Tuning nginx for https?

What should you pay attention to when setting up https with nginx?
The problem is the speed of server response.
Measured total_time using curl: without encryption 0.209-0.241 s, and with encryption already 0.593-0.861.
The server is a test one - a VPS on DO with 2 GB; prod is more powerful, but is this a normal ratio? Two to three times slower?
June 10th 19 at 15:56
3 answers
June 10th 19 at 15:58
Solution
do not chase stuff

p.s. if you're really chasing speed, you can update nginx to version 1.13.7 and openssl to 1.0.1g or above and enable TLS 1.3; data goes faster over it than over TLS 1.2.


1. TLS v1.3 is in draft state; by default it does not work in openssl or in nginx, both need to be rebuilt, and even then it does not work because not all browsers support it. Do not advise what you do not know.

ssl_session_cache shared:SSL:10m; and that's so little?


2. But why more? Do you have 10,000 unique visitors a day?
1 MB of cache holds about 4000 sessions; do you really have that many?

nginx use epoll method for handling connections


3. And are you sure it is linux? Maybe it's freebsd, and then you need to use kqueue.

use all cores of your server/VPS for nginx: worker_processes = number of cores.


4. And do you know that it is enough to set worker_processes auto; and not suffer? nginx itself will determine how many cores are in the system and how many workers to start.

5. About ALPN, not for advertising's sake, read my article
https://blog.programs74.ru/how-to-enable-alpn-on-nginx/
everything is clearly laid out there, no guesswork.

I also have an article about the basic configuration of Nginx, which I recommend reading.
And on the subject matter? Why might there be a difference, at least theoretically? - Michaela.Schiller commented on June 10th 19 at 16:01
Given that neither the VPS configuration nor the nginx configs were provided, one can only guess.

An HTTPS connection to the server can, in principle, take 10-20% more time due to the SSL overhead. It may not take less time, but once a Keep-Alive connection is established and data transfer has started, we get a performance gain. HTTPS in general is not designed to make sites faster; its main function lies elsewhere.

Given the above, curl and ab (Apache Benchmark) are not the utilities with which it is reasonable to test https in comparison with http.
If you look at curl's %{time_total} output, it will increase by about 1/4 on the transition from http to https (for example, from 0.281 to 0.366) - this is logical; don't believe me - check it yourself on your super-duper servers with Xeon processors and you'll get a surprise.

Test:

curl -s http://mysite.ru -w '%{time_total}\n' -o /dev/null

and

curl -s https://mysite.ru -w '%{time_total}\n' -o /dev/null

or to check with gzip:

curl -H "Accept-Encoding: gzip,deflate" -s https://mysite.ru -w '%{time_total}\n' -o /dev/null

or to check time_total with HTTP/2, starting with curl 7.43.0:

curl -H "Accept-Encoding: gzip,deflate" --http2 -s https://mysite.ru -w '%{time_total}\n' -o /dev/null


and so you would see what the difference is, even on sites in the TOP100.

It is certainly worth watching how curl's %{time_total} increases; that it will increase is for sure, you will not achieve approximately the same performance for http and https connections, I wrote above why.

If curl's %{time_total} increased by 2 times, then it is worth paying attention, and you need to look at it comprehensively:
1. Whether we run out of CPU or memory when processing SSL/TLS (HTTPS) connections.
2. Whether https is configured correctly on nginx, whether gzip compression is used.
3. Whether the tcp/ip stack in the linux kernel is configured correctly; it is likely we are hitting some kernel limits. - nikita.Schoen45 commented on June 10th 19 at 16:04
2. But why more? Do you have 10,000 unique visitors a day?
1 MB of cache holds about 4000 sessions; do you really have that many?

in fact, 80,000 on average, sometimes 100-120K, so what?
1. TLS v1.3 is in draft state; by default it does not work in openssl or in nginx, both need to be rebuilt, and even then it does not work because not all browsers support it. Do not advise what you do not know.

well, did I write it for yours? And even if it doesn't work in old browsers, nobody forces you to turn off the lower TLS version.
3. Are you sure it is linux? Maybe it's freebsd, and then you need to use kqueue.

Yes, I am sure. If only because more than 90% of hosting companies do not build their VPS boxes on FreeBSD.
4. And do you know that it is enough to set worker_processes auto; and not suffer? nginx itself will determine how many cores are in the system and how many workers to start.

Know what? So what, smart guy?
So I would ask you, on the contrary, not to drool. - douglas_Wehner commented on June 10th 19 at 16:07

in fact, 80,000 on average, sometimes 100-120K, so what?


You may have more, but not everyone has this state of affairs, so why recommend increasing the "ssl_session_cache" directive to prohibitive values if there are no statistics on the number of ssl/tls connections?

well, did I write it for yours? And even if it doesn't work in old browsers, nobody forces you to turn off the lower TLS version.


and you wrote, and I quote:

or above and enable TLS 1.3; data goes faster over it than over TLS


This is nonsense: enabling something that is in draft state and requires recompiling nginx.

Yes, I am sure. If only because more than 90% of hosting companies do not build their VPS boxes on FreeBSD.


Really? I, for example, have several FreeBSD VPSes; the recommendation to set use epoll; will lead to [emerg], and if the author of the question does not run nginx -t, then restarting nginx will stop it. Of course on a test stand that's trifles, but in production it will be unpleasant.

Why recommend that if you don't know what the person has? In my opinion it's unprofessional.

Know what? So what, smart guy?


Yes, that's actually all I wanted to say. And yes, I'm smart, if only because I don't talk nonsense and don't recommend unreasonable things. - nikita.Schoen45 commented on June 10th 19 at 16:10
You may have more, but not everyone has this state of affairs, so why recommend increasing the "ssl_session_cache" directive to prohibitive values if there are no statistics on the number of ssl/tls connections?

That's why I asked the person why so little? Can't you see this? Go to the eye doctor.
This is nonsense: enabling something that is in draft state and requires recompiling nginx.

If your hands grow from your ass, anything can be called nonsense.
And yes, I'm smart

And that's how the conversation started. Immediately obvious it's not a serious person. - douglas_Wehner commented on June 10th 19 at 16:13
@VELIK505

That's why I asked the person why so little? Can't you see this? Go to the eye doctor.


Logically, one should first ask how many ssl/tls connections you have in the system, and only then say that the "ssl_session_cache" directive is so small. Isn't that right?

P.S. I go to the optometrist regularly, everything is normal, thanks for caring about my health.

If your hands grow from your ass, anything can be called nonsense.
And that's how the conversation started. Immediately obvious it's not a serious person.


And are you a proctologist by profession, to give such opinions on whose hands grow from where? - nikita.Schoen45 commented on June 10th 19 at 16:16
you remind me of a teacher from the University who says everything from the books, but then in practice everything needs to be adjusted and rethought.
And are you a proctologist by profession, to give such opinions on whose hands grow from where?

No, I'm not a proctologist. I tested 1.3 and everything is fine in recent FF and Chromes; it is well supported, and where it's not supported, 1.2 is used. And in the end, reread my answer:
p.s. if you're really chasing speed

Do you understand logic at all? If I wrote what's needed and it's logically there, do you understand what I mean? And then the author has the right to choose what he wants. But not you!
And you again with book examples. Although I'm 100% sure that you didn't even test it and just repeat what you've read! IMHO. A pure teacher.
And many who use 1.3, major projects such as cloudflare, have already been using it.
Write to tell them that they are not doing everything correctly, teach them. - douglas_Wehner commented on June 10th 19 at 16:19

I tested 1.3 and everything is fine in recent FF and Chromes; it is well supported, and where it's not supported, 1.2 is used. And in the end, reread my answer


It's just that in Chrome TLSv1.3 is disabled by default and is enabled only from release 65, see the chart.
Therefore, the fact that you have tested it is now completely useless to 99.99% of Chrome users, because TLSv1.3 is disabled for them by default. Why recommend something that is disabled and doesn't work yet? Well, God bless him. Moving on.

Although I'm 100% sure that you didn't even test it and just repeat what you've read! IMHO. A pure teacher.


Let's have no dirty insinuations; in the end you have to respect your interlocutor and not say what you don't know personally. Tested, it was tested, for example, and a long time ago, 3-4 months ago; I even wrote a note for myself, just haven't published it on the blog. You need openssl-1.1.1-tls1.3-draft-18, build nginx with --with-openssl-opt='enable-tls1_3 -fPIC', add TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256 to the ssl_ciphers directive, add the X25519 curve to ssl_ecdh_curve, add TLSv1.3 to ssl_protocols; all of this has been known for a long time, so no, you are not a genius. - nikita.Schoen45 commented on June 10th 19 at 16:22
In Chrome it is possible to enable 1.3 with flags.
And what difference does it make that somewhere for someone it isn't working, that somewhere it is not supported, if the data goes over 1.2? You can't answer this question. Because you don't understand that there is nothing wrong if 1.3 isn't working.
And I repeat that there was no advice there; it was written "can". If you don't distinguish elementary logic, alas.
The conversation is over. - douglas_Wehner commented on June 10th 19 at 16:25

The conversation is over.


You've got some nerve.

P.S. By the way, your server profitcentr.com sends an extra root certificate; I recommend correcting that. - nikita.Schoen45 commented on June 10th 19 at 16:28
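A way to check for the "extra root certificate" mentioned above, as an added example that is not part of the thread: the root CA is already in every client's trust store, so sending it in the handshake only adds bytes to every full handshake. The function below reads the per-certificate summary lines that `openssl s_client -showcerts` prints and reports whether the last certificate in the served chain is self-signed (subject equals issuer); the sample chain, the host name and the function names are constructed for this example.

```shell
#!/bin/sh
# classify_chain: read `openssl s_client` output on stdin and print one word:
#   root-included  - last cert in the chain is self-signed (root was sent)
#   ok             - chain ends in an intermediate, as it should
#   no-chain       - no "Certificate chain" summary found in the input
# The summary looks like " 0 s:CN = host" followed by "   i:C = .., CN = CA".
classify_chain() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; n++ }
        /^ *i:/        { sub(/^ *i:/, "");        issuer = $0 }
        END {
            if (n == 0)              print "no-chain"
            else if (subj == issuer) print "root-included"
            else                     print "ok"
        }'
}

# Live check: feed the real handshake summary into classify_chain.
# Usage: check_host example.com
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | classify_chain
}

# Constructed samples of the s_client summary (made-up CA names; only the
# shape of the output matters). Cert 2 below has subject == issuer.
SAMPLE_WITH_ROOT='---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Example CA, CN = Example Intermediate
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
 2 s:C = US, O = Example CA, CN = Example Root
   i:C = US, O = Example CA, CN = Example Root
---'

SAMPLE_NO_ROOT='---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Example CA, CN = Example Intermediate
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
---'
```

The same check also confirms that the chain is complete in the other direction: if it prints `ok` but the leaf's issuer never appears as a subject, the intermediate is missing and older clients will fail to build the path.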
June 10th 19 at 16:00
Solution
If everything is configured normally and the server is normal, then https will even be faster thanks to http/2. Rebuild nginx with alpn and enable http/2. Set up ssl session caches, do OCSP, etc., etc.
Yes, http2 is faster.
But a good fifth of the clients do not support it.

ssl_session_cache shared:SSL:10m;
and
ssl_stapling on;
ssl_stapling_verify on;

are enabled. - Michaela.Schiller commented on June 10th 19 at 16:03
How do they not support it? A fifth is 20%. I don't know, that data isn't quite right. On the project where I work, at most 3% of old stuff doesn't support it.
ssl_stapling on

well, did you generate the .pem certificate? So that clients go to it and not to the certification authority to verify authenticity.
ssl_session_cache shared:SSL:10m;

why so little?
ssl_session_timeout 6h;
p.s. if you're really chasing speed, you can update nginx to version 1.13.7 and openssl to 1.0.1g or above and enable TLS 1.3; data goes faster over it than over TLS 1.2.
nginx: use the epoll method for handling connections
use all cores of your server/VPS for nginx: worker_processes = number of cores.
Hard to say about the VPS; on a normal server you will of course see very different data. - nikita.Schoen45 commented on June 10th 19 at 16:06
Yes, I didn't clarify. letsencrypt certbot automatically created fullchain.pem with the entire chain of certificates.
A lot of customers are on android4.0, and while for the api you can use a custom client, for the android webview I haven't found the option. - douglas_Wehner commented on June 10th 19 at 16:09
Slightly adding to the above answer. Well, whoever doesn't support http/2 will work over http 1.1, no problem. http/2 should be switched on in any case.
A lot of customers on android4.0

It's strange where you are. I don't really see such. 5-6 are still around. A large part is 7. Well, 4 is quite minuscule. - nikita.Schoen45 commented on June 10th 19 at 16:12
June 10th 19 at 16:02
No, it's not normal - something is configured wrong, or something is measured not quite right. If you measured a single request and your CPU usage did not hit the ceiling, there should not be such a difference.
Well, in a situation of resource scarcity ssl is of course less profitable, but for this test nothing like that is needed...

Well, I hope you measured a series and averaged the results?
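The curl tests from the comment above and this answer's point about measuring a series and averaging, combined in one added example that is not part of the thread: `measure` runs curl N times against a URL and prints curl's own timing variables, and `summarize` averages them and separates the TLS handshake (time_appconnect minus time_connect, which is 0 for plain http) from the total, so a 2-3x gap like the question's can be attributed to the handshake or to something else. The function names, `mysite.ru` usage lines and the sample figures are constructed for this example.

```shell
#!/bin/sh
# measure URL [RUNS]: one line per request with curl's timings in seconds:
#   time_connect time_appconnect time_starttransfer time_total
measure() {
    url=$1; runs=${2:-10}; i=0
    while [ "$i" -lt "$runs" ]; do
        curl -s -o /dev/null \
             -w '%{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n' \
             "$url"
        i=$((i + 1))
    done
}

# summarize: read measure() output on stdin, print averages in ms.
# handshake = appconnect - connect (TLS setup); 0 when appconnect is 0 (http).
summarize() {
    awk '
        { hs = ($2 > 0) ? $2 - $1 : 0
          sum_hs += hs; sum_t += $4; n++
          if (n == 1 || $4 < min) min = $4
          if (n == 1 || $4 > max) max = $4 }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            printf "runs=%d handshake_avg=%.0fms total_avg=%.0fms total_min=%.0fms total_max=%.0fms\n",
                   n, 1000 * sum_hs / n, 1000 * sum_t / n, 1000 * min, 1000 * max
        }'
}

# Typical use, comparing the two schemes the thread tests (20 runs each):
#   measure http://mysite.ru 20  | summarize
#   measure https://mysite.ru 20 | summarize
# If total_avg for https exceeds http by far more than handshake_avg, the
# extra time is not the TLS handshake: look at CPU saturation, session reuse
# (ssl_session_cache) and gzip, as the comment above lists.

# Constructed sample of measure() output for an https URL, shaped like the
# question's 0.593-0.861 s figures. Not real measurements.
SAMPLE_HTTPS='0.030 0.120 0.580 0.593
0.032 0.125 0.700 0.712
0.031 0.118 0.850 0.861'
```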
