Demystifying cache. Kristian Lyngstøl Product Specialist Varnish Software AS



Similar documents
The Hyper-Text Transfer Protocol (HTTP)

Playing with Web Application Firewalls

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

HTTP Caching & Cache-Busting for Content Publishers

Varnish Tips & Tricks, 2015 edition

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

Hypertext for Hyper Techs

No. Time Source Destination Protocol Info HTTP GET /ethereal-labs/http-ethereal-file1.html HTTP/1.

HTTP/2: Operable and Performant. Mark

Architecture of So-ware Systems HTTP Protocol. Mar8n Rehák

Lecture 8a: WWW Proxy Servers and Cookies

Lecture 8a: WWW Proxy Servers and Cookies

Abusing the Internet of Things. BLACKOUTS. FREAKOUTS. AND

Cache All The Things

Introduction to ServerIron ADX Application Switching and Load Balancing. Module 6: Content Switching (CSW) Revision 0310

Internet Technologies Internet Protocols and Services

Web Application Security

Force.com REST API Developer's Guide

The HTTP protocol (HyperText Transfer Protocol) Short history of HTTP. The HTTP 1.0 protocol. 07/07/2011(dec'09)

CS640: Introduction to Computer Networks. Applications FTP: The File Transfer Protocol

HTTP Protocol. Bartosz Walter

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

Tunneling QuickTime RTSP and RTP over HTTP. Relationship to RTSP/RTP

Vodia PBX RESTful API (v2.0)

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

An Insight into Cookie Security

Security Testing is performed to reveal security flaws in the system in order to protect data and maintain functionality.

Ajax Performance Tuning and Best Practice

Deployment Guide. Caching (Static & Dynamic) Deployment Guide. A Step-by-Step Technical Guide

Project #2. CSE 123b Communications Software. HTTP Messages. HTTP Basics. HTTP Request. HTTP Request. Spring Four parts

Outline Definition of Webserver HTTP Static is no fun Software SSL. Webserver. in a nutshell. Sebastian Hollizeck. June, the 4 th 2013

Performance. CSC309 TA: Sukwon Oh

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

GravityLab Multimedia Inc. Windows Media Authentication Administration Guide

CloudOYE CDN USER MANUAL

HTTP Authentication. RFC 2617 obsoletes RFC 2069

By Bardia, Patit, and Rozheh

ATS Test Documentation

HOST EUROPE CLOUD STORAGE REST API DEVELOPER REFERENCE

Varnish the Drupal way

Information Extraction Art of Testing Network Peripheral Devices

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

Sticky Session Setup and Troubleshooting

CONTENT of this CHAPTER

O Reilly Ebooks Your bookshelf on your devices!

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

StriderCD Book. Release 1.4. Niall O Higgins

Introducing the Microsoft IIS deployment guide

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

Network Technologies

The HTTP Plug-in. Table of contents

Scalability of web applications. CSCI 470: Web Science Keith Vertanen

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Chapter 27 Hypertext Transfer Protocol

Performance Evaluation of the Apache Traffic Server and Varnish Reverse Proxies. Shahab Bakhtiyari. UNIVERSITY OF OSLO Department of Informatics

International Journal of Engineering & Technology IJET-IJENS Vol:14 No:06 44

World Wide Web. Before WWW

DNS Pinning and Web Proxies

Layer 7 Load Balancing and Content Customization

Using Foundstone CookieDigger to Analyze Web Session Management

Web Based Single Sign-On and Access Control

ivoyeur: permission to parse

Chapter 5 Configuring the Remote Access Web Portal

Session Management in Web Applications

5 Mistakes to Avoid on Your Drupal Website

Crowbar: New generation web application brute force attack tool

Cookies Overview and HTTP Proxies

Cyber Security Workshop Ethical Web Hacking

APPLICATION SECURITY AND ITS IMPORTANCE

Common Server Setups For Your Web Application - Part II

Session Storage in Zend Server Cluster Manager

URLs and HTTP. ICW Lecture 10 Tom Chothia

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

WordPress Optimization

Optimising clients with API gateways

Qualys API Limits. July 10, Overview. API Control Settings. Implementation

Chapter 6 Virtual Private Networking Using SSL Connections

making drupal run fast

Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

Understanding RAM Caching

Module 45 (More Web Hacking)

The Web: some jargon. User agent for Web is called a browser: Web page: Most Web pages consist of: Server for Web is called Web server:

Arnaud Becart ip- label 11/9/11

79 Tips and Tricks for Magento Performance Improvement. for Magento Performance Improvement

Cache Configuration Reference

New Tricks For Defeating SSL In Practice. Moxie Marlinspike

Load Balancing BEA WebLogic Servers with F5 Networks BIG-IP v9

Ehcache Web Cache User Guide. Version 2.9

Working With Virtual Hosts on Pramati Server

Accelerating Wordpress for Pagerank and Profit

Transcription:

Demystifying cache Kristian Lyngstøl Product Specialist Varnish Software AS Montreal, March 2013

Agenda - The types of caches involved - The benefits of a cache - HTTP - Reverse proxy specifics

Not: L1/L2 cache. Disk cache, etc.

