Version 5.1.4 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. Version 5.1.3 was skipped because of problems during the release process. Version 5.1.4 fixes an unfortunate side-effect from using a private keychain as part of the security update check on macOS, as well as some other minor nuisances. This release adds Ubuntu 17.04 "Zesty" support, and is packaged with Nginx 1.10.3.

The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.

Fix for System keychain bug on macOS

In 5.1.2 Passenger created a private keychain for use with the security update checker. Unfortunately the related APIs had undocumented side effects and caused issues with the system keychain which resulted in irregularities with wifi, Time-Machine, and other system services.

In Passenger 5.1.4 we reverted this change and no longer create a private keychain on macOS, and instead handle the certificate/key-pair separately to increase robustness. For more details on undoing the side effects caused by this problem, you can read here.

In addition some unnecessary logging in the non-error case was suppressed.

macOS Sierra built-in Apache support

This release adds support for compiling against the built-in Apache installation supplied with macOS 10.12 Sierra. Previous versions of Passenger failed to compile because macOS Sierra's Apache installation is incomplete and does not supply the apr-config tool. We now work around this by using hardcoded default values for macOS.

Ubuntu 17.04 Zesty packages

We’ve added Passenger packages for the Ubuntu Zesty release. In accordance with our support policy (support all Ubuntu LTS releases that are still supported by Canonical, plus the latest Ubuntu release), this means that our packages for Ubuntu 16.10 “Yakkety” are now deprecated.

Nginx 1.10.3 preferred

The preferred Nginx version is now 1.10.3, which contains several bugfixes.

We are not moving to Nginx 1.12.0 in this release because multiple modules we include are not ready for the new Nginx version.

Various other

• [Standalone] Fixes install-standalone-runtime command after regression in 5.1.2.
• Removes unnecessary logging of "No Error" from macOS Security Update Checker.
• Don't output colorized text during dependency check when output isn't a TTY, unless forced. Closes GH-1902.
• [Enterprise] Fixes send-cloud-usage command when Passenger is installed from gem.
• [Enterprise] Improves robustness of machine properties reporting for pay-as-you-go cloud-license holders.
• [Enterprise] Adds support for reporting available RAM, and CONTAINER_HOST_IDENTIFIER envvar, to support RAM-based pricing model.
• Added additional debug level logging for troubleshooting issues with bash scripts. Closes GH-1928.
• Fix missing openssl check in passenger-install-apache2-module dependency checker. Closes GH-1934.

Installing 5.1.4

Please see the installation guide.

Upgrading to 5.1.4

We strongly advise staying up to date with the latest version.

See also the upgrade notes below!

OS X	Debian	Ubuntu	Heroku
Red Hat	CentOS	Ruby gem	Tarball
Docker

If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.

Download issue with old gem version

Old versions of gem (below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our rubygem hosting software (Gem in a box).

ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.4), here is why:  
 Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/
 - bad response Unauthorized 401 

If this happens, please upgrade to a newer version of gem:

gem install rubygems-update; update_rubygems  

Special notes about capistrano-passenger

If you are using Capistrano and capistrano-passenger, then it may fail with this error:

SSHKit::Runner::ExecuteError: Exception while executing as user@99.99.99.99: undefined method `[]' for nil:NilClass

NoMethodError: undefined method `[]' for nil:NilClass

Tasks: TOP => passenger:restart

This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.

Final

Phusion Passenger's core is open source. Please fork or watch us on Github. :)

Passenger ensures that your Ruby, Python, Node.js and Meteor apps, microservices, and APIs are served with outstanding reliability, performance and control. For additional features and premium support, check out the enterprise edition.

We are happy to announce that we have partnered with NGINX, Inc. and Passenger is officially certified under the NGINX Plus Certified Module Program.

In 2016, NGINX Inc. introduced dynamic modules, which make life easier by not requiring a full recompilation of Nginx when adding extra functionality through modules. Dynamic module support also offers the freedom to choose which modules not to load.

Passenger's Nginx integration has supported dynamic modules since version 5.0.28. We're proud to say that Passenger is one of the first modules that passed a series of regression tests that ensure it works correctly with NGINX Plus, loads as expected, and plays nicely with all core NGINX Plus functionality. Passenger is designed and built against a rigorous set of architectural standards, and has world-class support options available.

