Opened 4 years ago

Last modified 5 weeks ago

#1388 new enhancement

Implement TLS Dynamic Record Sizing (CloudFlare patch ready)

Reported by: Eihrister@…
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.13.x
Keywords: tls
Cc:
uname -a: Linux 5ed26871fece 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.5
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=www-data --group=www-data --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-openssl=/usr/src/openssl-tls1.3-draft-18 --with-openssl-opt='no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-tls1 enable-tls1_1 enable-tls1_2 enable-tls1_3 enable-ec_nistp_64_gcc_128' --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --with-http_spdy_module --add-module=/usr/src/nginx-njs/nginx

Description

Hi,

Instead of iterating everything CloudFlare has already written, their blog post is here:

https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/

And the patch is here:

https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/nginx__1.11.5_dynamic_tls_records.patch

In short, instead of having just a static ssl_buffer_size, it enables nginx to make the initial requests fit in the fewest TCP segments possible, then size them up to 3x the segment size, and on to the full ssl_buffer_size later. This can greatly speed up TLS.

Daniël "FinalX" Mostertman

Change History (3)

comment:1 by maxim, 3 years ago

Milestone: 1.13

Ticket retargeted after milestone closed

comment:2 by ltning@…, 5 weeks ago

We run a service that is seeing traffic from devices all over the world, and TLS handshakes and subsequent traffic can be painful to the end user. Lower ssl_buffer_size values (<1400 bytes) help, but are not optimal after the first few packets have been sent.

Consider this a *bump*.

comment:3 by Maxim Dounin, 5 weeks ago

Lower ssl_buffer_size (<1400 bytes) help, but are not optimal after the first few packets have been sent.

Consider using intermediate ssl_buffer_size values, such as ssl_buffer_size 4k; as suggested in the directive description. It is expected to be good enough to minimize time to first byte even in networks with high packet loss, yet effective enough for normal operations.
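The sizing policy described in the ticket, beside the static 16k default and the static 4k setting suggested in comment 3, as an added model that is not code from nginx or the CloudFlare patch. The MSS, per-record overhead and the phase boundaries of 4 and 16 records are assumptions chosen for illustration; the real patch has its own thresholds.

```python
# Added model of the policy described in this ticket; not code from nginx or
# the CloudFlare patch. All numbers below are constructed assumptions.

MSS = 1460           # assumed TCP payload bytes per segment
TLS_OVERHEAD = 29    # assumed bytes of record header + auth tag per record
ONE_SEGMENT = MSS - TLS_OVERHEAD          # plaintext that fits in one segment
THREE_SEGMENTS = 3 * MSS - TLS_OVERHEAD   # the "3x segment size" phase

def segments_for(record_plaintext):
    """TCP segments a single TLS record occupies on the wire (ceil division)."""
    return -(-(record_plaintext + TLS_OVERHEAD) // MSS)

def dynamic_size(records_sent, ssl_buffer_size=16384):
    """Record size under the ticket's policy: one segment for the first records,
    three segments for the next ones, then the full ssl_buffer_size (16k default)."""
    if records_sent < 4:          # assumed boundary
        return ONE_SEGMENT
    if records_sent < 16:         # assumed boundary
        return THREE_SEGMENTS
    return ssl_buffer_size

def static_size(ssl_buffer_size):
    """Plain ssl_buffer_size: every record is the same size."""
    return lambda _records_sent: ssl_buffer_size

def plan_records(response_bytes, size_fn):
    """Split a response of response_bytes into record plaintext sizes."""
    sizes = []
    sent = 0
    while sent < response_bytes:
        n = min(size_fn(len(sizes)), response_bytes - sent)
        sizes.append(n)
        sent += n
    return sizes

def compare(response_bytes):
    """Per policy: (segments the client needs before it can decrypt the first
    record, i.e. the latency cost; segments for the whole response)."""
    policies = {"dynamic": dynamic_size, "static_16k": static_size(16384),
                "static_4k": static_size(4096)}
    out = {}
    for name, fn in policies.items():
        recs = plan_records(response_bytes, fn)
        out[name] = (segments_for(recs[0]), sum(segments_for(r) for r in recs))
    return out

if __name__ == "__main__":
    for name, (first, total) in compare(102400).items():
        print(f"{name:11s} first record needs {first:2d} segments, whole response {total}")
```

The first-record column is what a lossy network punishes: a 16k record is useless to the client until all twelve of its segments arrive, while the dynamic policy and the 4k setting deliver decryptable data after one and three segments respectively.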
