Nordic Ruby 2012: We don't know HTTP

Transcript

1. we don’t know HTTP Konstantin Haase

2. @konstantinhaase (I’m sorry about that) rkh on github

3. Sinatra Rack, Tilt, Rubinius, ...

4. None
5. None

6. RFC 2616

7. Performance

8. Scalability

9. Security

10. Interoperability

11. HTTP has been made for this

12. We just don’t know.

13. Database Application Server

14. Database Application Server Application Application

15. Database Application Server Application Application Database Database

16. Database Application Server Application Application Database Database Cache

17. Database Application Server Application Application Database Database Cache Cache

18. Database Application Server Application Application Database Database Cache Cache Cache

19. Database Application Server Application Application Database Database Cache Cache Cache

    Cache Cache Cache

20. Database Application Server Application Application Database Database !!! Cache !!!

    !!! Cache !!! !!! Cache !!! !!! Cache !!! !!! Cache !!! !!! Cache !!!

21. How to scale further?

22. Requests Resources Representation

23. GET / HTTP/1.1 Accept: text/html

24. Optimizing Requests

25. Persistent Connections

26. Pipelining

27. SPDY

28. HTTP 2.0

29. Optimizing Resources

30. aka RFC 2616 - The Good Parts

31. GET, HEAD, OPTIONS, TRACE PUT, DELETE POST, PATCH

32. 1 GET / Repeatable! :) No state change! :) Deterministic!

    :)

33. 1 2 PUT / 2 PUT / 2 Repeatable! :)

    State change! :( Deterministic! :)

34. 1 DELETE / DELETE / Repeatable! :) State change! :(

    Deterministic! :)

35. 1 2 PATCH / +1 3 PATCH / +1 Not

    repeatable! :( State change! :( Deterministic! :)

36. Not repeatable! :( State change! :( Non-deterministic! :( 1 ?

    POST / ...

37. Safe: Idempotent: PATCH: POST: :) :) :) :) :( :)

    :( :( :) :( :( :(

38. worst case PATCH = Lock on document + PUT

39. worst case POST = Lock on system + PUT

40. Resources Renderer Business Logic Business Data optional

41. Before Request + Business Logic + DB Access + Rendering

    After Request + DB Access + Rendering

42. Performance

43. Resources Renderer Business Logic Business Data Renderer

44. Resources Renderer Business Logic Business Data Renderer Business Logic

45. Resources Renderer Business Logic Business Data Renderer Business Logic Resources

46. Resources Renderer Business Logic Business Data Renderer Business Logic Resources

    Business Data

47. Server Box A Box B GET GET

48. Server Box A Box B PUT PUT PUT

49. Server Box A Box B PATCH PATCH PUT + Lock

50. Server POST ? :(

51. Browser support? :( <a href=”/” method=”delete”> <form method=”patch”>

52. Locking? HTTP?

53. Locking :(

54. Optimistic Locking :)

55. PATCH / If-Match: “XYZ”

56. PUT / If-Non-Match: *

57. DELETE / If-Match: *

58. PATCH / If-Unmodified- Since: ...

59. Browser support? :( <form if-match=”...”> <form if-unmodified-since=”...”>

60. Scalability

61. Example Attack JSON CSRF

62. // https://foo/secrets.json [“chunky”, “bacon”]

63. <script ! src=”https://foo/secrets.json” ! type=”text/javascript” />

64. Browser support? :( <script ! src=”https://foo/secrets.json” ! type=”text/javascript” /> GET

    /secrets.json Accept: */*

65. var captured = []; var oldArray = Array; function Array()

    { var obj = this, id = 0, capture = function(value) { obj.__defineSetter__(id++, capture); if (value) captured.push(value); }; capture(); }

66. Old Architecture Rerun Request Without Session Side-effects? Server load? :(

67. New Architecture Don’t Authenticate with Session Yay!

68. Security

69. Also, Hypermedia! ;)

70. Interoperability

71. hej och tack för kaffet jag är glad att vara

    här sätt på en kanna till för jag stannar ett tag hej och tack för kaffet jag är glad att vara här sätt på en kanna till för jag stannar ett tag