hit rate in a cluster? The simplest approach is to have the load balancer use ip_hash, so that the same client is always sent to the same node of the cluster, but that is not flexible enough. The better option is a distributed cache: keep the session state in a Redis instance shared by the whole cluster. For how to read and write TLS session state inside Nginx, see the ssl_session_fetch_by_lua_block directive of the OpenResty module: https://github.com/openresty/lua-nginx
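The Redis-backed session cache described above, as an added example that is not code from the page or from the OpenResty project. It assumes OpenResty (the ngx.ssl.session module from lua-resty-core and lua-resty-redis are bundled), a Redis reachable at 10.0.0.5:6379, and the certificate paths and server_name shown; all of those are placeholders. The fetch hook may yield (cosockets are allowed there), while the store hook runs synchronously inside the handshake and cannot yield, so the Redis write is handed to a zero-delay timer.

```nginx
http {
    # Every node would otherwise mint its own ticket key, and a client holding
    # a ticket from node A cannot resume on node B. Either share one
    # ssl_session_ticket_key file across the cluster or, as here, turn tickets
    # off so clients fall back to session IDs, which the two hooks below handle.
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:10m;   # per-node cache, as in the page's config
    ssl_session_timeout 1h;

    # Runs when a client offers a session ID. Any failure here must fall back
    # to a full handshake, never to a rejected connection.
    ssl_session_fetch_by_lua_block {
        local ssl_sess = require "ngx.ssl.session"
        local redis    = require "resty.redis"

        local sess_id, err = ssl_sess.get_session_id()
        if not sess_id then
            if err then ngx.log(ngx.ERR, "failed to get session id: ", err) end
            return                                   -- no ID offered: full handshake
        end

        local red = redis:new()
        red:set_timeout(100)                         -- ms; a slow Redis must not stall handshakes
        local ok, err = red:connect("10.0.0.5", 6379)   -- placeholder address
        if not ok then
            ngx.log(ngx.ERR, "redis connect failed: ", err)
            return
        end

        local sess, err = red:get("tls:sess:" .. sess_id)
        red:set_keepalive(10000, 32)
        if not sess or sess == ngx.null then
            return                                   -- unknown on every node: full handshake
        end

        local ok, err = ssl_sess.set_serialized_session(sess)
        if not ok then
            ngx.log(ngx.ERR, "failed to load session: ", err)
        end
    }

    # Runs after a full handshake has produced a new session.
    ssl_session_store_by_lua_block {
        local ssl_sess = require "ngx.ssl.session"

        local sess_id, err = ssl_sess.get_session_id()
        if not sess_id then return end
        local sess, err = ssl_sess.get_serialized_session()
        if not sess then return end

        -- Network I/O is not allowed in this hook, so write from a timer that
        -- fires right after the handshake has been completed.
        local ok, err = ngx.timer.at(0, function(premature, id, data)
            if premature then return end
            local redis = require "resty.redis"
            local red = redis:new()
            red:set_timeout(100)
            local ok, err = red:connect("10.0.0.5", 6379)   -- placeholder address
            if not ok then
                ngx.log(ngx.ERR, "redis connect failed: ", err)
                return
            end
            -- TTL equals ssl_session_timeout so Redis and nginx expire the entry together.
            local ok, err = red:setex("tls:sess:" .. id, 3600, data)
            if not ok then ngx.log(ngx.ERR, "redis setex failed: ", err) end
            red:set_keepalive(10000, 32)
        end, sess_id, sess)
        if not ok then ngx.log(ngx.ERR, "failed to create timer: ", err) end
    }

    server {
        listen 443 ssl;
        server_name www.example.com;                          # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;     # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;       # placeholder
        ssl_protocols TLSv1.2;
    }
}
```

Two caveats a practitioner needs before deploying this. The serialized session contains the TLS master secret, so the Redis instance must be protected like the private key itself (isolated network, authentication, no shared use). And this only covers TLS 1.2 session IDs: TLS 1.3 resumes through PSK tickets, for which sharing ssl_session_ticket_key across nodes is the mechanism.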
(CRL) or uses an Online Certificate Status Protocol (OCSP) response. The problem with CRLs is that the list keeps growing and has to be downloaded again and again.
OCSP is lighter because it fetches one record at a time. The side effect, however, is that whenever a client connects to the server, an OCSP request has to be sent to a third party
it is preferable to support session tickets.
2.4 OCSP stapling
OCSP stands for Online Certificate Status Protocol (RFC 6960). It is used to ask the CA about the status of a certificate, for example whether it has been revoked. Normally the browser sends the OCSP query itself, the CA returns the certificate's status, and only then does the browser treat the certificate as trusted. This step is very slow: the CA's responder is often overseas, the network is unstable, and the RTT is large. Is there a way
    ssl_protocols TLSv1.2;                           # only TLS is allowed (the start of this line is cut off on the page)
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;   # cipher suites; the page describes this as CloudFlare's Internet-facing list
    ssl_prefer_server_ciphers on;                    # the server's preference order decides which cipher is negotiated
    ssl_session_cache builtin:1000 shared:SSL:10m;   # server-side session cache; it uses server memory
    ssl_session_tickets on;                          # session tickets: the browser keeps the session state instead
    ssl_session_timeout 10m;                         # how long a session may be resumed
    ssl_stapling on;                                 # OCSP stapling; OCSP is the online certificate-revocation query service, and using OCSP
Two entries in this cipher string are no longer acceptable: RC4 (prohibited by RFC 7465) and "!AESGCM", which removes the AES-GCM suites so that every suite left is a CBC/HMAC one with no AEAD protection. Do not copy the string as it stands.
and is now hard-coded into the Chrome browser, where it has proved to work. Two proposals exist:
1. Public Key Pinning Extension for HTTP: http://tools.ietf.org/html/draft-ietf-websec-key-pinning
2. Trust Assertions for Certificate Keys (TACK): http://tack.io/draft.html
(The first was published as RFC 7469, HPKP, but browsers have since dropped it; Chrome removed support in version 72. Pinning today is done through preloaded lists or inside the client application.)
* ECDSA private key
In fact almost every web site relies on an RSA private key; that algorithm is the foundation of web communication security. Because 1024-bit RSA is no longer considered safe, sites are moving from 1024-bit to 2048-bit keys, and the longer key makes every handshake signature more expensive.
compress. That is why Zopfli is a good choice for static resources: such files are compressed once and downloaded many times.
Is OCSP stapling available? Having the server use OCSP stapling can speed up your TLS handshake. The Online Certificate Status Protocol (OCSP)
The OpenSSL release current at the time of writing, 1.0.2j, does not support the ChaCha20-Poly1305 cipher (designed by D. J. Bernstein and popularised by Google); it arrived in OpenSSL 1.1.0. ChaCha20 is far safer than RC4 and is well suited to ARM phones, where it is faster and uses less power. However, recent Intel processors (through the AES-NI instruction set) and ARMv8 processors (through the ARMv8 Cryptography Extensions) run AES-GCM in hardware, which makes it much faster than ChaCha20 there, so AES-GCM should be preferred on devices with hardware AES.
certificate to the client. In principle the client checks the certificate's validity against the CA, and as soon as it cannot be verified it reports the error above; strict-ssl=false tells npm not to verify, and NODE_TLS_REJECT_UNAUTHORIZED=0 tells node-gyp not to verify. Both sides then carry on the HTTPS exchange on top of a forged certificate. Put the other way round, it also shows that the proxy I am using is performing a MITM attack. Note that switching verification off leaves every download open to tampering; the safer fix is to trust the proxy's CA explicitly, for instance with npm's cafile setting or Node's NODE_EXTRA_CA_CERTS variable.
Other HTTPS optimizations
HSTS: In short, it is
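As an added example that is not from the page, from CloudFlare or from any project: the server block below takes the directives from the cipher-suite listing in 2.4 and replaces each weak choice, and it also wires up the OCSP stapling, the ChaCha20-versus-AES-GCM preference and the HSTS header discussed above. Certificate paths, the server_name and the resolver address are placeholders.

```nginx
server {
    listen 443 ssl http2;
    server_name www.example.com;                            # placeholder

    # Two chains: nginx (1.11.0+) serves the ECDSA one to clients that offer
    # ECDSA suites and the RSA one to everybody else. Placeholder paths.
    ssl_certificate     /etc/nginx/tls/ecdsa.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/ecdsa.key;
    ssl_certificate     /etc/nginx/tls/rsa.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/rsa.key;

    # No SSLv3, TLS 1.0 or 1.1. TLSv1.3 needs nginx 1.13.0+ and OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # AEAD suites only, ECDHE for forward secrecy. Compared with the page's
    # list: RC4, MD5, the CBC/HMAC suites and static-RSA key exchange are gone,
    # and the "!AESGCM" exclusion is reversed. ChaCha20 needs OpenSSL 1.1.0+.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # Every offered suite is strong, so let the client choose: a phone without
    # AES hardware picks ChaCha20, a desktop with AES-NI picks AES-GCM.
    ssl_prefer_server_ciphers off;
    # Alternative if you keep server order (nginx 1.19.4+, OpenSSL 1.1.1+):
    # ssl_conf_command Options PrioritizeChaCha;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Resumption. The shared cache is visible to all workers (the nginx docs
    # give roughly 4000 sessions per megabyte). Tickets stay on, but the key
    # must come from a file that is rotated and shared by every node; a key
    # that is never rotated undoes forward secrecy for every resumed session.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/tls/ticket.key;      # 80 random bytes, rotated by cron; placeholder path

    # OCSP stapling: nginx fetches the OCSP response itself and sends it in
    # the handshake, so the browser never contacts the CA. ssl_stapling_verify
    # makes nginx check the responder's signature against the trusted chain,
    # and a resolver is required because the responder URL taken from the
    # certificate is resolved at run time.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;       # issuer + root; placeholder path
    resolver 127.0.0.53 valid=300s;                         # placeholder resolver
    resolver_timeout 5s;

    # HSTS. Only add includeSubDomains once every subdomain is served over
    # TLS, and start with a short max-age until that is certain.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

After reloading, the stapled response can be checked from any client with openssl s_client's -status option; an "OCSP response: no response sent" result on the first connection is normal, because nginx fetches the response lazily after the first handshake.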
5. Optimize SSL/TLS access
Although SSL/TLS is becoming more and more widespread, its impact on performance should be taken seriously. The cost shows up in two places:
Every new connection pays for the initial handshake, and with HTTP/1.x the browser opens a new connection, and so a new handshake, to the server again and again.
All data the server sends has to be encrypted, and the client has to decrypt it when reading it, so the cost grows with the amount of data served. So how to deal
Published at 23:50:26 with the tags nginx, HTTPS, http2; last modified 2016-12-25 15:26:07. Licensed under Creative Commons Attribution 4.0 International.
provide in-app browsing, use SFSafariViewController rather than WKWebView; it is the better fit for users who are viewing web content. For more on ATS (App Transport Security) settings, see Apple's developer documentation. In addition, Apple has announced that the following older standards are being deprecated:
RC4
SSLv3
SHA-1
3DES
and migrate to the latest security standards, including
Forward secrecy
SHA-2