In short, Passenger is now an NGINX Plus Certified Module! You can read more about the program on the NGINX Blog.

Passenger ensures that your Ruby, Python, Node.js and Meteor apps, microservices, and APIs are served with outstanding reliability, performance and control. For additional features and premium support, check out the enterprise edition.

Version 5.1.2 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. It fixes a specific use case on macOS where the new Passenger security update check would fail, as well as some other minor nuisances. We are also proud to announce the availability of our new Homebrew tap, which makes it even easier to install Passenger Enterprise on macOS.

The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.

Private keychain for Apache / macOS

The system Apache web server on macOS runs as the _www user by default. Since this is a daemon user without a home directory, it lacks a user-specific keychain and defaults to the system keychain. Passenger's security update check relies on accessing the default keychain to prevent unnecessary popups, which fails in this case because the _www user (correctly) doesn't have sufficient permissions.

In Passenger 5.1.2 we avoid permission issues by creating a private keychain on macOS when the system keychain is defaulted to. This change does not affect regular login users.

Enterprise Homebrew tap

The new Passenger Enterprise Homebrew tap is super easy to use. Simply run:

brew tap phusion/passenger  

You can then install Passenger Enterprise with one of the commands below:

brew install passenger-enterprise  
# -OR-
brew install nginx-passenger-enterprise  

You will be asked for your download token when installing Passenger Enterprise for the first time using this tap. The token is cached for use in subsequent installs.

The tap makes it possible for us to provide a Homebrew formula for Passenger Enterprise, which requires authentication to fetch the source code. It also allows us to provide an Nginx formula that depends on Passenger Enterprise instead of Passenger Open Source.

As with all Passenger installation methods, installing Passenger Enterprise conflicts with Passenger Open Source, so you will need to brew uninstall passenger nginx before installing Passenger Enterprise this way.

SSL certificate replaced

The certificate for oss-binaries.phusionpassenger.com has been replaced with a new one that is managed through Let's Encrypt. This is the primary domain where Passenger packages and binaries are hosted.

Older versions of Passenger (< 5.0.22, < 4.0.60) use a pinned version of the old certificate (in some cases) for downloading binaries, but they will gracefully switch to the Amazon S3 fallback domain instead.

No Nginx for builtin engine

Passenger Standalone internally runs Nginx by default in order to provide a battle-hardened webserver front for applications. If there is already another server in front of Passenger that handles things like load balancing, slow client protection and static file caching, then it is possible to use the simpler and faster builtin HTTP engine of Passenger.

Though choosing the builtin engine disables the use of Nginx, Passenger would still try to download or compile Nginx (GH-1910). This unnecessary dependency has been removed in 5.1.2.

Various other

• Fixes remaining false positives (logging) from the new Meteor cluster warning system. Closes GH-1905.
• Improve passenger-memory-stats to include JRuby processes that fail to rename as expected. Closes GH-1878.
• Improve curl check for passenger-install-xxxx-module scripts to catch (very old) curl versions that won't compile against 5.1+.
• [Standalone] Fixes --nginx-tarball option of passenger start and passenger-config install-standalone-runtime (wasn't working). Also verifies that --nginx-version is explicitly specified as it should be.

Installing 5.1.2

Please see the installation guide.

Upgrading to 5.1.2

We strongly advise staying up to date with the latest version.

See also the upgrade notes below!

OS X	Debian	Ubuntu	Heroku
Red Hat	CentOS	Ruby gem	Tarball
Docker

If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.

Download issue with old gem version

Old versions of gem (below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our rubygem hosting software (Gem in a box).

ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.2), here is why:  
 Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/
 - bad response Unauthorized 401 

If this happens, please upgrade to a newer version of gem:

gem install rubygems-update; update_rubygems  

Special notes about capistrano-passenger

If you are using Capistrano and capistrano-passenger, then it may fail with this error:

SSHKit::Runner::ExecuteError: Exception while executing as user@99.99.99.99: undefined method `[]' for nil:NilClass

NoMethodError: undefined method `[]' for nil:NilClass

Tasks: TOP => passenger:restart

This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.

