Slide 1
Slide 1 text
Comment utiliser les
meilleures pratiques
d’HTTP pour mettre en
cache votre site web
Thijs Feryn
Slide 2
Slide 2 text
Slow websites suck
Slide 3
Slide 3 text
Web performance is
an essential part of
the user experience
Slide 4
Slide 4 text
Slow ~ Down
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
No content
Slide 8
Slide 8 text
Identify slowest parts
Slide 9
Slide 9 text
Reduce the
impact of the
code on the
server
Slide 10
Slide 10 text
Not just raw speed
Slide 11
Slide 11 text
Scale
Slide 12
Slide 12 text
Optimize
Slide 13
Slide 13 text
After a while you
hit the limits
Slide 14
Slide 14 text
Cache
Slide 15
Slide 15 text
Bonjour tout le monde
Slide 16
Slide 16 text
Hi, I’m Thijs
Slide 17
Slide 17 text
I’m
@ThijsFeryn
on Twitter
Slide 18
Slide 18 text
I’m an
Evangelist
At
Slide 19
Slide 19 text
I’m an
Evangelist
At
Slide 20
Slide 20 text
No content
Slide 21
Slide 21 text
No content
Slide 22
Slide 22 text
Cache
Slide 23
Slide 23 text
Cacher?
Faire du “caching”?
Mettre en cache?
Slide 24
Slide 24 text
Don’t
recompute
if the data
hasn’t
changed
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
What if we
could design
our software
with HTTP
caching in
mind?
Slide 27
Slide 27 text
No content
Slide 28
Slide 28 text
Reverse
caching
proxy
Slide 29
Slide 29 text
Normally
User Server
Slide 30
Slide 30 text
With ReCaPro *
User ReCaPro Server
* Reverse Caching Proxy
Slide 31
Slide 31 text
Content Delivery Network
Slide 32
Slide 32 text
No content
Slide 33
Slide 33 text
HTTP caching mechanisms
Expires: Sat, 09 Sep 2017 14:30:00 GMT
Cache-control: public, max-age=3600,
s-maxage=86400
Cache-control: private, no-cache, no-store
Slide 34
Slide 34 text
Common
problems
Slide 35
Slide 35 text
No content
Slide 36
Slide 36 text
No content
Slide 37
Slide 37 text
Time To Live
Slide 38
Slide 38 text
Cache variations
Slide 39
Slide 39 text
Authentication
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
✓Multi-lingual (Accept-Language)
✓Nav
✓Header
✓Footer
✓Main
✓Login page & private content
Slide 42
Slide 42 text
{% block title %}{% endblock %} - Developing cacheable websites
{{ include('header.twig') }}
{{ include('footer.twig') }}
Base
template
{{ include('nav.twig') }}
{% block content %}{% endblock %}
Slide 43
Slide 43 text
No content
Slide 44
Slide 44 text
The mission
Maximum
Cacheability
Slide 45
Slide 45 text
Cache-control
Slide 46
Slide 46 text
No content
Slide 47
Slide 47 text
No content
Slide 48
Slide 48 text
Cache-Control: public, s-maxage=500
Slide 49
Slide 49 text
Purging
Slide 50
Slide 50 text
Conditional
requests
Slide 51
Slide 51 text
Only fetch
payload that has
changed
Slide 52
Slide 52 text
HTTP/1.1 200 OK
Slide 53
Slide 53 text
Otherwise:
HTTP/1.1 304 Not Modified
Slide 54
Slide 54 text
Conditional requests
HTTP/1.1 200 OK
Host: localhost
Etag: 7c9d70604c6061da9bb9377d3f00eb27
Content-type: text/html; charset=UTF-8
Hello world output
GET / HTTP/1.1
Host: localhost
User-Agent: curl/7.48.0
Slide 55
Slide 55 text
Conditional requests
HTTP/1.0 304 Not Modified
Host: localhost
Etag: 7c9d70604c6061da9bb9377d3f00eb27
GET / HTTP/1.1
Host: localhost
User-Agent: curl/7.48.0
If-None-Match:
7c9d70604c6061da9bb9377d3f00eb27
Slide 56
Slide 56 text
Conditional requests
HTTP/1.1 200 OK
Host: localhost
Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT
Content-type: text/html; charset=UTF-8
