Adam, is there another provider you would recommend instead, that does not require changing DNS providers? FWIW, python.org does in fact use Fastly:
$ host www.python.org www.python.org is an alias for dualstack.python.map.fastly.net. dualstack.python.map.fastly.net has address 151.101.248.223 dualstack.python.map.fastly.net has IPv6 address 2a04:4e42:2f::223 Fastly did write back to say they're happy to help, though there's a contract which I guess the DSF would need to review and sign, if it's acceptable. In the meantime, feel free to give this a try and let me know if you see any issues: https://docs.djangoproject.com.global.prod.fastly.net/en/2.1/ (Not for permanent use, obviously; you'll get a cert warning, and some pages will redirect you back to https://docs.djangoproject.com.) To keep this thread from getting too noisy, you can find me (tobias1) in #django-dev on FreeNode. Cheers, Tobias On Thu, Feb 14, 2019 at 8:26 AM Adam Johnson <m...@adamj.eu> wrote: > I have not had great experience with Fastly in the past and would avoid > them. They run an old fork of Varnish which is not fun to configure. > > On Thu, 14 Feb 2019 at 11:16, Josh Smeaton <josh.smea...@gmail.com> wrote: > >> Cloudflare have many SSL options, including fully encrypted and >> authenticated comms all the way through (terminate and reconnect). >> Typically done by having a “hidden” origin domain that also hosts a >> certificate. I’m unsure if it’s possible to have both origin and front >> hosting the same name so that DNS alone can decide to hit cdn or origin. >> >> Anyway, it seems weird to me to dismiss a CDN offhand “because security”. >> Especially considering the size of the providers and the expertise their >> teams have. >> >> Cloudflare (fastly, cloudfront, whatever) aren’t some “random TLS” >> providers. I would probably go as far to say that putting a CDN in front of >> both the docs and the release packages would likely be a net improvement in >> security for users. >> >> On Thu, 14 Feb 2019 at 21:58, Tom Forbes <t...@tomforb.es> wrote: >> >>> That makes sense, but in this case we are only talking about potentially >>> yielding control of the docs subdomain which is not used to serve sensitive >>> build artefacts? >>> >>> Another option is fastly.com, who support other large open source >>> projects for free. They essentially give you geographically distributed >>> HAProxy instances and you have a lot more control over them. I believe >>> several large Linux distributions use them to serve cached apt packages. >>> >>> Regarding TLS termination, unfortunately any CDN we use will likely need >>> to do this for the whole domain to get any benefit. The Django docs are >>> text/html heavy with very few, if any, images. So the real speed benefit >>> will have to come from serving that, which requires TLS termination (and >>> therefore interception) at their end. >>> >>> On Thu, 14 Feb 2019, 06:32 Markus Holtermann, <i...@markusholtermann.eu> >>> wrote: >>> >>>> Hi all >>>> >>>> to elaborate on what Tobias said: we deliberately have the >>>> infrastructure spread across multiple service providers: DNS registry, >>>> nameservers, hosting, TLS certificate authority, … None of them have access >>>> to everything. The reason is that we offer the download of the release >>>> artifacts from the djangoproject.com website. And we would like to >>>> ensure that the TLS termination happens by us and not some random service >>>> provider. After all, Django is used by enterprises that do have some >>>> restrictions on where you're allowed to download software from. >>>> >>>> By handing over DNS to some CDN provider, we loose the ability to >>>> ensure that happens. >>>> >>>> That said, if there's a CDN that works as a reverse proxy and doesn't >>>> require us to hand over control of DNS, I guess we could be interested in >>>> moving the docs behind that. >>>> >>>> /Markus >>>> >>>> On Thu, Feb 14, 2019, at 2:22 AM, Tobias McNulty wrote: >>>> > For me it's the trust factor (allowing someone else to decrypt and >>>> > re-encrypt all our data). This may be less of an issue for the docs >>>> > site, *if* we don't have to assign DNS authority for the whole domain >>>> > to the CDN provider. >>>> > >>>> > Tobias >>>> > >>>> > >>>> > On Wed, Feb 13, 2019, 7:47 PM Kye Russell <m...@kye.id.au wrote: >>>> > > I’ve been hearing that there are other CDN providers that offer a >>>> very comparable service for a fraction of the cost of CloudFront. >>>> > > >>>> > > Anyways, at this stage let’s not get bogged down on provider >>>> decisions. I’m curious if anyone has any general objections to a CDN of any >>>> kind. >>>> > > >>>> > > It shouldn’t be that big a deal to automatically invalidate when >>>> the docs are updated. But I’m sure there’s something I’m missing. >>>> > > >>>> > > On Thu, 14 Feb 2019 at 8:36 am, Cristiano Coelho < >>>> cristianocc...