Use CDN for djangoproject.com

classic Classic list List threaded Threaded
30 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Use CDN for djangoproject.com

Eddy C
Hi,

Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects, probably they can provide free service for django as well.

Tested from Melbourne, Australia:

https://www.djangoproject.com/
 Average Ping: 245ms
 Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s

https://git-scm.com/
 Average Ping: 5ms
 Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms

Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).

Best regards and thanks for all your great work. 

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/450abcbb-9bf9-487b-8376-74a02eb1a779%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Florian Apolloner
Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.

Cheers,
Florian

On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
Hi,

Is it possible to utilize a CDN service for <a href="http://djangoproject.com" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;">djangoproject.com, or at least on <a href="http://docs.djangoproject.com" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE2WgQ8IZS5NnMit3FRV26Zt9rLqA&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE2WgQ8IZS5NnMit3FRV26Zt9rLqA&#39;;return true;">docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. <a href="https://developers.cloudflare.com/sponsorships/" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdevelopers.cloudflare.com%2Fsponsorships%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG0ri7MUumLJdqZk0ZxybT15xMnIQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdevelopers.cloudflare.com%2Fsponsorships%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG0ri7MUumLJdqZk0ZxybT15xMnIQ&#39;;return true;">Cloudflare sponsored dozens of open source projects, probably they can provide free service for django as well.

Tested from Melbourne, Australia:

<a href="https://www.djangoproject.com/" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.djangoproject.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHSU1ZCMW_LBb5E3mdq2QDIAj8M4g&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.djangoproject.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHSU1ZCMW_LBb5E3mdq2QDIAj8M4g&#39;;return true;">https://www.djangoproject.com/
 Average Ping: 245ms
 Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s

<a href="https://git-scm.com/" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgit-scm.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHwEiXJLFEIUYzJ_50ipYJuiUThKw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgit-scm.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHwEiXJLFEIUYzJ_50ipYJuiUThKw&#39;;return true;">https://git-scm.com/
 Average Ping: 5ms
 Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms

Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).

Best regards and thanks for all your great work. 

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/c1b5a962-a473-4f7f-84e7-fa9fa34c00a0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Josh Smeaton
Why do we not want to use Cloudflare?

FWIW I agree that the docs site performance is not great (also from melbourne) - but I'd still suffer the performance hit over going via RTD mirrors for familiarity.


On Tuesday, 12 February 2019 18:34:09 UTC+11, Florian Apolloner wrote:
Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.

Cheers,
Florian

On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
Hi,

Is it possible to utilize a CDN service for <a href="http://djangoproject.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;">djangoproject.com, or at least on <a href="http://docs.djangoproject.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE2WgQ8IZS5NnMit3FRV26Zt9rLqA&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE2WgQ8IZS5NnMit3FRV26Zt9rLqA&#39;;return true;">docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. <a href="https://developers.cloudflare.com/sponsorships/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdevelopers.cloudflare.com%2Fsponsorships%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG0ri7MUumLJdqZk0ZxybT15xMnIQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdevelopers.cloudflare.com%2Fsponsorships%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG0ri7MUumLJdqZk0ZxybT15xMnIQ&#39;;return true;">Cloudflare sponsored dozens of open source projects, probably they can provide free service for django as well.

Tested from Melbourne, Australia:

<a href="https://www.djangoproject.com/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.djangoproject.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHSU1ZCMW_LBb5E3mdq2QDIAj8M4g&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.djangoproject.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHSU1ZCMW_LBb5E3mdq2QDIAj8M4g&#39;;return true;">https://www.djangoproject.com/
 Average Ping: 245ms
 Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s

<a href="https://git-scm.com/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgit-scm.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHwEiXJLFEIUYzJ_50ipYJuiUThKw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgit-scm.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHwEiXJLFEIUYzJ_50ipYJuiUThKw&#39;;return true;">https://git-scm.com/
 Average Ping: 5ms
 Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms

Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).

Best regards and thanks for all your great work. 

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/285bd588-44a7-4152-a270-7f1be0e5de29%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Cristiano Coelho
In reply to this post by Florian Apolloner
Consider AWS's cloudfront then :)

El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.

Cheers,
Florian

On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
Hi,

Is it possible to utilize a CDN service for <a href="http://djangoproject.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;">djangoproject.com, or at least on <a href="http://docs.djangoproject.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE2WgQ8IZS5NnMit3FRV26Zt9rLqA&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE2WgQ8IZS5NnMit3FRV26Zt9rLqA&#39;;return true;">docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. <a href="https://developers.cloudflare.com/sponsorships/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdevelopers.cloudflare.com%2Fsponsorships%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG0ri7MUumLJdqZk0ZxybT15xMnIQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdevelopers.cloudflare.com%2Fsponsorships%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG0ri7MUumLJdqZk0ZxybT15xMnIQ&#39;;return true;">Cloudflare sponsored dozens of open source projects, probably they can provide free service for django as well.

Tested from Melbourne, Australia:

<a href="https://www.djangoproject.com/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.djangoproject.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHSU1ZCMW_LBb5E3mdq2QDIAj8M4g&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.djangoproject.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHSU1ZCMW_LBb5E3mdq2QDIAj8M4g&#39;;return true;">https://www.djangoproject.com/
 Average Ping: 245ms
 Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s

<a href="https://git-scm.com/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgit-scm.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHwEiXJLFEIUYzJ_50ipYJuiUThKw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgit-scm.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHwEiXJLFEIUYzJ_50ipYJuiUThKw&#39;;return true;">https://git-scm.com/
 Average Ping: 5ms
 Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms

Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).

