Beta Branch add Nginx Dynamic TLS Cloudflare Patch support 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 11, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    add Nginx Dynamic TLS Cloudflare Patch support 123.09beta01

    Add NGINX_DYNAMICTLS='n' option to centmin.sh. When set in persistent config at /etc/centminmod/custom_config.inc to NGINX_DYNAMICTLS='y' + NGINXPATCH='y' and centmin.sh menu option 4 is used to recompile Nginx, then you enable the Cloudflare Nginx Dynamic TLS patch as discussed at Nginx - Optimizing TLS over TCP to reduce latency: TLS dynamic record sizing. Untested on Centmin Mod Nginx 1.11 branch, so mileage will vary. To disable, do the reverse: set NGINX_DYNAMICTLS='n' and recompile Nginx again.

    123.09beta01 branch
     
  2. rdan

    rdan Premium Member

    Can I enable this with LibreSSL or will it not work?
     
  3. eva2000

    Nginx dynamic TLS patch is for patching Nginx, not OpenSSL nor LibreSSL :)
     
    • Informative Informative x 1
  4. rc112

    rc112 Member

    How do I know if I still need to do NGINX_DYNAMICTLS='n'? I just installed the latest CMM. Thanks.
     
  5. eva2000

    No need to disable it. I guess the only time you may want to disable it is if you have issues with HTTPS sites and want to rule out this patch as being a factor.
     
    • Like Like x 1
  6. rc112

    Thank you so much.
     
  7. rc112

    So I should have NGINX_DYNAMICTLS='y' in my persistent config file, right? What about the others? I saw others from the file on GitHub. Thanks.

    Code:
    OPENSSLECDSA_PATCH='y'       # https://community.centminmod.com/posts/57725/
    OPENSSLECDHX_PATCH='y'       # https://community.centminmod.com/posts/57726/
    OPENSSLEQUALCIPHER_PATCH='y' # https://community.centminmod.com/posts/57916/
    
     
  8. eva2000

    yes if you want to enable it

    keep OPENSSLEQUALCIPHER_PATCH disabled unless you know what you're doing with editing ssl_ciphers outlined at OpenSSL - [PATCH] OpenSSL 1.1 Equal-preference groups of cipher suites

    As to the other 2, they are only needed for OpenSSL 1.1.0g with Nginx, but only beneficial if you have ECDSA SSL certificates and not default RSA 2048bit SSL certificates.
    Code (Text):
    OPENSSLECDSA_PATCH='y'       # https://community.centminmod.com/posts/57725/
    OPENSSLECDHX_PATCH='y'       # https://community.centminmod.com/posts/57726/
    OPENSSLEQUALCIPHER_PATCH='n' # https://community.centminmod.com/posts/57916/
    
     
    • Winner Winner x 2
  9. rc112

    I will try to have 2 types of SSL enabled for my new site. Thank you again for excellent support as always. @eva2000
     
    • Like Like x 1
  10. anthony parsons

    anthony parsons Premium Member

    Is this still a thing to improve current performance?

    NGINX_DYNAMICTLS='y'
    NGINXPATCH='y'

    And do I need OPENSSLECDSA_PATCH='y' when using the ECDSA cloudflare cert?
     
  11. eva2000

    just need
    Code (Text):
    NGINX_DYNAMICTLS='y'
    

    :)
     
    • Like Like x 1
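
A pre-recompile check of the persistent config, as an added example that is not part of the thread or of Centmin Mod itself: it reports whether the NGINX_DYNAMICTLS and NGINXPATCH settings discussed above would turn the dynamic TLS patch on, and rejects values pasted with typographic quotes. The function names and status strings are hypothetical, and the sample files are constructed stand-ins for /etc/centminmod/custom_config.inc.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod code. Assumption: the persistent config holds
# plain NAME='value' shell assignments and the last assignment of a name wins.

# cfg_value FILE NAME: print the last value assigned to NAME ("" if never set).
# Only straight quotes are stripped, as the shell would do when sourcing the file.
cfg_value() {
  sed -n "s/^[[:space:]]*$2=['\"]\{0,1\}\([^'\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# dynamic_tls_status FILE: print one of
#   enabled | disabled | depends-on-default | invalid:NAME=VALUE
dynamic_tls_status() {
  local file=$1 name value dyn patch
  for name in NGINX_DYNAMICTLS NGINXPATCH; do
    value=$(cfg_value "$file" "$name")
    case $value in
      ''|y|n) ;;                                  # unset, or a clean y/n
      *) echo "invalid:$name=$value"; return 2 ;; # e.g. typographic quotes
    esac
  done
  dyn=$(cfg_value "$file" NGINX_DYNAMICTLS)
  patch=$(cfg_value "$file" NGINXPATCH)
  if [ "${dyn:-n}" != y ] || [ "$patch" = n ]; then
    echo disabled            # the option was added as 'n', so unset counts as off
  elif [ -z "$patch" ]; then
    echo depends-on-default  # NGINXPATCH left to whatever centmin.sh defaults to
  else
    echo enabled
  fi
}

# Constructed sample configs (stand-ins for /etc/centminmod/custom_config.inc).
demo_dir=$(mktemp -d)
printf "%s\n" "NGINX_DYNAMICTLS='y'" "NGINXPATCH='y'" > "$demo_dir/both.inc"
printf "%s\n" "NGINX_DYNAMICTLS='y'"                  > "$demo_dir/one.inc"
printf "%s\n" "NGINX_DYNAMICTLS=‘y’" "NGINXPATCH='y'" > "$demo_dir/curly.inc"
printf "%s\n" "NGINX_DYNAMICTLS='y'" "NGINXPATCH='y'" "NGINX_DYNAMICTLS='n'" > "$demo_dir/off.inc"

for f in both one curly off; do
  printf '%-6s %s\n' "$f" "$(dynamic_tls_status "$demo_dir/$f.inc")"
done
```

A result of `depends-on-default` means only NGINX_DYNAMICTLS='y' is set explicitly, so the outcome rests on the NGINXPATCH default of the installed centmin.sh version.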