Use case appropriateness - news publisher with security concerns

[jjensenlcn]

Greetings and a shoutout to Johan,

I have a local news site with approximately 80,000 articles running on J! 3.10.4, I'm not a dazzling web developer though I manage.

We'd like to continue to use Joomla as our news publishing tool, due to familiarity, but eliminate the public facing database to improve load times and reduce vulnerability, particularly from the DB. Is this the right tool for my use case?

To be clear, decoupling the database is something we are exploring as a solution to database vulnerability out of need as we've suffered catastrophic, sustained ddos attacks in the past. We view this as a priority, while any speed boosts are a bonus.

We get that this means compromise.

Our dynamic "needs" include ads, search, login and potentially the public calendar which I'm thinking we can handle with JS and third party apps.

[johanjanssens]

Happy to help you and sorry for the late reply, was out on a holiday.

I would not try to go all static, you then need to deal with solving the dynamic parts and that brings you back to the same problem but that other way around. Instead your problem is best solved by implementing CDN caching. If implemented properly it would would prevent your server from getting hit and reduce the strain by 99%, not only making your site faster, but reducing hosting and bandwidth costs significantly.

While you can certainly benefit from adding Pages to your site, you don't need it to get started, it could be used to further optimise in a second step. A proper caching setup would be your first thing to do.

Note. For my reply I"m assuming you use CloudFlare, the same works with other CDN's you will just need to configure them slightly different.

1. Context

By default Joomla sends following cache header: "Cache-Control: no-store, private, must-revalidate". This basically means never cache the page. It's this header that makes sure that each request goes to your server and results in Joomla generating the page and your database being hit. This produces massive overhead.

In its most simple form what you want is something like this: "Cache-Control: public, max-age=86400" which means this page can be cached public-ally (by both CDN proxies and browsers) for a max time of 86400 seconds or 1day.

More reading: https://web.dev/http-cache/

2. Solution

1. Making Joomla output proper cache headers

The easiest way to do this is to add a rewrite rules for Apache or Nginx depending on your server config, without this you cannot make CloudFlare cache your html. The rule can be as simple as "Cache-Control: public, max-age=86400" , you also need to make sure the Expires header is removed (which Joomla adds by default) to prevent CDN caches from getting confused.

Another way to do it using a little bit of code overriding the default headers that Joomla spits out. This is where Pages can help. It can do this with just a few lines of code.

The result will be that browser will now cache the page for 1day, means that if the page is re-requested it's served from browser cache. This already helps a lot.

2. Turn on Cache Everything in CloudFlare

To make CloudFlare cache your page also, you need to tell it explicitly to do so. You do that by adding "Cache Everything" page rule. See: https://developers.cloudflare.com/cache/how-to/create-page-rules

The result will be that CloudFlare now also stores your page in cache for 1day, only after the cache has expired it will re-request it from your server.

The CloudFlare network has about 185 pops spread over the globe, the average response time of their network is 60 msec. So not only will you lower your server load by 99% but you will also gain incredible performance. The result is that a single url can receive max 185 requests per day, one from each pop on the CloudFlare network.

To further optimise you can enable Tiered caching and routing optimisations in CloudFlare: https://blog.cloudflare.com/orpheus/ This further reduces the amount of requests even further, if a page is in cache in a higher network Tier it will be served from there, so your max amount of requests per day will be somewhere around max 50'ish, one for each Tier.

The great part is that the above setup is 100% free, you can do it free CloudFlare account.

More reading: https://developers.cloudflare.com/cache/about/cache-control

3. Further fine-tuning

You probably do not want your whole site to be cached in the same way. You might have parts of your site that are fully dynamic and other parts that are pseudo dynamic. Three ways you can handle this:

1. Through your webserver: You can add more specifc rewrite rules for specific paths, for example only set the headers for /articles/*
2. Through Pages: You can write a little bit of PHP code to send out the headers
3. Through CloudFlare: You can add additional Page rules to overwrite the default Cache TTL when doing Cache-Everything, the free account has 3 rules max.

If price matters, i would use following setup:

1. Add rewrite rules to your server, or use Pages to set them
2. Add a single Cache-Everything page rule + Set Browser Cache TTL config to Respect Existing Headers (default)

Thats it. Hope it helps.

[johanjanssens]

Further note.

If you don't want to setup cache headers using Apache or Nginx, you could use Pages for this. For your setup you can use the Decorator to force cache headers for other Joomla menu items: https://github.com/joomlatools/joomlatools-pages/wiki/Decoration, allowing you to define what parts of your site you want to cache by decorating it, and what parts you want to continue to run fully uncached.

I haven't tested this kind of setup yet, but everything is there to make this work. I might just need a bit of fine-tuning, happy to assist with that.

[JoeJoomla]

Excellent information Johan. Thank you for sharing this with everyone.