[04:18] <SupaYoshi> Hi anyone that knows a good docker-compose service file for systemctl ?
[04:18] <SupaYoshi> I’m wanting to start docker after reboot. But i want to delay its restart till after a specific service has been started
[07:23] <lordievader> Good morning
[11:10] <SupaYoshi> good morning
[11:14] <lordievader> 👋
[11:17] <SupaYoshi> ?
[15:14] <sdeziel> hello, I'm tasked with "vacuuming" a dynamic web site and get a static copy of it for reasons. wget --mirror does a good first pass but doesn't bring the stuff that JS would cause a regular browser to fetch. Anyone got an idea to solved that?
[15:16] <Ussat> Unless you have access to the code and can just copy it, nope
[15:17] <sdeziel> Ussat: I have access to the dynamic copy
[15:17] <Ussat> just copy the code, BUT, it wont just work if thats your goal
[15:18] <sdeziel> I don't see how that help me :/
[15:20] <sdeziel> for example, there is one file with src="/core/assets/vendor/modernizr/modernizr.min.js?v=3.3.1" I could grab a copy from the FS but then I'd miss the "v=3.3.1" query string
[15:38] <Ussat> Right, there is no way of getting that because its dynamic
[15:44] <sdeziel> Ussat: OK, I guess I'm then left with two choices: scripted headless browser to save the whole deal or an aggressive caching proxy in front of it
[15:44] <Ussat> SO, whats the ultimage outcome you want ?
[15:44] <Ussat> ultimate
[15:44] <sdeziel> basically survived a planed DDoS
[15:45] <sdeziel> s/survived/survive/
[15:45] <sdeziel> DDoS is a bit of an abuse, this will be a flood of legitimate clients
[15:45] <Ussat> So, thats what backups are for
[15:46] <Ussat> you are approaching this wrong
[15:46] <Ussat> if legit clients take you down, this has nothing to do with that
[15:46] <sdeziel> maybe I described it wrong cause I'm not looking for backup. I want a site that performs well under heavy load
[15:46] <Ussat> beef up your infra
[15:46] <Ussat> so you need a beefer infra then
[15:46] <sdeziel> hence the idea to turn a dynamic monster into a static small site
[15:47] <Ussat> Not gonna happen
[15:47] <Ussat> only way to accomplish what you want is a beefier server
[15:48] <teward> sdeziel: one of the teams at my employer had a similar case to what you wanted.  Without a full copy of the site it was a page-by-page identification and scrape.
[15:48] <teward> to get a static copy.
[15:48] <teward> and that was a heavily MANUAL process because of the JS, etc.
[15:48] <teward> if you have a copy of the code, DB, etc. that's what you'll need.
[15:48] <sdeziel> teward: I'm betting on nginx fronting the dynamic site and doing aggressive caching of everything (HTML included)
[15:49] <teward> as for surviving a planned stress load, you need the beefier server
[15:49] <teward> sdeziel: trust me that won't work very well
[15:49] <teward> dynamic sites, NGINX doesn't really cache dynamic sites well because usually there's underlying headers, tags, etc. that indicate to NOT keep a cached copy
[15:49] <sdeziel> we will have Cloudflare in front of that cache of ours
[15:50] <teward> your process is approaching this wrong
[15:50] <teward> > hence the idea to turn a dynamic monster into a static small site
[15:50] <teward> impossible and not going to happen
[15:50] <teward> you either need:
[15:50] <sdeziel> hmm
[15:50] <teward> (1) larger infra to survive the load
[15:50] <teward> (2) backup copy of the site in its entirety running independent from the stress load
[15:51] <sdeziel> I was maybe too optimistic but I though I could tell nginx to ignore caching hints and just do as told
[15:51] <teward> sdeziel: that may work for static contents but NOT for JS-generated stuff
[15:51] <teward> since JS and such is all client side executed and such
[15:51] <teward> your entire premise and approach is backwards of what it needs to bei
[15:51] <teward> s/bei/be/
[15:51] <teward> sure theres ways to get "cached copies" of data
[15:51] <teward> but that won't be a replacement
[15:52] <teward> because for a cached copy to *work* basically **every single potential URL, request, content piece, query string, argument, parameters, etc. needs to go through the proxy for it to work as a 'static copy'**
[15:52] <Ussat> I would suggest, for what you want, a hot-hot HA setup
[15:52] <sdeziel> OK so two against my (naive) proposal... not feeling confident anymore
[15:52] <teward> and that's not really a thing you can (a) enumerate sanely, and (b) execute in a way that survives the DDoS
[15:52] <teward> i agree with Ussat
[15:53] <teward> hot-hot HA setup with a loadbalancer/failover mechanism to fail over to the alternate HA on overload
[15:53] <Ussat> ^^
[15:53] <teward> but keep in mind if your DDoS is hostname driven and not a single IP target, it will potentially explode there as well
[15:53] <Ussat> I would suggest, two servers behind something like a F5 load balancer, as an example
[15:53] <teward> ^ something like that
[15:54] <Ussat> Its, not trivial
[15:54] <teward> DB HA-HA isn't trivial either
[15:54] <Ussat> Because, youre talking shared FS in order to keep things in sync, and agreed teward
[15:54] <teward> s/HA-HA/HA/
[15:54] <teward> right
[15:55] <sdeziel> OK, should NOT have said DDoS, it's just going to be a flood of legitimate clients
[15:55] <teward> sdeziel: ... which would bypass CF and then hit hard.
