At a glance

<$50K
2022
1 to 2 years
Completed
QuantCDN, Drupal, Single Digital Presence
State government
Discovery & strategy, Build & migration, Hosting & maintenance, Support & optimisation, Technical advisory
Whole of government, Web development, Headless CMS, Jamstack, Static web, Content management systems
Tools & systems, Security

Overview

SDP’s challenge

SDP needed to provide a great digital government experience for Victorian citizens while managing unpredictable traffic spikes and protecting against potential cyber attacks.

SDP’s transformation

Salsa used QuantCDN, a static hosting solution, to provide a disaster recovery, static failover option for important Victorian Government websites. Work is progressing to a fully integrated SDP static-serve hosting solution based on QuantCDN. QuantCDN has also been used in hotpath for SDP sites during severe security incidents.

The outcomes

  • Improved security and resilience
  • Reduced hosting costs

Full case study

Below we’ve got more detailed information on the challenge, transformation and outcomes.

SDP’s challenge — managing traffic spikes and cyber attacks

SDP is a large, whole-of-government platform with many high-traffic and critical Victorian Government websites. During the Covid pandemic announcements, traffic to SDP sites rose significantly. In addition, we’ve seen a trend over the past few years of rising cyber attacks, especially on government websites.

SDP was interested in different ways to protect the platform from both malicious attacks and naturally generated traffic spikes.

SDP’s transformation — phased QuantCDN rollout

Salsa is working with SDP to implement QuantCDN’s static web content hosting solution.

Quant is a suite of static web generation tools and global edge CDN technology that aims to lower the barrier and improve on the popular Jamstack movement. Quant allows the easy creation and maintenance of an entirely static version of a website.

By having public content served from an entirely static offload, major benefits can be achieved in security, performance, scalability, resilience and cost.

Only serving static content to site visitors significantly reduces the cyber attack surface of Victorian Government websites by separating the content management system (CMS) editing domain from the publicly available web content being served at the CDN layer.

Static websites provide an excellent additional layer of security over dynamic CMSs like Drupal, by removing attack vectors native to dynamic CMSs. With static websites:

  • There is no database housing potentially sensitive information that can be accessed

  • Application code cannot be exploited by traditional means (e.g. SQLi etc.)

  • Webserver configuration is optimised as it just needs to deliver files that exist on a file system (no complicated application runtimes to manage)

There is no change to how the CMS is managed and operates, and publishers update content as usual. Only content that has changed is then pushed to the static web server to update the content served to public site visitors.

QuantCDN has also been used in hotpath for SDP sites during severe security incidents.

How does Quant work?

QuantCDN can be used in a number of ways:

  1. Quant Pull — crawls a website by visiting and collecting the publicly available markup, which is stored and made available to be served directly. Content is only updated during a crawl, which is scheduled for specific frequencies (e.g. daily, weekly, etc.).

  2. Quant Push — installs a Drupal module into the backend that monitors for content changes, flagging them for update. Whenever a content publisher makes an editing change, only the changed content is pushed to the CDN edge, not the entire site. This allows site owners to build deployment workflows and can support dynamic seeds from a CMS or static site builds from any number of static site generators.

To support SDP and provide static failover capabilities, QuantCDN has been implemented in pull mode. Each eligible website is crawled on a schedule to ensure the latest content is available if a failover needs to occur. Salsa has also worked with SDP to implement routing rules that control the flow of traffic. This lets an agent switch on static serve in the event of a website outage or high traffic event.

Other dynamic content such as search and webforms needs to be decoupled and served via QuantCDN to further harden a website. For SDP, which uses decoupled search, the search works out of the box for Quant static sites. For webforms, SDP uses Drupal forms, and when/if SDP needs to cut over to static serve, the SDP site uses Quant forms.

The initial rollout has focused on Quant Pull. However, Salsa is also working on updating the SDP application architecture to implement QuantCDN Push. Salsa and SDP are working towards a mature and considered rollout strategy. This phased approach should allow for confidence and knowledge to be built before mass adoption or advanced functionality is introduced. It’s based on three main phases:

  1. Crawl
  2. Walk
  3. Run

1. Crawl

To gain confidence in the technology, the Quant Pull crawler can be configured for key sites and run on a daily/weekly basis to keep content refreshed. A manual failover is implemented, so that a site (or multiple sites) may be served from the static offload if the need arises.

The main disadvantage of pull is the frequency of crawling needed to update the content. If crawls are too infrequent, content changes made in the editing domain are not reflected until the next crawl is run. Daily crawl schedules mean the crawl is running almost continuously, which increases the server compute costs.

QuantCDN can also initiate crawls for individual pages on demand, negating the need for full site crawls.

2. Walk

The Pull crawler can be extended to all SDP sites. Automations can create and configure new sites when they are added to the platform. A small extension to SDP via custom modules can trigger a crawl event for individual pages when content is edited in Drupal to ensure content in Quant is immediately refreshed.

Varnish or another intermediary layer can be configured to automatically failover if origin outages are detected. Manual failover levers at various levels (application, platform) can be introduced for flexibility in failover.
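The automatic failover described above, sketched as a Varnish configuration. This is an added example, not Salsa's or SDP's configuration; the backend hostnames, the `/health` probe URL and the probe timings are assumptions.

```vcl
vcl 4.1;

import directors;

# Dynamic origin (Drupal). Hostname, port and probe URL are placeholders.
backend origin {
    .host = "origin.example.internal";
    .port = "8080";
    .probe = {
        .url = "/health";     # assumed health endpoint
        .interval = 5s;       # probe every 5 seconds
        .timeout = 2s;
        .window = 5;          # judge health over the last 5 probes
        .threshold = 3;       # healthy only if at least 3 of those 5 succeeded
    }
}

# Static offload holding the crawled copy of the site (placeholder hostname).
backend static_offload {
    .host = "static.example.invalid";
    .port = "80";
}

sub vcl_init {
    # The fallback director returns the first healthy backend in the order
    # added, so traffic goes to the static copy only while the origin is sick.
    new failover = directors.fallback();
    failover.add_backend(origin);
    failover.add_backend(static_offload);
}

sub vcl_recv {
    set req.backend_hint = failover.backend();
}

sub vcl_backend_fetch {
    # The static host usually routes on its own hostname, not the public one.
    if (bereq.backend == static_offload) {
        set bereq.http.Host = "static.example.invalid";
    }
}

# Manual lever at the platform level:
#   varnishadm backend.set_health origin sick   (force static serve)
#   varnishadm backend.set_health origin auto   (return control to the probe)
```

The window and threshold values keep a single failed probe from flipping traffic; tighten or loosen them to match how quickly a cutover is needed against how much flapping is acceptable.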

3. Run

In the Run phase we see the application refactored to optionally support a full static export, and public traffic served statically. Sites can also be moved across to the static service one by one during this transition period.

Search will continue to use the current Elasticsearch solution, which is already decoupled from the Drupal CMS.

The outcomes — on the path to QuantCDN SDP hotpath

In 2021, Salsa won the bid to host Victoria's Single Digital Presence (SDP). Our bid included Quant DR Failover, Quant Static Serve and Quant Archive as key components of the overall solution. The contract commenced in November 2021.

The key benefits of a static content solution like QuantCDN for SDP include:

  1. Improved cyber security measures — moving public interfaces to the static offload removes all risk associated with having public PHP endpoints running on public networks.

  2. Reduced serving complexity — static offload vastly reduces complexity and minimises the number of systems required to serve end users.

  3. Reduced cost — by reducing the dependency on serving components, costs are reduced as databases and other serving infrastructure become less critical to serving content.

  4. Resilience and scale — ability to serve at incredibly high rates and scale practically infinitely, resulting from no constraints of shared services (e.g. database) and available capacity (e.g. number of nodes available in the pool).

Once QuantCDN Push has been enabled, SDP will be able to provide a static hotpath for site content availability while delivering the benefits of static content hosting to both the SDP program and Victorian citizens.

To date, we’ve had to cut over to static during a DDoS attack on one site, for a platform outage on another SDP site, and for a Budget embargo. We envisage these use-cases will continue!

About SDP

Victoria’s Single Digital Presence is the whole-of-government digital platform run by Victoria's Department of Premier and Cabinet (DPC). DPC is responsible for several elements of Victoria’s digital engagement, including SDP, vic.gov.au, data.vic.gov.au and engage.vic.gov.au.