Apache 304s and mod_deflate

The deflate output filter in Apache breaks Apache’s handling of the HTTP cache validation model. It won’t send an HTTP 304 status if mod_deflate is actively filtering the response, even if the ETag and Last-Modified allow it to. I asked, and apparently this is a known issue. I might have to wait until after exams before making a patch for this one.

In its current state, this introduces a tradeoff for large, uncompressed static files (like CSS and JavaScript):

  • gzip stuff, and you improve site performance the first time someone visits, but it never gets any faster.
  • allow Apache to send 304 statuses, let the user have a slow load on their first visit, but celebrate as they hit their cache thereafter.

The second option looks more attractive.

Browser wars… 2008-style

So, Firefox 3.0 and Opera 9.50 were released within 5 days of each other (June 12 and June 17 respectively). It’s good to see both browsers being progressive and targeting bragging rights such as Acid3, even if they only score 70 and 83 respectively. I notice neither of them pays due attention to deferred scripts, but I guess everyone is using AJAX nowadays instead?

As for the other browsers… I’ve got no problems with Safari. It’s a competent browser, but doesn’t have Opera’s cache/connection leverage or FF’s dev features. I doubt MSIE will even display this post and I don’t care. So, there’s the state of the art.

The Firefox upgrade was weird because the RC3 “Check for Updates…” function assured me that I had the latest version. This was further confused by the lack of any RC markings or build numbers in the “About Mozilla Firefox” dialog. It became apparent that I had silent upgrades on, but I don’t recall ever being informed that FF had patched itself.

One thing I’ve noticed is that the DOM Inspector still doesn’t conform to the LnF of the updated Firefox interface. I’d assumed this was a detail that would get polished before the final.

While we’re in a browser-technologies-mood: here’s my rdb opensearch definition for rolldabeats. For all your DnB discography needs.

Opera have munged the keyboard shortcuts. The change seems to be for the better as it’s unified the Windows/UNIX/Mac sets by using guard conditions like Platform Mac. They’ve also deprecated single-key shortcuts, which is fair enough because if you had a textbox focused then they were useless and confusing.

One thing that tripped me up was the Feature ExtendedShortcuts guard, which is activated by the “Enable single-key shortcuts” checkbox in the preferences. The shift+I shortcut for toggling images between cached, all and none was under this guard—but it’s two keys, right?

xl2tpd woes

I’ve been trying to get an IPsec/L2TP VPN server going on spade. This kind of VPN involves several layers (ipsec, l2tp and ppp) which all seem to fail independently and differently depending on how I test a configuration. So far it’s been a 4-day epic.

I figured I should establish that L2TP worked in a trivial case before trying to glue it together with ipsec. So I installed xl2tpd on scuff and tried to connect over the local network.

Here are some lessons learnt:

  • Bringing LACs up is a bit convoluted (you write “c lacname” to the control file).
  • The xl2tpd.conf file sets PPP and L2TP parameters. These shouldn’t be confused: auth file, hostname and challenge are L2TP things.
  • As a consequence, always use /etc/ppp/chap-secrets, not the l2tp secrets file.
  • xl2tpd has a bug that means refuse authentication in a LAC does the opposite of what you think it should do.

When you write refuse authentication = no in a LAC section, xl2tpd adds refuse-chap and refuse-pap to the PPP options unconditionally. This results in a lot of “peer refused to authenticate” PPP errors. The bug is present in version 1.2.0 and Debian’s dfsg-1 release. I made some noise on their list and a bug report.

I guess hardly anybody manually creates L2TP client connections, because this would be really obvious (at least that there was something wrong; finding the problem took me a day of tcpdumps, source perusal and log file reading).

Update: patch accepted in xl2tpd 1.2.2
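
A quick way to audit an xl2tpd.conf for the LAC setting described above, and to list the L2TP-level keys so they are not mistaken for PPP credentials. This is an added example, not code from the post or from xl2tpd; the function name, the sample configuration and the wording of the findings are assumptions made for illustration.

```python
import re

# Keys the post identifies as L2TP-level (tunnel) settings, not PPP ones.
L2TP_KEYS = {"auth file", "hostname", "challenge"}
SECTION = re.compile(r"^\[\s*(\w+)(?:\s+([^\]]+?))?\s*\]$")

def audit_xl2tpd_conf(text):
    """Return (section, key, note) findings for the body of an xl2tpd.conf."""
    findings = []
    kind, name = None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            kind, name = m.group(1).lower(), (m.group(2) or "").strip()
            continue
        if "=" not in line or kind is None:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        key = " ".join(key.split())           # collapse internal whitespace
        section = f"{kind} {name}".strip()
        if kind == "lac" and key == "refuse authentication" and value == "no":
            findings.append((section, key,
                "pre-fix xl2tpd passes refuse-chap and refuse-pap to pppd"))
        elif key in L2TP_KEYS:
            findings.append((section, key,
                "L2TP tunnel setting; PPP secrets live in /etc/ppp/chap-secrets"))
    return findings

# Constructed sample configuration (not taken from the post).
SAMPLE = """\
[global]
auth file = /etc/xl2tpd/l2tp-secrets   ; tunnel secrets only

[lac scuff-test]
lns = 192.0.2.10
refuse authentication = no

[lac other]
lns = 192.0.2.11
require authentication = yes
"""

if __name__ == "__main__":
    for section, key, note in audit_xl2tpd_conf(SAMPLE):
        print(f"[{section}] {key}: {note}")
```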