On Sat, Nov 9, 2013 at 6:20 AM, Grant Edwards <invalid@invalid.invalid> wrote:
> On 2013-11-08, Chris Angelico <ros...@gmail.com> wrote:
>> Are you using HTTP 1.1 with connection reuse?
>
> Yes. And several years ago when I first enabled that feature in the
> server, I verified that some browsers were sending multiple requests
> per connection (though they still often attempted to open multiple
> connections). More recent browsers seem much more impatient and are
> determined to open as many simultaneous connections as possible.

Yeah, but at least it's cut down from one connection per object to
some fixed number. But you've already done that.

>> Alternatively, since fixing it at the browser seems to be hard, can
>> you do something ridiculously stupid like... tunnelling insecure HTTP
>> over SSH?
>
> Writing code to implement tunnelling via the ssh protocol is probably
> out of the question (resource-wise).
>
> If it were possible, how is that supported by browsers?

You just set your hosts file to point the server's name to localhost
(or simply tell your browser to go to http://localhost/ if that's
easier), and have an SSH tunnel like:

ssh -L 80:localhost:80 u...@some.server.whatever.it.is

Browser and server both think they're working with unencrypted HTTP on
loopback, but in between there's an encrypted link. Alternatively, if
you can point your browser to http://localhost:8000/ you can work with
a non-privileged port locally, which may be of value. The user at that
host needn't have much of interest as its shell - just something that
says "Press Enter to disconnect" and waits for a newline - as long as
it's configured to permit tunnelling (which is the default AFAIK).

So effectively, no browser support is needed.

The downside is that you need to consciously establish the secure
link. If you don't mind having the traffic travel the "last mile"
unencrypted, you could have a single long-term SSH tunnel set up, and
everyone connects via that; similarly, if your embedded server has a
trusted link to another box with a bit more grunt, you could end the
SSH tunnel there and run unencrypted for the last little bit. Anything
can be done, it's just a question of what'd be useful.

But like I said, it's a ridiculously stupid suggestion. Feel free to
discard it as such. :)

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
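
The tunnel described in the message above, as an added example that is not part of the original post: a forwarding-only account on the SSH server plus the matching client command on a non-privileged loopback port. It assumes OpenSSH on both ends; the account name "webtunnel" and host "embedded.example" are constructed placeholders, and it uses -N with ForceCommand instead of the "Press Enter to disconnect" shell.

```shell
#!/bin/sh
# Added example. "webtunnel" and "embedded.example" are constructed placeholders.

# Server side: print an sshd_config fragment for a forwarding-only account.
# The account may open local forwards to localhost:80 and nothing else:
# no TTY, no X11 or agent forwarding, and no usable shell.
tunnel_sshd_fragment() {
    user=$1
    cat <<EOF
Match User $user
    AllowTcpForwarding local
    PermitOpen localhost:80
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Client side: print the ssh command for the tunnel.
# -N requests no remote command, the listener is bound to 127.0.0.1 only,
# and ExitOnForwardFailure stops ssh if the local port cannot be bound.
# Ports below 1024 are refused so the client never has to run as root.
tunnel_client_cmd() {
    lport=$1 user=$2 host=$3
    case $lport in
        ''|*[!0-9]*) echo "local port must be numeric" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "use a local port in 1024-65535" >&2
        return 1
    fi
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:80 %s@%s\n' \
        "$lport" "$user" "$host"
}

# Demo with the constructed values: the fragment to append to sshd_config,
# then the command to run on the browser's machine.
tunnel_sshd_fragment webtunnel
tunnel_client_cmd 8000 webtunnel embedded.example
```

With the tunnel up, the browser is pointed at http://localhost:8000/ as the message suggests.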