By Abhishek Ghosh August 24, 2016 12:51 am Updated on August 24, 2016

Optimizing Nginx HTTP/2 TLS : Basic Principles


We hope that most readers are using the latest deb GNU/Linux (like Ubuntu 16.04 LTS) or the latest CentOS, which fully support HTTP/2. If you are still using Ubuntu 14.04 or an older Ubuntu, please read our old guide to upgrade your server so that it is compatible with HTTP/2. This article on the basic principles of optimizing Nginx HTTP/2 TLS will also help relatively new users who may not understand the various phrases used on other websites.


Previously Published Articles Related To Understanding of Basic Principles on Optimizing Nginx HTTP/2 TLS


We know that a list of hyperlinks is boring to look at, and nobody loves a site-links chart. But for easy, somewhat detailed instruction, information and cross-checking, at least read the sentence or phrase of each hyperlink and click through to anything unfamiliar.

  1. HTTP/2 (Article)
  2. TLS (Article)
  3. TCP (Article)
  4. OSI Models (Article)
  5. HTTPS Everywhere list (HTTP/2 compatible guide)
  6. EV SSL Certificate (Article)
  7. OCSP Stapling (HTTP/2 compatible guide)
  8. OCSP Stapling Error Fix (HTTP/2 compatible guide)
  9. Public Key Pinning (HTTP/2 compatible guide)
  10. Content Security Policy (HTTP/2 compatible guide)
  11. Installing Let’s Encrypt Free SSL Certificate (HTTP/2 compatible guide)
  12. Nginx Configuration For TLS (non-HTTP/2 compatible guide)
  13. Nginx Configuration For HSTS (non-HTTP/2 compatible guide)
  14. Installing Nginx WordPress Percona MySQL on Ubuntu 16.04 LTS (HTTP/2 compatible guide)

Support for HTTP/2 was released with Nginx 1.9.5, except for Server Push. Whether HTTPS is slower than HTTP is not an easy question to answer.


Optimizing Nginx HTTP/2 TLS : Goals


On cloud servers, latency is a bigger issue than CPU load. So most of the tips are about decreasing latency, and about avoiding a round trip to a remote server to check the TLS certificate. A modern software-based TLS implementation on ordinary server CPUs is enough to handle a high HTTPS traffic load. HTTPS that is not set up properly, including HTTP/2 TLS, can really fry a dedicated server; such bad, slow, old settings are commonly encountered as a user when the backend belongs to various social networks and payment gateways. What we suggest is this: use a GNU/Linux with the latest kernel, the latest OpenSSL and the latest web server software, which is Nginx community edition in our case.


Optimizing Nginx HTTP/2 TLS : Phrases and Keywords


Get listed on HTTPS Everywhere – Deploy HSTS and get listed on the HTTPS Everywhere list. As your domain will be listed in the source of common browsers, the chance of a failure on the client browser side will probably be lower.

Try to Use Let’s Encrypt or a Well Known CA – At this moment, Let’s Encrypt is more than enough even for small commercial websites, compared with a DV SSL certificate. Being an F/OSS project, its security and possible backdoors are regularly checked. If you bought GeoTrust’s DV SSL with a longer expiration before Let’s Encrypt actually became usable, you can definitely trust it. We want to point out that, for a paid option, an EV SSL/TLS certificate is better.

RSA, Diffie-Hellman and Forward Secrecy – We have already written about Diffie-Hellman keys. Diffie-Hellman key exchange with ephemeral session keys enables perfect forward secrecy (PFS).

Switch to Application Layer Protocol Negotiation (ALPN) – Next Protocol Negotiation (NPN) is a TLS extension that was developed as part of SPDY. ALPN is a revised, IETF-approved version of the NPN extension and is its successor.

Server Name Indication (SNI) – If you need to provide a faster TLS+SNI workflow to all browsers and devices, you need a dedicated IP address for the domain and reverse DNS for that IP. A TLS tunnel can be established between two TCP peers where the client only needs to know the IP address of the other peer to make the connection and perform the TLS handshake. What happens if the server hosts multiple domains, each with its own TLS certificate, on the same IP address? It frankly does not work, and the reason is obvious: the server cannot tell which certificate to present. The Server Name Indication (SNI) extension of the TLS protocol addresses this problem. It allows the client to indicate the hostname it is attempting to connect to as part of the TLS handshake.
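Both ALPN and SNI are carried as extensions inside the ClientHello, the very first handshake message, which is why the server can choose a certificate and an application protocol before anything else is exchanged. The following is an added example, not code from the article or from Nginx: it builds a minimal TLS 1.2 ClientHello with constructed placeholder values (all-zero random, two cipher suites, empty session id), parses the SNI and ALPN extensions back out the way a server would, and performs the server-side ALPN choice. The `negotiate_alpn` helper and its default preference list `("h2", "http/1.1")` are assumptions for illustration, not Nginx's implementation.

```python
import struct

TLS_HANDSHAKE = 0x16          # record content type for handshake messages
TLS12 = b"\x03\x03"           # record / legacy_version bytes for TLS 1.2
EXT_SERVER_NAME = 0           # SNI extension type (RFC 6066)
EXT_ALPN = 16                 # ALPN extension type (RFC 7301)


def _vec(data, width):
    """Length-prefixed vector as TLS encodes it; width is the size of the length field."""
    return len(data).to_bytes(width, "big") + data


def build_client_hello(server_name, alpn_protocols):
    """Construct a minimal TLS 1.2 ClientHello record that carries SNI and ALPN.
    The random, session id and cipher suites are constructed placeholders."""
    sni_entry = b"\x00" + _vec(server_name.encode("idna"), 2)       # name_type 0 = host_name
    ext_sni = struct.pack("!H", EXT_SERVER_NAME) + _vec(_vec(sni_entry, 2), 2)
    protos = b"".join(_vec(p.encode("ascii"), 1) for p in alpn_protocols)
    ext_alpn = struct.pack("!H", EXT_ALPN) + _vec(_vec(protos, 2), 2)
    body = (
        TLS12
        + bytes(32)                       # client random (constructed: all zeros)
        + _vec(b"", 1)                    # empty session id (no resumption attempt)
        + _vec(b"\xc0\x2f\xc0\x30", 2)    # two ECDHE-RSA AES-GCM cipher suites
        + _vec(b"\x00", 1)                # null compression only
        + _vec(ext_sni + ext_alpn, 2)
    )
    handshake = b"\x01" + _vec(body, 3)   # handshake type 1 = client_hello
    return bytes([TLS_HANDSHAKE]) + TLS12 + _vec(handshake, 2)


def parse_client_hello(record):
    """Return {"sni": [...], "alpn": [...]} from a ClientHello record: the two fields a
    server uses to pick the certificate and the application protocol. Raises ValueError
    on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip version and random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    result = {"sni": [], "alpn": []}
    if pos >= len(body):
        return result                                       # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME:
            names = data[2:2 + int.from_bytes(data[:2], "big")]
            i = 0
            while i + 3 <= len(names):
                n = int.from_bytes(names[i + 1:i + 3], "big")
                if names[i] == 0:                           # host_name entry
                    result["sni"].append(names[i + 3:i + 3 + n].decode("idna"))
                i += 3 + n
        elif ext_type == EXT_ALPN:
            protos = data[2:2 + int.from_bytes(data[:2], "big")]
            i = 0
            while i < len(protos):
                n = protos[i]
                result["alpn"].append(protos[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
    return result


def negotiate_alpn(client_offered, server_supported=("h2", "http/1.1")):
    """Server-side ALPN choice (assumed policy): the first protocol in the server's
    preference order that the client offered, or None when there is no overlap."""
    for proto in server_supported:
        if proto in client_offered:
            return proto
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com", ["h2", "http/1.1"])
    info = parse_client_hello(hello)
    print(info, "->", negotiate_alpn(info["alpn"]))
```

A client without SNI sends no server_name extension, so `result["sni"]` stays empty; that is the case where the article's dedicated IP address is the only way to know which certificate to present. Likewise an empty `alpn` list means the client predates ALPN and the server has to fall back to HTTP/1.1 after the handshake.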

TLS Session Resumption – TLS session resumption reduces the extra latency and computational cost of a full TLS handshake. It has two components: session identifiers (RFC 5246) and session tickets (RFC 5077).

Chain of Trust and Certificate Authorities – All browsers let you click and inspect the chain of trust of a connection, which is based on the site/domain certificate, the intermediate certificate and the root CA certificate. Click the lock icon of this webpage to see it. thecustomizewindows.com’s certificate is signed by the GeoTrust DV SSL Primary Intermediate Server; that intermediate certificate is signed by the GeoTrust Certification Authority, which is a root certificate authority recognized by all browsers. The Certificate Transparency project addresses flaws in this model by providing a public log for monitoring and auditing the issuance of all new certificates.

Certificate Revocation – The issuer of a certificate may need to invalidate it for various reasons. The reason can be serious, like the private key of the certificate being compromised, or routine, like a superseding certificate or a change in affiliation.

Certificate Revocation List (CRL) – RFC 5280 specifies a simple mechanism for checking the status of every certificate.

OCSP Stapling – For various reasons, both CRL and OCSP are suboptimal. We discussed OCSP stapling in detail in a separate guide.

TLS Record Protocol – The TLS record protocol distinguishes handshake, alert and data messages via the “Content Type” field, securing and verifying the integrity of each record.


Logical Steps to Optimize Nginx Configuration For HTTP/2 TLS


Obviously, if we optimize all of the points above, or rather check and validate them against a standard test like SSL Labs, we can make our server’s HTTP/2 TLS connection faster without compromising security. Deploying our web application over TLS requires some additional work: first within the application, migrating every resource to HTTPS to avoid mixed content, and then in the configuration of the infrastructure. Even the most highly tuned TLS web application or webpage adds at least one extra round trip for negotiating the TLS connection. We need to configure session resumption and enable forward secrecy in order to enable TLS False Start.

  • First, we need to optimize the webpage or web application using the general rules of page speed optimization. A webpage that is plain HTML with very small CSS and only text will always load faster.
  • Second, our server and DNS should have no bottleneck in networking or hardware resources.
  • Third, our CDN should have no bottleneck, exactly like our server.

Most of the above are quite easy to configure, being either ready-to-use resources or settings in the Nginx config file.
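To make the "check to validate" step concrete, here is an added example that is not part of the article and not an Nginx tool: a small Python audit that parses an Nginx server block and reports which of the settings discussed above are missing or weak (HTTP/2 via ALPN on the listen socket, legacy protocol versions, a shared session cache for resumption, verified OCSP stapling, explicit DH parameters and the HSTS header). Both configuration samples are constructed for the example; the file paths under /etc/nginx/ssl/ are placeholders, and the directive names are the real Nginx ones.

```python
import re

# Constructed sample: a server block with the weak or missing TLS settings this audit looks for.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache off;
}
"""

# Constructed sample: the same block with the settings the article calls for.
HARDENED_CONFIG = """
server {
    listen 443 ssl http2;                      # h2 is offered to clients via ALPN
    server_name example.com;
    ssl_certificate         /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key     /etc/nginx/ssl/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;   # needed to verify stapled OCSP responses
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;    # explicit DH parameters for DHE forward secrecy
    ssl_session_cache shared:SSL:10m;          # session-id resumption shared across workers
    ssl_session_timeout 1d;
    ssl_stapling on;                           # serve the OCSP response inside the handshake
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

# One token per quoted string, single punctuation character, or bare word.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+')


def parse_directives(text):
    """Map each directive name to the list of argument lists found for it, ignoring
    comments and block nesting (enough for a per-server-block audit)."""
    directives = {}
    current = []
    for tok in _TOKEN.findall(re.sub(r"#.*", "", text)):
        if tok in (";", "{", "}"):
            if current:
                args = [t.strip("\"'") for t in current[1:]]
                directives.setdefault(current[0], []).append(args)
            current = []
        else:
            current.append(tok)
    return directives


def audit_tls(config_text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(config_text)
    first = lambda name: d.get(name, [[]])[0]
    findings = []
    if not any("http2" in args for args in d.get("listen", [])):
        findings.append("listen: no http2 flag, so ALPN never selects h2 and clients fall back to HTTP/1.1")
    legacy = set(first("ssl_protocols")) & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
    if legacy:
        findings.append("ssl_protocols: legacy versions enabled: " + ", ".join(sorted(legacy)))
    cache = first("ssl_session_cache")
    if not cache or not cache[0].startswith("shared:"):
        findings.append("ssl_session_cache: no shared cache, session-id resumption is unavailable across workers")
    if first("ssl_stapling") != ["on"]:
        findings.append("ssl_stapling: off, so every client must contact the OCSP responder itself")
    elif first("ssl_stapling_verify") != ["on"] or "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling: on but unverified (needs ssl_stapling_verify on and ssl_trusted_certificate)")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam: missing, no explicit Diffie-Hellman parameters for DHE suites")
    if not any(a and a[0] == "Strict-Transport-Security" for a in d.get("add_header", [])):
        findings.append("add_header: no Strict-Transport-Security header, HSTS is not deployed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls(cfg) or "OK")
```

The audit deliberately treats `ssl_session_cache off` and an absent directive the same way: without a shared cache, a resumption attempt that lands on a different worker process is a full handshake again, which is exactly the extra round trip the article wants to avoid. Run it against a real server block by reading the file into `audit_tls`; the parser ignores nested `location` blocks, so point it at one server block at a time.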


Problems : Head-of-line blocking, TLS records, and latency


TLS runs over TCP. TCP promises delivery of all transferred packets, and because of that it suffers from head-of-line (HOL) blocking: one lost packet holds every packet received after it in the buffer until the lost one is successfully retransmitted, as otherwise the data would be delivered out of order. This is the tradeoff of any in-order transport. TLS adds an extra layer of buffering because of its integrity checks: if the server sends data in 16 KB record chunks, the client must also read the data 16 KB at a time.

[Image: Optimizing Nginx HTTP/2 TLS - Basic Principles (TCP/TLS record diagram)]

Sadly, most web servers do not provide an easy way to configure the TLS record size and instead use the default maximum of 16 KB. That is a big chapter in itself.
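The record-size effect can be seen without a network. The following is an added example, not code from the article: it frames a constructed 16 KB response into TLS records, then feeds the byte stream to a receiver one 1400-byte TCP segment at a time and records how many application bytes become usable after each segment. With one 16 KB record nothing is usable until the twelfth segment arrives, because the integrity check covers the whole record; with records sized to fit one segment, every segment delivers data as soon as it lands. The framing is plaintext only (no MAC or padding), and the 1400-byte segment size is an assumption standing in for a typical Ethernet MSS. For Nginx specifically, the record size is exposed by the `ssl_buffer_size` directive (default 16k), which the article does not mention.

```python
import struct

RECORD_HEADER = 5            # content type (1) + version (2) + length (2)
MAX_PLAINTEXT = 16384        # 2^14, the largest TLS record and the usual server default
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def frame_records(payload, record_size, content_type=23):
    """Split application data into TLS records of at most record_size bytes each.
    Plaintext framing only: the MAC/AEAD tag that makes a record indivisible is omitted."""
    if not 0 < record_size <= MAX_PLAINTEXT:
        raise ValueError("record size must be between 1 and 16384 bytes")
    out = []
    for i in range(0, len(payload), record_size):
        chunk = payload[i:i + record_size]
        out.append(struct.pack("!BHH", content_type, 0x0303, len(chunk)) + chunk)
    return b"".join(out)


class RecordReader:
    """Receiver side. Bytes are buffered until a complete record is present, because the
    integrity check covers the whole record: no byte of it is usable before the last
    byte has arrived."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        """Append received bytes and return the (content_type, payload) records completed."""
        self.buf += data
        done = []
        while len(self.buf) >= RECORD_HEADER:
            ctype, version, length = struct.unpack("!BHH", bytes(self.buf[:RECORD_HEADER]))
            if ctype not in CONTENT_TYPES or version >> 8 != 3:
                raise ValueError("not a TLS record header")
            if length > MAX_PLAINTEXT + 2048:          # TLS 1.2 ciphertext length limit
                raise ValueError("record exceeds TLS maximum length")
            if len(self.buf) < RECORD_HEADER + length:
                break                                  # wait for the rest of this record
            done.append((CONTENT_TYPES[ctype], bytes(self.buf[RECORD_HEADER:RECORD_HEADER + length])))
            del self.buf[:RECORD_HEADER + length]
        return done


def delivery_timeline(payload, record_size, segment_size=1400):
    """Deliver the framed stream one TCP segment at a time and return, per segment, how
    many application bytes became usable after it arrived."""
    reader = RecordReader()
    stream = frame_records(payload, record_size)
    timeline = []
    for i in range(0, len(stream), segment_size):
        records = reader.feed(stream[i:i + segment_size])
        timeline.append(sum(len(p) for _, p in records))
    return timeline


if __name__ == "__main__":
    page = bytes(16384)                       # constructed: a 16 KB response body
    print("16 KB records :", delivery_timeline(page, MAX_PLAINTEXT))
    print("1395 B records:", delivery_timeline(page, 1400 - RECORD_HEADER))
```

The same simulation explains why a lost segment hurts more with large records: in the 16 KB case the lost segment's retransmission delays all 16384 bytes, whereas with segment-sized records only the 1395 bytes of that one record wait. The cost of small records is the 5-byte header plus the (omitted here) MAC or AEAD tag per record, which is why a fixed small size is not automatically the right answer either.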

Cite this article as: Abhishek Ghosh, "Optimizing Nginx HTTP/2 TLS : Basic Principles," in The Customize Windows, August 24, 2016, February 3, 2023, https://thecustomizewindows.com/2016/08/optimizing-nginx-http2-tls-basic-principles/.

Source:The Customize Windows, JiMA.in

PC users can consult Corrine Chorney for Security.

Want to know more about us? Read Notability and Mentions & Our Setup.

Copyright © 2023 - The Customize Windows | dESIGNed by The Customize Windows

Copyright  · Privacy Policy  · Advertising Policy  · Terms of Service  · Refund Policy

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Do not sell my personal information.
Cookie SettingsAccept
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT