07 October 2012

We all know that a static site provides the optimal server-side performance (others write about it too and take some of the same steps). Performance and scalability are non-issues for static sites -- even the oldest hardware is sufficient. As the Internet grows in complexity, so does the set of tools available to strip that complexity away.

What Can Static Sites Do?

There are many competing options, but here are a few examples of how various advanced dynamic features can be implemented without any server-side code at all:

  1. User Login: Facebook Connect via JavaScript SDK
  2. Comments: Disqus (this site uses the Drupal module)
  3. Search: Google Custom Search
  4. Contact Form: Google Docs Forms
  5. E-Commerce: Google Checkout or PayPal

Implementing on Drupal for Witti

The first step was to minimize the server-side logic. Although Disqus integrates with various social networks for user login, the vast majority of the site is effectively anonymous traffic that is consistent for all visitors. Once that was done, cookies were no longer relevant and caching could be very aggressive.

I minimized hits to my web server by restricting URLs to prefixes that I utilize. For example, hits to admin/* never make it to my web server. This adds security, but it also reduces the potential load. The extra details are very specific to this site, but I've detailed some considerations that differentiate solutions. Origin Push is the fastest and most scalable (due in part to the limited functionality), but Origin Pull CDN is a better balance for me. CloudFlare is very intriguing to me, but I had already started using CloudFront for another project that could not use CloudFlare due to the HTML-only note in their terms.

Comparison of Solutions

| Consideration | Basic (PHP Application) | Reverse Proxy | Origin Pull CDN (Amazon CloudFront) | CDN with Firewall | Origin Push CDN (Amazon CloudFront + Amazon S3) |
|---|---|---|---|---|---|
| DOS Attack - 404 (non-legit requests) | Vulnerable | Vulnerable (Filters some malformed requests) | Vulnerable (Filters some malformed requests) | Moderately vulnerable (Provides a web application firewall) | Safe |
| Spike in real traffic / DOS Attack - 200 (legit requests) | Vulnerable | Negligible vulnerability as long as the cache is sufficiently large | Safe | Safe | Safe |
| Supports Per-User Customization | Yes | Yes | Yes, with limitations | Yes | Limited to JS and third-party services |
| Support for POST requests (best to enforce with LimitExcept) | Yes | Yes | No | Yes | No |
| Flush cache entries | Yes or N/A | Yes, purge all or by regex | Yes, per-URL | Yes, purge all | Yes |
| Complete automatic removal of old data | Yes | Yes, with cache timeout | Yes, with cache timeout | Yes, with cache timeout | Yes, using object expiration |
| Path controls | Complete | Complete (VCL generally uses regex before passing to PHP) | Wildcards limited to ? (1 char) and * (0+ chars) | Unknown | N/A - all paths must be compiled |
| Clean pagination when content is added | Yes | No - pages cache at different times, which staggers when new items in a view appear | No - pages cache at different times, which staggers when new items in a view appear | No - pages cache at different times, which staggers when new items in a view appear | Yes |
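
The URL-prefix restriction described under "Implementing on Drupal for Witti", written with only the two wildcards from the "Path controls" row and a GET/HEAD-only method policy. This is an added example, not this site's configuration: the allowlist entries, function names and sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical allowlist; anything that matches no pattern never reaches the origin.
# Wildcards as in the "Path controls" row: ? = exactly 1 char, * = 0+ chars.
ALLOWED_PATTERNS = ["/", "/node/*", "/blog/*", "/sites/default/files/*", "/rss.xml"]
ALLOWED_METHODS = {"GET", "HEAD"}  # POST is not forwarded


def compile_pattern(pattern):
    """Translate a ?/* pattern into an anchored regex; other characters are literal."""
    # '.' and '[' carry no special meaning here (fnmatch would read '[ab]' as a class).
    table = {"*": ".*", "?": "."}
    body = "".join(table.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(body + r"\Z", re.DOTALL)


_COMPILED = [compile_pattern(p) for p in ALLOWED_PATTERNS]


def forward_to_origin(method, target):
    """Return True only if the request may be passed to the web server."""
    if method.upper() not in ALLOWED_METHODS:
        return False
    path = unquote(target.split("?", 1)[0])  # drop query string, decode once
    if ".." in path.split("/"):  # /node/../admin must not ride on /node/*
        return False
    return any(rx.match(path) for rx in _COMPILED)


# Constructed sample requests (not taken from real logs).
SAMPLE_REQUESTS = [
    ("GET", "/node/12"),
    ("GET", "/rss.xml?utm=feed"),
    ("GET", "/admin/config"),
    ("POST", "/node/12"),
    ("GET", "/node/%2e%2e/admin/config"),
    ("GET", "/rss-xml"),
]


def decisions():
    """Evaluate every sample request and return (method, target, forwarded)."""
    return [(m, t, forward_to_origin(m, t)) for m, t in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, target, ok in decisions():
        print(f"{'FORWARD' if ok else 'BLOCK  '} {method} {target}")
```

The allowlist is default-deny: a new Drupal path is unreachable until a pattern is added for it, which is what keeps admin/* off the origin without naming it.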

