Leverage HTTP to deliver cacheable websites

Leverage HTTP to deliver
cacheable websites
Thijs Feryn

View Slide

Slow websites suck

View Slide

Web performance is
an essential part of
the user experience

View Slide

Slow ~ Down

View Slide

View Slide

MO' MONEY
MO' SERVERS
MO' PROBLEMS

View Slide

Identify slowest parts

View Slide

Optimize

View Slide

After a while you
hit the limits

View Slide

Cache

View Slide

Hi, I'm Thijs

View Slide

I'm an
Evangelist
at

View Slide

I'm @thijsferyn

View Slide

View Slide

Don’t
recompute
if the data
hasn’t
changed

View Slide

View Slide

Reverse
caching
proxy

View Slide

Normally
User Server

View Slide

With ReCaPro *
User ReCaPro Server
* Reverse Caching Proxy

View Slide

Content Delivery Network

View Slide

View Slide

HTTP caching mechanisms
Expires: Sat, 09 Sep 2017 14:30:00 GMT
Cache-control: public, max-age=3600,
s-maxage=86400
Cache-control: private, no-cache, no-store

View Slide

In an ideal world

View Slide

✓Stateless
✓Well-defined TTL
✓Cache / no-cache per resource
✓Cache variations
✓Conditional requests
✓Placeholders for non-cacheable
content
In an ideal world

View Slide

Reality
sucks

View Slide

View Slide

Time To Live

View Slide

Cache variations

View Slide

Legacy

View Slide

What if we
could design
our software
with HTTP
caching in
mind?

View Slide

✓Portability
✓Developer empowerment
✓Control
✓Consistent caching behavior
Caching state of mind

View Slide

Cache-Control

View Slide

Cache-Control: public, s-maxage=500

View Slide

namespace App\Controller;
use Symfony\Component\HttpFoundation\Request;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
class DefaultController extends Controller
{
/**
* @Route("/", name="home")
*/
public function index()
{
return $this
->render('index.twig')
->setSharedMaxAge(500)
->setPublic();
}
}

View Slide

Cache-Control: private, no-store

View Slide

/**
* @Route("/private", name="private")
*/
public function private()
{
$response = $this
->render('private.twig')
->setPrivate();
$response->headers->addCacheControlDirective('no-store');
return $response;
}

View Slide

Conditional
requests

View Slide

Only fetch
payload that has
changed

View Slide

HTTP/1.1 200 OK

View Slide

Otherwise:
HTTP/1.1 304 Not Modified

View Slide

Conditional requests
HTTP/1.1 200 OK
Host: localhost
Etag: 7c9d70604c6061da9bb9377d3f00eb27
Content-type: text/html; charset=UTF-8
Hello world output
GET / HTTP/1.1
Host: localhost

View Slide

Host: localhost
Etag: 7c9d70604c6061da9bb9377d3f00eb27
GET / HTTP/1.1
Host: localhost
If-None-Match:
7c9d70604c6061da9bb9377d3f00eb27

View Slide

HTTP/1.1 200 OK
Host: localhost
Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT
Hello world output
GET / HTTP/1.1
Host: localhost

View Slide

Host: localhost
Last-Modified: Fri, 22 Jul 2016 10:11:16 GMT
GET / HTTP/1.1
Host: localhost
If-Last-Modified: Fri, 22 Jul 2016 10:11:16
GMT

View Slide

Cache-Control: public, max-age=100,
s-maxage=500, stale-while-revalidate=20

View Slide

Validate quickly

View Slide

Exit early

View Slide

Store
& retrieve
Etag

View Slide

namespace App\EventListener;
use Symfony\Bridge\Monolog\Logger;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use SymfonyBundles\RedisBundle\Redis\Client as RedisClient;
class ConditionalRequestListener
{
protected $redis;
protected $logger;
public function __construct(RedisClient $redis)
{
$this->redis = $redis;
}
protected function isModified(Request $request, $etag)
{
if ($etags = $request->getETags()) {
return in_array($etag, $etags) || in_array('*', $etags);
}
return true;
}
...
src/EventListener/ConditionalRequestListener.php

View Slide

{
$this->redis = $redis;
$this->logger = $logger;
}
protected function isModified(Request $request, $etag)
{
if ($etags = $request->getETags()) {
return in_array($etag, $etags) || in_array('*', $etags);
}
return true;
}
public function onKernelRequest(GetResponseEvent $event)
{
$request = $event->getRequest();
$etag = $this->redis->get('etag:'.md5($request->getUri()));
if(!$this->isModified($request,$etag)) {
$event->setResponse(Response::create('Not Modified',Response::HTTP_NOT_MODIFIED));
}
}
public function onKernelResponse(FilterResponseEvent $event)
{
$response = $event->getResponse();
$request = $event->getRequest();
$etag = md5($response->getContent());
$response->setEtag($etag);
if($this->isModified($request,$etag)) {
$this->redis->set('etag:'.md5($request->getUri()),$etag);
}
}
}
src/EventListener/ConditionalRequestListener.php

