tickets #155002
closedWebserver customization for security.opensuse.org
0%
Description
Hi,
thanks for setting up security.opensuse.org in ticket #152482, it is very helpful.
We were tinkering a bit with the page and we found two small issues that could be probably addressed by custom config options on the webserver side:
1) HTTP Caching
Currently new html content is not auto updated on the client side since the content is cached. Currently the Cache-Control header is set to max-age=86400
.
Would it be possible to reduce the max-age of Cache-Control for html to: Cache-Control: max-age=3600;
or even Cache-Control: max-age=no-cache,no-store;
on the webserver?
2) 404 page
Currently the 404 page is set to the default nginx 404 page. I think there is an option in nginx to direct it to the jekyll 404 page: https://security.opensuse.org/404.html
Would it be possible to add this 404 page to the webserver config?
I can also try to fiddle something into the opensuse heroes salt, but since i don't have a testing deployment, i thought it would be probably quicker to ask here :D
Thanks a lot :)
Updated by crameleon 6 months ago
- Status changed from New to Workable
Hi Cathy,
the suggested changes sound good to me.
I'm not sure where max-age=86400
is coming from. I can reproduce it when querying security.opensuse.org from the internet, but internally all the nginx backends return 3600:
$ for i in $(seq 5 8); do curl -sIH 'Host: security.opensuse.org' narwal$i | grep ^Cache; done
Cache-Control: max-age=3600
Cache-Control: max-age=3600
Cache-Control: max-age=3600
Cache-Control: max-age=3600
Same result with GET instead of HEAD. The HAProxy configuration does not have Cache-Control defined anywhere. It seems something en route adds or increases the max-age value? Maybe someone else knows more.
For the error page, it seems like the Jekyll guide https://jekyllrb.com/tutorials/custom-404-page/#hosting-on-nginx-server pretty much matches the example from the nginx documentation, so it should be simple to implement. But I wonder if we want this for all our Jekyll pages or only security.o.o. It would be nice if our other static pages also provided a /404.html, currently it seems to not be the case.
Updated by cboltz 6 months ago
You tested the wrong servers - security.o.o lives on jekyll.i.o.o (not narwal*) which indeed has that long TTL.
IMHO we should reduce the TTL for all jekyll pages (at least for text/html, not sure about other file/mime types) - it doesn't make sense to generate the pages hourly if we tell everybody that they are valid for a day ;-)
Updated by crameleon 6 months ago
Right, I then realized this comes from the Jekyll and not from the static pages backend:
$ curl -sIH 'Host: security.opensuse.org' jekyll|grep ^Cache
Cache-Control: max-age=86400
Now, what makes this nginx server behave differently? They are equally managed by Salt as far as I can tell, both without the header being set explicitly.
But I agree, good to do it for all of them.
Updated by crameleon 6 months ago
- Status changed from Workable to In Progress
- Assignee set to crameleon
Cache-Control patch: https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/1425
Error page patch: https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/1426
Updated by crameleon 6 months ago
- Status changed from In Progress to Resolved
Hi,
these are now deployed:
https://code.opensuse.org/heroes/salt/c/8a368b3c63f5d5cb6a5f67518615605b34fc0667
https://code.opensuse.org/heroes/salt/c/802c615dedd0d70449c7d81f593cb2aee7a7201b
https://security.opensuse.org/asdf returns a pretty 404 page and this shows 3600:
~> curl -Is https://security.opensuse.org|grep ^cache
cache-control: max-age=3600
Let me know if there's anything else.
Georg