. I politely declined.

While it is a tough hill the views make it worthwhile. Before the road turns into the Campsies you can see right over Lennoxtown including Lennox Castle. Once around the first corner there is a lovely waterfall strewn burn that flows alongside the road. After the top it’s a fabulous descent. The motorcycle marshal watched in amusement as I screamed “yahoooo” while flying past her.

But it’s not over yet. There is one more categorised climb. At the bottom of the hill we turned right onto the B818 towards the Carron Reservoir and onto the last climb. At this point tempers were getting frayed. I had not heard any bad language up until this point but a few rude words were heard regarding this climb and the distance to the finish. I waved to those fishing on the reservoir.

According to the map it is all downhill from here, but there are still a couple of steep climbs. At Carron Bridge we turned left onto New Line Road. The sign said “Stirling 8”. The short climb after this turn is punishing at this point on the route. Here I saw something I had not seen all day. My shadow. The sun just managed to peek through the clouds. By this point I was glimpsing well known landmarks between the trees. I whooped with delight when I saw Strude Mill in my home village of Alva from away in the distance. The Wallace Monument came into view and I knew I was nearly there.

I was getting really excited as I crossed the M9 motorway and could see Whins of Milton. Just before turning onto Glasgow Road I passed the marshals again and thanked them for their support.

A left onto Glasgow Road, left at the Borestone Roundabout and into St. Ninians where I got stopped by the traffic lights just before the end. Then left towards the school where a beep greeted me as I rode over the timing mat. This was around 4pm.

A nice lady greeted me with a goody bag and a pair of snips with which to remove my bike number/timing chip.
I then cycled the half mile back to my in-laws house where my wife and children were waiting with cards and gifts for Father’s day.

After an hour’s rest I put the bike on the back of the car and drove home to Alva. Feeling the need for a protein and carbohydrate fix the Great British fish and chips came to my rescue.

I started the route at 7am and finished at 4pm, so that’s 9 hours out on the road. My odometer says I was cycling for 7.5 hours (the clock only ticks when the wheel is moving) so I must have rested during the route for a total of 1.5 hours. I have since discovered that 137 riders did 100K and 366 did 100 miles. I came in 341 out of 365 with a time of 8:56:31.

I managed to raise £282 plus £52.50 gift aid makes £334.50 raised for Action Medical Research.

Here’s the route:



This is one of my favourite lunch time rides. It’s 7.5 miles, gets you right out into the countryside and should only take 30-40 minutes.

Here’s the video:

And here’s the map:



A couple of weeks ago Julia Donaldson was in the newspapers stating that she would never allow The Gruffalo to become an e-book. See the article in The Guardian.
Some reactions to this were of the “good on you” variety, but thinking about this I feel I must disagree with Mrs Donaldson.
Firstly I think I should point out where I agree with her.
A physical book is the best way to enjoy a written story, especially a children’s one where you can either curl up on the sofa or sit beside the bed for a bed time story.
I also agree that the interactivity of e-books is a distraction from the story.
So why do I disagree with her?
If she had said “I don’t think e-books are a particularly good way to access children’s books and would encourage parents to purchase and use physical copies” then I would be agreeing with her. But instead of voicing her opinion and letting parents decide she has forced the consequences of that opinion onto everyone else.
Because she is the author society seems to think that she has the right to control how her work is enjoyed. Thanks to copyright law whoever holds the rights to her work actually has the legal right to control how the work is enjoyed.
I have a purchased copy of The Gruffalo at home (as do many parents). I have paid for the right to enjoy the work and believe that paying an author for work that you enjoy is the right and proper thing to do. However, I may wish to scan the book into my computer or create a recording of my reading it. If I feel that my child would like an interactive copy of it then that should be my decision and not Mrs Donaldson’s. While I believe that few people would object to me making these copies of the work for my family’s private use, UK copyright law makes these activities illegal.

This is why I believe that our copyright law is a tyranny. While compensating authors is a good thing, copyright law places full control of a work into an author’s hands and makes illegal all uses that are not “authorised”. By giving authors the power to say “my story will never be made into an e-book/movie/musical/graphic novel/audio book etc” our copyright law creates a tyranny that removes our rights to enjoy works in ways that suit us under the pretence of being necessary to ensure that authors are compensated for their work. This is why our copyright laws are in desperate need of reform in order to serve the public interest instead of the minority interest that they currently serve.

Here’s another ride. This one takes you off road along the banks of the Allan Water then climbs up to Glen Road for a lovely descent back onto Campus. The ride is 5.4 miles long and took me 39 minutes. This time there is more time spent off the bike pushing it up hills or walking down steps.

The map is approximate since I had to draw the path through the trees rather than follow a properly mapped road.

Here’s the video:

Here’s the map: