I’m writing this article to express how I’m currently using these technologies. So that later on I can laugh at how naive I was.
I've been building Mythist (a storytelling site) for a long time, but for the last 5 months I have had to actually think about server architecture. Before I dive too far into this I would like to talk about the site. The site is separated into two sections, web and api. The web is all static files, no server side rendering at all. Since my web is all static files, this leaves me some awesome options, such as a CDN.
At first I had been using an ec2 box with nginx. But I knew I could do better. I had read a post by Dan Esparza about S3 and really wanted to give this a shot. I knew I needed SSL for the web, otherwise the browser wouldn't send the ajax requests. Since the api requests contain sensitive data I need them to be encrypted. Luckily the smart guys at amazon already had a solution for SSL on S3, and it was Cloudfront SNI. I was really happy about this. I got everything set up and started doing some tests and bam. The mobile browsers on my phone and a few others posted up "we can't authenticate the root cert" or whatever. So I had to find another solution.
Thankfully I saw something on hacker news about Cloudflare. I thought hmmm, I wonder if I could use this instead of Cloudfront. At first I was a bit confused about how Cloudflare works. I didn't upload any files or really do anything for that matter. It was very magical. But I had to make changes to files and couldn't figure out how to upload a file to Cloudflare. Well duh, that is not how Cloudflare works: it didn't download the source, it's just doing a redirect. So I started to get a better grasp of what this redirect means. My current understanding of how this works is that the user connects to Cloudflare, grabs whatever cached resources they have and grabs the ones not cached; this is all via SSL. Now if Cloudflare is missing a file it will go out and grab it from Cloudfront, which in turn grabs it from S3. The way I have Cloudfront set up there is only https.
Now if I could find a way to make Cloudflare force https I think I could get rid of Cloudfront. There is really no reason for the source to be grabbed via SSL. I use headers for my authorization, but that is only to the api and is injected into the web code via js, so grabbing the web shouldn't expose any sensitive data. So if you're using cookie auth this won't work out very well, as your sensitive data will be sent out when grabbing the source via Cloudflare, unless Cloudflare has a way to remove cookies from the request. It is a bit of an assumption on my part that Cloudflare passes the cookie data along with the request.
The points – tl;dr:
Cloudfront invalidation is painful and time consuming. Invalidation of files is not agile: if you make a mistake you have 15 to 30 mins of suffering till the mistake is fixed. (build your web with versioning in mind)
Cloudfront SNI SSL doesn't work for some mobile browsers.
Cloudflare is magical and their SSL so far works for everything I have tested with.
Versioning – I haven't really figured out the best approach to this, but next time I would like to change my index html to point to a certain version. Something like below.
/index.html <- some logic that takes a version from the query string or a cookie and points to different versions. Again, no sensitive data in cookies.
/gitHash/source/index.js <- the body injected into the index html view.
This form of versioning could allow for soft deploys, but at the end of the day you're still going to have a 15 to 30 min suffering period because of Cloudfront.
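Here is what that index.html logic could look like, as an added example that is not code from the original post or from the Mythist site. The query parameter and cookie names and the default hash are assumptions; the version value is checked against a git-hash pattern before it is used to build the script path, so a crafted link or cookie cannot point the page at an arbitrary script.

```javascript
// Added example, not code from the Mythist site: the version-picking logic
// the post sketches for /index.html. Query parameter and cookie names and the
// default hash are assumptions; the default is a placeholder a build step
// would replace with the hash of the last deploy.
const VERSION_PARAM = 'v';
const VERSION_COOKIE = 'mythist_version';
const DEFAULT_VERSION = '0123456789abcdef0123456789abcdef01234567'; // placeholder
const GIT_HASH = /^[0-9a-f]{7,40}$/; // abbreviated or full SHA-1, hex only

// Parse "a=1; b=2" into an object; fragments without '=' are skipped.
// Values are left undecoded on purpose: a git hash needs no decoding.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Query parameter wins (so a link can preview a soft deploy), then the cookie,
// then the default. Anything that is not a git hash is ignored rather than
// trusted, so "?v=../../x" cannot steer the script path.
function resolveVersion(search, cookieString, defaultVersion) {
  const fromQuery = new URLSearchParams(search).get(VERSION_PARAM);
  const fromCookie = parseCookies(cookieString)[VERSION_COOKIE];
  for (const candidate of [fromQuery, fromCookie]) {
    if (candidate && GIT_HASH.test(candidate)) return candidate;
  }
  return defaultVersion;
}

// Build the path the post describes: /gitHash/source/index.js
function scriptPathFor(version) {
  if (!GIT_HASH.test(version)) throw new Error('invalid version: ' + version);
  return '/' + version + '/source/index.js';
}

// In the browser, inject the chosen bundle into the body of index.html.
if (typeof document !== 'undefined') {
  const version = resolveVersion(location.search, document.cookie, DEFAULT_VERSION);
  const script = document.createElement('script');
  script.src = scriptPathFor(version);
  document.body.appendChild(script);
}
```

Because each bundle lives under its own hash, the old version keeps serving from the cache while the new one is picked up by path, which is what makes the soft deploy possible without an invalidation.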