Hello world output
GET / HTTP/1.1
Host: localhost
User-Agent: curl/7.48.0
Slide 57
Slide 57 text
Conditional requests
HTTP/1.0 304 Not Modified
Host: localhost
Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT
GET / HTTP/1.1
Host: localhost
User-Agent: curl/7.48.0
If-Last-Modified: Fri, 22 Jul 2016 10:11:16
GMT
Slide 58
Slide 58 text
Cache-Control: public, max-age=100,
s-maxage=500, stale-while-revalidate=20
Slide 59
Slide 59 text
Cache-Control: private, no-cache, no-store
Slide 60
Slide 60 text
session
cookie
No cache
Slide 61
Slide 61 text
No content
Slide 62
Slide 62 text
Code
renders
single HTTP
response
Slide 63
Slide 63 text
Lowest
common
denominator:
no cache
Slide 64
Slide 64 text
Block caching
Slide 65
Slide 65 text
Edge Side Includes
✓Placeholder
✓Parsed by Varnish
✓Output is a composition of blocks
✓State per block
✓TTL per block
Slide 66
Slide 66 text
Surrogate-Capability: key="ESI/1.0"
Surrogate-Control: content="ESI/1.0"
Varnish
Backend
Parse ESI placeholders
Varnish
Slide 67
Slide 67 text
ESI
vs
AJAX
Slide 68
Slide 68 text
✓ Server-side
✓ Standardized
✓ Processed on the
“edge”, no in the
browser
✓ Generally faster
Edge-Side Includes
- Sequential
- One fails, all fail
- Limited
implementation in
Varnish
Slide 69
Slide 69 text
✓ Client-side
✓ Common knowledge
✓ Parallel processing
✓ Graceful
degradation
AJAX
- Processed by the
browser
- Extra roundtrips
- Somewhat slower
Slide 70
Slide 70 text
Subrequests
Slide 71
Slide 71 text
{{ include('header.twig') }}
{{ include('footer.twig') }}
{{ include('nav.twig') }}
{% block content %}{% endblock %}
{{ render_esi(url('header')) }}
{{ render_hinclude(url('footer')) }}
{{ render_esi(url('nav')) }}
{% block content %}{% endblock %}
Slide 72
Slide 72 text
An example page Rendered at 2017-05-17 16:57:14
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Mauris consequat orci eget libero sollicitudin,…
Slide 73
Slide 73 text
Problem:
no language
cache
variation
Slide 74
Slide 74 text
Vary: Accept-Language
Slide 75
Slide 75 text
No content
Slide 76
Slide 76 text
No content
Slide 77
Slide 77 text
No content
Slide 78
Slide 78 text
✓Navigation page
✓Private page
Weak spots
Not cached
because of
stateful content
Slide 79
Slide 79 text
Move state client-side
Slide 80
Slide 80 text
Replace PHP session with
JSON Web Tokens
Slide 81
Slide 81 text
JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pb
iIsImV4cCI6MTQ5NTUyODc1NiwibG9naW4iOnRydWV9.u4Idy-
SYnrFdnH1h9_sNc4OasORBJcrh2fPo1EOTre8
✓3 parts
✓Dot separated
✓Base64 encoded JSON
✓Header
✓Payload
✓Signature (HMAC with secret)
Slide 82
Slide 82 text
eyJzdWIiOiJhZG1pbiIsIm
V4cCI6MTQ5NTUyODc1Niwi
bG9naW4iOnRydWV9
{
"alg": "HS256",
"typ": "JWT"
}
{
"sub": "admin",
"exp": 1495528756,
"login": true
}
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
eyJhbGciOiJIUzI1NiIsI
nR5cCI6IkpXVCJ9
u4Idy-
SYnrFdnH1h9_sNc4OasOR
BJcrh2fPo1EOTre8
Slide 83
Slide 83 text
JWT
Cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz
dWIiOiJhZG1pbiIsImV4cCI6MTQ5NTUyODc1NiwibG9naW4iOnRydW
V9.u4Idy-SYnrFdnH1h9_sNc4OasORBJcrh2fPo1EOTre8
✓Stored in a cookie
✓Can be validated by Varnish
✓Payload can be processed by any
language (e.g. Javascript)
Slide 84
Slide 84 text
sub jwt {
std.log("Ready to perform some JWT magic");
if(cookie.isset("jwt_cookie")) {
#Extract header data from JWT
