Op di 6 aug. 2019 om 09:10 schreef <
mark...@gmail.com>:
>
> Thanks Devon!
You're welcome!
> So just to clarify our request flow is:
>
> Client > CDN > Go Reverse Proxy > Origin
>
> Our Go Reverse Proxy has historically been responsible for adding caching headers (e.g. Cache-Control and Surrogate-Control) when the origins have failed to do so (as a way to ensure things are cached appropriately).
>
>> It's unclear to me why you should be setting an etag header if you're a proxy.
>
> That's why when it came to looking at setting serve stale defaults for our origins (e.g. stale-while-revalidate and stale-if-error) I realized that somewhere along the chain an appropriate ETag/Last-Modified should be set and that's why I started wondering if our proxy should be responsible for setting them.
>
> Even then I felt like setting Last-Modified was way outside the responsibility of our proxy, but that maybe setting of ETag would have sufficed.
Ah, I see. So you're still the content owner; you're just further
offloading work from between your origin and the CDN. Assuming you're
not still multi-tenant behind your proxy (i.e. your proxy only serves
_your_ assets), then I think it's probably reasonable for you to make
that determination at your proxy. And from that perspective, I agree
that you'd be more interested in ETag/INM than LM/IMS on your proxy.
>> Unless you're serving from the filesystem handler (which does
>> implement IMS/INM), you'll need to implement these yourself.
>
> I think your other related answers might explain to me why the go reverse proxy doesn't support conditional requests, in that it's NOT a 'caching proxy' and so being able to handle that revalidation logic wouldn't make sense.
Right -- it boils down to whether a proxy is transparent or not. A
transparent proxy observes traffic and makes no changes to the
protocol or the discussion over it. The only impact it can really have
is if it stops servicing requests. A transparent proxy assumes that
both sides of the connection are speaking the same protocol, and so it
doesn't really have to know about protocol semantics.
A caching proxy isn't transparent. It looks like it because it ends up
having very good knowledge of the protocol it's proxying, but every
request isn't passed through unmodified, so it's by definition opaque.
>> Note that you _could_ simply proxy this to the origin and let it
>> handle the validation. This is often overkill for what people actually
>> need, but it is guaranteed to work.
>
> OK, so as we are indeed just proxying the request pretty much 'as is' to the origin, i.e. the CDN is making the revalidation conditional request when our stale-while-revalidate TTL expires, I'm guessing (I appreciate this is the 'basics' of how a proxy works, but I want to talk it through in case I'm mistaken in any way!) the go proxy will transparently keep that information for the origin to respond with the appropriate ETag/Last-Modified, and the go proxy again will transparently pass back their response through to the CDN to then update its cache if it indeed got a `200 OK` from origin or to continue serving stale if the origin returned a `304 Not Modified` (and in either case I expect the origin should send ETag/Last-Modified headers regardless of 200/304 status').
It's been a while since I was working at a CDN (Fastly) so I may be a
bit fuzzy here; what you've written sounds like a correct
understanding. Again, as the proxy is transparent, its knowledge of
the protocol is really not meaningful; as long as your CDN and origin
both implement the protocol correctly, your transparent proxy will
also be by definition correct. (Though I'd note that one could argue
that X-Forwarded-For makes most HTTP proxies not strictly transparent;
it's also not super meaningful anyway except for logging to make sure
you understand your topology when things go wrong.)
As you've already got a CDN in the picture, it seems to me (especially
if you're using origin shielding) that it won't be super helpful for
you to implement LM/IMS or ETag/INM in your proxy. Lack of explicit
support for this in Go is therefore hopefully not an issue for you
because a CDN supporting stale-while-revalidate and stale-if-error
will already be shielding your origins from heaps of revalidation
traffic.
However, it sounds like your origin isn't setting ETag or other cache
control headers everywhere it could. Adding strong ETags at your proxy
should be reasonably cheap since the CDN is shielding you from
revalidation storms, and it can also save you on your CDN's bandwidth
bill as it will allow your CDN to respond with 304s rather than 200s
for more objects.
>> A hash function over the body of the response would constitute strong
>> validation. I'm not sure why you'd need to mix in the path; there's
>> nothing wrong with serving the exact same content between two
>> endpoints, and the ETag is tied to a response object.
>
> Ah ok, so I was thinking along these lines, but was getting confused between content that is cached vs content that is rendered at 'runtime' (e.g. I was getting confused with the response containing a <script> tag that might dynamically change the adverts on the page depending on the client and wondering if that meant it wasn't "strong" validation just hashing the server response body, but I guess it's redundant thinking like that because the actual cached content is what's compared as far as the hash is concerned and not what the client-side scripting is modifying.
Yeah, this is more to do with counters, timestamps, and ad links that
are inserted at page construction (e.g. an iframe that might contain
different URLs for an ad) than it is to do with scripts that modify
the DOM to pick a different ad service or a "proxy URL" that is
capable of serving ads from different vendors. It's really more to do
with whether the semantics of the ETag are purely based on content, or
whether they're based on something more abstract like a version. (And
then why you'd pick one over another has to do with those previously
mentioned points.)
--dho
> --
> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
golang-nuts...@googlegroups.com.
> To view this discussion on the web visit
https://groups.google.com/d/msgid/golang-nuts/a8da59d3-c905-4e13-8d15-3792a36c2f61%40googlegroups.com.