From e6dd2f8cfe008fe946ec22d6b94a2f1d4af0e9aa Mon Sep 17 00:00:00 2001 From: David Furey Date: Mon, 13 Feb 2023 10:11:17 +0000 Subject: [PATCH 1/3] Initial draft of recommendations on CDNs --- README.md | 1 + cdn.md | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 cdn.md diff --git a/README.md b/README.md index 30a16b5..def4e0b 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,7 @@ provides simpler scalability and greater robustness - [Client Side](client-side.md) - [Coding with empathy](coding-with-empathy.md) - [Config](config.md) +- [Content Delivery Network (CDN)](cdn.md) - [Continuous Deployment](continuous-deployment.md) - [Continuous Integration](continuous-integration.md) - [Elasticsearch](elasticsearch.md) diff --git a/cdn.md b/cdn.md new file mode 100644 index 0000000..4636c8e --- /dev/null +++ b/cdn.md 
@@ -0,0 +1,21 @@ +# Content Delivery Network (CDN) + +Reader facing services should have a CDN in front of them, and our preferred CDN is Fastly. Consistently using Fastly makes it easier for us to maintain up to date termination of HTTP connections. For example we have been able to add support for HTTP2 and IPv6, and drop support for insecure TLS versions across our entire estate with little or no effort from product teams. + +Internal facing services may also benefit from a CDN, especially if they are regularly used by staff in Australia or the USA. AWS Cloudfront is a reasonable choice. + +## Security + +You should default to using secure protocols (i.e. HTTPS) for both the connection from user to CDN and from CDN to origin. + +When serving content from an S3 bucket, you should still have Fastly in front, and ideally the S3 bucket would be private. Fastly have [a guide](https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket) on how to add the required authentication headers. + +## Configuration + +Fastly is a highly programmable CDN, but we advise making use of the smallest subset of the features necessary to achieve your goal. + +A lot can be achieved with minimal Fastly configuration, and careful use of cache-control, surrogate-control and surrogate-key headers served by your application. This has the advantage that most of the caching logic is co-located with the rest of your application. + +If this is insufficient, the next step is making use of VCL snippets, which can be easily edited in the Fastly console and provide a useful way of providing a little extra functionality. + +If you find that your VCL snippets are becoming quite large, you should consider switching to custom VCL, which should be versioned in Github and deployed using riff-raff. From 8b170a1ef1c80e5c0fd2a93c57b7aa7ba5943fa9 Mon Sep 17 00:00:00 2001 
From: Philip McMahon Date: Mon, 13 Feb 2023 12:22:10 +0000 Subject: [PATCH 2/3] Add sections on logging and shielding --- cdn.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cdn.md b/cdn.md index 4636c8e..dd86cc7 100644 --- a/cdn.md +++ b/cdn.md @@ -19,3 +19,13 @@ A lot can be achieved with minimal Fastly configuration, and careful use of cach If this is insufficient, the next step is making use of VCL snippets, which can be easily edited in the Fastly console and provide a useful way of providing a little extra functionality. If you find that your VCL snippets are becoming quite large, you should consider switching to custom VCL, which should be versioned in Github and deployed using riff-raff. + +## Shielding +When using Fastly it is recommended that you enable [shielding](https://docs.fastly.com/en/guides/shielding#caveats-of-shielding) as it will improve cache performance. Bear in mind that when using shielding any VCL may be executed more than once - see [caveats of shielding](https://docs.fastly.com/en/guides/shielding#caveats-of-shielding). + +We suggest using the London-LCY point of presence as your shield. + +## Logging +Fastly has extensive logging capabilities. This can be useful for debugging and data analysis. We advise [streaming logs to Amazon S3](https://docs.fastly.com/en/guides/log-streaming-amazon-s3). + +Reader facing services will generate a high volume of logs so you should only enable logging where it is needed. You may consider [logging a sample of requests](https://docs.fastly.com/en/guides/useful-conditions-for-logging#logging-samples). From 3e24fbce90b5f462ce005d02d339e1f2c2e79746 Mon Sep 17 00:00:00 2001 From: David Furey Date: Mon, 13 Feb 2023 14:33:50 +0000 Subject: [PATCH 3/3] Add note about IAM role --- cdn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdn.md b/cdn.md index dd86cc7..a42f3c2 100644 --- a/cdn.md +++ b/cdn.md 
@@ -26,6 +26,6 @@ When using Fastly it is recommended that you enable [shielding](https://docs.fas We suggest using the London-LCY point of presence as your shield. ## Logging -Fastly has extensive logging capabilities. This can be useful for debugging and data analysis. We advise [streaming logs to Amazon S3](https://docs.fastly.com/en/guides/log-streaming-amazon-s3). +Fastly has extensive logging capabilities. This can be useful for debugging and data analysis. We advise [streaming logs to Amazon S3](https://docs.fastly.com/en/guides/log-streaming-amazon-s3). When logging to S3 you should [create an IAM role for Fastly](https://docs.fastly.com/en/guides/creating-an-aws-iam-role-for-fastly-logging) using Fastly's AWS account as the principal rather than creating static credentials. Reader facing services will generate a high volume of logs so you should only enable logging where it is needed. You may consider [logging a sample of requests](https://docs.fastly.com/en/guides/useful-conditions-for-logging#logging-samples).
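Review bot: in the new cdn.md (patch 1/3), the Security section covers origin protection only for the S3 case; for an application origin it asks for HTTPS from CDN to origin but says nothing about the origin accepting traffic only via Fastly, so the TLS policy enforced at the CDN is not enforced at the origin itself. Suggest a sentence next to the private-bucket advice for non-S3 origins (restricting the origin to Fastly's published address ranges, or requiring a header the CDN adds), or an explicit statement that origin locking is out of scope here. "You should default to using secure protocols (i.e. HTTPS)" also reads weaker than the first paragraph's claim of dropping insecure TLS versions estate-wide; "must use HTTPS" would match that claim. Minor: "HTTP2" should be "HTTP/2", "Github" should be "GitHub", and "Reader facing" / "Internal facing" want hyphens.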
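Review bot: in the Shielding paragraph (patch 2/3) the first link, on the word "shielding", points at the #caveats-of-shielding anchor, the same target as the second link two sentences later; the first should point at the guide itself (https://docs.fastly.com/en/guides/shielding) so the two links are not duplicates. "## Shielding" and "## Logging" are immediately followed by their paragraph, while every other heading in the file is followed by a blank line; add the blank line for consistency. The caveat "any VCL may be executed more than once" is the operationally important sentence, and since the same hunk adds a Logging section, consider spelling out the consequence a reader will hit first: logging statements fire at both the edge and the shield unless guarded, which doubles the log volume the next section is warning about.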
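Review bot: the sentence added in patch 3/3 stops at the principal; suggest also saying that the role's policy should be scoped to the single logging bucket and prefix with write-only permissions, because as written it could be read as satisfied by a role carrying broad S3 access, which would hand a third party more than the log sink. Also, appending the new sentence to the existing line turns the whole paragraph into a one-line rewrite in the diff; keeping one sentence per line in cdn.md would make future edits reviewable as line-level changes.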