Add support for dynamic TLS records and spdy

kubernetes-retired · Jul 1, 2016 · a718cbe · a718cbe
1 parent e2a8815
commit a718cbe
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 12 deletions.
diff --git a/ingress/controllers/nginx/Dockerfile b/ingress/controllers/nginx/Dockerfile
@@ -12,19 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/google_containers/nginx-slim:0.7
+FROM gcr.io/google_containers/nginx-slim:0.8
 
 RUN apt-get update && apt-get install -y \
  diffutils \
  --no-install-recommends \
  && rm -rf /var/lib/apt/lists/*
 
-# Download of GeoIP databases
-RUN curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
- && curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
- && gunzip /etc/nginx/GeoIP.dat.gz \
- && gunzip /etc/nginx/GeoLiteCity.dat.gz
-
 COPY nginx-ingress-controller /
 COPY nginx.tmpl /etc/nginx/template/nginx.tmpl
 COPY default.conf /etc/nginx/nginx.conf

diff --git a/ingress/controllers/nginx/README.md b/ingress/controllers/nginx/README.md
@@ -18,7 +18,7 @@ This is a nginx Ingress controller that uses [ConfigMap](https://github.com/kube
 * [NGINX status page](#nginx-status-page)
 * [Debug & Troubleshooting](#troubleshooting)
 * [Limitations](#limitations)
-
+* [NGINX Notes](#nginx-notes)
 
 ## Conventions
 
@@ -253,3 +253,18 @@ I0316 12:24:37.610073 1 command.go:69] change in configuration detected. R
 ## Limitations
 
 - Ingress rules for TLS require the definition of the field `host`
+
+
+## NGINX notes
+
+Since `gcr.io/google_containers/nginx-slim:0.8` NGINX contains the next patches:
+- Dynamic TLS record size [nginx__dynamic_tls_records.patch](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/)
+NGINX provides the parameter `ssl_buffer_size` to adjust the size of the buffer. Default value in NGINX is 16KB. The ingress controller changes the default to 4KB. This improves the [TLS Time To First Byte (TTTFB)](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) but the size is fixed. This patches adapts the size of the buffer to the content is being served helping to improve the perceived latency.
+
+- Add SPDY support back to Nginx with HTTP/2 [nginx_1_9_15_http2_spdy.patch](https://github.com/cloudflare/sslconfig/pull/36)
+At the same NGINX introduced HTTP/2 support for SPDY was removed. This patch add support for SPDY wichout compromising HTTP/2 support using the Application-Layer Protocol Negotiation (ALPN) or Next Protocol Negotiation (NPN) Transport Layer Security (TLS) extension to negotiate what protocol the server and client support
+```
+openssl s_client -servername www.my-site.com -connect www.my-site.com:443 -nextprotoneg ''
+CONNECTED(00000003)
+Protocols advertised by server: h2, spdy/3.1, http/1.1
+```
diff --git a/ingress/controllers/nginx/nginx.tmpl b/ingress/controllers/nginx/nginx.tmpl
@@ -145,6 +145,10 @@ http {
  ssl_dhparam {{ .sslDHParam }};
  {{ end }}
 
+ {{- if not $cfg.enableDynamicTlsRecords }}
+ ssl_dyn_rec_size_lo 0;
+ {{ end }}
+
  {{- if .customErrors }}
  # Custom error pages
  proxy_intercept_errors on;
@@ -178,7 +182,7 @@ http {
  server {
  server_name {{ $server.Name }};
  listen 80{{ if $cfg.useProxyProtocol }} proxy_protocol{{ end }};
- {{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.useHttp2 }}http2{{ end }};
+ {{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.enableSpdy }}spdy{{ end }} {{ if $cfg.useHttp2 }}http2{{ end }};
  {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
  # PEM sha: {{ $server.SSLPemChecksum }} 
  ssl_certificate {{ $server.SSLCertificate }};

diff --git a/ingress/controllers/nginx/nginx/config/config.go b/ingress/controllers/nginx/nginx/config/config.go
@@ -78,6 +78,16 @@ type Configuration struct {
  // Sets the maximum allowed size of the client request body
  BodySize string `structs:"body-size,omitempty"`
 
+ // EnableDynamicTLSRecords enables dynamic TLS record sizes
+ // https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency
+ // By default this is enabled
+ EnableDynamicTLSRecords bool `structs:"enable-dynamic-tls-records"`
+
+ // EnableSPDY enables spdy and use ALPN and NPN to advertise the availability of the two protocols
+ // https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code
+ // By default this is enabled
+ EnableSPDY bool `structs:"enable-spdy"`
+
  // EnableStickySessions enabled sticky sessions using cookies
  // https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
  // By default this is disabled
@@ -251,9 +261,11 @@ type Configuration struct {
 // in the file default-conf.json
 func NewDefault() Configuration {
  cfg := Configuration{
- BodySize: bodySize,
- ErrorLogLevel: errorLevel,
- HSTS: true,
+ BodySize: bodySize,
+ EnableDynamicTLSRecords: true,
+ EnableSPDY: true,
+ ErrorLogLevel: errorLevel,
+ HSTS: true,
  HSTSIncludeSubdomains: true,
  HSTSMaxAge: hstsMaxAge,
  GzipTypes: gzipTypes,