Final

Phusion Passenger's core is open source. Please fork or watch us on Github. :)

Passenger ensures that your Ruby, Python, Node.js and Meteor apps, microservices, and APIs are served with outstanding reliability, performance and control. For additional features and premium support, check out the enterprise edition.

It’s been a little over a year-and-a-half since we released the first version of Passenger 5, the application server for Ruby, Python, Node.js and Meteor. It brought a large amount of major improvements.

Since then we have introduced many more major improvements. To celebrate this fact, we bumped the minor version number and are happy to announce version 5.1.1! It is the culmination of all the work that has gone into Passenger, with bugfixes, many big and small improvements, and is fully compatible with the 5.0.x line (no breaking changes).

The same period has also seen the growth of the Passenger team, as well as a significant expansion of the Passenger documentation with the introduction of the Passenger Library.

In this blog post we’re looking back at the improvements we’ve introduced in Passenger since 5.0.1. The regular description of changes since 5.0.30 can be found at the end, and includes two notable security fixes.

In an upcoming blog post we will look to the future and describe some of the exciting ideas we have in store for this year, so stay tuned!

A plethora of improvements

There are too many improvements to Passenger since version 5.0 to go into them all in-depth, so we've gathered and categorized them by how they help you to manage and run your application harder, better, faster, stronger.

Minimizing and preventing down time

Passenger has a lot of features for minimizing and preventing downtime in apps, such as rolling restarts and deployment error resistance.

After 5.0.1 we’ve further improved the robustness in challenging situations like running out of memory or crashing application code. Rolling restarts were changed to maintain an even more resource-friendly load profile.

Secure defaults and defense in depth

Passenger does the heavy lifting to provide a secure platform from which you can serve your app with confidence.

In this category one of the most notable improvements after 5.0.1 is the new Passenger security update check. This (optional) feature allows users to be notified in case there are any important Passenger-related security updates so that they can take timely action to keep their systems secure.

Security is high on our priority list and we constantly watch for potential vulnerabilities. For example, when Rails 5 was released, we did a number of tests that revealed a DoS vulnerability. Although Passenger’s design already protects users from this type of issue, we are happy the issue has been fixed in Rails.

Faster & more efficient resource use

Passenger’s design and relentless optimization enables developers and administrators to get the most performance out of their hardware.

With a couple of new options, Passenger helps high-performance servers and applications shine even when under extremely demanding loads. Conditions on a single server such as hundreds of workers, 100K+ RPM with traffic bursts can be handled flawlessly. Another interesting option is that Node.js applications can now be autoscaled; similar to what was already possible for Ruby apps.

Improve development efficiency

Passenger gives developers and administrators super powers so that they can do their jobs more efficiently.

We’ve added a ton of improvements in this category, such as new options and tools for diagnostics, validation and troubleshooting of configurations, applications and connections (e.g. Websockets). Configuration ease and flexibility, as well as maintenance-friendliness have been improved in various ways, like the possibility to configure Passenger Standalone through environment variables or via a refactored configuration template. This makes Passenger integrate better than ever with Heroku, Docker and 12-factor principles.

There are also special improvements like support for the Nginx dynamic module system, installation validation for Passenger + Apache and Docker-friendly logging for Passenger Standalone.

The list below shows the first few items, but you can expand it with the link below that to see all of the improvements.

Staying ahead of the curve

Passenger embraces modern technologies and multiple platforms to prevent lock-in and to stay ahead of the curve.

As technology moves forward through time, Passenger keeps up. For example, you can use our Passenger APT/RPM packages for the latest couple of versions of Debian, Ubuntu, Red Hat Enterprise Linux and CentOS; which includes the recently released Ubuntu 16.10 and RHEL 7.3. Passenger also supports the newly released JRuby 9.0.0.0 as well as Rails 5 + Action Cable, and a number of smaller improvements like support for IPv6 across all the different integration modes.

Changes from 5.0.30 to 5.1.1

For your convenience we've listed the improvements and bugfixes specifically since version 5.0.30 below. This includes two notable vulnerabilities that were addressed in 5.1.0. Version 5.1.0 and 5.1.1 were released in short succession due to a fix for Rails 5.0.1 Action Cable, so we’re covering them both in one blogpost.