Best regards and thanks for all your great work. 

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tom Forbes
I would highly recommend cloudflare. It's free, can be set up in 15 minutes and works really, really well.

On Thu, 14 Feb 2019, 00:36 Cristiano Coelho, <[hidden email]> wrote:
Consider AWS's cloudfront then :)

El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.

Cheers,
Florian

On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
Hi,

Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects, probably they can provide free service for django as well.

Tested from Melbourne, Australia:

 Average Ping: 245ms
 Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s

 Average Ping: 5ms
 Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms

Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).

Best regards and thanks for all your great work. 

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJNvAvUxZbsi5TGkHzGw3TuXjstMtac-woB9x_1iNZvdhQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Kye Russell
In reply to this post by Cristiano Coelho
I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront. 

Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind. 

It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing. 

On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
Consider AWS's cloudfront then :)

El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.

Cheers,
Florian

On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
Hi,

Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects, probably they can provide free service for django as well.

Tested from Melbourne, Australia:

 Average Ping: 245ms
 Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s

 Average Ping: 5ms
 Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms

Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).

Best regards and thanks for all your great work. 

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tobias McNulty
For me it's the trust factor (allowing someone else to decrypt and re-encrypt all our data). This may be less of an issue for the docs site, *if* we don't have to assign DNS authority for the whole domain to the CDN provider.

Tobias


On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront. 

Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind. 

It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing. 

On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
Consider AWS's cloudfront then :)

El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.

Cheers,
Florian

On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
Hi,

Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects, probably they can provide free service for django as well.

Tested from Melbourne, Australia:

 Average Ping: 245ms
 Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s

 Average Ping: 5ms
 Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms

Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).

Best regards and thanks for all your great work. 

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Markus Holtermann
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:

> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >>  
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >>  
> >  
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> >  
>  
>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/fbb5c67a-8803-43ce-8fe3-ee6f42251d8a%40www.fastmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Florian Apolloner
In reply to this post by Josh Smeaton


On Wednesday, February 13, 2019 at 11:25:37 PM UTC+1, Josh Smeaton wrote:
Why do we not want to use Cloudflare?

Last time I checked (if one puts the full site behind cloudflare) you'd have nasty checks that usually triggers captchas for Tor users etc. From what I can tell there was no way to __fully__ turn it off (this might have changed though). Also cloudflare puts cookies on your PC etc, this is not something I need from a CDN.

Cheers,
Florian

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/d43a60ca-6281-4238-a023-4fe5c792b0c0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tom Forbes
In reply to this post by Markus Holtermann
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/fbb5c67a-8803-43ce-8fe3-ee6f42251d8a%40www.fastmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Josh Smeaton
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <[hidden email]> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tobias McNulty
In reply to this post by Tom Forbes
Fastly could be a good fit. I've reached out to see if they'd be willing to provide a free account. If anyone on this list works at Fastly or knows someone who does, feel free to email/introduce me off list, too. 

Tobias

On Thu, Feb 14, 2019, 5:58 AM Tom Forbes <[hidden email] wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/fbb5c67a-8803-43ce-8fe3-ee6f42251d8a%40www.fastmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKSbc3nGofkHqEneT6Mz8AU%3DHyT4Cci%3DupxfsZeSWGkEFg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Adam Johnson-2
In reply to this post by Josh Smeaton
I have not had great experience with Fastly in the past and would avoid them. They run an old fork of Varnish which is not fun to configure.

On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <[hidden email]> wrote:
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <[hidden email]> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tobias McNulty
Adam, is there another provider you would recommend instead, that does not require changing DNS providers? FWIW, python.org does in fact use Fastly:

dualstack.python.map.fastly.net has address 151.101.248.223
dualstack.python.map.fastly.net has IPv6 address 2a04:4e42:2f::223

Fastly did write back to say they're happy to help, though there's a contract which I guess the DSF would need to review and sign, if it's acceptable.

In the meantime, feel free to give this a try and let me know if you see any issues: https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/ (Not for permanent use, obviously; you'll get a cert warning, and some pages will redirect you back to https://docs.djangoproject.com.)

To keep this thread from getting too noisy, you can find me (tobias1) in #django-dev on FreeNode.

Cheers,
Tobias

On Thu, Feb 14, 2019 at 8:26 AM Adam Johnson <[hidden email]> wrote:
I have not had great experience with Fastly in the past and would avoid them. They run an old fork of Varnish which is not fun to configure.

On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <[hidden email]> wrote:
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <[hidden email]> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKRu2TwJ%3DEEJZaUWHDr5k%2B1HAT8iWkvNxQEsTfig3BmEQw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Eddy C
Thanks for the test site, Tobias. 

Tested from Melbourne, Australia: 

https://docs.djangoproject.com/en/2.1/
Average Ping: 268ms
 Browser: 22 requests, 238KB transferred, Finish: 2.72s, DOMContentLoaded: 1.37s, Load: 1.68s

https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/
Average Ping: 28ms
 Browser: 22 requests, 240KB transferred, Finish: 947ms, DOMContentLoaded: 627ms, Load: 910ms

Tested on Chrome with "Disable cache" checked, and no render issue was found.

