Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Nordic Ruby 2012: We don't know HTTP

Konstantin Haase
June 15, 2012
Technology
5
780

Nordic Ruby 2012: We don't know HTTP

Slides for the talk I gave at Nordic Ruby 2012

Konstantin Haase

June 15, 2012
Tweet

More Decks by Konstantin Haase

See All by Konstantin Haase
RubyConf Philippines 2017: Magenta is a Lie
rkh
0
170
How We Replaced Salary Negotiations with a Sinatra App
rkh
17
3.7k
HTTP (RubyMonsters Edition)
rkh
5
810
GCRC 2015: Abstract Thoughts on Abstract Things
rkh
1
330
Frozen Rails: Magenta - The Art Of Abstraction
rkh
3
250
RedDotRubyConf 2014: Magenta is a Lie - and other tales of abstraction
rkh
0
620
Ancient City Ruby: Hack me, if you can!
rkh
2
370
Boston I/O: Continuous Integration
rkh
3
250
Steel City Ruby: Architecting Chaos
rkh
4
740

Other Decks in Technology

See All in Technology
2023/09/14 Fin-JAWS #32 「SIEM on Amazon OpenSearch Serviceを1年運用してわかったこと」
junjikoide
1
190
Introduction to mcl-wasm
herumi
1
280
サイバーエージェントのGitHub Copilot導入と 開発生産性
kurochan
23
20k
[PHPカンファレンス沖縄2023]【実践編】良いプロダクト作りのための組織育成 健全なコードは健全な組織、健全なチームから
ikezoemakoto
0
170
Jetpack Glanceではじめる Material 3のColor
mochico
0
550
JPOUG#7 Oracle Database 23c New Features
nori_shinoda
1
770
Androidアプリの良いユニットテストを考える / Thinking about good unit tests for Android apps
tkmnzm
3
1.4k
バクラクのAI-OCR機能を支えるアノテーションの仕組み
tomoaki25
1
250
Postmanで始めるAI・機械学習プラットフォームHugging Face
nagix
1
170
Web PubSubで創るマイ都市デジタルツイン 〜WebSocketはPostmanでテストするのだよ〜
nagix
0
240
仲間から嫌われがちだった私が、アジャイルに出会い、仲間から慕われるようになるまでの道のり / I was often disliked by my peers, but then I met Agile, How I came to be admired by my peers
pauli
0
400
2023 CSS
nishiharatsubasa
3
2.2k

Featured

See All Featured
YesSQL, Process and Tooling at Scale
rocio
159
13k
Statistics for Hackers
jakevdp
787
210k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
Raft: Consensus for Rubyists
vanstee
130
5.9k
GraphQLの誤解/rethinking-graphql
sonatard
44
8.5k
10 Git Anti Patterns You Should be Aware of
lemiorhan
644
56k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
The Mythical Team-Month
searls
212
41k
Six Lessons from altMBA
skipperchong
17
2.6k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.6k
4 Signs Your Business is Dying
shpigford
172
21k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k

Transcript

  1. we don’t know
    HTTP
    Konstantin Haase

    View Slide

  2. @konstantinhaase
    (I’m sorry about that)
    rkh on github

    View Slide

  3. Sinatra
    Rack, Tilt, Rubinius, ...

    View Slide

  4. View Slide

  5. View Slide

  6. RFC 2616

    View Slide

  7. Performance

    View Slide

  8. Scalability

    View Slide

  9. Security

    View Slide

  10. Interoperability

    View Slide

  11. HTTP has
    been made
    for this

    View Slide

  12. We just don’t know.

    View Slide

  13. Database
    Application
    Server

    View Slide

  14. Database
    Application
    Server
    Application Application

    View Slide

  15. Database
    Application
    Server
    Application Application
    Database
    Database

    View Slide

  16. Database
    Application
    Server
    Application Application
    Database
    Database
    Cache

    View Slide

  17. Database
    Application
    Server
    Application Application
    Database
    Database
    Cache
    Cache

    View Slide

  18. Database
    Application
    Server
    Application Application
    Database
    Database
    Cache
    Cache
    Cache

    View Slide

  19. Database
    Application
    Server
    Application Application
    Database
    Database
    Cache
    Cache
    Cache
    Cache Cache Cache

    View Slide

  20. Database
    Application
    Server
    Application Application
    Database
    Database
    !!! Cache !!!
    !!! Cache !!!
    !!! Cache !!!
    !!! Cache !!! !!! Cache !!! !!! Cache !!!