CVE-2016-1247

On the 25th of October, an issue with the default permissions in the upstream Nginx APT package was made public. It allows local users with access to the web server user account to gain root privileges via a symlink attack on the error log. The fix has been applied to the Phusion Nginx APT-package.

Predictable tmp File Path Vulnerability

On the 1st of November, Jeremy Evans reported a file overwrite vulnerability caused by a predictable temporary file being written by passenger-install-nginx-module. With access to the system, a user could plant a symlink in /tmp that resulted in a chosen-file overwrite attempt whenever passenger-install-nginx-module was run, using the access rights of the executing user, potentially even with chosen content. Files written to the tmp directory now have randomized path components to fix this vulnerability.

Update: this vulnerability was assigned CVE-2016-10345.

Other bugfixes

Improvements

Installing 5.1.1

Please see the installation guide.

Upgrading to 5.1.1

We strongly advise staying up to date with the latest version.

macOS	Debian	Ubuntu	Heroku
Red Hat	CentOS	Ruby gem	Tarball
Docker

Upgrade notes

• If you are upgrading from version 4, please see the Passenger 5 upgrade notes for potential caveats.

• If you are getting a download error during a gem install, ensure you have a version of gem >= 2.2.0 (2013), for instance by running gem install rubygems-update; update_rubygems.

• If you are using Capistrano and capistrano-passenger, please ensure that capistrano-passenger is upgraded to 0.2.0 or newer to avoid "NoMethodError: undefined method `[]' for nil:NilClass".

Final

Passenger's core is open source. Please fork or watch us on Github. :)

Passenger ensures that your Ruby, Python, Node.js and Meteor apps, microservices, and APIs are served with outstanding reliability, performance and control. For additional features and premium support, check out the enterprise edition.

In this article we will show you how Rails 5.0.0 ActionCable applications on Puma, the new default Rails app server, might be exposed to denial of service by slow clients. We will be using the OS X network shaping tools to simulate an attack, revealing the vulnerability.

In our previous ActionCable article we talked about how we stress tested ActionCable and found and solved a couple of issues. Those issues have since been fixed and the fixes have been merged into Rails. In this article we report on another issue that we have found as a result of our stress testing efforts.

A fix for the issue we found was merged into Rails a couple of months ago and was recently released as part of Rails 5.0.1. Passenger users have never been affected by this issue.

What are slow clients and how can they cause Denial of Service?

The next few paragraphs will explain the basic theory and implications of slow clients. If you are already familiar with the slow client problem and how it is mitigated you can skip this section and scroll down to "Testing whether ActionCable is protected against slow clients". In that section we explain how we simulated an attack against Rails on both Puma and Passenger and found that applications on just Puma are vulnerable to DoS by slow clients.

The theory behind slow clients

Slow clients are users of your web application that are on an internet connection that has low bandwidth. They might be connecting with their cell phone, or from a remote location or from an area that simply has bad internet connectivity. They might also be malicious attackers who deliberately limit their bandwidth to bring down your application.

There are two aspects of slow clients that can block your application. Both have to be dealt with in order to ensure reliable service; not just to the slow clients, but to all users of your application, slow or fast. Slow clients send their data slowly, and they receive their data slowly.

This means that in a naively written web application a thread or process that is servicing a request might spend seconds or even minutes receiving data, before it even has a chance to perform business logic or query a database. Then when it has finished building its response it might spend seconds or minutes again sending that response to the client.

Practical impact of slow clients

Most Ruby application servers utilize a synchronous request/response I/O model with multiple worker processes and/or worker threads, so they are (partially) susceptible to this issue.

A worst-case scenario looks like this: imagine that your application server is configured to have 100 worker processes, designed to process thousands of requests per second. Now imagine a single attacker. Sending just a hundred severely bandwidth limited requests. As each of your 100 worker processes encounters a request from the attacker it is delayed for minutes, causing other requests to queue up.

Eventually all your processes will be busy taking minutes servicing just a single attacker request, and tens of thousands requests are queued up or dropped. A more persistent attacker might delay your application indefinitely using only minimal resources.

Threads mitigate this problem somewhat, as they are much less costly than processes, and so you can have more of them, but the basic problem still remains. The attacker will simply have to perform more of those cheap slow requests.

Mitigation via evented I/O buffering system

In practice, Ruby application servers are already well-protected against slow clients on the receiving side by using an evented I/O buffering system that can handle a much larger I/O concurrency.