Browser cache Intermediary caches Reverse proxy

Browser Intermediary cache Outside your direct control The Internet Reverse proxy Within your direct control Origin server

Pro: Reduced server load Con: Increased complexity

Pro: Increased robustness Con: Increased complexity == harder problems

Pro: Easier scaling Con: Complex architecture

Pro: Reduced latency by geographic distribution Con: Increased latency on cache misses

HTTP: Written for cache.

HTTP The original REST interface Addresses browser cache, intermediary caches but NOT reverse proxies.

Vary: Browser: GET /foo, Accept-Encoding: gzip Server: Here's /foo. It's compressed. Vary: Accept-encoding. Vary is a way for a server to signal that there might be different variants of the content depending on a specific header.

Vary: examples - Vary: Accept-Encoding Compression. - Vary: User-Agent Mobile content? - Vary: Cookie - Vary: Accept-Language - All of the above Most common by far: Vary: Accept-Encoding

Vary-challenges Content is provided either in gzip or uncompressed form, yet Accept-Encoding can contain any number of potential algorithms. Content varies depending on a specific cookie, but no way to tell which by using just Vary. (all or nothing).

Accept-Encoding: gzip, deflate Accept-Encoding: deflate, gzip Two different things!

Without a cache, vary has almost no side effects. Thus often ignored.

What we should do: Vary: Cookie, User-Agent

Technique number 0: FAIL SAFE You will fail at some point. Make sure you fail in an acceptable manner. Is it better to disable a cache or artificially inflate the cache than to deliver user-specific content to the wrong user?

Hypothetical example - Site allows students to register for a summer event. - Last minute change. - At launch, the cache is forced to cache content with Set-Cookie headers present. - Students end up taking over each others' sessions - Lawsuit to distribute blame lasts for years.

The by far most common cache mistake is ignoring cookies.

If content has cookies, clean out all but THESE cookies If content still has cookies, either DO NOT cache, or add the entire cookie string to the hash key, then cache.

Never. Ever. Cache. Set-Cookie. (unless, of course, you have a good reason!)

Example: Kenneth (36) Kenneth (36) became famous when his tax returns were incorrectly cached and thousands of users got to see his tax returns instead of their own...

Some would argue that the site going down might have been better.

Cache-Control header

max-age: For browsers, also used by intermediary caches.

s-maxage: For caches, used by both intermediary caches AND reverse proxies. Tip: Use it for reverse proxies, then remove it before exposing it to intermediary caches.

must-revalidate: You can cache, but revalidate before using it. private: Only browser cache. No shared cache. public: Can be cached. no-cache: Similar to must-revalidate.

Emerging: Surrogate-Control, a Cache-Control for surrogate caches (aka: reverse proxies) only.

Conditional requests Give me /pictures/cats, but only if it's newer than X If-Modified-Since:

Conditional requests Give me /pictures/cats, but only if it doesn't match Etag FOO. If-None-Match: Foo

ETags Essentially a Unique ID for an asset/resource/url. Not only useful for caches. UPDATE this resource, but only if the old version matches what I had.

GET /foobar HTTP/1.1 ETag: FOO-version1 (time passes) DELETE /foobar HTTP/1.1 If-Match: FOO-version1

Handling high loads == handling bugs, DoS attacks and more.

Example: Counting comments 20-ish news sites, each with comment section. To display X comments on this article on the frontpage, a resource contained a list of all articles and the counters. This updates constantly, impossible to cache!

What about Expires and Pragma? Pragma: Not defined anywhere. Do not use. Expires: Troublesome at best. Usually set to some developer's birthday or that 1997-date that seems to have originated from an example on php.net.

Common Expires values Expires: Thu, 19 Nov 1981 08:52:00 GMT Expires: Sun, 19 Nov 1978 05:00:00 GMT Expires: Sat, 26 Jul 1997 05:00:00 GMT Expires: Mon, 26 Jul 1997 05:00:00 GMT (Mon, 26, Jul 1997 does not exist)

Contact information Kristian Lyngstøl kristian@bohemians.org @kristianlyng http://kly.no

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information