OT: How to tell an HTTP client to limit parallel connections?

Chris Angelico rosuav at gmail.com
Fri Nov 8 14:39:44 EST 2013


On Sat, Nov 9, 2013 at 6:20 AM, Grant Edwards <invalid at invalid.invalid> wrote:
> On 2013-11-08, Chris Angelico <rosuav at gmail.com> wrote:
>> Are you using HTTP 1.1 with connection reuse?
>
> Yes.  And several years ago when I first enabled that feature in the
> server, I verified that some browsers were sending multiple requests
> per connection (though they still often attempted to open multiple
> connections).  More recent browsers seem much more impatient and are
> determined to open as many simultaneous connections as possible.

Yeah, but at least it's cut down from one connection per object to
some fixed number. But you've already done that.

>> Alternatively, since fixing it at the browser seems to be hard, can
>> you do something ridiculously stupid like... tunnelling insecure HTTP
>> over SSH?
>
> Writing code to implement tunnelling via the ssh protocol is probably
> out of the question (resource-wise).
>
> If it were possible, how is that supported by browsers?

You just set your hosts file to point the server's name to localhost
(or simply tell your browser to go to http://localhost/ if that's
easier), and have an SSH tunnel like:

ssh -L 80:localhost:80 user@some.server.whatever.it.is

Browser and server both think they're working with unencrypted HTTP on
loopback, but in between there's an encrypted link. Alternatively, if
you can point your browser to http://localhost:8000/ you can work with
a non-privileged port locally, which may be of value. The user at that
host needn't have much of interest as its shell - just something that
says "Press Enter to disconnect" and waits for a newline - as long as
it's configured to permit tunnelling (which is the default AFAIK). So
effectively, no browser support is needed.

The downside is that you need to consciously establish the secure
link. If you don't mind having the traffic travel the "last mile"
unencrypted, you could have a single long-term SSH tunnel set up, and
everyone connects via that; similarly, if your embedded server has a
trusted link to another box with a bit more grunt, you could end the
SSH tunnel there and run unencrypted for the last little bit. Anything
can be done, it's just a question of what'd be useful.

But like I said, it's a ridiculously stupid suggestion. Feel free to
discard it as such. :)

ChrisA
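
A server-side configuration for the tunnel-only account described in the message above, as an added example that is not part of the original post. The account name `tunnel` is hypothetical; the directives are standard OpenSSH `sshd_config` options, and the matching client command is shown in the comments.

```conf
# /etc/ssh/sshd_config fragment (added example; "tunnel" is a hypothetical account name)
#
# Client side, using a non-privileged local port bound to loopback only:
#   ssh -N -L 127.0.0.1:8000:localhost:80 tunnel@some.server.whatever.it.is
# -N requests no remote command, so the account never needs a usable shell.

Match User tunnel
    # Allow only client-to-server (-L) forwards; refuse -R remote forwards.
    AllowTcpForwarding local
    # The only destination a forward may reach: the HTTP server on loopback.
    PermitOpen localhost:80
    # Switch off everything else the account could otherwise use.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    # If a client does ask for a shell or a command, run this instead.
    ForceCommand /bin/false
```

Check the file with `sshd -t` before reloading the daemon. With this in place the browser is pointed at http://localhost:8000/ exactly as in the message.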


