TLS benchmarks: include nginx TLS connections job (#2123)

DeagleGross · web-flow · commit ec4e8a57113d · 2025-10-21T13:14:55.000+02:00
* nginx docker tls handshakes

* move maybe works?

* try use 5000 port everywhere
diff --git a/build/trend-scenarios.yml b/build/trend-scenarios.yml
@@ -113,7 +113,10 @@ parameters:
 
   - displayName: "Kestrel Linux: TLS Handshakes"
     arguments: --scenario tls-handshakes-kestrel $(tlsJobs) --property scenario=KestrelTLSHandshakes --application.options.requiredOperatingSystem linux
-    
+
+  - displayName: "Nginx: TLS Handshakes"
+    arguments: --scenario tls-handshakes-nginx $(tlsJobs) --property scenario=NginxTLSHandshakes --application.options.requiredOperatingSystem linux
+
   - displayName: "Kestrel Linux: mTLS Handshakes"
     arguments: --scenario mTls-handshakes-kestrel $(tlsJobs) --property scenario=KestrelMutualTLSHandshakes --application.options.requiredOperatingSystem linux
 
diff --git a/scenarios/tls.benchmarks.yml b/scenarios/tls.benchmarks.yml
@@ -68,10 +68,10 @@ jobs:
     dockerFile: dockerNginx/src/BenchmarksApps/TLS/Nginx/Dockerfile
     dockerImageName: dockerNginx
     dockerContextDirectory: dockerNginx/src/BenchmarksApps/TLS
-    port: 8080
+    port: 5000
     readyStateText: Application started.
     environmentVariables:
-      urls: "https://*:8080" # any ip, port 8080
+      urls: "https://*:5000" # any ip, port 8080
 
 scenarios:
 
@@ -130,6 +130,24 @@ scenarios:
         certPwd: testPassword
         sslProtocol: tls12
 
+# Nginx
+
+  tls-handshakes-docker-nginx:
+    application:
+      job: dockerLinuxNginxServer
+      buildArguments:
+      - CERT_KEY_LENGTH=2048
+      - ENABLE_FIPS_MODE=true
+    load:
+      job: httpclient
+      variables:
+        path: /hello-world
+        presetHeaders: connectionclose
+        connections: 32
+        serverScheme: https
+        sslProtocol: tls12
+        serverPort: 5000
+
 # Kestrel
   
   tls-handshakes-kestrel:
@@ -253,19 +271,4 @@ scenarios:
         presetHeaders: connectionclose
         connections: 32
         serverScheme: https
-        sslProtocol: tls12
-
-  tls-handshakes-docker-nginx:
-    application:
-      job: dockerLinuxNginxServer
-      buildArguments:
-      - CERT_KEY_LENGTH=2048
-    load:
-      job: httpclient
-      variables:
-        path: /hello-world
-        serverPort: 8080
-        presetHeaders: connectionclose
-        connections: 32
-        serverScheme: https
-        sslProtocol: tls12
+        sslProtocol: tls12
diff --git a/src/BenchmarksApps/TLS/Nginx/Dockerfile b/src/BenchmarksApps/TLS/Nginx/Dockerfile
@@ -1,7 +1,10 @@
 FROM nginx:latest
 
 # or 4096 key length
-ARG CERT_KEY_LENGTH=2048 
+ARG CERT_KEY_LENGTH=2048
+ARG ENABLE_FIPS_MODE=false
+ARG OPENSSL_CIPHER_STRING=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+ARG OPENSSL_GROUPS=P-384:P-256:P-521
 
 # Copy configuration
 COPY Nginx/config/nginx.conf /etc/nginx/nginx.conf
@@ -11,11 +14,30 @@ COPY Nginx/config/start-nginx.sh /start-nginx.sh
 COPY Certificates/${CERT_KEY_LENGTH}/cert.pem /etc/nginx/certs/cert.pem
 COPY Certificates/${CERT_KEY_LENGTH}/key.pem /etc/nginx/certs/key.pem
 
+# Configure OpenSSL for FIPS-compliant cipher suites if $ENABLE_FIPS_MODE
+RUN if [ "$ENABLE_FIPS_MODE" = "true" ]; then \
+        echo "=== FIPS MODE ENABLED - Configuring OpenSSL ===" && \
+        cat /etc/ssl/openssl.cnf && \
+        echo "" >> /etc/ssl/openssl.cnf && \
+        echo "openssl_conf = openssl_init" >> /etc/ssl/openssl.cnf && \
+        echo "[openssl_init]" >> /etc/ssl/openssl.cnf && \
+        echo "ssl_conf = ssl_sect" >> /etc/ssl/openssl.cnf && \
+        echo "[ssl_sect]" >> /etc/ssl/openssl.cnf && \
+        echo "system_default = system_default_sect" >> /etc/ssl/openssl.cnf && \
+        echo "[system_default_sect]" >> /etc/ssl/openssl.cnf && \
+        echo "CipherString = $OPENSSL_CIPHER_STRING" >> /etc/ssl/openssl.cnf && \
+        echo "Groups = $OPENSSL_GROUPS" >> /etc/ssl/openssl.cnf && \
+        echo "=== FIPS Configuration Applied ===" && \
+        tail -15 /etc/ssl/openssl.cnf; \
+    else \
+        echo "=== FIPS MODE DISABLED ==="; \
+    fi
+
 # Make the script executable
 RUN chmod +x /start-nginx.sh
 
-# Expose port 8080 for HTTPS traffic
-EXPOSE 8080
+# Expose port 5000 for HTTPS traffic
+EXPOSE 5000
 
 # Run the startup script
 CMD ["/start-nginx.sh"]
diff --git a/src/BenchmarksApps/TLS/Nginx/config/nginx.conf b/src/BenchmarksApps/TLS/Nginx/config/nginx.conf
@@ -18,8 +18,8 @@ http {
     access_log off;
 
     server {
-        listen 8080 ssl;
-        listen [::]:8080 ssl;
+        listen 5000 ssl;
+        listen [::]:5000 ssl;
         server_name YOUR_IP;
 
         ssl_certificate /etc/nginx/certs/cert.pem;
diff --git a/src/BenchmarksApps/TLS/Nginx/invoke.ps1 b/src/BenchmarksApps/TLS/Nginx/invoke.ps1
@@ -1 +1 @@
-curl -v https://127.0.0.1:8080 --insecure
+curl -v https://127.0.0.1:5000 --insecure

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-curl -v https://127.0.0.1:8080 --insecure`
	`1`	`+curl -v https://127.0.0.1:5000 --insecure`