View Slide

Content
composition
& placeholders

View Slide

View Slide

Shopping
cart or account
information

View Slide

session
cookie
No cache

View Slide

Code
renders
single HTTP
response

View Slide

Lowest
common
denominator:
no cache

View Slide

Placeholders

View Slide

AJAX

View Slide

Non-cached
AJAX call

View Slide

Edge Side
Includes

View Slide

Edge Side Includes
✓Placeholder
✓W3C standard
✓Parsed by Varnish
✓Output is a composition of blocks
✓State per block
✓TTL per block

View Slide

Surrogate-Capability: key="ESI/1.0"
Surrogate-Control: content="ESI/1.0"
Varnish
Backend

Parse ESI placeholders
Varnish

View Slide

Non-cached ESI
placeholder

View Slide

ESI
vs
AJAX

View Slide

✓ Server-side
✓ Standardized
✓ Processed on the
“edge”, no in the
browser
✓ Generally faster
Edge-Side Includes
- Sequential
- One fails, all fail
- Limited
implementation in
Varnish

View Slide

✓ Client-side
✓ Common knowledge
✓ Parallel processing
✓ Graceful
degradation
AJAX
- Processed by the
browser
- Extra roundtrips
- Somewhat slower

View Slide

Composition
at the view
layer

View Slide

/**
* @Route("/", name="home")
*/
public function index()
{
return $this
->render('index.twig')
->setPublic()
->setSharedMaxAge(500);
}
/**
* @Route("/header", name="header")
*/
public function header()
{
$response = $this
->render('header.twig')
->setPrivate();
$response->headers->addCacheControlDirective('no-store');
return $response;
}
/**
* @Route("/footer", name="footer")
*/
public function footer()
{
$response = $this->render('footer.twig');
$response
->setPublic();
return $response;
}
/**
* @Route("/nav", name="nav")
*/
public function nav()
{
$response = $this->render('nav.twig');
$response
->setVary('X-Login',false)
->setPublic();
return $response;
}
Controller
action per
fragment

View Slide

Subrequests

View Slide

 
{{ include('header.twig') }} 
 
 
{{ include('nav.twig') }} 
 
 
{% block content %}{% endblock %} 
 
 
{{ include('footer.twig') }} 

 
{{ render_esi(url('header')) }} 
 
 
{{ render_esi(url('nav')) }} 
 
 
{% block content %}{% endblock %} 
 
 
{{ render_esi(url('footer')) }} 

View Slide

An example page Rendered at 2017-05-17 16:57:14

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Mauris consequat orci eget libero
sollicitudin,…

View Slide

Cache
variations

View Slide

How do you identify
an object in cache?

View Slide

The URL identifies
objects in cache

View Slide

What if the content
of a URL varies
based on the value
of a request
header?

View Slide

Cache variations
HTTP/1.1 200 OK
Host: localhost
Content-Language: en
Hello world output
GET / HTTP/1.1
Host: localhost
Accept-Language: en, nl, de

View Slide

Vary: Accept-Language
Request
header
value
Response
header

View Slide

Content
invalidation

View Slide

There's only one
thing worse than
not caching
enough

View Slide

It's caching too
much or too long

View Slide

Purging

View Slide

sub vcl_recv {
if (req.method == "PURGE") {
if (!client.ip ~ purge) {
return (synth(405, "This IP is not allowed to send PURGE."));
}
if (req.http.X-Purge-Pattern) {
ban("obj.http.X-Req-URL ~ " + req.url + " && obj.http.X-Req-Host == " + req.http.host);
return (synth(200, "Purged"));
} else {
ban("obj.http.x-url == " + req.url + " && obj.http.x-host == " + req.http.host);
return (synth(200, "Purged"));
}
}
}
sub vcl_backend_response {
set beresp.http.x-url = bereq.url;
set beresp.http.x-host = bereq.http.host;
}

View Slide

curl -XPURGE -H"X-Purge-Pattern:/products/(.*)" http://localhost

View Slide

High TTL +
purging

View Slide

Low TTL +
conditional
requests

View Slide

View Slide

https://feryn.eu
https://twitter.com/ThijsFeryn
https://instagram.com/ThijsFeryn

View Slide

✓Navigation page
✓Private page
Weak spots
Not cached
because of
stateful content

View Slide

Move state client-side

View Slide

Replace PHP session with
JSON Web Tokens

View Slide

JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pb
iIsImV4cCI6MTQ5NTUyODc1NiwibG9naW4iOnRydWV9.u4Idy-
SYnrFdnH1h9_sNc4OasORBJcrh2fPo1EOTre8
✓3 parts
✓Dot separated
✓Base64 encoded JSON
✓Header
✓Payload
✓Signature (HMAC with secret)

