We all know that a static site provides the optimal server-side performance (others write about it too and take some of the same steps). Performance and scalability are non-issues for static sites -- even the oldest hardware is sufficient. As the Internet grows in complexity, it also expands the tools available to strip away the complexity.
What Can Static Sites Do?
There are many competing options, but here are a few examples of how various advanced dynamic features can be implemented without any server-side code at all:
- User Login: Facebook Connect via JavaScript SDK
- Comments: Disqus (this site uses the Drupal module)
- Search: Google Custom Search
- Contact Form: Google Docs Forms
- E-Commerce: Google Checkout or PayPal
Implementing on Drupal for Witti
The first step was to minimize the server-side logic. Although Disqus integrates with various social networks for user login, the vast majority of the site is effectively anonymous traffic that is consistent for all visitors. Once that was done, cookies were no longer relevant and caching could be very aggressive.
I minimized hits to my web server by restricting URLs to prefixes that I utilize. For example, hits to admin/* never make it to my web server. This adds security, but it also reduces the potential load. The extra details are very specific to this site, but I've detailed some considerations that differentiate solutions. Origin Push is the fastest and most scalable (due in part to the limited functionality), but Origin Pull CDN is a better balance for me. CloudFlare is very intriguing to me, but I had already started using CloudFront for another project that could not use CloudFlare due to the HTML-only note in their terms.
Comparison of Solutions
Consideration | Basic (PHP Application) | Reverse Proxy (Varnish) | Origin Pull CDN (Amazon CloudFront) | CDN with Firewall (CloudFlare) | Origin Push CDN (Amazon CloudFront + Amazon S3) |
---|---|---|---|---|---|
DOS Attack - 404 (non-legit requests) | Vulnerable | Vulnerable (Filters some malformed requests) | Vulnerable (Filters some malformed requests) | Moderately vulnerable (Provides a web application firewall) | Safe |
Spike in real traffic / DOS Attack - 200 (legit requests) | Vulnerable | Negligible vulnerability as long as the cache is sufficiently large | Safe | Safe | Safe |
Supports Per-User Customization | Yes | Yes | Yes, with limitations | Yes | Limited to JS and third-party services |
Support for POST requests (best to enforce with LimitExcept) | Yes | Yes | No | Yes | No |
Flush cache entries | Yes or N/A | Yes, purge all or by regex | Yes, per-URL | Yes, purge all | Yes |
Complete automatic removal of old data | Yes | Yes, with cache timeout | Yes, with cache timeout | Yes, with cache timeout | Yes, using object expiration |
Path controls | Complete | Complete (VCL generally uses regex before passing to PHP) | Wildcards limited to ? (1 char) and * (0+ chars) | Unknown | N/A - all paths must be compiled |
Clean pagination when content is added | Yes | No - pages cache at different times, which staggers when new items in a view appear | No - pages cache at different times, which staggers when new items in a view appear | No - pages cache at different times, which staggers when new items in a view appear | Yes |
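
The URL prefix restriction described under "Implementing on Drupal for Witti", as an added example rather than this site's actual configuration: an ordered allowlist evaluated with the `?` and `*` wildcard rules from the Path controls row, default deny, and GET/HEAD only. The paths in `RULES` and the function names are assumptions, and normalizing the path before matching is an added precaution so that an encoded `..` segment cannot reach a blocked prefix through an allowed one.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed rules for a hypothetical Drupal site; evaluated in order, first match wins.
RULES = [
    ("/admin*", "block"),
    ("/user*", "block"),
    ("/", "origin"),
    ("/node/*", "origin"),
    ("/sites/default/files/*", "origin"),
    ("/rss.xml", "origin"),
]
READ_ONLY = {"GET", "HEAD"}  # same intent as <LimitExcept GET HEAD> on the origin


def compile_pattern(pattern):
    """Build a regex where ? is exactly one character and * is zero or more."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.DOTALL)


COMPILED = [(compile_pattern(p), action) for p, action in RULES]


def normalize(target):
    """Drop the query, decode escapes once, collapse dot segments and extra slashes."""
    raw = "/" + unquote(target.partition("?")[0]).lstrip("/")
    clean = posixpath.normpath(raw)
    # Keep a trailing slash so "/node/" still matches "/node/*".
    return clean + "/" if raw.endswith("/") and clean != "/" else clean


def decide(method, target):
    """Return 'origin' to forward the request, 'block' to answer it at the edge."""
    if method.upper() not in READ_ONLY:
        return "block"
    path = normalize(target)
    for regex, action in COMPILED:
        if regex.fullmatch(path):
            return action
    return "block"  # default deny: prefixes the site does not use never reach PHP
```

Matching is case-sensitive and the literal `.` in `/rss.xml` is escaped, so near-miss paths fall through to the default deny instead of being forwarded.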