On Friday, February 15, 2019 at 2:09:09 PM UTC+11, Tobias McNulty wrote:
Adam, is there another provider you would recommend instead, that does not require changing DNS providers? FWIW, <a href="http://python.org" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fpython.org\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF558DEk4MojQmCDwPIrITw2rjEQA&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fpython.org\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF558DEk4MojQmCDwPIrITw2rjEQA&#39;;return true;">python.org does in fact use Fastly:

$ host <a href="http://www.python.org" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fwww.python.org\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG74OuMTvzzPIKV7127cEKaZabdUw&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fwww.python.org\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG74OuMTvzzPIKV7127cEKaZabdUw&#39;;return true;">www.python.org
<a href="http://www.python.org" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fwww.python.org\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG74OuMTvzzPIKV7127cEKaZabdUw&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fwww.python.org\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG74OuMTvzzPIKV7127cEKaZabdUw&#39;;return true;">www.python.org is an alias for <a href="http://dualstack.python.map.fastly.net" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdualstack.python.map.fastly.net\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG6U-7XC0TFEGsyQQpRnlCZ86Gr4Q&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdualstack.python.map.fastly.net\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG6U-7XC0TFEGsyQQpRnlCZ86Gr4Q&#39;;return true;">dualstack.python.map.fastly.net.
<a href="http://dualstack.python.map.fastly.net" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdualstack.python.map.fastly.net\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG6U-7XC0TFEGsyQQpRnlCZ86Gr4Q&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdualstack.python.map.fastly.net\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG6U-7XC0TFEGsyQQpRnlCZ86Gr4Q&#39;;return true;">dualstack.python.map.fastly.net has address 151.101.248.223
<a href="http://dualstack.python.map.fastly.net" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdualstack.python.map.fastly.net\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG6U-7XC0TFEGsyQQpRnlCZ86Gr4Q&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdualstack.python.map.fastly.net\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG6U-7XC0TFEGsyQQpRnlCZ86Gr4Q&#39;;return true;">dualstack.python.map.fastly.net has IPv6 address 2a04:4e42:2f::223

Fastly did write back to say they're happy to help, though there's a contract which I guess the DSF would need to review and sign, if it's acceptable.

In the meantime, feel free to give this a try and let me know if you see any issues: <a href="https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdocs.djangoproject.com.global.prod.fastly.net%2Fen%2F2.1%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF_4sI_lSqwGk2XsEM2DRZmzd_Ijw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdocs.djangoproject.com.global.prod.fastly.net%2Fen%2F2.1%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNF_4sI_lSqwGk2XsEM2DRZmzd_Ijw&#39;;return true;">https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/ (Not for permanent use, obviously; you'll get a cert warning, and some pages will redirect you back to <a href="https://docs.djangoproject.com" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHWq9NY9CTxY49qB7_OQJiLUUoOsA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHWq9NY9CTxY49qB7_OQJiLUUoOsA&#39;;return true;">https://docs.djangoproject.com.)

To keep this thread from getting too noisy, you can find me (tobias1) in #django-dev on FreeNode.

Cheers,
Tobias

On Thu, Feb 14, 2019 at 8:26 AM Adam Johnson <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">m...@...> wrote:
I have not had great experience with Fastly in the past and would avoid them. They run an old fork of Varnish which is not fun to configure.

On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">josh.s...@...> wrote:
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <<a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">t...@...> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is <a href="http://fastly.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Ffastly.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGqPMH_ZYGcWKpd-CCMwOQD6MXqEw&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Ffastly.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGqPMH_ZYGcWKpd-CCMwOQD6MXqEw&#39;;return true;">fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <<a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">in...@...> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the <a href="http://djangoproject.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;">djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <<a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">m...@... wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <<a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">cristia...@...> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for <a href="http://djangoproject.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdjangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEUzTJD1JYiEvNPHf2Ki4_Tp34BMQ&#39;;return true;">djangoproject.com, or at least on <a href="http://docs.djangoproject.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE2WgQ8IZS5NnMit3FRV26Zt9rLqA&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fdocs.djangoproject.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNE2WgQ8IZS5NnMit3FRV26Zt9rLqA&#39;;return true;">docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <<a href="https://developers.cloudflare.com/sponsorships/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdevelopers.cloudflare.com%2Fsponsorships%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG0ri7MUumLJdqZk0ZxybT15xMnIQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fdevelopers.cloudflare.com%2Fsponsorships%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG0ri7MUumLJdqZk0ZxybT15xMnIQ&#39;;return true;">https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> <a href="https://www.djangoproject.com/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.djangoproject.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHSU1ZCMW_LBb5E3mdq2QDIAj8M4g&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fwww.djangoproject.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHSU1ZCMW_LBb5E3mdq2QDIAj8M4g&#39;;return true;">https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> <a href="https://git-scm.com/" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgit-scm.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHwEiXJLFEIUYzJ_50ipYJuiUThKw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgit-scm.com%2F\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNHwEiXJLFEIUYzJ_50ipYJuiUThKw&#39;;return true;">https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-develop...@googlegroups.com.
> >>  To post to this group, send email to <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-d...@googlegroups.com.
> >>  Visit this group at <a href="https://groups.google.com/group/django-developers" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;">https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com&#39;;return true;">https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <<a href="https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&amp;utm_source=footer" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;">https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;">https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-develop...@googlegroups.com.
> >  To post to this group, send email to <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-d...@googlegroups.com.
> >  Visit this group at <a href="https://groups.google.com/group/django-developers" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;">https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com&#39;;return true;">https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <<a href="https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&amp;utm_source=footer" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;">https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;">https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-develop...@googlegroups.com.
>  To post to this group, send email to
> <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-d...@googlegroups.com.
>  Visit this group at <a href="https://groups.google.com/group/django-developers" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;">https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> <a href="https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com&#39;;return true;">https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <<a href="https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&amp;utm_source=footer" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;">https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;">https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-develop...@googlegroups.com.
To post to this group, send email to <a href="javascript:" rel="nofollow" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-d...@googlegroups.com.
Visit this group at <a href="https://groups.google.com/group/django-developers" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;">https://groups.google.com/group/django-developers.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/django-developers/fbb5c67a-8803-43ce-8fe3-ee6f42251d8a%40www.fastmail.com" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/fbb5c67a-8803-43ce-8fe3-ee6f42251d8a%40www.fastmail.com&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/fbb5c67a-8803-43ce-8fe3-ee6f42251d8a%40www.fastmail.com&#39;;return true;">https://groups.google.com/d/msgid/django-developers/fbb5c67a-8803-43ce-8fe3-ee6f42251d8a%40www.fastmail.com.
For more options, visit <a href="https://groups.google.com/d/optout" rel="nofollow" target="_blank" onmousedown="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;">https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit <a href="https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe&#39;;return true;">https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-develop...@googlegroups.com.
To post to this group, send email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-d...@googlegroups.com.
Visit this group at <a href="https://groups.google.com/group/django-developers" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;">https://groups.google.com/group/django-developers.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com?utm_medium=email&amp;utm_source=footer" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;">https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit <a href="https://groups.google.com/d/optout" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;">https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-develop...@googlegroups.com.
To post to this group, send email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-d...@googlegroups.com.
Visit this group at <a href="https://groups.google.com/group/django-developers" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;">https://groups.google.com/group/django-developers.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com?utm_medium=email&amp;utm_source=footer" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;">https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit <a href="https://groups.google.com/d/optout" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;">https://groups.google.com/d/optout.