How do various Ruby application servers utilize an evented I/O buffering system?

• Unicorn is typically deployed together with Nginx. Nginx uses evented I/O and acts a buffering reverse proxy. It protects against both slowly-sending and slowly-receiving clients.
• Puma has a built-in evented I/O multiplexer which protects itself against slowly-sending clients. It does not protect against slowly-receiving clients, so in production deployments it is recommended to put Puma behind Nginx.
• Passenger has a built-in evented I/O buffering system and automatically protects against slowly-sending and slowly-receiving clients, with and without Nginx.

The special problem of traditional slow client mitigation in combination with WebSockets

Nginx as a buffering reverse proxy has one weakness: it must receive the entire request from the client before it forwards the request to the application, and it must receive the entire response from the application before it sends any data to the client. This is normally not a problem, but it is a problem in combination with WebSockets. WebSocket frames must be immediately received from and sent to the client; otherwise it defeats the purpose of WebSockets.

This means that in order to make WebSockets (and ActionCable, which is based on WebSockets) work, Nginx’s I/O buffering system -- and thus slow client protection by Nginx -- must be disabled. ActionCable tries to mitigate this problem somewhat by providing its own evented I/O multiplexer for incoming WebSocket data. This means that ActionCable protects against slowly-sending WebSocket clients, but not against slowly-receiving WebSocket clients.

In the next sections we’ll provide a practical example of this problem. We will also show that Passenger does not suffer from this problem at all because it is capable of buffering I/O and immediately sending data to clients. Thus Passenger is capable of protecting the application against slowly-receiving and slowly-sending WebSocket clients.

Testing whether ActionCable is protected against slow clients

With the theory out of the way it is time to move on to the practical consequences. To ascertain whether a Rails application might be vulnerable to slow client attacks we have built a small application that sends a steady stream of data to any connected clients using ActionCable.

Running this application and connecting four clients will result in the above image. Each of the clients reports their current delay. On an old MacBook that is about 10 milliseconds on average. Note that this delay includes some things like rendering and parsing the JSON objects, which are quite large for the purposes of this test, a normal application will have much smaller response times.

As we have established that the application is functioning correctly we can move on to the test conditions. To establish that there is a slow client problem we introduce a slow client and observe the response times in the other (fast) clients. If they remain the same or are minimally impacted we have not shown a problem. If they change and are significantly impacted we can conclude there is in fact a slow client problem.

Shaping network traffic on OS X

Since we do not have a 56k modem lying around and internet connections in The Netherlands are “unfortunately" very fast, we will have to simulate the network conditions of the slow client. Most modern operating systems come with tools for this, on OS X we can use pf.

First, we have to see whether pf is currently enabled by running:

sudo pfctl -s  

If it is not then it can be enabled by running:

sudo pfctl -e  

The next step is to create a dummynet like so:

(cat /etc/pf.conf && echo "dummynet-anchor \"mop\"" && echo "anchor \"mop\"") | sudo pfctl -f -

This extends the existing /etc/pf.conf with the dummynet and then instructs pf to use that configuration. If at any time you want to roll back to the original configuration you can issue the following two commands:

sudo dnctl flush  
sudo pfctl -f /etc/pf.conf  

Then we find out which connection we would like to throttle. In this example the clients are 4 instances of Chrome connected to our web server at port 3000, so we issue the following command to find out their outgoing port number:

sudo lsof -i -n -P | grep TCP | grep 3000  

This yields the port numbers we need, we pick one of them (in this example it is 58983) and insert that into the following instruction:

echo "dummynet in quick proto tcp from any to any port 58983 pipe 1" | sudo pfctl -a mop -f -  

Now all data from that port is routed through the dummy network. The last step is to reduce the flow of traffic:

sudo dnctl pipe 1 config bw 56kbit/s  

The effect should be immediate for the affected client, its delay should rise to multiple seconds.

Results

First we start the Rails application using the default server, which used to be WEBrick but is now the more production suitable Puma web server, like so:

./bin/rails s

Introduction of the slow client did not only result in an increased delay in that client but also in all of its peers. This means that it is vulnerable to the slow client problem, and as such is not suitable for exposing WebSockets directly to the internet without a protective reverse proxy. Unfortunately the most recommended reverse proxy, Nginx, does not offer this protection, as explained under “The special problem of traditional slow client mitigation in combination with WebSockets".