@gmail.com> wrote: >>>> > >> Consider AWS's cloudfront then :) >>>> > >> >>>> > >> El martes, 12 de febrero de 2019, 2:34:09 (UTC-5), Florian >>>> Apolloner escribió: >>>> > >>> Especially cloudflare is a service we do not want to use. as for >>>> the docs only, does the mirror on rtd work better for you? They are >>>> probably behind a CDN. >>>> > >>> >>>> > >>> Cheers, >>>> > >>> Florian >>>> > >>> >>>> > >>> On Tuesday, February 12, 2019 at 6:43:41 AM UTC+1, Cheng C wrote: >>>> > >>>> Hi, >>>> > >>>> >>>> > >>>> Is it possible to utilize a CDN service for djangoproject.com, >>>> or at least on docs.djangoproject.com? The site is actually quite fast >>>> for me but I think there is still room for improvement. Cloudflare >>>> sponsored dozens of open source projects < >>>> https://developers.cloudflare.com/sponsorships/>, probably they can >>>> provide free service for django as well. >>>> > >>>> >>>> > >>>> Tested from Melbourne, Australia: >>>> > >>>> >>>> > >>>> https://www.djangoproject.com/ >>>> > >>>> Average Ping: 245ms >>>> > >>>> Browser: 21 requests, 211KB transferred, Finish: 2.52s, >>>> DOMContentLoaded: 1.16s, Load: 1.48s >>>> > >>>> >>>> > >>>> https://git-scm.com/ >>>> > >>>> Average Ping: 5ms >>>> > >>>> Browser: 42 requests, 351KB transferred, Finish: 717ms, >>>> DOMContentLoaded: 564ms, Load: 699ms >>>> > >>>> >>>> > >>>> Tested on Chrome with "Disable cache" checked (but not the first >>>> time visit, so DNS query time might not be included). >>>> > >>>> >>>> > >>>> Best regards and thanks for all your great work. >>>> > >> >>>> > >>>> > >>>> > >> -- >>>> > >> You received this message because you are subscribed to the >>>> Google Groups "Django developers (Contributions to Django itself)" group. >>>> > >> To unsubscribe from this group and stop receiving emails from it, >>>> send an email to django-developers+unsubscr...@googlegroups.com. >>>> > >> To post to this group, send email to >>>> django-developers@googlegroups.com. >>>> > >> Visit this group at >>>> https://groups.google.com/group/django-developers. >>>> > >> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com >>>> < >>>> https://groups.google.com/d/msgid/django-developers/548db807-647f-4d0b-99c2-f9f229f7175e%40googlegroups.com?utm_medium=email&utm_source=footer >>>> >. >>>> > >> For more options, visit https://groups.google.com/d/optout. >>>> > >> >>>> > > >>>> > >>>> > >>>> > > -- >>>> > > You received this message because you are subscribed to the Google >>>> Groups "Django developers (Contributions to Django itself)" group. >>>> > > To unsubscribe from this group and stop receiving emails from it, >>>> send an email to django-developers+unsubscr...@googlegroups.com. >>>> > > To post to this group, send email to >>>> django-developers@googlegroups.com. >>>> > > Visit this group at >>>> https://groups.google.com/group/django-developers. >>>> > > To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com >>>> < >>>> https://groups.google.com/d/msgid/django-developers/CANK-yknQ1Auf6CFD-%2B94qoATQ2K%2By0poLw%3DaxyJYjO3PaHOQWA%40mail.gmail.com?utm_medium=email&utm_source=footer >>>> >. >>>> > > For more options, visit https://groups.google.com/d/optout. >>>> > > >>>> > >>>> > >>>> > >>>> > -- >>>> > You received this message because you are subscribed to the Google >>>> > Groups "Django developers (Contributions to Django itself)" group. >>>> > To unsubscribe from this group and stop receiving emails from it, >>>> send >>>> > an email to django-developers+unsubscr...@googlegroups.com. >>>> > To post to this group, send email to >>>> > django-developers@googlegroups.com. >>>> > Visit this group at >>>> https://groups.google.com/group/django-developers. >>>> > To view this discussion on the web visit >>>> > >>>> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com >>>> < >>>> https://groups.google.com/d/msgid/django-developers/CAMGFDKTAVv_3HJCTHqd-vSOFt9-WUvUDEGR8sYuawyVT7MAotQ%40mail.gmail.com?utm_medium=email&utm_source=footer >>>> >. >>>> > For more options, visit https://groups.google.com/d/optout. >>>> > >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Django developers (Contributions to Django itself)" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to django-developers+unsubscr...@googlegroups.com. >>>> To post to this group, send email to django-developers@googlegroups.com >>>> . >>>> Visit this group at https://groups.google.com/group/django-developers. >>>> >>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/django-developers/fbb5c67a-8803-43ce-8fe3-ee6f42251d8a%40www.fastmail.com >>>> . >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> -- >>> You received this message because you are subscribed to a topic in the >>> Google Groups "Django developers (Contributions to Django itself)" group. >>> To unsubscribe from this topic, visit >>> https://groups.google.com/d/topic/django-developers/UovZxrUPWLU/unsubscribe >>> . >>> To unsubscribe from this group and all its topics, send an email to >>> django-developers+unsubscr...@googlegroups.com. >>> To post to this group, send email to django-developers@googlegroups.com. >>> Visit this group at https://groups.google.com/group/django-developers. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com >>> <https://groups.google.com/d/msgid/django-developers/CAFNZOJOpXjJEgq4iEEaiZqYzQDc9XwZ8Jba4-RP2-Lahr7jOgQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/d/optout. >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "Django developers (Contributions to Django itself)" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to django-developers+unsubscr...@googlegroups.com. >> To post to this group, send email to django-developers@googlegroups.com. >> Visit this group at https://groups.google.com/group/django-developers. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com >> <https://groups.google.com/d/msgid/django-developers/CAPbDM0dBnO4_yko9qQVjgR25T758bT8%3DThUMszA3eOb30tuYYA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > > > -- > Adam > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To post to this group, send email to django-developers@googlegroups.com. > Visit this group at https://groups.google.com/group/django-developers. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com > <https://groups.google.com/d/msgid/django-developers/CAMyDDM3vZJ6V%2BTvavmDS-rU1JkQcMnWy0FfPpq-%3DY52kepeYjA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMGFDKRu2TwJ%3DEEJZaUWHDr5k%2B1HAT8iWkvNxQEsTfig3BmEQw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
