Re: Apache-based caching for https://security-tracker.debian.org/tracker/debsecan/release/1/

To: debian-admin@lists.debian.org
Cc: debian-security-tracker@lists.debian.org
Subject: Re: Apache-based caching for https://security-tracker.debian.org/tracker/debsecan/release/1/
From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 18 Mar 2014 10:35:18 +0100
Message-id: <[🔎] 87a9cnc0ix.fsf@mid.deneb.enyo.de>
In-reply-to: <20140317212901.GA13313@varinia.lobefin.net> (Stephen Gran's message of "Mon, 17 Mar 2014 21:29:01 +0000")
References: <877g7tj6yg.fsf@mid.deneb.enyo.de> <20140317212901.GA13313@varinia.lobefin.net>

* Stephen Gran:

> This one time, at band camp, Florian Weimer said:
>> Hi,
>> 
>> I plan to switch the debsecan data source to URLs below:
>> 
>>   <https://security-tracker.debian.org/tracker/debsecan/release/1/>
>> 
>> I don't know how much traffic this will generate eventually.  Would it
>> be possible to tweak the mod_proxy settings so that the local Apache
>> server caches generated pages for a short period time (say, five
>> minutes), but only for URLs which start with
>> "https://security-tracker.debian.org/tracker/debsecan/release/1/";, e.g.
>> <https://security-tracker.debian.org/tracker/debsecan/release/1/sid>?
>
> mod_cache is a mildly complicated (and potentially dangerous) beast.
> Please have a look over
> http://httpd.apache.org/docs/2.2/mod/mod_cache.html and linked pages
> (especially the caching guide).

Sure, those are the perils of caching.

> Let us know what content (if any, including headers) should be excluded
> from caches.  Assume that we know nothing about your application,
> and ask advice if you're unsure if something should be cached or not.
> As I said, caching can be dangerous if misused - you can present one
> user's content to another user very easily.  I don't think debsecan has
> that sort of problem, but you should consider if headers change the way
> your application responds and work with that idea in mind.

Everything below

  https://security-tracker.debian.org/tracker/debsecan/release/

is public and not client-dependent at all, so caching that will not
cause any trouble.

> We can tune it to only cache things at the mentioned path.  Is
> there any reason we should be hard coding the expiry time of cache
> objects?  Can you not set cache headers in the application?

debsecan doesn't set any caching headers, and the server side is not
very cache-friendly, either, because it does not supply Last-Modified
headers etc.  We should change that eventually, but it's not a
priority right now.

I've uploaded a new version of debsecan with the
security-tracker.debian.org URL to unstable.  Let's see how it goes
and apply the caching if needed.

Reply to:

Follow-Ups:
- Re: Apache-based caching for https://security-tracker.debian.org/tracker/debsecan/release/1/
  - From: Stephen Gran <sgran@debian.org>

Prev by Date: External check
Next by Date: Re: Apache-based caching for https://security-tracker.debian.org/tracker/debsecan/release/1/
Previous by thread: Bug#727534: marked as done (security-tracker: Add tabular view listing all CVEs and version table for a source package)
Next by thread: Re: Apache-based caching for https://security-tracker.debian.org/tracker/debsecan/release/1/
Index(es):
- Date
- Thread