Starting the Rails application using Passenger and introducing a slow client does not result in a situation where all clients are affected by that slow client. This means that exposing a Passenger web server to the internet is safe in this regard, even without a buffering reverse proxy.

How Passenger deals with slow clients

To deal with slow clients Passenger puts a buffer between the application and the network. The buffer accepts data from the application immediately, storing it in memory or on the disk if the client can not receive the data fast enough. This enables the application to function as if it has a super fast client.

Because Passenger has an internal evented I/O architecture it does not have to dedicate threads or processes to the data streams filling these buffers. That means there's little overhead per connection allowing it to deal with many slow clients without a problem. Additionally while Passenger buffers it also sends the data to the client immediately so there is no delay perceived by the client.

Conclusion

We conducted an experiment by building a small demo application; and by using network traffic shaping, simulated the effects of slow clients the reliability of an ActionCable server. As a result of this experiment we concluded that an ActionCable application served by Puma is at risk of denial-of-service by slow clients that take up costly worker processes and threads.

The same application served by Passenger is not affected by slow clients as Passenger buffers outgoing data. Using Nginx as a reverse proxy in front of Puma does not solve this problem as Nginx’s buffering system is not compatible with WebSockets.

The issue was reported to the Puma and Rails teams, who responded by building a response buffer into Rails. This patch was merged and was recently released with Rails 5.0.1.

Passenger ensures that your Ruby, Python, Node.js and Meteor apps, microservices, and APIs are served with outstanding reliability, performance and control. For additional features and premium support, check out the enterprise edition.

Union Station is Phusion's brand new take on Passenger application monitoring and analytics. Union Station aims to help you easily find performance bottlenecks and errors in your application and to help you fix them. Sign up for a free trial today!

UPDATE: This position is filled and no longer available.

We are looking for an energetic, passionate and fun Customer Success Manager (full-time) to create and maintain stellar relationships with our customers. You will be mainly responsible for new Premium Support customer on-boarding, creating measurable retention and supporting our Enterprise customers. The ideal candidate will work remotely from Canada. In short, you’ll be the voice on behalf of Phusion to all of our clients around the globe!

Your main tasks will be as follows:

• Maintain high levels of customer engagement and satisfaction with a focus on measurable retention
• Maintain current and accurate account information and contact information within assigned customer database
• Drive customer references, testimonial and case study completion
• Follow up on surveys, compile responses, analyze results and draw conclusions to be presented to the team
• Respond to customer’s account questions within agreed timeframe (either by phone, email, or support tickets)
• Identify common customer challenges and proactively suggest better solutions.
• Relay / escalate problems to engineering team in a joint effort to keep customers happy.
• Execute and maintain Client Referral programs
• Execute and maintain Client Affiliate programs
• Effectively renew and maintain all assigned accounts with favorable terms and conditions
• Travel to client offices across North America to meet and assess risks and evaluate opportunities to upsell.

Required qualifications & skills:

• Bachelor’s degree or equivalent experience. 1-3 years experience providing Customer Success or equivalent history of increasing customer satisfaction and retention.
• Excellent written and verbal business communication skills in English. Native, or near-native, proficiency is a must.
• Detail-oriented and analytical.
• Demonstrated ability to communicate and present, as well as to credibly and effectively influence all levels of the organization, including the executive and C-level.
• Ability and willingness to travel throughout North-America.

The following aspects are highly appreciated:

• Thriving in a multitasking environment and ability to adjust priorities on-the-fly.
• A willingness to work on a flexible schedule (as most of our clients are based in the United States).
• Work experience within the SaaS industry.
• We are located in Amsterdam but embrace remote working and are seeking someone, ideally, located within Canada.

About Phusion

Phusion is a software company dedicated to making awesome Unix server tools to power the modern web. Click here for more info.

What does Phusion have to offer you?

• A welcoming horizontal work environment with opportunities to grow both as a person and professionally
  • Want to go to an IT networking conference like TNW? We’ll send you!
  • Want to take a particular training course to become even better at your job? We’d like to support you here as well.
• An opportunity to work directly with some of the most amazing Fortune 500 companies we are fortunate enough to call our customers.
• Flexible office hours at our homebase within walking distance to Amsterdam Centraal.