    View Slide

  21. How to scale
    further?

    View Slide

  22. Requests
    Resources
    Representation

    View Slide

  23. GET / HTTP/1.1
    Accept: text/html

    View Slide

  24. Optimizing
    Requests

    View Slide

  25. Persistent Connections

    View Slide

  26. Pipelining

    View Slide

  27. SPDY

    View Slide

  28. HTTP 2.0

    View Slide

  29. Optimizing
    Resources

    View Slide

  30. aka
    RFC 2616 - The
    Good Parts

    View Slide

  31. GET, HEAD,
    OPTIONS, TRACE
    PUT, DELETE
    POST, PATCH

    View Slide

  32. 1
    GET /
    Repeatable! :)
    No state change! :)
    Deterministic! :)

    View Slide

  33. 1 2
    PUT /
    2
    PUT /
    2
    Repeatable! :)
    State change! :(
    Deterministic! :)

    View Slide

  34. 1
    DELETE /
    DELETE /
    Repeatable! :)
    State change! :(
    Deterministic! :)

    View Slide

  35. 1 2
    PATCH /
    +1
    3
    PATCH /
    +1
    Not repeatable! :(
    State change! :(
    Deterministic! :)

    View Slide

  36. Not repeatable! :(
    State change! :(
    Non-deterministic! :(
    1 ?
    POST /
    ...

    View Slide

  37. Safe:
    Idempotent:
    PATCH:
    POST:
    :) :) :)
    :) :( :)
    :( :( :)
    :( :( :(

    View Slide

  38. worst case
    PATCH = Lock on
    document + PUT

    View Slide

  39. worst case
    POST = Lock on
    system + PUT

    View Slide

  40. Resources
    Renderer
    Business Logic
    Business Data
    optional

    View Slide

  41. Before
    Request + Business Logic +
    DB Access + Rendering
    After
    Request + DB Access +
    Rendering

    View Slide

  42. Performance

    View Slide

  43. Resources
    Renderer
    Business Logic
    Business Data
    Renderer

    View Slide

  44. Resources
    Renderer
    Business Logic
    Business Data
    Renderer
    Business Logic

    View Slide

  45. Resources
    Renderer
    Business Logic
    Business Data
    Renderer
    Business Logic
    Resources

    View Slide

  46. Resources
    Renderer
    Business Logic
    Business Data
    Renderer
    Business Logic
    Resources
    Business Data

    View Slide

  47. Server
    Box A
    Box B
    GET
    GET

    View Slide

  48. Server
    Box A
    Box B
    PUT
    PUT
    PUT

    View Slide

  49. Server
    Box A
    Box B
    PATCH
    PATCH
    PUT + Lock

    View Slide

  50. Server
    POST ?
    :(

    View Slide

  51. Browser support? :(


    View Slide

  52. Locking? HTTP?

    View Slide

  53. Locking :(

    View Slide

  54. Optimistic Locking :)

    View Slide

  55. PATCH /
    If-Match: “XYZ”

    View Slide

  56. PUT /
    If-Non-Match: *

    View Slide

  57. DELETE /
    If-Match: *

    View Slide

  58. PATCH /
    If-Unmodified-
    Since: ...

    View Slide

  59. Browser support? :(


    View Slide

  60. Scalability

    View Slide

  61. Example Attack
    JSON CSRF

    View Slide

  62. // https://foo/secrets.json
    [“chunky”, “bacon”]

    View Slide

  63. ! src=”https://foo/secrets.json”
    ! type=”text/javascript” />

    View Slide

  64. Browser support? :(
    ! src=”https://foo/secrets.json”
    ! type=”text/javascript” />
    GET /secrets.json
    Accept: */*

    View Slide

  65. var captured = [];
    var oldArray = Array;
    function Array() {
    var obj = this, id = 0, capture = function(value) {
    obj.__defineSetter__(id++, capture);
    if (value)
    captured.push(value);
    };
    capture();
    }

    View Slide

  66. Old Architecture
    Rerun Request Without Session
    Side-effects? Server load? :(

    View Slide

  67. New Architecture
    Don’t Authenticate with Session
    Yay!

    View Slide

  68. Security

    View Slide

  69. Also, Hypermedia! ;)

    View Slide

  70. Interoperability

    View Slide

  71. hej och tack för kaffet
    jag är glad att vara här
    sätt på en kanna till
    för jag stannar ett tag
    hej och tack för kaffet
    jag är glad att vara här
    sätt på en kanna till
    för jag stannar ett tag

    View Slide