--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-develop...@googlegroups.com.
To post to this group, send email to <a href="javascript:" target="_blank" gdf-obfuscated-mailto="zdByz5SUGgAJ" rel="nofollow" onmousedown="this.href=&#39;javascript:&#39;;return true;" onclick="this.href=&#39;javascript:&#39;;return true;">django-d...@googlegroups.com.
Visit this group at <a href="https://groups.google.com/group/django-developers" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/group/django-developers&#39;;return true;">https://groups.google.com/group/django-developers.
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com?utm_medium=email&amp;utm_source=footer" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com?utm_medium\x3demail\x26utm_source\x3dfooter&#39;;return true;">https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com.
For more options, visit <a href="https://groups.google.com/d/optout" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;" onclick="this.href=&#39;https://groups.google.com/d/optout&#39;;return true;">https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/aa3e7806-f896-4125-afcb-4f886b70ace0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tobias McNulty
Thanks for sharing the results.

I did manage to get a domain set up with working SSL, in case you want to use it: https://django-docs.global.ssl.fastly.net/en/2.1/

Tobias

On Thu, Feb 14, 2019, 11:49 PM Cheng C <[hidden email] wrote:
Thanks for the test site, Tobias. 

Tested from Melbourne, Australia: 

https://docs.djangoproject.com/en/2.1/
Average Ping: 268ms
 Browser: 22 requests, 238KB transferred, Finish: 2.72s, DOMContentLoaded: 1.37s, Load: 1.68s

Average Ping: 28ms
 Browser: 22 requests, 240KB transferred, Finish: 947ms, DOMContentLoaded: 627ms, Load: 910ms

Tested on Chrome with "Disable cache" checked, and no render issue was found.

On Friday, February 15, 2019 at 2:09:09 PM UTC+11, Tobias McNulty wrote:
Adam, is there another provider you would recommend instead, that does not require changing DNS providers? FWIW, python.org does in fact use Fastly:

dualstack.python.map.fastly.net has address 151.101.248.223
dualstack.python.map.fastly.net has IPv6 address 2a04:4e42:2f::223

Fastly did write back to say they're happy to help, though there's a contract which I guess the DSF would need to review and sign, if it's acceptable.

In the meantime, feel free to give this a try and let me know if you see any issues: https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/ (Not for permanent use, obviously; you'll get a cert warning, and some pages will redirect you back to https://docs.djangoproject.com.)

To keep this thread from getting too noisy, you can find me (tobias1) in #django-dev on FreeNode.

Cheers,
Tobias

On Thu, Feb 14, 2019 at 8:26 AM Adam Johnson <[hidden email]> wrote:
I have not had great experience with Fastly in the past and would avoid them. They run an old fork of Varnish which is not fun to configure.

On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <[hidden email]> wrote:
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <[hidden email]> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/aa3e7806-f896-4125-afcb-4f886b70ace0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKSPeSku5iSxWQgJiG9z%3DsPzze-28uo24WkoH0MC%3DWHXVQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tobias McNulty
Hi all,

An implementation question has come up regarding cache lifetime (see this PR). Right now, the whole site (including docs) has the site-wide Django cache enabled, with a timeout of 5 minutes. A couple docs views (search_suggestions and search_description) views have longer timeouts set (to 1 hour and 1 week, respectively).

Once released, the vast majority of Django docs won't change much, except for the release notes section and any (likely minor) related updates to the docs themselves. To get the most benefit out of a CDN, it would obviously be desirable to set the timeout to something greater than 5 minutes.

At the same time, there are moments when a quick update to the docs is desired, and waiting an hour or more for any cached pages to expire may cause significant confusion, for example, in conjunction with a security release for which stubbed (non-final) release notes may have already been pushed out and cached.