Do you fit the profile and are you extremely self-motivated, fun to work with, and generally just a pretty awesome individual? WE WANT YOU! So, please send your resume along with a cover letter to jobs@phusion.nl and we will get back to you shortly.

UPDATE: This position is no longer available.

We’re looking for a passionate and creative Web Designer to assist us in designing marketing websites for our products, as well as assist us in designing UIs for the products themselves. More specifically, the job position requires you to translate business requirements and targets into enticing pieces of art that not only look good, but are a joy to work with as well. To that end, deep knowledge of aesthetics, web technologies and user experience are paramount. The ideal candidate has enough experience, knowledge and skills to hit the ground running and enough of a funnybone to enjoy Friday drinks with us.

Your main tasks will be as follows:

• Tell a product story using design.
• Translate our business requirements and targets to gorgeous marketing page designs.
• Create UIs for our products in such a way that they end up being a joy to use.
• Improve visitor-to-customer conversion with enticing web designs.
• Conduct usability tests on our products and suggest / implement improvements.

Required qualifications, skills & traits:

• A “can do” mentality, and works in a proactive manner: rather than waiting to be told what to do, you actively pursue telling us how things can be improved by providing mockups & reasoning.
• Autonomous, but also comfortable working in multidisciplinary team environment.
• Photoshop, Illustrator and Sketch are all second nature to you.
• Able to cope with sprints, and as such, able to work in an effective and efficient manner.
• Explores multiple concepts prior to settling on 1.
• Familiar with current design paradigms and pride yourself in pushing the envelope when it comes to pursuing usability and aesthetics.
• Take pride in your work, but are able to put business requirements above all else, even if it comes at the expense of throwing away something you’ve worked on for a while based on user feedback to “get it right”.
• Believe that form follows function; you believe that usability should never lose out on “prettiness”.
• A drive to keep learning new skills in an effort to expand their skillset.
• Experience working on responsive designs for mobile and desktop (examples required).
• Able to conduct usability testing via paper prototypes, mockups, clickthroughs etc...
• Able to immerse themselves in domain specific knowledge; you believe that in order to be effective at designing a marketing page or UI for a product, you must first understand the product and its audience.
• Strong understanding of designing with accessibility in mind, typography, color theory and composition.

The following aspects are highly appreciated:

• Knowledge of HTML/CSS/JS and the ability to implement designs with the aforementioned technologies.
• Ability to create and provide prototypes in Framer.js, Origami or equivalent software.
• Knowledge of functional animation techniques to support UX.
• Ability to conducting and evaluating A/B split testing.
• Experience with writing copy.
• Experience designing for print.

About Phusion

Phusion is a software company dedicated to making awesome Unix server tools to power the modern web. Click here for more info.

What does Phusion have to offer you?

• A welcoming horizontal work environment with opportunities to grow both as a person and professionally
  • Want to go to an IT networking conference like TNW? We’ll send you!
  • Want to take a particular training course to become even better at your job? We’d like to support you here as well.
• An opportunity to work directly with some of the most amazing Fortune 500 companies we are fortunate enough to call our customers.
• Flexible office hours at our homebase within walking distance to Amsterdam Centraal.
• Some of the best work hardware to allow you to perform your tasks quickly and efficiently; love Apple and want to work on a Macbook? Done deal. Prefer to work with Windows instead? We’ve got you too!

Do you think you’ve got the chops for this position? Are you also extremely self-motivated, fun to work with, and generally a pretty awesome individual? Then WE WANT YOU! Please send your résumé, cover letter, and portfolio to jobs@phusion.nl and we’ll get back to you shortly.

UPDATE: This position is no longer available.

We are looking for a passionate and energetic candidate to fulfill the duties of Sales Manager at Phusion B.V. in Amsterdam. The ideal candidate has enough experience, knowledge and skills to hit the ground running and enough of a funny-bone to enjoy Friday drinks with us. The focus on this position will be on acquiring new customers, smashing targets, managing the sales flow and creating growth for the company.

