I'm running an online store. At the moment I've been hosting on Pantheon, but it's not as fast as I'd hoped, especially given my main customer base is in Australia.
I've been experimenting with a bunch of high performance setups, but once you throw whole site SSL into the mix things get really messy ...
I was thinking about an architecture like this:
- CloudFlare sits on top providing our SSL layer (end to end mode). This gives us SPDY support which means our static assets load nice and fast.
- Static images sit on static.example.com (via cdn module), so they don't receive any cookie headers, ensuring CloudFlare is caching them at the edge. Served up by nginx.
- All traffic to the naked domain and www is assumed to be anonymous and cached, via PageRules at CloudFlare's end.
- All authenticated traffic, or shopping cart activity, is bounced to secure.example.com (via securepages module [a]), which is then served up with nginx. We don't need Varnish (because all traffic here is authenticated) or Apache (because nginx is just passing to index.php via fastcgi).
[a] Would that even work? The form would have to be submitted to the secure domain, not to the naked domain and then redirected, because our cookie_domain will be secure.example.com
Has anyone tried something like this before? I can't find many people talking about CloudFlare and Drupal. Is there anything I'm missing? What are other people out there doing to get <300ms load times?
Comments
I think this is part of what http://drupal.org/project/auth_ssl_redirect is meant to do.
certifiedtorock.com/u/36762/ | Druplicon debit card
Cloudflare rocks
I use Cloudflare for all my clients. They rock.
That said, if you have SPDY then you must have a pro Cloudflare account which has SSL support.
Most of my clients only use the free accounts, and if they need SSL I use http://drupal.org/project/securepages and use a subdomain (with Cloudflare features disabled). I don't secure the entire site though. I only secure the cart pages, checkout, etc. You do need to watch your cookies, but if you follow the readme in secure pages then you should be fine (you need to set the cookie domain to '.yourdomain.com' in settings.php).
All said and done, <300ms is wicked fast. What metric is that? For a full-featured site, a page execution of <300ms is pretty darn good. I can't imagine load times like that.
WebOzy: the web services company
liveBatavia: connecting local people to local business
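The cookie-scope question running through this thread (cookie_domain set to secure.example.com in the original post, versus '.yourdomain.com' in the reply), worked through as an added example that is not part of any post above. It applies the RFC 6265 domain-match rule to the hostnames from the thread, assuming the configured value is emitted as the session cookie's Domain attribute; the function names are hypothetical and example.com is a stand-in.

```python
"""Which hosts receive a session cookie for a given cookie_domain (RFC 6265)."""
import ipaddress

# Hostnames taken from the thread; example.com is a stand-in for the real site.
HOSTS = ["example.com", "www.example.com", "static.example.com", "secure.example.com"]


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: is a cookie with Domain=cookie_domain sent to request_host?"""
    host = request_host.lower().rstrip(".")
    # Section 5.2.3: a leading dot in the Domain attribute is ignored.
    domain = cookie_domain.lower().lstrip(".")
    if not domain:
        return False
    if host == domain:
        return True
    # Suffix match only on a label boundary, and never for IP addresses.
    return host.endswith("." + domain) and not is_ip(host)


def recipients(cookie_domain: str, hosts=HOSTS) -> list:
    """Hosts from the list that the browser would send the cookie to."""
    return [h for h in hosts if domain_match(h, cookie_domain)]


def audit(cookie_domain: str, cookie_free=("static.example.com",)) -> list:
    """Hosts meant to stay cookie-free that would still receive the cookie."""
    return [h for h in recipients(cookie_domain) if h in cookie_free]


if __name__ == "__main__":
    for setting in ("secure.example.com", ".example.com"):
        print(f"cookie_domain={setting!r}")
        print("  sent to:          ", recipients(setting))
        print("  cookie-free leaks:", audit(setting))
```

With the narrow setting the session cookie reaches only secure.example.com, so a form posted to the naked domain carries no session. With the wide setting it reaches every host, including static.example.com, which then is no longer cookie-free.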