[15:55] <teward> sdeziel: same equal problem
[15:55] <Ussat> So, something like, 2 servers behind a F5 to balance, that both talk to the same DB, but a beefy DB server
[15:55] <teward> that'd do what you're after, yes.
[15:55] <Ussat> maby 2 or 3 webservers to distribute the load
[15:55] <sdeziel> teward: CF will take the bigger part of the hit assuming I'm crafting the right Cache-Control headers
[15:55] <teward> might not hurt to have a RO copy of the DB around either as a failover so when you're under load you can serve a readonly
[15:56] <teward> (like StackOverflow/SE does)
[15:56] <Ussat> ^^
[15:56] <teward> sdeziel: you still have to accomodate for the percentage of traffic that will slip past
[15:56] <teward> sdeziel: in which case you're still looking at the same problem, full on DDoS or not
[15:56] <Ussat> You alos need to realiose, nothing will be 100% bullet proof
[15:56] <teward> if your system can't handle the *load* of the legitimate clients that CF does *not* block, then you need larger resources
[15:56] <teward> and also what Ussat says
[15:56] <teward> no solution we could provide will be 100% bulletproof
[15:57] <teward> there'll be ways to still overload things
[15:57] <Ussat> yup
[15:57] <teward> and that doesn't account for simply flooding the pipe with requests and exhausting the connection/request queues causing 503s or similar unavailability cases
[15:57] <sdeziel> I've been told to expect "24k concurrent users" whatever concurrent means
[15:57] <teward> (or triggering a ton fo 416s)
[15:57] <teward> concurrent means simultaneously connected and accessing
[15:57] <teward> it's basically a loadtest.
[15:57] <teward> on that basis
[15:58] <sdeziel> I know what concurrent means but they are management people
[15:58] <teward> you have to assume you will have 24000 simultaneous requests for information
[15:58] <teward> sdeziel: without more information on the 'attack' you're going to be handling
[15:58] <teward> we're going to speculate
[15:58] <teward> so your options are:
[15:58] <Ussat> sdeziel, I would suggest, if youre putting something together for 24k concurrant users, IRC is NOT the venue for this, I suggest you have a professional or two architect this out
[15:58] <sdeziel> let me describe it better
[15:58] <teward> i also agree with Ussat
[15:58] <teward> you will need a professional network architect involved
[15:58] <Ussat> because thqats not trivial
[15:59] <teward> ^^
[15:59] <sdeziel> the site in question will be announces on public TV so we expect many curious to just look it up
[15:59] <Ussat> ya, get a pro involved, there is no way over IRC this can be worked out
[15:59] <Ussat> also, this will NOT be cheap
[16:00] <teward> ^^
[16:00] <teward> and i'm speaking as a professional network security guy here
[16:00] <teward> not just my Ubuntu hat today ;)
[16:00] <sdeziel> alright, I appreciate the discussion
[16:01] <teward> sdeziel: the SIMPLEST solution is temporarily put the site in RO mode and serve read-only copies of the site
[16:01] <sdeziel> I'll have to evaluate my options quickly
[16:01] <teward> sdeziel: the SIMPLEST solution is temporarily put the site in RO mode and serve read-only copies of the site, let the DB handle things
[16:01] <Ussat> I used to manage an ecomm site that was very high traffic and ya, get some professionals to look this over
[16:01] <teward> but you still won't get the solutoin you're after
[16:01] <Ussat> There is no way to do this quickly
[16:01] <teward> you'll need professionals to design/spec this out
[16:01] <Ussat> not if you want it right
[16:01] <sdeziel> I need a PoC at the EOD
[16:01] <teward> ^^ that
[16:01] <sdeziel> and a prod ready on Dec 7th
[16:02] <teward> sdeziel: your bosses need to [CENSORED CENSORED CENSORED]
[16:02] <teward> sdeziel: Impossible
[16:02] <teward> solution in 6 days is not feasible
[16:02] <Ussat> No chance by the 7th
[16:02] <teward> you need at LEAST 6 days to work with pros to spec out what you need, what your goals are, research options, and get budget approvals to *purchase* any softwrae you need
[16:02] <Ussat> not a chance
[16:02] <teward> 100% guarantee you will NOT get a solution by the 7th
[16:02] <teward> this isn't something you can put together last minute
[16:02] <Ussat> You will need at least 6 days to start to design this
[16:03] <teward> ^ that
[16:03] <Ussat> This is a 6 month project
[16:03] <teward> yup
