Embed Size (px)
Citation preview
Application ServerWhat’s New in Version 10
Deployment
Topics
What’s New in Version 10
Deployment
What’s New in Version 10
PerformanceSecurityFunctionality/Configuration
What’s New in Version 10Performance
A Peek at What the Server Spends Time Doing
What’s New in Version 10Performance
What is the Server Overhead?
Read and Parse incoming requestDetermine action required to fulfill requestRetrieve/Instantiate sessionSet up A5W execution environmentPrepare and send response back to client
What’s New in Version 10Performance
Request Parsing
More efficient socket readingTotally new parserOrders of magnitude fasterTightens up potential attack vectors Paves way for future functionality
What’s New in Version 10Performance
Set up A5W execution environment
Cache the Application RootCache a5_application.a5i
What’s New in Version 10Performance
Prepare and Send Response
Cache gzipped output for static resourcesOptimized output sending
What’s New in Version 10Performance
The Results?
Vary with type of request, hardware, etc.On average, server overhead is about ½ of what it is in V9Large gzipped static resources have the most significant improvement
What’s New in Version 10
PerformanceSecurityFunctionality/Configuration
What’s New in Version 10Security
Security is implemented at many levels. Most significant in core server are:
Connection handlingRequest parsingSession management
What’s New in Version 10Security
Connection Handling
Intentionally malformed socket communications have potential to crash serverLargely the operating system’s responsibilityApplication Server adds additional protection
What’s New in Version 10Security
Request parsing is dangerous business
Depends on input from an untrusted sourceUses untrusted input to create variables, take actions, etc.Most common area of exploit across web servers
The new request parser has further protection against attacks via request parsing.
What’s New in Version 10Security
Session Management
Cookie lifetime matches session lifetimeCookie is an Http-Only cookieIf using SSL, cookie is a “Secure” cookieServer prevents recycling of session IDs
What’s New in Version 10
PerformanceSecurityFunctionality/Configuration
What’s New in Version 10Functionality
Logging Options
Thread transition loggingXbasic error stack logging
What’s New in Version 10Functionality
Session.BrowserId
Similar to V9 session IdDoes not change across sessionsCan be used to uniquely identify browser across sessions
What’s New in Version 10Functionality
New Response Methods
AddCookie() supports Http-Only and Secure cookiesAddHeader() supports additional header syntaxExpire() directs client on how long to cache the resourceNoCache() directs client to not cache resourceRedirect() supports Permanent (301) redirectsSendFile() easily send a file back to clients
What’s New in Version 10Functionality
Error Pages
Custom error pages can now execute A5W codeWrite your own error handlers that email administrator, attempt to fix mistyped URL, or take just about any other action you can code in Xbasic
What’s New in Version 10Functionality
IP Address Binding
Server can now run on just one of a machine’s addressesAllows for multiple servers on same system using same port to serve different applications
What’s New in Version 10Functionality
Enable/Disable Built-in Functionality
Alpha faviconAlpha logo used in a5w_info() output.a5ajax processing.a5image processingAlpha JavaScript libraryAutomatic sample pages deployment
What’s New in Version 10Functionality
Configuration Options
Timeout for header readingTimeout for full request readingTimeout for Keep-Alive connectionsMaximum Keep-Alive requests per connectionMaximum URI length
What’s New in Version 10Functionality
Version 9 Compatibility Server
Runs the old Version 9 serverRemoves all new Version 10 functionalityProvided for debugging purposes only
Topics
What’s New in Version 10
Deployment
Deployment
Web application or browser-based application?
Web browser is used for UI, but app does not need to be on the InternetRecommended approach for new development work
Deployment
The primary deployment issue is where to host your application. But other questions must be answered first.
Who needs access to the application?Is this a hybrid app or browser-based only?Internal resources
Deployment
Who needs access to the application?
Internal users on local networkInternal users at remote location(s)External users at specific remote location(s)General public Internet
Deployment
Browser-based only or hybrid app?
A desktop app with DBF suggests hosting locallyA desktop app with no DBF is more flexiblePurely browser-based provides more options
Deployment
Internal Resources
Once installed, little ongoing maintenance is neededGreater availability tends to be difficult for smaller companies
Deployment
Given these considerations, should you host it internally or use a hosting provider?
Internal typically gives you greater control, makes broader access more difficult, and has a greater initial cost.Hosting providers can provision quickly, specialize in keeping your server running 24x7, can limit or open access as desired, may be slower for internal users.
Deployment
Regardless of internal or outsourced hosting, consider the hardware configuration
Memory is inexpensive and greatly improves performanceDisk drives often create a bottleneckMany database tasks are CPU intensive
For a detailed discussion, see Kurt’s articles on blog.alphasoftware.com
Questions/Discussion