var.set("token", cookie.get("jwt_cookie"));
var.set("header", regsub(var.get("token"),"([^\.]+)\.[^\.]+\.[^\.]+","\1"));
var.set("type", regsub(digest.base64url_decode(var.get("header")),{"^.*?"typ"\s*:\s*"(\w+)".*?$"},"\1"));
var.set("algorithm", regsub(digest.base64url_decode(var.get("header")),{"^.*?"alg"\s*:\s*"(\w+)".*?$"},"\1"));
#Don't allow invalid JWT header
if(var.get("type") == "JWT" && var.get("algorithm") == "HS256") {
#Extract signature & payload data from JWT
var.set("rawPayload",regsub(var.get("token"),"[^\.]+\.([^\.]+)\.[^\.]+$","\1"));
var.set("signature",regsub(var.get("token"),"^[^\.]+\.[^\.]+\.([^\.]+)$","\1"));
var.set("currentSignature",digest.base64url_nopad_hex(digest.hmac_sha256(var.get("key"),var.get("header") + "." + var.get("rawPayload"))));
var.set("payload", digest.base64url_decode(var.get("rawPayload")));
var.set("exp",regsub(var.get("payload"),{"^.*?"exp"\s*:\s*([0-9]+).*?$"},"\1"));
var.set("jti",regsub(var.get("payload"),{"^.*?"jti"\s*:\s*"([a-z0-9A-Z_\-]+)".*?$"},"\1"));
var.set("userId",regsub(var.get("payload"),{"^.*?"uid"\s*:\s*"([0-9]+)".*?$"},"\1"));
var.set("roles",regsub(var.get("payload"),{"^.*?"roles"\s*:\s*"([a-z0-9A-Z_\-, ]+)".*?$"},"\1"));
#Only allow valid userId
if(var.get("userId") ~ "^\d+$") {
#Don't allow expired JWT
if(std.time(var.get("exp"),now) >= now) {
#SessionId should match JTI value from JWT
if(cookie.get(var.get("sessionCookie")) == var.get("jti")) {
#Don't allow invalid JWT signature
if(var.get("signature") == var.get("currentSignature")) {
#The sweet spot
set req.http.X-login="true";
} else {
std.log("JWT: signature doesn't match. Received: " + var.get("signature") + ", expected: " + var.get("currentSignature"));
}
} else {
std.log("JWT: session cookie doesn't match JTI." + var.get("sessionCookie") + ": " + cookie.get(var.get("sessionCookie")) + ", JTI:" + var.get("jti"));
}
} else {
std.log("JWT: token has expired");
}
} else {
std.log("UserId '"+ var.get("userId") +"', is not numeric");
}
} else {
std.log("JWT: type is not JWT or algorithm is not HS256");
}
std.log("JWT processing finished. UserId: " + var.get("userId") + ". X-Login: " + req.http.X-login);
}
#Look for full private content
if(req.url ~ "/node/2" && req.url !~ "^/user/login") {
if(req.http.X-login != "true") {
return(synth(302,"/user/login?destination=" + req.url));
}
}
}
Insert incomprehensible
Varnish VCL code here …
Slide 85
Slide 85 text
X-Login: true
End result:
X-Login: false
Slide 86
Slide 86 text
Extra cache
variation
required
Slide 87
Slide 87 text
Vary: Accept-Language, X-Login
Content for logged-in
& anonymous differs
Slide 88
Slide 88 text
function getCookie(name) {
var value = "; " + document.cookie;
var parts = value.split("; " + name + "=");
if (parts.length == 2) return parts.pop().split(";").shift();
}
function parseJwt (token) {
var base64Url = token.split('.')[1];
var base64 = base64Url.replace('-', '+').replace('_', '/');
return JSON.parse(window.atob(base64));
};
$(document).ready(function(){
if ($.cookie('token') != null ){
var token = parseJwt($.cookie("token"));
$("#usernameLabel").html(', ' + token.sub);
}
});
Parse JWT
in Javascript
Slide 89
Slide 89 text
Does not require
backend access
Slide 90
Slide 90 text
No content
Slide 91
Slide 91 text
No content
Slide 92
Slide 92 text
https://feryn.eu
https://twitter.com/ThijsFeryn
https://instagram.com/ThijsFeryn