I see two main options at this point (which could even be combined):

1) Invalidate the whole cache (or at least some key release notes URLs) any time there's a docs build that has changes. It would be pretty easy to piggyback off of the existing business logic for avoiding a rebuild if the git checkout hasn't changed (in the update_docs management command).
2) Pick subsections of the docs (e.g., for anything matching '/<lang>/<version>/releases/*' and perhaps the development docs) that would keep a shorter cache timeout of 5-10 minutes. All URLs not specifically requiring this special treatment would get a longer timeout, perhaps somewhere between 1 and 24 hours.

So, some questions for the list:

* Are there sections of the docs besides '/<lang>/<version>/releases/' and '/<lang>/dev/' that might update frequently and merit some combination of invalidation and/or a shorter cache time? And what's a good cache timeout for such pages?
* How long are we comfortable waiting for other (not frequently updated) pages to timeout, in the event they do change?

Tobias

On Fri, Feb 15, 2019 at 7:13 AM Tobias McNulty <[hidden email]> wrote:
Thanks for sharing the results.

I did manage to get a domain set up with working SSL, in case you want to use it: https://django-docs.global.ssl.fastly.net/en/2.1/

Tobias

On Thu, Feb 14, 2019, 11:49 PM Cheng C <[hidden email] wrote:
Thanks for the test site, Tobias. 

Tested from Melbourne, Australia: 

https://docs.djangoproject.com/en/2.1/
Average Ping: 268ms
 Browser: 22 requests, 238KB transferred, Finish: 2.72s, DOMContentLoaded: 1.37s, Load: 1.68s

Average Ping: 28ms
 Browser: 22 requests, 240KB transferred, Finish: 947ms, DOMContentLoaded: 627ms, Load: 910ms

Tested on Chrome with "Disable cache" checked, and no render issue was found.

On Friday, February 15, 2019 at 2:09:09 PM UTC+11, Tobias McNulty wrote:
Adam, is there another provider you would recommend instead, that does not require changing DNS providers? FWIW, python.org does in fact use Fastly:

dualstack.python.map.fastly.net has address 151.101.248.223
dualstack.python.map.fastly.net has IPv6 address 2a04:4e42:2f::223

Fastly did write back to say they're happy to help, though there's a contract which I guess the DSF would need to review and sign, if it's acceptable.

In the meantime, feel free to give this a try and let me know if you see any issues: https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/ (Not for permanent use, obviously; you'll get a cert warning, and some pages will redirect you back to https://docs.djangoproject.com.)

To keep this thread from getting too noisy, you can find me (tobias1) in #django-dev on FreeNode.

Cheers,
Tobias

On Thu, Feb 14, 2019 at 8:26 AM Adam Johnson <[hidden email]> wrote:
I have not had great experience with Fastly in the past and would avoid them. They run an old fork of Varnish which is not fun to configure.

On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <[hidden email]> wrote:
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <[hidden email]> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/aa3e7806-f896-4125-afcb-4f886b70ace0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKRVHxL82tNOuknMm1UhvJ9-fpknpAa%3DwMbsaMghEHhcAw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tom Forbes
Which CDN are we going to use? Fastly has awesome sub 100ms global invalidation which we can trigger on every deploy, and cloudflare has something similar.

On Sun, 24 Feb 2019, 00:00 Tobias McNulty, <[hidden email]> wrote:
Hi all,

An implementation question has come up regarding cache lifetime (see this PR). Right now, the whole site (including docs) has the site-wide Django cache enabled, with a timeout of 5 minutes. A couple docs views (search_suggestions and search_description) views have longer timeouts set (to 1 hour and 1 week, respectively).

Once released, the vast majority of Django docs won't change much, except for the release notes section and any (likely minor) related updates to the docs themselves. To get the most benefit out of a CDN, it would obviously be desirable to set the timeout to something greater than 5 minutes.

At the same time, there are moments when a quick update to the docs is desired, and waiting an hour or more for any cached pages to expire may cause significant confusion, for example, in conjunction with a security release for which stubbed (non-final) release notes may have already been pushed out and cached.

I see two main options at this point (which could even be combined):

1) Invalidate the whole cache (or at least some key release notes URLs) any time there's a docs build that has changes. It would be pretty easy to piggyback off of the existing business logic for avoiding a rebuild if the git checkout hasn't changed (in the update_docs management command).
2) Pick subsections of the docs (e.g., for anything matching '/<lang>/<version>/releases/*' and perhaps the development docs) that would keep a shorter cache timeout of 5-10 minutes. All URLs not specifically requiring this special treatment would get a longer timeout, perhaps somewhere between 1 and 24 hours.

So, some questions for the list:

* Are there sections of the docs besides '/<lang>/<version>/releases/' and '/<lang>/dev/' that might update frequently and merit some combination of invalidation and/or a shorter cache time? And what's a good cache timeout for such pages?
* How long are we comfortable waiting for other (not frequently updated) pages to timeout, in the event they do change?

Tobias

On Fri, Feb 15, 2019 at 7:13 AM Tobias McNulty <[hidden email]> wrote:
Thanks for sharing the results.

I did manage to get a domain set up with working SSL, in case you want to use it: https://django-docs.global.ssl.fastly.net/en/2.1/

Tobias

On Thu, Feb 14, 2019, 11:49 PM Cheng C <[hidden email] wrote:
Thanks for the test site, Tobias. 

Tested from Melbourne, Australia: 

https://docs.djangoproject.com/en/2.1/
Average Ping: 268ms
 Browser: 22 requests, 238KB transferred, Finish: 2.72s, DOMContentLoaded: 1.37s, Load: 1.68s

Average Ping: 28ms
 Browser: 22 requests, 240KB transferred, Finish: 947ms, DOMContentLoaded: 627ms, Load: 910ms

Tested on Chrome with "Disable cache" checked, and no render issue was found.

