From a718cbec752bc954d1ede0dceab7c9faa286ab07 Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Sat, 18 Jun 2016 17:03:27 -0400
Subject: [PATCH] Add support for dynamic TLS records and spdy

---
 ingress/controllers/nginx/Dockerfile | 8 +-------
 ingress/controllers/nginx/README.md | 17 ++++++++++++++++-
 ingress/controllers/nginx/nginx.tmpl | 6 +++++-
 .../controllers/nginx/nginx/config/config.go | 18 +++++++++++++++---
 4 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/ingress/controllers/nginx/Dockerfile b/ingress/controllers/nginx/Dockerfile
index 32e57ef131..1766f04e81 100644
--- a/ingress/controllers/nginx/Dockerfile
+++ b/ingress/controllers/nginx/Dockerfile
@@ -12,19 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/google_containers/nginx-slim:0.7
+FROM gcr.io/google_containers/nginx-slim:0.8
 
 RUN apt-get update && apt-get install -y \
 diffutils \
 --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*
 
-# Download of GeoIP databases
-RUN curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
- && curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
- && gunzip /etc/nginx/GeoIP.dat.gz \
- && gunzip /etc/nginx/GeoLiteCity.dat.gz
-
 COPY nginx-ingress-controller /
 COPY nginx.tmpl /etc/nginx/template/nginx.tmpl
 COPY default.conf /etc/nginx/nginx.conf
diff --git a/ingress/controllers/nginx/README.md b/ingress/controllers/nginx/README.md
index 6ad4847ca4..3e3f29fd11 100644
--- a/ingress/controllers/nginx/README.md
+++ b/ingress/controllers/nginx/README.md
@@ -18,7 +18,7 @@ This is a nginx Ingress controller that uses [ConfigMap](https://github.com/kube
 * [NGINX status page](#nginx-status-page)
 * [Debug & Troubleshooting](#troubleshooting)
 * [Limitations](#limitations)
-
+* [NGINX Notes](#nginx-notes)
 
 ## Conventions
 
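Review bot: The `FROM` line now pulls `gcr.io/google_containers/nginx-slim:0.8` by mutable tag, while the rest of this patch makes the rendered nginx.conf depend on directives (`spdy`, `ssl_dyn_rec_size_lo`) that only that image's patched nginx accepts, so a re-pushed 0.8 tag can change or break the controller without any change here. Pinning the base image by digest, `FROM gcr.io/google_containers/nginx-slim:0.8@sha256:<digest>`, makes the build reproducible; at minimum add `# nginx.tmpl relies on the SPDY and dynamic-TLS-record patches carried by this image` above it. Removing the GeoIP `curl` over plain http with no checksum is an improvement; if nginx.tmpl still loads `/etc/nginx/GeoIP.dat` (not visible here), confirm the 0.8 image ships it.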
@@ -253,3 +253,18 @@ I0316 12:24:37.610073 1 command.go:69] change in configuration detected. R
 ## Limitations
 
 - Ingress rules for TLS require the definition of the field `host`
+
+
+## NGINX notes
+
+Since `gcr.io/google_containers/nginx-slim:0.8` NGINX contains the next patches:
+- Dynamic TLS record size [nginx__dynamic_tls_records.patch](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/)
+NGINX provides the parameter `ssl_buffer_size` to adjust the size of the buffer. Default value in NGINX is 16KB. The ingress controller changes the default to 4KB. This improves the [TLS Time To First Byte (TTTFB)](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) but the size is fixed. This patches adapts the size of the buffer to the content is being served helping to improve the perceived latency.
+
+- Add SPDY support back to Nginx with HTTP/2 [nginx_1_9_15_http2_spdy.patch](https://github.com/cloudflare/sslconfig/pull/36)
+At the same NGINX introduced HTTP/2 support for SPDY was removed. This patch add support for SPDY wichout compromising HTTP/2 support using the Application-Layer Protocol Negotiation (ALPN) or Next Protocol Negotiation (NPN) Transport Layer Security (TLS) extension to negotiate what protocol the server and client support
+```
+openssl s_client -servername www.my-site.com -connect www.my-site.com:443 -nextprotoneg ''
+CONNECTED(00000003)
+Protocols advertised by server: h2, spdy/3.1, http/1.1
+```
diff --git a/ingress/controllers/nginx/nginx.tmpl b/ingress/controllers/nginx/nginx.tmpl
index 686959fe95..3b2cf1f588 100644
--- a/ingress/controllers/nginx/nginx.tmpl
+++ b/ingress/controllers/nginx/nginx.tmpl
@@ -145,6 +145,10 @@ http {
 ssl_dhparam {{ .sslDHParam }};
 {{ end }}
 
+ {{- if not $cfg.enableDynamicTlsRecords }}
+ ssl_dyn_rec_size_lo 0;
+ {{ end }}
+
 {{- if .customErrors }}
 # Custom error pages
 proxy_intercept_errors on;
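Review bot: The added `{{- if not $cfg.enableDynamicTlsRecords }}` branch emits `ssl_dyn_rec_size_lo 0;` to disable dynamic records but emits nothing when the option is on, so whether the default-on setting actually enables anything depends on the base image's own nginx.conf. If the 0.8 image carries the Cloudflare patch the README links, that patch gates the feature with `ssl_dyn_rec_enable` (off unless set) and `ssl_dyn_rec_size_lo` is a size bound rather than its off switch; inverting the block to `{{ if $cfg.enableDynamicTlsRecords }}` / `ssl_dyn_rec_enable on;` / `{{ end }}` would make the option explicit in both states. On a stock nginx build either directive is unknown and `nginx -t` rejects the whole config, so the template should carry a comment that these directives require the patched nginx-slim image. The enclosing `http` block starts and ends outside this hunk.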
@@ -178,7 +182,7 @@ http {
 server {
 server_name {{ $server.Name }};
 listen 80{{ if $cfg.useProxyProtocol }} proxy_protocol{{ end }};
- {{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.useHttp2 }}http2{{ end }};
+ {{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.enableSpdy }}spdy{{ end }} {{ if $cfg.useHttp2 }}http2{{ end }};
 {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
 # PEM sha: {{ $server.SSLPemChecksum }}
 ssl_certificate {{ $server.SSLCertificate }};
diff --git a/ingress/controllers/nginx/nginx/config/config.go b/ingress/controllers/nginx/nginx/config/config.go
index 2fe6e652c5..74e4ed6b60 100644
--- a/ingress/controllers/nginx/nginx/config/config.go
+++ b/ingress/controllers/nginx/nginx/config/config.go
@@ -78,6 +78,16 @@ type Configuration struct {
 // Sets the maximum allowed size of the client request body
 BodySize string `structs:"body-size,omitempty"`
 
+ // EnableDynamicTLSRecords enables dynamic TLS record sizes
+ // https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency
+ // By default this is enabled
+ EnableDynamicTLSRecords bool `structs:"enable-dynamic-tls-records"`
+
+ // EnableSPDY enables spdy and use ALPN and NPN to advertise the availability of the two protocols
+ // https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code
+ // By default this is enabled
+ EnableSPDY bool `structs:"enable-spdy"`
+
 // EnableStickySessions enabled sticky sessions using cookies
 // https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
 // By default this is disabled
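Review bot: The `listen 443` line now emits `spdy` whenever `$cfg.enableSpdy` is set, which config.go turns on by default, so every rendered config becomes invalid on any nginx that lacks the SPDY patch (upstream dropped the `spdy` listen parameter when HTTP/2 landed) and a reload fails with an unknown-parameter error. Since the flag is on by default, the template should at least document the coupling, e.g. `{{/* spdy requires the SPDY patch carried by the nginx-slim base image; unpatched builds reject it */}}` above the line, and SPDY is better left off unless the operator opts in. A minor style point: with both flags off the directive renders as `ssl  ;` with stray spaces, which nginx tolerates but is worth tidying. The `server` block containing this line continues past the hunk.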
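Review bot: The doc comments on `EnableDynamicTLSRecords` and `EnableSPDY` say only that each is enabled by default; neither says that both rely on non-upstream patches in the `nginx-slim` base image, which is the fact an operator needs before running this template against a different image. I would extend them to `// EnableDynamicTLSRecords enables dynamic TLS record sizing (requires the Cloudflare dynamic-record patch in the nginx-slim image)` and `// EnableSPDY enables SPDY/3.1 alongside HTTP/2 on TLS listeners (requires the SPDY-patched nginx-slim image); the protocol is advertised to clients via the ALPN and NPN TLS extensions`. The template reads these as `$cfg.enableDynamicTlsRecords` and `$cfg.enableSpdy`, so the `structs` key conversion done outside this diff must produce exactly those names; a mismatch would not be reported and would simply change which branch renders. The `Configuration` struct continues outside the hunk.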
@@ -251,9 +261,11 @@ type Configuration struct {
 // in the file default-conf.json
 func NewDefault() Configuration {
 cfg := Configuration{
- BodySize: bodySize,
- ErrorLogLevel: errorLevel,
- HSTS: true,
+ BodySize: bodySize,
+ EnableDynamicTLSRecords: true,
+ EnableSPDY: true,
+ ErrorLogLevel: errorLevel,
+ HSTS: true,
 HSTSIncludeSubdomains: true,
 HSTSMaxAge: hstsMaxAge,
 GzipTypes: gzipTypes,
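Review bot: `EnableSPDY: true` turns a deprecated protocol on for every TLS listener by default, which widens the attack surface instead of letting operators opt into it: SPDY/3.1 still relies on zlib-based header compression, the mechanism the CRIME attack exploits and the reason HTTP/2 replaced it with HPACK, and browsers were already retiring SPDY and NPN in favour of HTTP/2 over ALPN when this was written. I would ship `EnableSPDY: false,` here (HTTP/2 stays governed by the existing `useHttp2` flag) and change the field comment to `// By default this is disabled`, leaving SPDY as an explicit per-cluster opt-in. `EnableDynamicTLSRecords: true` is a reasonable default provided the template actually emits the patch's enabling directive for the on state. The rest of `NewDefault` lies outside the hunk.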