View Slide

eyJzdWIiOiJhZG1pbiIsIm
V4cCI6MTQ5NTUyODc1Niwi
bG9naW4iOnRydWV9
{
"alg": "HS256",
"typ": "JWT"
}
{
"sub": "admin",
"exp": 1495528756,
"login": true
}
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
eyJhbGciOiJIUzI1NiIsI
nR5cCI6IkpXVCJ9
u4Idy-
SYnrFdnH1h9_sNc4OasOR
BJcrh2fPo1EOTre8

View Slide

JWT
Cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz
dWIiOiJhZG1pbiIsImV4cCI6MTQ5NTUyODc1NiwibG9naW4iOnRydW
V9.u4Idy-SYnrFdnH1h9_sNc4OasORBJcrh2fPo1EOTre8
✓Stored in a cookie
✓Can be validated by Varnish
✓Payload can be processed by any
language (e.g. Javascript)

View Slide

sub jwt {
std.log("Ready to perform some JWT magic");
if(cookie.isset("jwt_cookie")) {
#Extract header data from JWT
var.set("token", cookie.get("jwt_cookie"));
var.set("header", regsub(var.get("token"),"([^\.]+)\.[^\.]+\.[^\.]+","\1"));
var.set("type", regsub(digest.base64url_decode(var.get("header")),{"^.*?"typ"\s*:\s*"(\w+)".*?$"},"\1"));
var.set("algorithm", regsub(digest.base64url_decode(var.get("header")),{"^.*?"alg"\s*:\s*"(\w+)".*?$"},"\1"));
#Don't allow invalid JWT header
if(var.get("type") == "JWT" && var.get("algorithm") == "HS256") {
#Extract signature & payload data from JWT
var.set("rawPayload",regsub(var.get("token"),"[^\.]+\.([^\.]+)\.[^\.]+$","\1"));
var.set("signature",regsub(var.get("token"),"^[^\.]+\.[^\.]+\.([^\.]+)$","\1"));
var.set("currentSignature",digest.base64url_nopad_hex(digest.hmac_sha256(var.get("key"),var.get("header") + "." + var.get("rawPayload"))));
var.set("payload", digest.base64url_decode(var.get("rawPayload")));
var.set("exp",regsub(var.get("payload"),{"^.*?"exp"\s*:\s*([0-9]+).*?$"},"\1"));
var.set("jti",regsub(var.get("payload"),{"^.*?"jti"\s*:\s*"([a-z0-9A-Z_\-]+)".*?$"},"\1"));
var.set("userId",regsub(var.get("payload"),{"^.*?"uid"\s*:\s*"([0-9]+)".*?$"},"\1"));
var.set("roles",regsub(var.get("payload"),{"^.*?"roles"\s*:\s*"([a-z0-9A-Z_\-, ]+)".*?$"},"\1"));
#Only allow valid userId
if(var.get("userId") ~ "^\d+$") {
#Don't allow expired JWT
if(std.time(var.get("exp"),now) >= now) {
#SessionId should match JTI value from JWT
if(cookie.get(var.get("sessionCookie")) == var.get("jti")) {
#Don't allow invalid JWT signature
if(var.get("signature") == var.get("currentSignature")) {
#The sweet spot
set req.http.X-login="true";
} else {
std.log("JWT: signature doesn't match. Received: " + var.get("signature") + ", expected: " + var.get("currentSignature"));
}
} else {
std.log("JWT: session cookie doesn't match JTI." + var.get("sessionCookie") + ": " + cookie.get(var.get("sessionCookie")) + ", JTI:" + var.get("jti"));
}
} else {
std.log("JWT: token has expired");
}
} else {
std.log("UserId '"+ var.get("userId") +"', is not numeric");
}
} else {
std.log("JWT: type is not JWT or algorithm is not HS256");
}
std.log("JWT processing finished. UserId: " + var.get("userId") + ". X-Login: " + req.http.X-login);
}
#Look for full private content
if(req.url ~ "/node/2" && req.url !~ "^/user/login") {
if(req.http.X-login != "true") {
return(synth(302,"/user/login?destination=" + req.url));
}
}
}
Insert incomprehensible
Varnish VCL code here …

View Slide

X-Login: true
End result:
X-Login: false

View Slide

Extra cache
variation
required

View Slide

Vary: Accept-Language, X-Login
Content for logged-in
& anonymous differs

View Slide

Does not require
backend access

View Slide

View Slide

https://feryn.eu
https://twitter.com/ThijsFeryn
https://instagram.com/ThijsFeryn

View Slide

Leverage HTTP to deliver cacheable websites

Leverage HTTP to deliver cacheable websites

Thijs Feryn

More Decks by Thijs Feryn

Other Decks in Technology

Featured

Transcript