
Tengine: using Brotli, enabling TLS 1.3 and optimizing HTTPS access speed

2022-05-15 01:03:37 Sangyu Xiaowu

Preparing Tengine

Tengine is a web server project initiated by taobao.com. It is based on Nginx and, to meet the demands of high-traffic websites, adds many advanced features. Tengine's performance and stability have been well tested on large sites such as Taobao and Tmall. Its ultimate goal is to create an efficient, stable, secure and easy-to-use web platform.

Since December 2011, Tengine has been an open source project, actively developed and maintained by the Tengine team. The team's core members come from Taobao, Sogou and other Internet companies.

You can download and install the latest version from the Tengine official website, http://tengine.taobao.org/.

The following demonstration downloads and compiles in the /work directory. The version used here is 2.3.2; check the official website for the latest version.

tengineVersion='2.3.2'
cd /work
wget http://tengine.taobao.org/download/tengine-$tengineVersion.tar.gz
gzip -d tengine-$tengineVersion.tar.gz
tar xvf tengine-$tengineVersion.tar

Preparing Brotli

Brotli is a general-purpose lossless compression algorithm. It compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and second-order context modeling, and its compression ratio is comparable to the best general-purpose compression methods available today. Its speed is roughly the same as deflate, but its compression ratio is higher. Official website: https://github.com/google/ngx_brotli

The three most typical characteristics of the Brotli compression algorithm:

  • For common web resource content, Brotli improves on Gzip by 17-25%;
  • Brotli at compression level 1 still has a higher compression ratio than Gzip at compression level 9 (the highest);
  • When handling different HTML documents, Brotli still provides very high compression.

In addition, almost all mainstream browsers support the Brotli algorithm, except IE and Opera Mini.

cd /work
git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli
git submodule update --init --recursive

If the above operation times out because of network problems, you can try the project repository mirrored on Gitee (code cloud) in China:

cd /work
git clone https://gitee.com/sang93/ngx_brotli.git

This mirror already contains the deps submodules.

Compile

cd tengine-$tengineVersion
./configure --with-http_v2_module --with-openssl-opt=enable-tls1_3 --add-module=/work/ngx_brotli
make && make install

Parameter description:

  • --with-http_v2_module enables HTTP/2
  • --with-openssl-opt=enable-tls1_3 enables TLS 1.3 support
  • --add-module=/work/ngx_brotli gives the location of the ngx_brotli extension source

If ./configure reports an error, you may need to install the pcre devel package, pcre-devel. It can be installed with yum (the following command also installs ssl, zlib and so on):

yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel

The installation directory is /usr/local/nginx.

Run /usr/local/nginx/sbin/nginx -V to view all loaded modules.

You can see:

# /usr/local/nginx/sbin/nginx -V
Tengine version: Tengine/2.3.2
nginx version: nginx/1.17.3
built by gcc 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC) 
built with OpenSSL 1.1.1c FIPS  28 May 2019
TLS SNI support enabled
configure arguments: --with-http_v2_module --with-openssl-opt=enable-tls1_3 --add-module=/work/ngx_brotli

/usr/local/nginx/sbin/nginx start|stop|restart starts, stops or restarts the nginx service.

Update the configuration

Compression related

It is suggested to put the modified configuration inside http {}, so that it applies to the whole site.

Among these, the sendfile parameter enables efficient file transfer mode. Setting the tcp_nopush and tcp_nodelay directives to on at the same time prevents network and disk I/O blocking and improves Nginx's efficiency.

An example configuration is as follows:

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;

    keepalive_timeout  65;

    #  Compression related 
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/x-javascript application/javascript application/xml application/xml+rss text/x-component application/xhtml+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
    brotli on;
    brotli_min_length 1k;
    brotli_buffers 4 16k;
    brotli_comp_level 6;
    brotli_types    text/plain text/css text/xml text/javascript application/json application/x-javascript application/javascript application/xml application/xml+rss text/x-component application/xhtml+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;

    # Proxy related
    client_max_body_size 128m;
    client_body_buffer_size 128m;
    proxy_connect_timeout   900;
    proxy_send_timeout      900;
    proxy_read_timeout      900;
    proxy_buffer_size       40k;
    proxy_buffers           40 320k;
    proxy_busy_buffers_size 640k;
    proxy_temp_file_write_size 640k;
    proxy_temp_path /tmp/proxy_temp_dir;
    proxy_cache_path /tmp/proxy_cache_dir levels=1:2 keys_zone=cache_one:50m inactive=7d max_size=2g;

    # server {} blocks go here
}

HTTP/2 and TLS 1.3

To turn on HTTP/2 you only need listen 443 ssl http2.

HTTP/2 and TLS 1.3 are configured in the server block. A complete server{} looks like this:

server {
    listen 443 ssl http2;
    server_name  sang.cool;

    # certificate 
    ssl_certificate      server.pem;
    ssl_certificate_key  server.key;

    # Handshake optimization 
    ssl_session_cache    shared:SSL:50m;
    ssl_session_timeout  5m;
    keepalive_timeout    75s;
    keepalive_requests   100;

    # Protocol version control
    ssl_protocols    TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers        'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

    location / {
        root   html;
        index  index.html index.htm;
    }
}

Server push and preload

Multiplexing is a feature of HTTP/2, so how do you enable server-side push to speed up the loading of web resources? W3C offers two options: one writes the push information in the HTTP header, the other writes it in the html head. For the specific methods, refer to the Preload specification, https://www.w3.org/TR/preload.

For convenience when modifying and updating the preloaded resources later, the demonstration here uses the html head method.

You only need to add the resource files to be preloaded to <head>. Different file types are written differently; more examples can be viewed on the W3C website.

<link rel="preload" href="/styles/other.css" as="style">
<link rel="preload" as="script" href="/js/utils.js" />

Of course, when it is written in the HTTP response header, the browser handles preloading faster than when it is written in <head>.

The effect of this change needs specific testing. If your website has to load too many resource files, this optimization is still not recommended; run a specific test.

At the same time, note that for non-local resources the crossorigin attribute must be added when pushing, for example:

<link rel="preload" href="https://cdn.domain.com/exp.css" as="style" crossorigin>

Also note that font files, whether local or not, all need the crossorigin attribute, otherwise they will be loaded again, for example:

<link rel="preload" as="font" href="/css/digit.woff2" type="font/woff2" crossorigin>

If only some resources are preloaded, files that are not preloaded may start loading too late, making the overall load completion time longer.

In a word: check the effect after the specific change.

For resource files from a CDN or other origin sites, you can optimize with DNS prefetching. Generally speaking, when an HTTPS site uses external resources it is better to use ones that support HTTPS, otherwise the whole site's green security label turns gray and the Chrome browser will directly show it as not secure. A request for an external resource then has to go through DNS → TCP → TLS, so using many scattered external resources also slows down overall access to the website, especially when core CSS styles and other resource files are loaded that way.

DNS prefetching resolves domain names that may be used later in advance and caches the results in the system, which shortens DNS resolution time and so improves the website's access speed. Even Taobao's official website, which uses many CDN resources from other sites, adds many DNS prefetch settings to improve front-end access speed.

[Figure: DNS prefetch settings in the page source of Taobao's website]

From the figure above, DNS prefetching is actually very simple. Similar to preloading resources, you just add a link tag.

<link rel="dns-prefetch" href="//cdn.domain.com" />

Restart and verify

After updating the nginx configuration, remember to verify the configuration file:

/usr/local/nginx/sbin/nginx -t

If you get the following feedback, there is no problem:

# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

If it has been added as a system service, service nginx restart is enough.

[!WARNING]
If your conf has multiple server blocks, every server must carry the same TLS 1.3 configuration, otherwise it will not be enabled successfully.
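As an added check for the warning above (not part of the original post), the following shell function scans every server{} block in a config file and reports which ssl servers lack TLSv1.3; it also flags legacy TLS 1.0/1.1 and missing http2 on listen. The sample config is constructed here, the hostnames other.example and plain.example are placeholders, and it assumes the server blocks sit in the one file given (no include).

```shell
# Added example, not from the original post: check that every server{} block in an
# nginx/Tengine config that listens with ssl enables TLSv1.3, as the warning above
# requires. Assumes the server blocks live in the one file given (no include).
check_tls13_servers() {
    # $1: path to nginx.conf. Prints one line per server block and returns 1
    # if any ssl server lacks TLSv1.3 in its ssl_protocols directive.
    awk '
    /^[[:space:]]*server[[:space:]]*[{]/ { in_srv=1; depth=0; name="(unnamed)"; listen=""; protos="" }
    in_srv {
        n_open = gsub(/[{]/, "{"); n_close = gsub(/[}]/, "}")   # count braces on this line
        if ($1 == "server_name")   { name=$2; sub(/;$/, "", name) }
        if ($1 == "listen")        { listen=$0 }
        if ($1 == "ssl_protocols") { protos=$0 }
        depth += n_open - n_close
        if (depth == 0) {                                        # closing brace of server{}
            in_srv=0
            if (listen !~ /ssl/) { printf "%s: plain HTTP, skipped\n", name; next }
            if (protos ~ /TLSv1\.3/) printf "%s: OK (TLSv1.3 enabled)\n", name
            else { printf "%s: MISSING TLSv1.3\n", name; bad=1 }
            if (protos ~ /TLSv1(\.0|\.1)?[ ;]/) printf "%s: note: legacy TLS 1.0/1.1 still allowed\n", name
            if (listen !~ /http2/) printf "%s: note: HTTP/2 not enabled on listen\n", name
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample config: the first server is correct, the second lacks TLSv1.3,
# the third is plain HTTP. Hostnames other than sang.cool are placeholders.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
http {
    server {
        listen 443 ssl http2;
        server_name sang.cool;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
    server {
        listen 443 ssl http2;
        server_name other.example;
        ssl_protocols TLSv1.1 TLSv1.2;
    }
    server {
        listen 80;
        server_name plain.example;
    }
}
EOF
check_tls13_servers "$CONF"
```

Run it against /usr/local/nginx/conf/nginx.conf before nginx -t; a non-zero exit means at least one ssl server will not negotiate TLS 1.3.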

How do you verify the configured cipher suites and TLS version? You can test the system with this website: https://www.ssllabs.com/ssltest/index.html.

Before optimization

[Figure: page load timing before optimization]

Before optimization, content loading took 191ms.

After optimization

As shown in the figure below, after enabling Brotli compression the data is smaller and the content loading time becomes 132ms.

[Figure: page load timing after optimization]

With TLS 1.3 enabled:

[Figure: test result showing TLS 1.3 enabled]

Copyright notice
Author: Sangyu Xiaowu. Please include the original link when reprinting, thank you.
https://en.qdmana.com/2022/132/202205120549258497.html