The main task categories of this position are:

• Acquisition - Seeking out and gaining new customers on a constant and consistent basis to accelerate existing growth.
• Sales - Monitoring and maintaining automatic sales flow channels from the customer's first point of contact with our company through to payment. Includes writing copy for websites, sales flyers, blogs, etc.
• Targets - Ability and drive to meet and challenge predetermined targets set for new customers and revenue.
• Analysis - Data collection, analysis and interpretation for the purpose of presentation, opportunity cost decision, and backing up any decisions.
• Business Development - Identifying and capturing opportunities for business growth and forecasting timelines for growth.

Qualities the ideal candidate possesses:

• Strong analytical ability. You share the mentality “If you can’t measure it, you can’t improve it.”
• Native (or nearly native) English proficiency. You must be able to speak and write at a business/professional level. Any additional language proficiency is a plus.
• High curiosity and desire to learn more. You make it a top priority to be an expert in your field, keeping up-to-date on the product, company and the ecosystem in which we operate.
• Goal oriented and can-do attitude. You can collect all information yourself to create a solution or plan before going to someone with a problem or question.
• 3+ years proven relevant experience with international markets, specifically the North American market. You’re an expert presenter, pitcher and negotiator.
• A college or university degree in a related field. You also hold some necessary background knowledge in the fields of business administration, economics, statistics, business models and business optimization.
• You’re located in or around Amsterdam and would love to be in our beautiful office at least 3 days a week (while the remaining 2 days you are encouraged to be in the office however that is optional).
• Willingness to work during US times for conference calls with customers and leads.
• Willing to travel and meet up with our customers to understand their business needs and relay this information into actionable items to our engineers. Our customers are primarily located in the US.
• Finally, if you’re up for the challenge of this position, you’re able to bring in new customers within the first three months of employment that otherwise wouldn’t have found their way into our sales flow.

The following knowledge and skills are highly appreciated:

• Ability to thrive in a multitasking environment, adjust priorities on-the-fly and work in sprints.
• A willingness to work on a flexible schedule due to US-NL timezone differences of our customers.
• Work experience within the SaaS and/or enterprise IT industry.
• You are an initiator, if you see a problem or something that can be improved upon you create solutions and improvements without being explicitly instructed.
• Experience with conducting and evaluating A/B tests.

About Phusion

Phusion is a software company dedicated to making awesome Unix server tools to power the modern web. Click here for more info.

What does Phusion have to offer you?

• A welcoming, horizontal work environment with opportunities to grow both personally and professionally. Want to go to an IT networking conference like the TNW? We’ll send you! Want to take a particular training course to really master and keep up to date on an aspect of your position? We fully support it!
• An opportunity to work directly, and bring in more, of the most amazing Fortune 500 companies that we are fortunate enough to call our customers.
• We have a beautiful office in walking distance from Amsterdam Central Station. While we offer some remote working days, if you are in the office, you’ll have lunch included.
• Some of the best hardware to allow you to perform your tasks quickly and efficiently. Love Apple and want to work on a Macbook? Done deal. Prefer to work with Windows instead? We’ve got you too!

Do you think you’ve got the chops for this position? Are you also extremely self-motivated, fun to work with, and generally a pretty awesome individual? Then WE WANT YOU!

Please send your résumé and cover letter to jobs@phusion.nl and we’ll get back to you shortly.

"Every office needs a Donna, but not as much as an Anna." Anna will be joining Phusion to make everyone's life a little easier. She was found at the University of Amsterdam with a Bachelors of Media & Culture, a minor in Programming and wrapping up a Masters of Game Studies, excited to explore more practical matters.

As the new Office Manager Anna will be working behind the scenes to ensure that all members of the team can keep their focus on what they do best: putting their unique talents to good use. With her broad skill set she will be taking care of all the little things so Phusion can make the big things happen.

Welcome to the team Anna!

The Phusion team just got a little nicer! Tara will be joining as the second hire from the Great White North. She is a new graduate from Dalhousie University with a Bachelors of Business Administration. Eager to get out of rural Canada she took to finding a job in Amsterdam.

Tara has joined Phusion as a Customer Success Manager to build stellar relationships with customers. Her background in communications and customer relationship management lends well to becoming the customers new best friend. She will be playing a key role in creating value for the customer and the company.

Welcome to the team Tara!