On Friday, February 15, 2019 at 2:09:09 PM UTC+11, Tobias McNulty wrote:
Adam, is there another provider you would recommend instead, that does not require changing DNS providers? FWIW, python.org does in fact use Fastly:

dualstack.python.map.fastly.net has address 151.101.248.223
dualstack.python.map.fastly.net has IPv6 address 2a04:4e42:2f::223

Fastly did write back to say they're happy to help, though there's a contract which I guess the DSF would need to review and sign, if it's acceptable.

In the meantime, feel free to give this a try and let me know if you see any issues: https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/ (Not for permanent use, obviously; you'll get a cert warning, and some pages will redirect you back to https://docs.djangoproject.com.)

To keep this thread from getting too noisy, you can find me (tobias1) in #django-dev on FreeNode.

Cheers,
Tobias

On Thu, Feb 14, 2019 at 8:26 AM Adam Johnson <[hidden email]> wrote:
I have not had great experience with Fastly in the past and would avoid them. They run an old fork of Varnish which is not fun to configure.

On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <[hidden email]> wrote:
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <[hidden email]> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/aa3e7806-f896-4125-afcb-4f886b70ace0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKRVHxL82tNOuknMm1UhvJ9-fpknpAa%3DwMbsaMghEHhcAw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJNbPN9SuBvoqV6v%3DK9WvMkjn9Mdpo07wb1gkyT%2BHAbfSQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tom Forbes
Sorry, I did not completely grok your message. I would be in favour of just invalidating the whole cache if needed, it seems the simplest solution. Invalidating most of the cache on every non-dev deploy would also be OK I think.

On Sun, 24 Feb 2019, 00:10 Tom Forbes, <[hidden email]> wrote:
Which CDN are we going to use? Fastly has awesome sub 100ms global invalidation which we can trigger on every deploy, and cloudflare has something similar.

On Sun, 24 Feb 2019, 00:00 Tobias McNulty, <[hidden email]> wrote:
Hi all,

An implementation question has come up regarding cache lifetime (see this PR). Right now, the whole site (including docs) has the site-wide Django cache enabled, with a timeout of 5 minutes. A couple docs views (search_suggestions and search_description) views have longer timeouts set (to 1 hour and 1 week, respectively).

Once released, the vast majority of Django docs won't change much, except for the release notes section and any (likely minor) related updates to the docs themselves. To get the most benefit out of a CDN, it would obviously be desirable to set the timeout to something greater than 5 minutes.

At the same time, there are moments when a quick update to the docs is desired, and waiting an hour or more for any cached pages to expire may cause significant confusion, for example, in conjunction with a security release for which stubbed (non-final) release notes may have already been pushed out and cached.

I see two main options at this point (which could even be combined):

1) Invalidate the whole cache (or at least some key release notes URLs) any time there's a docs build that has changes. It would be pretty easy to piggyback off of the existing business logic for avoiding a rebuild if the git checkout hasn't changed (in the update_docs management command).
2) Pick subsections of the docs (e.g., for anything matching '/<lang>/<version>/releases/*' and perhaps the development docs) that would keep a shorter cache timeout of 5-10 minutes. All URLs not specifically requiring this special treatment would get a longer timeout, perhaps somewhere between 1 and 24 hours.

So, some questions for the list:

* Are there sections of the docs besides '/<lang>/<version>/releases/' and '/<lang>/dev/' that might update frequently and merit some combination of invalidation and/or a shorter cache time? And what's a good cache timeout for such pages?
* How long are we comfortable waiting for other (not frequently updated) pages to timeout, in the event they do change?

Tobias

On Fri, Feb 15, 2019 at 7:13 AM Tobias McNulty <[hidden email]> wrote:
Thanks for sharing the results.

I did manage to get a domain set up with working SSL, in case you want to use it: https://django-docs.global.ssl.fastly.net/en/2.1/

Tobias

On Thu, Feb 14, 2019, 11:49 PM Cheng C <[hidden email] wrote:
Thanks for the test site, Tobias. 

Tested from Melbourne, Australia: 

https://docs.djangoproject.com/en/2.1/
Average Ping: 268ms
 Browser: 22 requests, 238KB transferred, Finish: 2.72s, DOMContentLoaded: 1.37s, Load: 1.68s

Average Ping: 28ms
 Browser: 22 requests, 240KB transferred, Finish: 947ms, DOMContentLoaded: 627ms, Load: 910ms

Tested on Chrome with "Disable cache" checked, and no render issue was found.

On Friday, February 15, 2019 at 2:09:09 PM UTC+11, Tobias McNulty wrote:
Adam, is there another provider you would recommend instead, that does not require changing DNS providers? FWIW, python.org does in fact use Fastly:

dualstack.python.map.fastly.net has address 151.101.248.223
dualstack.python.map.fastly.net has IPv6 address 2a04:4e42:2f::223

Fastly did write back to say they're happy to help, though there's a contract which I guess the DSF would need to review and sign, if it's acceptable.

In the meantime, feel free to give this a try and let me know if you see any issues: https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/ (Not for permanent use, obviously; you'll get a cert warning, and some pages will redirect you back to https://docs.djangoproject.com.)

To keep this thread from getting too noisy, you can find me (tobias1) in #django-dev on FreeNode.

Cheers,
Tobias

On Thu, Feb 14, 2019 at 8:26 AM Adam Johnson <[hidden email]> wrote:
I have not had great experience with Fastly in the past and would avoid them. They run an old fork of Varnish which is not fun to configure.

