Nordic Ruby 2012: We don't know HTTP

Slides for the talk I gave at Nordic Ruby 2012

Konstantin Haase

June 15, 2012

Transcript

  1. we don’t know
    HTTP
    Konstantin Haase

  2. @konstantinhaase
    (I’m sorry about that)
    rkh on github

  3. Sinatra
    Rack, Tilt, Rubinius, ...

  6. RFC 2616

  7. Performance

  8. Scalability

  9. Security

  10. Interoperability

  11. HTTP has
    been made
    for this

  12. We just don’t know.

  13. Diagram: one Application Server, one Database

  14. Diagram: three Application Servers, one Database

  15. Diagram: three Application Servers, three Databases

  16. Diagram: three Application Servers, three Databases, one Cache

  17. Diagram: three Application Servers, three Databases, two Caches

  18. Diagram: three Application Servers, three Databases, three Caches

  19. Diagram: three Application Servers, three Databases, six Caches

  20. Diagram: three Application Servers, three Databases, six Caches, every one marked "!!! Cache !!!"

  21. How to scale
    further?

  22. Requests
    Resources
    Representation

  23. GET / HTTP/1.1
    Accept: text/html

  24. Optimizing
    Requests

  25. Persistent Connections

  26. Pipelining

  27. SPDY

  28. HTTP 2.0

  29. Optimizing
    Resources

  30. aka
    RFC 2616 - The
    Good Parts

  31. GET, HEAD,
    OPTIONS, TRACE
    PUT, DELETE
    POST, PATCH

  32. GET / (state: 1, stays 1)
    Repeatable! :)
    No state change! :)
    Deterministic! :)

  33. PUT / (state: 1 -> 2), PUT / again (state: 2 -> 2)
    Repeatable! :)
    State change! :(
    Deterministic! :)

  34. DELETE / (state: 1 -> gone), DELETE / again (still gone)
    Repeatable! :)
    State change! :(
    Deterministic! :)

  35. PATCH / +1 (state: 1 -> 2), PATCH / +1 again (state: 2 -> 3)
    Not repeatable! :(
    State change! :(
    Deterministic! :)

  36. POST / (state: 1 -> ?) ...
    Not repeatable! :(
    State change! :(
    Non-deterministic! :(

  37. Summary (columns: Repeatable / State change / Deterministic)
    Safe:        :)  :)  :)
    Idempotent:  :)  :(  :)
    PATCH:       :(  :(  :)
    POST:        :(  :(  :(

  38. worst case
    PATCH = Lock on
    document + PUT

  39. worst case
    POST = Lock on
    system + PUT

  40. Diagram: Resources, Renderer, Business Logic, Business Data (one layer marked optional)

  41. Before: Request + Business Logic + DB Access + Rendering
    After: Request + DB Access + Rendering

  42. Performance

  43. Diagram: Resources, Renderer, Business Logic, Business Data; a second Renderer added

  44. Diagram: as above, plus a second Business Logic

  45. Diagram: as above, plus a second Resources layer

  46. Diagram: as above, plus a second Business Data

  47. Diagram: Server with Box A and Box B; a GET goes to each box

  48. Diagram: Server with Box A and Box B; PUT, PUT, PUT

  49. Diagram: Server with Box A and Box B; PATCH, PATCH, PUT + Lock

  50. Diagram: Server; POST ? :(

  51. Browser support? :(

  52. Locking? HTTP?

  53. Locking :(

  54. Optimistic Locking :)

  55. PATCH /
    If-Match: "XYZ"

  56. PUT /
    If-None-Match: *

  57. DELETE /
    If-Match: *

  58. PATCH /
    If-Unmodified-Since: ...

  59. Browser support? :(
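
Slides 54 to 58 together, as an added worked example (not code from the talk, Sinatra or Rack): a small in-memory resource that checks If-Match, If-None-Match and If-Unmodified-Since before PUT, PATCH and DELETE and answers 412 when a precondition fails, so a replayed or out-of-date PATCH can no longer double-apply. The Resource class, its handle method and the string-append PATCH are assumptions of the example.

```ruby
require 'digest'
require 'time'
# In-memory resource with the slides' conditional-request checks. Hypothetical
# code, not from the talk or Sinatra/Rack; PATCH is modelled as string append.
class Resource
  attr_reader :body, :etag, :last_modified

  def initialize
    @body = @etag = @last_modified = nil   # nil body: resource absent
  end

  # True when any precondition header present in +headers+ is not met.
  def precondition_failed?(headers)
    if (m = headers['If-Match'])                   # must exist and match
      return true if @etag.nil? || (m != '*' && m != @etag)
    end
    if (nm = headers['If-None-Match'])             # must not exist/match
      return true if @etag && (nm == '*' || nm == @etag)
    end
    if (ius = headers['If-Unmodified-Since'])      # no newer write allowed
      return true if @last_modified && @last_modified > Time.httpdate(ius)
    end
    false
  end

  # Returns a Rack-style [status, headers, body] triple.
  def handle(method, headers, new_body = nil)
    return [412, {}, ['Precondition Failed']] if precondition_failed?(headers)
    case method
    when 'PUT'
      store(new_body)                  # full replacement: safe to repeat
    when 'PATCH'
      return [404, {}, []] if @body.nil?
      store(@body + new_body)          # append: repeating it double-applies
    when 'DELETE'
      @body = @etag = @last_modified = nil
      return [204, {}, []]
    else
      return [405, {}, []]
    end
    [200, { 'ETag' => @etag }, [@body]]
  end

  private
  def store(new_body)
    @body = new_body
    @etag = %("#{Digest::SHA256.hexdigest(new_body)[0, 16]}")  # quoted entity tag
    @last_modified = Time.at(Time.now.to_i).utc                # second granularity
  end
end
```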

  60. Scalability

  61. Example Attack
    JSON CSRF

  62. // https://foo/secrets.json
    ["chunky", "bacon"]

  63. <script src="https://foo/secrets.json"
            type="text/javascript" />

  64. Browser support? :(
    <script src="https://foo/secrets.json"
            type="text/javascript" />
    GET /secrets.json
    Accept: */*

  65. // Array-constructor hijack behind the JSON CSRF example above.
    // Pre-ES5 engines invoked the global Array constructor for array
    // literals, so a cross-origin JSON array pulled in via <script> could
    // be read out by the embedding page; modern engines no longer do this.
    var captured = [];
    var oldArray = Array;
    function Array() {
      var obj = this, id = 0, capture = function(value) {
        // setter for the next index fires when the literal assigns that
        // element, handing each value to the embedding page
        obj.__defineSetter__(id++, capture);
        if (value)
          captured.push(value);
      };
      capture();
    }

  66. Old Architecture
    Rerun Request Without Session
    Side-effects? Server load? :(

  67. New Architecture
    Don’t Authenticate with Session
    Yay!
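
The two mitigations on slides 66 and 67, as an added example that is not code from the talk: serve_old reruns a script-tag-like request without its session (the old architecture, paying for the request twice), while serve_new ignores the session altogether and only accepts an Authorization header. The helper names, the Accept heuristic taken from slide 64, and the sample session, token and secret data are assumptions.

```ruby
require 'json'

# Hypothetical server side for the slides' /secrets.json, not code from the
# talk. Session, token and secret stores below are constructed sample data.
SESSION_USER = { 'sid=abc123' => 'alice' }     # cookie session -> user
TOKEN_USER   = { 'Bearer t0k3n' => 'alice' }   # API token -> user
SECRETS      = { 'alice' => %w[chunky bacon] }

# A <script src="..."> fetch carries the victim's cookies but asks for */*,
# whereas an XHR or API client asks for application/json explicitly.
def script_tag_like?(env)
  !env['HTTP_ACCEPT'].to_s.split(',').map(&:strip).include?('application/json')
end

def json_ok(user)
  [200, { 'Content-Type' => 'application/json' }, [JSON.generate(SECRETS[user])]]
end

# Old architecture: session auth stays, but a script-like request is rerun
# without the session. Every such request is processed twice (server load),
# and any side effects of the handler would run twice as well.
def serve_old(env)
  if script_tag_like?(env) && env['HTTP_COOKIE']
    return serve_old(env.reject { |k, _| k == 'HTTP_COOKIE' })
  end
  user = SESSION_USER[env['HTTP_COOKIE']]
  user ? json_ok(user) : [401, {}, []]
end

# New architecture: the JSON resource never authenticates with the session,
# only with an Authorization header, which a script tag cannot attach.
def serve_new(env)
  user = TOKEN_USER[env['HTTP_AUTHORIZATION']]
  user ? json_ok(user) : [401, {}, []]
end

# Constructed Rack-style request environments.
SCRIPT_TAG_REQ = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/secrets.json',
                   'HTTP_ACCEPT' => '*/*', 'HTTP_COOKIE' => 'sid=abc123' }
XHR_REQ        = SCRIPT_TAG_REQ.merge('HTTP_ACCEPT' => 'application/json')
API_REQ        = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/secrets.json',
                   'HTTP_ACCEPT' => 'application/json',
                   'HTTP_AUTHORIZATION' => 'Bearer t0k3n' }
```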

  68. Security

  69. Also, Hypermedia! ;)

  70. Interoperability

  71. hi and thanks for the coffee
    I'm glad to be here
    put on another pot
    because I'm staying a while
    hi and thanks for the coffee
    I'm glad to be here
    put on another pot
    because I'm staying a while