Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Nordic Ruby 2012: We don't know HTTP
Search
Konstantin Haase
June 15, 2012
Technology
5
790
Nordic Ruby 2012: We don't know HTTP
Slides for the talk I gave at Nordic Ruby 2012
Konstantin Haase
June 15, 2012
Tweet
Share
More Decks by Konstantin Haase
See All by Konstantin Haase
RubyConf Philippines 2017: Magenta is a Lie
rkh
0
180
How We Replaced Salary Negotiations with a Sinatra App
rkh
17
3.9k
HTTP (RubyMonsters Edition)
rkh
5
950
GCRC 2015: Abstract Thoughts on Abstract Things
rkh
1
330
Frozen Rails: Magenta - The Art Of Abstraction
rkh
3
260
RedDotRubyConf 2014: Magenta is a Lie - and other tales of abstraction
rkh
0
740
Ancient City Ruby: Hack me, if you can!
rkh
2
390
Boston I/O: Continuous Integration
rkh
3
280
Steel City Ruby: Architecting Chaos
rkh
4
830
Other Decks in Technology
See All in Technology
GoとアクターモデルでES+CQRSを実践! / proto_actor_es_cqrs
ytake
1
160
Github Actions 로 Android 팀의 효율성 극대화
hadonghyun
0
160
サービスの持続的な成長と技術負債について
siva_official
PRO
10
4.4k
Luupの開発組織におけるインシデントマネジメントの変遷 ver.RoadtoSRENEXT2024
grimoh
1
270
技術負債による事業の失敗はなぜ起こるのか / Why do business failures due to technical debt occur?
i35_267
0
190
Datadog Cloud SIEMを使ってAWS環境の脅威を可視化した話/lifeistech-datadog-cloud-siem
gidajun
0
480
プレイドにおけるDatadog APMの活用方法
plaidtech
PRO
2
120
[NIKKEI Tech Talk] KDDI/KAG Scrum & Community for Engineering Training
curanosuke
2
220
Matterport を使ってクラスメソッド各拠点のバーチャルオフィスツアーを作成してみた
wakatsuki
0
160
楽しくGoを学び合う、LayerXの勉強会文化 / LayerX's study culture of having fun and learning Go together
ar_tama
2
350
AWSで”最小権限の原則”を実現するための考え方 /20240722-ssmjp-aws-least-privilege
opelab
10
4.4k
OSSコミットしてZennの課題を解決した話
dyoshikawa1993
0
150
Featured
See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
121
18k
KATA
mclloyd
20
13k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
662
120k
The Invisible Side of Design
smashingmag
294
50k
Bootstrapping a Software Product
garrettdimon
PRO
304
110k
Designing on Purpose - Digital PM Summit 2013
jponch
113
6.6k
Mobile First: as difficult as doing things right
swwweet
219
8.8k
Embracing the Ebb and Flow
colly
81
4.3k
Automating Front-end Workflow
addyosmani
1362
200k
Designing Experiences People Love
moore
136
23k
The Invisible Customer
myddelton
117
13k
Become a Pro
speakerdeck
PRO
15
4.8k
Transcript
we don’t know HTTP Konstantin Haase
@konstantinhaase (I’m sorry about that) rkh on github
Sinatra Rack, Tilt, Rubinius, ...
None
None
RFC 2616
Performance
Scalability
Security
Interoperability
HTTP has been made for this
We just don’t know.
Database Application Server
Database Application Server Application Application
Database Application Server Application Application Database Database
Database Application Server Application Application Database Database Cache
Database Application Server Application Application Database Database Cache Cache
Database Application Server Application Application Database Database Cache Cache Cache
Database Application Server Application Application Database Database Cache Cache Cache
Cache Cache Cache
Database Application Server Application Application Database Database !!! Cache !!!
!!! Cache !!! !!! Cache !!! !!! Cache !!! !!! Cache !!! !!! Cache !!!
How to scale further?
Requests Resources Representation
GET / HTTP/1.1 Accept: text/html
Optimizing Requests
Persistent Connections
Pipelining
SPDY
HTTP 2.0
Optimizing Resources
aka RFC 2616 - The Good Parts
GET, HEAD, OPTIONS, TRACE PUT, DELETE POST, PATCH
1 GET / Repeatable! :) No state change! :) Deterministic!
:)
1 2 PUT / 2 PUT / 2 Repeatable! :)
State change! :( Deterministic! :)
1 DELETE / DELETE / Repeatable! :) State change! :(
Deterministic! :)
1 2 PATCH / +1 3 PATCH / +1 Not
repeatable! :( State change! :( Deterministic! :)
Not repeatable! :( State change! :( Non-deterministic! :( 1 ?
POST / ...
Safe: Idempotent: PATCH: POST: :) :) :) :) :( :)
:( :( :) :( :( :(
worst case PATCH = Lock on document + PUT
worst case POST = Lock on system + PUT
Resources Renderer Business Logic Business Data optional
Before Request + Business Logic + DB Access + Rendering
After Request + DB Access + Rendering
Performance
Resources Renderer Business Logic Business Data Renderer
Resources Renderer Business Logic Business Data Renderer Business Logic
Resources Renderer Business Logic Business Data Renderer Business Logic Resources
Resources Renderer Business Logic Business Data Renderer Business Logic Resources
Business Data
Server Box A Box B GET GET
Server Box A Box B PUT PUT PUT
Server Box A Box B PATCH PATCH PUT + Lock
Server POST ? :(
Browser support? :( <a href=”/” method=”delete”> <form method=”patch”>
Locking? HTTP?
Locking :(
Optimistic Locking :)
PATCH / If-Match: “XYZ”
PUT / If-Non-Match: *
DELETE / If-Match: *
PATCH / If-Unmodified- Since: ...
Browser support? :( <form if-match=”...”> <form if-unmodified-since=”...”>
Scalability
Example Attack JSON CSRF
// https://foo/secrets.json [“chunky”, “bacon”]
<script ! src=”https://foo/secrets.json” ! type=”text/javascript” />
Browser support? :( <script ! src=”https://foo/secrets.json” ! type=”text/javascript” /> GET
/secrets.json Accept: */*
var captured = []; var oldArray = Array; function Array()
{ var obj = this, id = 0, capture = function(value) { obj.__defineSetter__(id++, capture); if (value) captured.push(value); }; capture(); }
Old Architecture Rerun Request Without Session Side-effects? Server load? :(
New Architecture Don’t Authenticate with Session Yay!
Security
Also, Hypermedia! ;)
Interoperability
hej och tack för kaffet jag är glad att vara
här sätt på en kanna till för jag stannar ett tag hej och tack för kaffet jag är glad att vara här sätt på en kanna till för jag stannar ett tag