On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <[hidden email]> wrote:
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <[hidden email]> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/aa3e7806-f896-4125-afcb-4f886b70ace0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKRVHxL82tNOuknMm1UhvJ9-fpknpAa%3DwMbsaMghEHhcAw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJM4AppwiAMdbHkaJ7d%3Dbc02j%3D5zPZ6RMs4p81FGaO2D4Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Use CDN for djangoproject.com

Tobias McNulty
Hi Tom,

Thanks for your message. I think we'll end up with Fastly since it would be free, but I'm waiting to see their sponsorship contract. CloudFront would work too but I don't know of any such open source sponsorship options with AWS.

I will say wildcard purging looks a bit simpler in CloudFront, but your idea purging the whole cache only for non-dev builds could work (provided we have a lower cache timeout or a single wildcard purge condition set up for the dev builds, I guess).

Feel free to test and post any feedback about Fastly prior to the potential transition here: https://django-docs.global.ssl.fastly.net/en/2.1/ (this is set up on a free dev account, so no custom SSL)

For the sake of comparison I'm working on getting a distribution set up for CloudFront too, but it won't be so simple to test (without a DNS or server configuration change) since I don't think CloudFront supports passing a custom Host header to the origin like Fastly does (i.e., you'll probably need to edit /etc/hosts).

Cheers,
Tobias


On Sat, Feb 23, 2019, 7:15 PM Tom Forbes <[hidden email]> wrote:
Sorry, I did not completely grok your message. I would be in favour of just invalidating the whole cache if needed, it seems the simplest solution. Invalidating most of the cache on every non-dev deploy would also be OK I think.

On Sun, 24 Feb 2019, 00:10 Tom Forbes, <[hidden email]> wrote:
Which CDN are we going to use? Fastly has awesome sub 100ms global invalidation which we can trigger on every deploy, and cloudflare has something similar.

On Sun, 24 Feb 2019, 00:00 Tobias McNulty, <[hidden email]> wrote:
Hi all,

An implementation question has come up regarding cache lifetime (see this PR). Right now, the whole site (including docs) has the site-wide Django cache enabled, with a timeout of 5 minutes. A couple docs views (search_suggestions and search_description) views have longer timeouts set (to 1 hour and 1 week, respectively).

Once released, the vast majority of Django docs won't change much, except for the release notes section and any (likely minor) related updates to the docs themselves. To get the most benefit out of a CDN, it would obviously be desirable to set the timeout to something greater than 5 minutes.

At the same time, there are moments when a quick update to the docs is desired, and waiting an hour or more for any cached pages to expire may cause significant confusion, for example, in conjunction with a security release for which stubbed (non-final) release notes may have already been pushed out and cached.

I see two main options at this point (which could even be combined):

1) Invalidate the whole cache (or at least some key release notes URLs) any time there's a docs build that has changes. It would be pretty easy to piggyback off of the existing business logic for avoiding a rebuild if the git checkout hasn't changed (in the update_docs management command).
2) Pick subsections of the docs (e.g., for anything matching '/<lang>/<version>/releases/*' and perhaps the development docs) that would keep a shorter cache timeout of 5-10 minutes. All URLs not specifically requiring this special treatment would get a longer timeout, perhaps somewhere between 1 and 24 hours.

So, some questions for the list:

* Are there sections of the docs besides '/<lang>/<version>/releases/' and '/<lang>/dev/' that might update frequently and merit some combination of invalidation and/or a shorter cache time? And what's a good cache timeout for such pages?
* How long are we comfortable waiting for other (not frequently updated) pages to timeout, in the event they do change?

Tobias

On Fri, Feb 15, 2019 at 7:13 AM Tobias McNulty <[hidden email]> wrote:
Thanks for sharing the results.

I did manage to get a domain set up with working SSL, in case you want to use it: https://django-docs.global.ssl.fastly.net/en/2.1/

Tobias

On Thu, Feb 14, 2019, 11:49 PM Cheng C <[hidden email] wrote:
Thanks for the test site, Tobias. 

Tested from Melbourne, Australia: 

https://docs.djangoproject.com/en/2.1/
Average Ping: 268ms
 Browser: 22 requests, 238KB transferred, Finish: 2.72s, DOMContentLoaded: 1.37s, Load: 1.68s

Average Ping: 28ms
 Browser: 22 requests, 240KB transferred, Finish: 947ms, DOMContentLoaded: 627ms, Load: 910ms

Tested on Chrome with "Disable cache" checked, and no render issue was found.

On Friday, February 15, 2019 at 2:09:09 PM UTC+11, Tobias McNulty wrote:
Adam, is there another provider you would recommend instead, that does not require changing DNS providers? FWIW, python.org does in fact use Fastly:

dualstack.python.map.fastly.net has address 151.101.248.223
dualstack.python.map.fastly.net has IPv6 address 2a04:4e42:2f::223

Fastly did write back to say they're happy to help, though there's a contract which I guess the DSF would need to review and sign, if it's acceptable.

In the meantime, feel free to give this a try and let me know if you see any issues: https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/ (Not for permanent use, obviously; you'll get a cert warning, and some pages will redirect you back to https://docs.djangoproject.com.)

To keep this thread from getting too noisy, you can find me (tobias1) in #django-dev on FreeNode.

Cheers,
Tobias

On Thu, Feb 14, 2019 at 8:26 AM Adam Johnson <[hidden email]> wrote:
I have not had great experience with Fastly in the past and would avoid them. They run an old fork of Varnish which is not fun to configure.

