
Beta Branch add Nginx Dynamic TLS Cloudflare Patch support 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 11, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    53,558
    12,135
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,678
    Local Time:
    12:11 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    add Nginx Dynamic TLS Cloudflare Patch support 123.09beta01


    Add NGINX_DYNAMICTLS='n' option to centmin.sh. When set in persistent config at /etc/centminmod/custom_config.inc to NGINX_DYNAMICTLS='y' + NGINXPATCH='y' and centmin.sh menu option 4 is used to recompile Nginx, then you enable the Cloudflare Nginx Dynamic TLS patch as discussed at Nginx - Optimizing TLS over TCP to reduce latency: TLS dynamic record sizing. Untested on Centmin Mod Nginx 1.11 branch, so mileage will vary. To disable, do the reverse: set NGINX_DYNAMICTLS='n' and recompile nginx again.


    123.09beta01 branch
     
  2. rdan

    rdan Well-Known Member

    5,439
    1,398
    113
    May 25, 2014
    Ratings:
    +2,187
    Local Time:
    10:11 PM
    Mainline
    10.2
    Can I enable this with LibreSSL or it will not work?
     
  3. eva2000

    eva2000 Administrator Staff Member

    nginx dynamic tls patch is for patching nginx not openssl nor for libressl :)
     
  4. rc112

    rc112 Member

    126
    14
    18
    Sep 22, 2017
    Ratings:
    +15
    Local Time:
    10:11 PM
    How do I know if I still need to do NGINX_DYNAMICTLS='n'? I just installed the latest CMM. Thanks.
     
  5. eva2000

    eva2000 Administrator Staff Member

    No need to disable it. Guess only time you may want to disable it, is if you have issues with HTTPS sites and want to rule out this patch as being a factor.
     
  6. rc112

    rc112 Member

    Thank you so much.
     
  7. rc112

    rc112 Member

    So I should have NGINX_DYNAMICTLS='y' in my persistent configure file right? What about the others? I saw others from the file on github. Thanks.

    Code:
    OPENSSLECDSA_PATCH='y'       # https://community.centminmod.com/posts/57725/
    OPENSSLECDHX_PATCH='y'       # https://community.centminmod.com/posts/57726/
    OPENSSLEQUALCIPHER_PATCH='y' # https://community.centminmod.com/posts/57916/
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    yes if you want to enable it

    keep OPENSSLEQUALCIPHER_PATCH disabled unless you know what you're doing with editing ssl_ciphers outlined at OpenSSL - [PATCH] OpenSSL 1.1 Equal-preference groups of cipher suites

    as to the other 2, only needed for OpenSSL 1.1.0g with Nginx but only beneficial if you have ECDSA SSL certificates and not default RSA 2048bit SSL certificates.
    Code (Text):
    OPENSSLECDSA_PATCH='y'       # https://community.centminmod.com/posts/57725/
    OPENSSLECDHX_PATCH='y'       # https://community.centminmod.com/posts/57726/
    OPENSSLEQUALCIPHER_PATCH='n' # https://community.centminmod.com/posts/57916/
    
     
  9. rc112

    rc112 Member

    I will try to have 2 types of SSL enabled for my new site. Thank you again for excellent support as always. @eva2000
     
  10. anthony parsons

    anthony parsons Premium Member Premium Member

    79
    20
    8
    Feb 12, 2017
    Ratings:
    +24
    Local Time:
    1:11 AM
    1.22.0
    10.4.26
    Is this still a thing to improve current performance?

    NGINX_DYNAMICTLS='y'
    NGINXPATCH='y'

    And do I need OPENSSLECDSA_PATCH='y' when using the ECDSA cloudflare cert?
     
  11. eva2000

    eva2000 Administrator Staff Member

    just need
    Code (Text):
    NGINX_DYNAMICTLS='y'
    

    :)
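
A read-only check for the options discussed in this thread, added here as an example and not part of the original posts or of Centmin Mod itself. It reads the persistent config without sourcing it, reports whether the Dynamic TLS patch is requested, and lists lines pasted with typographic quotes. The function names are hypothetical, and it assumes from the first post that the patch is applied only when both NGINX_DYNAMICTLS and NGINXPATCH are y.

```shell
#!/bin/sh
# Added example: read Centmin Mod toggles from the persistent config without sourcing it.

# Print the raw value of the last assignment of option $2 in file $1
# (the last one wins when the file is sourced); plain quotes are stripped.
cmm_opt_value() {
  sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" |
    tail -n 1 | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print on, off, default (decision left to centmin.sh) or bad-value.
# Assumption from the first post: the patch needs both options set to y.
cmm_dynamictls_state() {
  dyn=$(cmm_opt_value "$1" NGINX_DYNAMICTLS)
  patch=$(cmm_opt_value "$1" NGINXPATCH)
  for v in "$dyn" "$patch"; do
    case $v in
      ''|y|n) ;;
      *) echo bad-value; return 0 ;;
    esac
  done
  if [ "$dyn" = n ] || [ "$patch" = n ]; then echo off
  elif [ "$dyn" = y ] && [ "$patch" = y ]; then echo on
  else echo default
  fi
}

# List the lines of file $1 that contain typographic quotes (‘ or ’),
# which the shell does not treat as quoting characters.
cmm_smart_quote_lines() {
  grep -nF -e '‘' -e '’' "$1" || true
}

# Demo on a constructed sample; on a server pass /etc/centminmod/custom_config.inc.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
NGINX_DYNAMICTLS='n'
NGINXPATCH='y'
NGINX_DYNAMICTLS='y'         # later line overrides the first
OPENSSLECDSA_PATCH=‘y’       # pasted with typographic quotes
EOF
echo "dynamic TLS: $(cmm_dynamictls_state "$demo_conf")"
cmm_smart_quote_lines "$demo_conf"
rm -f "$demo_conf"
```

A `default` result means the file does not decide the matter and the defaults in the installed centmin.sh apply.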