How leave SSL faster?

Hello,

In webpagetest.org, SSL Negotiation is too slow.

/etc/nginx/nginx.conf

# SSL PCI Compliance
ssl_session_cache shared:SSL:30m;
ssl_buffer_size 8k;
ssl_session_timeout 20m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/nginx/dhparams.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

Use http2:

/home/user/conf/web/snginx.conf

server {
    listen 00.00.000.000:443 ssl http2;
    # ...
}

nginx version: nginx/1.10.1
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
ALPN is not supported.

Thank you so much.
Re: How leave SSL faster?
And an article about this topic:
https://blog.cloudflare.com/how-cloudfl ... -ssl-fast/
Re: How leave SSL faster?
My server is http2, newer than SPDY. I cannot really go back to SPDY.
In my case, installing OpenSSL 1.0.2h could make it faster:
https://www.keycdn.com/support/alpn/
But the problem is to install it. :/
Thank you.
Re: How leave SSL faster?
skurudo wrote:
    Try these parts:
    https://github.com/skurudo/nginx-a-plus-config-parts

How do you create the certificate chain for the line ssl_trusted_certificate /etc/nginx/cert/trustchain.crt; ?
Re: How leave SSL faster?
I will give you what I think is the fastest configuration so far; this only works on nginx:
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 30m;
ssl_buffer_size 4k; #This is Very important for a consistent speed bump in latency
add_header X-Cache $upstream_cache_status;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
The last line, the Strict-Transport-Security header, is only needed if you want to force SSL.
With this configuration you will alleviate a lot of the performance issues, plus it will give you an A+ on Qualys SSL Labs. Enjoy!
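As an added example (not code from any poster in this thread), a small Python checker that parses the ssl_* directives of the nginx.conf posted at the top of the thread and of the snippet suggested just above, and reports what affects handshake latency and TLS hygiene. Both samples are constructed from those two posts (the first cipher list is shortened to a few representative entries); the nginx default values quoted in comments are assumptions about the 1.10 series.

```python
import re
# Constructed sample: the ssl_* lines from the nginx.conf posted at the top of the thread (cipher list shortened).
POSTED_CONF = """
ssl_session_cache shared:SSL:30m;
ssl_buffer_size 8k;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_stapling on;
ssl_stapling_verify on;
"""

# Constructed sample: the snippet suggested later in the thread (note: no ssl_protocols line).
SUGGESTED_CONF = """
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:50m;
ssl_buffer_size 4k;
"""

DIRECTIVE_RE = re.compile(r'^\s*(ssl_\w+)\s+(.+?)\s*;', re.M)

def parse_ssl_directives(conf):
    """Map each ssl_* directive (one per line) to its value, with surrounding quotes removed."""
    return {name: value.strip('"') for name, value in DIRECTIVE_RE.findall(conf)}

def lint_tls_config(conf):
    """Return findings that affect handshake latency or TLS hygiene; an empty list means clean."""
    d, findings = parse_ssl_directives(conf), []
    if 'ssl_protocols' not in d:  # nginx 1.10.x default assumed: TLSv1 TLSv1.1 TLSv1.2
        findings.append('ssl_protocols not set: nginx default applies (TLSv1 TLSv1.1 TLSv1.2 on 1.10.x)')
    for old in ('SSLv3', 'TLSv1', 'TLSv1.1'):
        if old in d.get('ssl_protocols', '').split():
            findings.append(f'legacy protocol enabled: {old}')
    for s in d.get('ssl_ciphers', '').split(':'):
        if not s or s.startswith('!') or '-' not in s:
            continue  # exclusion (!MD5) or keyword group (HIGH, EECDH+AESGCM), not a single suite
        if 'DES-CBC3' in s:
            findings.append(f'3DES suite listed (!DES removes single DES only): {s}')
        elif not s.startswith(('ECDHE-', 'DHE-', 'EDH-')):
            findings.append(f'suite without forward secrecy: {s}')
    if 'ssl_session_cache' not in d:
        findings.append('no ssl_session_cache: every new connection pays a full handshake')
    if d.get('ssl_stapling') != 'on':
        findings.append('OCSP stapling off: clients may query the CA during the handshake')
    size = d.get('ssl_buffer_size', '16k')  # nginx default assumed: 16k
    if size != '4k':
        findings.append(f'ssl_buffer_size {size}: larger TLS records delay the first byte; the thread suggests 4k')
    return findings
```

Run against the posted config it flags TLS 1.0/1.1, the 3DES suite that `!DES` does not remove, a suite without forward secrecy and the 8k buffer; against the suggested snippet it only points out that ssl_protocols is inherited from the nginx default.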
Re: How leave SSL faster?
Felix wrote:
    skurudo wrote:
        Try these parts:
        https://github.com/skurudo/nginx-a-plus-config-parts
    How do you create the certificate chain for the line ssl_trusted_certificate /etc/nginx/cert/trustchain.crt; ?

Comodo (PositiveSSL):

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > comodo.pem

cat www.youdomain.com.p7b www.youdomain.com.ca-bundle > geotrust.pem

...
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/comodo.pem;
...