Maintainers:Fastly: Difference between revisions

imported>Thoughtpolice
No edit summary
imported>Thoughtpolice
No edit summary
Line 68: Line 68:
There are some known deficiencies with the beta, listed below:
There are some known deficiencies with the beta, listed below:


* '''Overly-conservative URL blocking'''. The current implementation will only allow you to download <code>.narinfo</code>, <code>.ls</code>, and <code>.nar.xz</code> files -- this is to eliminate spurious/invalid requests to S3 for objects which could never possibly exist. If you see a 403 error returned from the server, then this is why. This should mean "recent" (few year old) evaluations should work fine -- ever since we've been using LZMA. This will be rectified in the future, but should only be noticeable to users on old channels.
* '''Any user can purge cache objects with no authentication'''. Use <code>curl -v -X PURGE https://<SOME URL></code> in order to do so. This is useful for debugging user issues, but during final deployment, we'll want to turn this off.
* '''Overly-conservative URL blocking'''. <s>The current implementation will only allow you to download <code>.narinfo</code>, <code>.ls</code>, and <code>.nar.xz</code> files -- this is to eliminate spurious/invalid requests to S3 for objects which could never possibly exist. If you see a 403 error returned from the server, then this is why. This should mean "recent" (few year old) evaluations should work fine -- ever since we've been using LZMA. This will be rectified in the future, but should only be noticeable to users on old channels.</s> <span style="color:#009000">'''FIXED'''</span>: This is now taken care of, and several other paths were fixed as well.
** We'll be sure to check the S3 metadata so that all filetypes in the cache can be downloaded properly, before final deployment.
** We'll be sure to check the S3 metadata so that all filetypes in the cache can be downloaded properly, before final deployment.
* '''Any user can purge cache objects with no authentication'''. Use <code>curl -v -X PURGE https://<SOME URL></code> in order to do so. This is useful for debugging user issues, but during final deployment, we'll want to turn this off.
* '''Origin connections do not use TLS'''. When connecting to a Fastly POP, you use TLS. When Fastly POPs talk to each other, they also use TLS. When a POP talks to S3, '''the beta service does not use TLS''' -- it talks to S3 over HTTP. This is due to a limitation in a feature we use called '''[https://docs.fastly.com/guides/performance-tuning/streaming-miss Streaming Miss]''', which is vital in reducing <abbr title="Time To First Byte">TTFB</abbr> for large, uncached objects. (Without it, a POP must download an entire, possibly multi-hundred-MB NAR file before it can begin serving you. Streaming miss allows your download to start instantly.) Support for streaming miss with TLS origins is currently deployed in "Limited Availability" for Fastly customers. <s>We'll be applying to the LA program for TLS Origin support before deploying to production, and testing it carefully.</s> <span style="color:#009000">'''FIXED'''</span>: This is now taken care of -- the final, live deployment will use TLS Origins! The beta currently does not.
* '''Origin connections do not use TLS'''. When connecting to a Fastly POP, you use TLS. When Fastly POPs talk to each other, they also use TLS. When a POP talks to S3, '''the beta service does not use TLS''' -- it talks to S3 over HTTP. This is due to a limitation in a feature we use called '''[https://docs.fastly.com/guides/performance-tuning/streaming-miss Streaming Miss]''', which is vital in reducing <abbr title="Time To First Byte">TTFB</abbr> for large, uncached objects. (Without it, a POP must download an entire, possibly multi-hundred-MB NAR file before it can begin serving you. Streaming miss allows your download to start instantly.) Support for streaming miss with TLS origins is currently deployed in "Limited Availability" for Fastly customers. <s>We'll be applying to the LA program for TLS Origin support before deploying to production, and testing it carefully.</s> <span style="color:#009000">'''FIXED'''</span>: This is now taken care of -- the final, live deployment will use TLS Origins! The beta currently does not.
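Review bot: The revised '''Overly-conservative URL blocking''' item strikes its text and marks it FIXED, but the sub-bullet beneath it still promises to check the S3 metadata "before final deployment", so a reader cannot tell whether that check is part of the fix or still outstanding. Either strike the sub-bullet as well or say explicitly that it remains open. Separately, '''Any user can purge cache objects with no authentication''' is carried over unchanged and is now the only item in the list without a FIXED status. The text only says "we'll want to turn this off", so it would help to record that it is still open in the beta alongside the other status markers.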