Opened 7 years ago
Last modified 3 years ago
#1388 new enhancement
Implement TLS Dynamic Record Sizing (CloudFlare patch ready)
Reported by: | | Owned by: |
---|---|---|---
Priority: | minor | Milestone: |
Component: | other | Version: | 1.13.x
Keywords: | tls | Cc: |

uname -a:

```
Linux 5ed26871fece 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
```

nginx -V:

```
nginx version: nginx/1.13.5
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=www-data --group=www-data --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-openssl=/usr/src/openssl-tls1.3-draft-18 --with-openssl-opt='no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-tls1 enable-tls1_1 enable-tls1_2 enable-tls1_3 enable-ec_nistp_64_gcc_128' --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --with-http_spdy_module --add-module=/usr/src/nginx-njs/nginx
```
Description
Hi,
Instead of iterating everything CloudFlare has already written, their blog post is here:
https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/
And the patch is here:
In short, it enables nginx to, instead of having just a static ssl_buffer_size, have the initial requests fit in the fewest TCP segments possible, and size it up to 3x the segment size, then on to the full ssl_buffer_size later. This can greatly speed up TLS.
Daniël "FinalX" Mostertman
Change History (3)
comment:1 by , 7 years ago
Milestone: | 1.13
---|---
comment:2 by , 3 years ago
We run a service that is seeing traffic from devices all over the world, and TLS handshakes and subsequent traffic can be painful to the end user. Lower ssl_buffer_size values (<1400 bytes) help, but are not optimal after the first few packets have been sent.
Consider this a *bump*.
comment:3 by , 3 years ago
> Lower ssl_buffer_size (<1400 bytes) help, but are not optimal after the first few packets have been sent.

Consider using intermediate ssl_buffer_size values, such as `ssl_buffer_size 4k;`, as suggested in the directive description. It is expected to be good enough to minimize time to first byte even in networks with high packet loss, yet effective enough for normal operations.
Ticket retargeted after milestone closed
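As an added illustration, not CloudFlare's patch and not nginx code, the following C model shows the policy the ticket description asks for and the trade-off discussed in comment 3: the next TLS record size is chosen from how much the connection has already sent, stepping from one segment to three segments to the configured ssl_buffer_size, and restarting small after the connection has been idle. It also computes how many TCP segments a receiver must collect before it can decrypt one record of a given static size, which is why a small or intermediate ssl_buffer_size helps time to first byte. The 1400-byte segment payload, the byte thresholds for stepping up, the 1 s idle reset and every function and type name are assumptions chosen for illustration; the 16384-byte cap is the TLS maximum plaintext record size.

```c
/* Added example: a simplified dynamic TLS record-size policy.
 * Not CloudFlare's patch and not nginx code; thresholds are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_SEGMENT_PAYLOAD 1400u            /* assumed TLS payload per TCP segment */
#define TLS_RECORD_MAX      16384u           /* TLS maximum plaintext record size */
#define SMALL_PHASE_BYTES   (64u * 1024u)    /* assumption: bytes before using 3 segments */
#define MEDIUM_PHASE_BYTES  (1024u * 1024u)  /* assumption: bytes before full buffer */
#define IDLE_RESET_MS       1000u            /* assumption: idle time that restarts small */

typedef struct {
    size_t   buffer_size;   /* configured ssl_buffer_size, the upper bound */
    uint64_t bytes_sent;    /* bytes sent since the last idle reset */
    uint64_t last_send_ms;  /* timestamp of the last write, in ms */
} dyn_record_state;

/* Pick the record size for the next write of `pending` bytes at time `now_ms`. */
size_t dyn_record_size(dyn_record_state *st, size_t pending, uint64_t now_ms)
{
    /* After an idle gap the congestion window has probably shrunk (or a new
       page load is starting), so go back to one-segment records. */
    if (st->bytes_sent > 0 && now_ms > st->last_send_ms &&
        now_ms - st->last_send_ms > IDLE_RESET_MS) {
        st->bytes_sent = 0;
    }

    size_t limit;
    if (st->bytes_sent < SMALL_PHASE_BYTES) {
        limit = TLS_SEGMENT_PAYLOAD;          /* one record per TCP segment */
    } else if (st->bytes_sent < MEDIUM_PHASE_BYTES) {
        limit = 3 * TLS_SEGMENT_PAYLOAD;      /* three segments per record */
    } else {
        limit = st->buffer_size;              /* full ssl_buffer_size */
    }
    if (limit > TLS_RECORD_MAX)   limit = TLS_RECORD_MAX;
    if (limit > st->buffer_size)  limit = st->buffer_size;
    return pending < limit ? pending : limit;
}

/* Account for a completed write. */
void dyn_record_sent(dyn_record_state *st, size_t n, uint64_t now_ms)
{
    st->bytes_sent += n;
    st->last_send_ms = now_ms;
}

/* Number of TCP segments a receiver must have before it can decrypt one
   record of `record_bytes` plaintext (a record cannot be decrypted partially). */
size_t segments_needed(size_t record_bytes)
{
    return (record_bytes + TLS_SEGMENT_PAYLOAD - 1) / TLS_SEGMENT_PAYLOAD;
}

/* Send `total` bytes through the policy with no idle gaps; return the record count. */
size_t dyn_record_simulate(size_t buffer_size, size_t total, uint64_t start_ms)
{
    dyn_record_state st = { buffer_size, 0, start_ms };
    size_t records = 0;
    while (total > 0) {
        size_t n = dyn_record_size(&st, total, start_ms);
        dyn_record_sent(&st, n, start_ms);
        total -= n;
        records++;
    }
    return records;
}

int main(void)
{
    /* Static sizes: how many segments must arrive before the first byte decrypts. */
    size_t sizes[] = { 1400, 4096, 16384 };
    for (size_t i = 0; i < 3; i++)
        printf("static record %5zu bytes -> %zu segment(s) before first byte\n",
               sizes[i], segments_needed(sizes[i]));

    /* Dynamic policy: record size chosen at three points of a long response. */
    dyn_record_state st = { 16384, 0, 0 };
    uint64_t marks[] = { 0, SMALL_PHASE_BYTES, MEDIUM_PHASE_BYTES };
    for (size_t i = 0; i < 3; i++) {
        st.bytes_sent = marks[i];
        printf("after %8llu bytes sent -> next record %zu bytes\n",
               (unsigned long long)marks[i], dyn_record_size(&st, 100000, 0));
    }
    return 0;
}
```

The policy is deliberately stateful per connection: the idle reset matters because a keep-alive connection that sat quiet for a second will usually start the next response with a small congestion window again, and a full-size record would then wait for several round trips before the client could decrypt anything.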