[16:03]  * sdeziel is on the phone with said boss
[16:03] <teward> sdeziel: orly?  Put me on the line, I'll give your boss a few dozen words.  *shot*
[16:03] <Ussat> Plus you need testing, LOTS of load testing
[16:03] <teward> (no seriously it's bosses like this that send me off on "I Want To Smack Someone" mode)
[16:04] <Ussat> Having done something similar....ya this is at least 6 months
[16:05] <Ussat> also, this is not going to be cheap
[16:07] <sdeziel> I didn't explain the dynamic nature of the site, it's basically just an information page. There is no session or custom content served by users
[16:07] <sdeziel> same content for everyone
[16:08] <Ussat> That doesnt change things really
[16:10] <sdeziel> Ussat: in my view, that means it is really cache friendly
[16:11] <sdeziel> and my (naive) idea is to move all the clients to hit CF instead of my backend
[16:11] <Ussat> sure its cache friendly, but you still will need something beefy to 1) server that and 2) handle all the connections, and at a minimum a HA solution to handle system failures
[16:12] <Ussat> I have minimum experiance with CF, so I can not speak to that
[17:14] <teward> sdeziel: if the page is NOT a static content page, then it's not cache friendly
[17:15] <sdeziel>  teward: it's a Drupal page so it has the usual clutter but I still aim to cache it as aggressively as possible
[17:15] <sdeziel> testing will confirm if I'm deluded
[17:16] <teward> we're going to go in a cyclical argument again
[17:16] <sdeziel> but I don't have any other options I can think of with the time I am allocated
[17:16] <teward> sdeziel: you basically HAVE no options with the time you've been allocated
[17:16] <teward> just saying
[17:16] <sdeziel> Dec 7th is soon enough
[17:16] <teward> the previous stuff we stated remains the same.
[17:16] <teward> any solution you do now is a 'bandaid' and '42000 concurrent connections' aren't going to happen at the same exact moment
[17:16] <sdeziel> understood, I just need to compose with the reality I'm facing...
[17:17] <teward> sdeziel: i can acquaint you with the reality instantly.  give me your target domain/etc. and we can loadtest it *now* :P
[17:17] <sdeziel> oh the page content is still being worked on...
[17:17] <sdeziel> reality is brutal like that sometimes
[17:54] <teward> sdeziel: content or not, you can just throw a plain page up :p
[17:54] <teward> and then loadtest it yourself via k6.io or one of the things I gave you
[17:54] <teward> show you a small 50-concurrent-user load test :p
[17:55] <teward> that not withstanding, you can indicate to your boss if you wish that multiple individuals who have had to deal with this request (including an IT Security professional) have all advised that you're going to be limited in your capabilities with sucha  short deadline - protecting against DdoS / load is something done over many months NOT six days
[17:55] <teward> but i rest my case on that
[18:17] <tomreyn> sdeziel: i guess you could try to produce static content, which makes it scalable. and then host it in the cloud to scale.
[18:18] <sdeziel> tomreyn: I went that way first only then to realize that it's not super trivial to turn a site into a static version. wget --mirror is only good for stuff pulled from HTML, nothing fetched async by JS...
[18:20] <sdeziel> tomreyn: for now, I'm taking the reverse proxy+aggressive caching of everything (HTML included) in order to leverage CF "distributed cache"
[18:20] <sdeziel> my goal is to only serve the first page load to warm Cloudflare's cache
[18:20] <tomreyn> sdeziel: the stuff that's fetched async by JS would need to continue to be fetched async by JS. that's only client side dynamics, not server side.
[18:20] <sarnold> sdeziel: to the extent I've read about this, it really helps to have designed the site to have clearly separates dynamic vs static portions, so fully static stuff can be served from cache as-is with very little overhead, and the dynamic things are fairly restricted to a small portion of the site, and you can try to cache fragments of rendered pages for assembly by the servers before delivery to
[18:20] <sarnold> clients
[18:21] <sarnold> sdeziel: could you make more aggressive use of fragment caching in your application for those dynamic portions? could you strip some of the dynamic bits from pages that are 99.9% static and get them all the way to 100% static?