On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <[hidden email]> wrote:
Cloudflare have many SSL options, including fully encrypted and authenticated comms all the way through (terminate and reconnect). Typically done by having a “hidden” origin domain that also hosts a certificate. I’m unsure if it’s possible to have both origin and front hosting the same name so that DNS alone can decide to hit cdn or origin. 

Anyway, it seems weird to me to dismiss a CDN offhand “because security”. Especially considering the size of the providers and the expertise their teams have. 

Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” providers. I would probably go as far to say that putting a CDN in front of both the docs and the release packages would likely be a net improvement in security for users. 

On Thu, 14 Feb 2019 at 21:58, Tom Forbes <[hidden email]> wrote:
That makes sense, but in this case we are only talking about potentially yielding control of the docs subdomain which is not used to serve sensitive build artefacts?

Another option is fastly.com, who support other large open source projects for free. They essentially give you geographically distributed HAProxy instances and you have a lot more control over them. I believe several large Linux distributions use them to serve cached apt packages.

Regarding TLS termination, unfortunately any CDN we use will likely need to do this for the whole domain to get any benefit. The Django docs are text/html heavy with very few, if any, images. So the real speed benefit will have to come from serving that, which requires TLS termination (and therefore interception) at their end.

On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <[hidden email]> wrote:
Hi all

to elaborate on what Tobias said: we deliberately have the infrastructure spread across multiple service providers: DNS registry, nameservers, hosting, TLS certificate authority, … None of them have access to everything. The reason is that we offer the download of the release artifacts from the djangoproject.com website. And we would like to ensure that the TLS termination happens by us and not some random service provider. After all, Django is used by enterprises that do have some restrictions on where you're allowed to download software from.

By handing over DNS to some CDN provider, we loose the ability to ensure that happens.

That said, if there's a CDN that works as a reverse proxy and doesn't require us to hand over control of DNS, I guess we could be interested in moving the docs behind that.

/Markus

On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote:
> For me it's the trust factor (allowing someone else to decrypt and
> re-encrypt all our data). This may be less of an issue for the docs
> site, *if* we don't have to assign DNS authority for the whole domain
> to the CDN provider.
>
> Tobias
>
>
> On Wed, Feb 13, 2019, 7:47 PM Kye Russell <[hidden email] wrote:
> > I’ve been hearing that there are other CDN providers that offer a very comparable service for a fraction of the cost of CloudFront.
> >
> > Anyways, at this stage let’s not get bogged down on provider decisions. I’m curious if anyone has any general objections to a CDN of any kind.
> >
> > It shouldn’t be that big a deal to automatically invalidate when the docs are updated. But I’m sure there’s something I’m missing.
> >
> > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho <[hidden email]> wrote:
> >> Consider AWS's cloudfront then :)
> >>
> >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian Apolloner escribió:
> >>> Especially cloudflare is a service we do not want to use. as for the docs only, does the mirror on rtd work better for you? They are probably behind a CDN.
> >>>
> >>> Cheers,
> >>> Florian
> >>>
> >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote:
> >>>> Hi,
> >>>>
> >>>> Is it possible to utilize a CDN service for djangoproject.com, or at least on docs.djangoproject.com? The site is actually quite fast for me but I think there is still room for improvement. Cloudflare sponsored dozens of open source projects <https://developers.cloudflare.com/sponsorships/>, probably they can provide free service for django as well.
> >>>>
> >>>> Tested from Melbourne, Australia:
> >>>>
> >>>> https://www.djangoproject.com/
> >>>>  Average Ping: 245ms
> >>>>  Browser: 21 requests, 211KB transferred, Finish: 2.52s, DOMContentLoaded: 1.16s, Load: 1.48s
> >>>>
> >>>> https://git-scm.com/
> >>>>  Average Ping: 5ms
> >>>>  Browser: 42 requests, 351KB transferred, Finish: 717ms, DOMContentLoaded: 564ms, Load: 699ms
> >>>>
> >>>> Tested on Chrome with "Disable cache" checked (but not the first time visit, so DNS query time might not be included).
> >>>>
> >>>> Best regards and thanks for all your great work.
> >> 
>
>
> >>  --
> >>  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >>  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >>  To post to this group, send email to [hidden email].
> >>  Visit this group at https://groups.google.com/group/django-developers.
> >>  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com <https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer>.
> >>  For more options, visit https://groups.google.com/d/optout.
> >> 
> > 
>
>
> >  --
> >  You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> >  To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
> >  To post to this group, send email to [hidden email].
> >  Visit this group at https://groups.google.com/group/django-developers.
> >  To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> >  For more options, visit https://groups.google.com/d/optout.
> > 

>
>
>  --
>  You received this message because you are subscribed to the Google
> Groups "Django developers (Contributions to Django itself)" group.
>  To unsubscribe from this group and stop receiving emails from it, send
> an email to [hidden email].
>  To post to this group, send email to
> [hidden email].
>  Visit this group at https://groups.google.com/group/django-developers.
>  To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com <https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
>  For more options, visit https://groups.google.com/d/optout.
>

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.

--
You received this message because you are subscribed to a topic in the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--
Adam

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/aa3e7806-f896-4125-afcb-4f886b70ace0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKRVHxL82tNOuknMm1UhvJ9-fpknpAa%3DwMbsaMghEHhcAw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJM4AppwiAMdbHkaJ7d%3Dbc02j%3D5zPZ6RMs4p81FGaO2D4Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKT8G6BvBANW-_weObNrX1faPV_QE-gjK2gn9qSbbsRdFQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
12