[18:21] <sdeziel> sarnold: yes unfortunately, the content people wanted a Drupal with zillion plugins
[18:22] <sdeziel> sarnold: I intend to have a reverse proxy adding Cache-Control to everything that pass by it and ignore what the backend thinks should be cached or not
[18:22] <sdeziel> this is essentially building a static copy that's populated 'live', on the first load
[18:23] <sdeziel> and then only refresh it every few minutes
[18:23] <sdeziel> in my test, this really leverages CF as I see no requests spilling to my reverse proxy ... I'm a bit more encouraged than earlier ;)
[18:25] <sarnold> sdeziel: does it matter if you wind up serving pages meant for me to your boss?
[18:25] <tomreyn> about this     src="/core/assets/vendor/modernizr/modernizr.min.js?v=3.3.1"     this is really just a parameter passed to the javascript code that's evaluated by javascript running on the client. it doesn't involve additional work on the server if you allow all asset/... urls to be cached.
[18:25] <tomreyn> but if there's a single .php script in this url path then you break things
[18:26] <sdeziel> sarnold: that's the point I was probably not clear, the page is identical for every visitor, no cookie nor custom user stuff, just always the same
[18:26] <sdeziel> tomreyn: the ?v=3.3.1 is meant for cache busting purposes so I outta keep it
[18:27] <sdeziel> or that's how I understand it
[18:27] <sarnold> orrrrrrr strip it off and not bust the cache
[18:27] <sarnold> use last week's version of hypercard.js
[18:28] <sarnold> or whatever they published six seconds ago
[18:28] <sdeziel> sarnold: the client wants to be able to push live modifications inside 15 minutes...
[18:28] <sdeziel> so that's the minimum Cache-Control max-age I'll set
[18:29] <sdeziel> the query string doesn't bother CF, it can cope with it, it's cache will simply grow bigger
[18:29] <tomreyn> maybe look into https://tome.fyi/ for a drupal static site generator
[18:29] <sdeziel> or CF can be told to ignore the query string altogether as you proposed
[18:30] <sdeziel> tomreyn: interesting, thx for that!
[18:34] <tomreyn> you should really train dev's to develop websites which produce static code whereever possible, though, and to serve dynamic content from a different (sub)domain.
[18:35] <sdeziel> I just discovered they backed a search engine in the site ... to search among the possible 3 results....
[18:38] <tomreyn> yet another option for .js with query parameters is to use remotely (CDN) hosted scripts, making scalability someone elses' problem. you can use https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#Browser_compatibility to prevent script injection there.
[18:39] <tomreyn> it's a way to solve a problem by adding twenty patches on top instead of solving it at the source, though
[18:41] <sdeziel> tomreyn: my goal is to leverage Cloudflare for that and they are so far doing an amazing job at shielding me
[18:42] <sdeziel> it's just a matter of serving the first page load when a client happen to go through a cold CF endpoint
[18:42] <Ussat> This still ?
[18:43] <sdeziel> Ussat: yes, sorry for the noise today
[18:43] <Ussat> Not noise, not at all, but I dont think you are understanding, fundamentally, you have alm,ost zero chance of doing what you want in that time frame
[18:44] <Ussat> I have managed projects of that scope.....and its about a 6 month project, if all goes well
[18:44] <sdeziel> Ussat: I may be set to fail but I've been told I have to try
[18:50] <Ussat> Well, best of luck, and yes, I honestly mean that
[18:51] <sdeziel> I appreciate it and I'll be sure to report back post Dec 7th ;)
[18:52] <sdeziel> will be fun either way it goes
[18:55] <sarnold> yes, good luck sdeziel :) one way or another december 8 will arrive :)
[19:12] <sdeziel> yeah and we'll have served a huge bunch of web pages, some 200 and some 50X. The ratio will be interesting ;)
[19:14] <sarnold> hehehehe
[21:38] <teward> sdeziel: i would still STRONGLY suggest you test this yourself with load testers like I sent you
[21:38] <teward> because you will *need* to test this LONG before it's prod-ready
[21:38] <teward> with only 6 days that means "start testing today" (once a day)
[21:39] <teward> ... or have someone else strike you hard with it (I have a k6 instance I can toss at you if needed :P)
[21:39] <teward> point still stands, JS is client side stuff so
[21:40] <teward> if it does any type of query to the server for data your attempt to cache will go into the hell that we warned you about
[21:41] <sdeziel> teward: I just learned that the official domain will be communicated to us at the latest 3 hours before the official launch
[21:41] <teward> well... then you're SOL :P
[21:42] <sdeziel> :)
[21:44] <Ussat> 3 hours
[21:47] <sarnold> three hours
[21:47] <sarnold> it'll be fun to hear their reactions when the domain name they intended to buy has been bought because the whois site they used front-run the domain purchase :)
[21:49] <teward> lol
[21:50] <teward> sdeziel: if you know the IP you can still throw salt at it.  OR run k6 locally, i've got a script you can use you just have to adjust the path(s) internally