centminmod.com DNS update

Discussion in 'Forum News' started by eva2000, May 13, 2018.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    53,853
    12,160
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,712
    Local Time:
    3:16 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    centminmod.com domain is switching DNS providers from AWS Route53 to Cloudflare. I am revisiting this plan now to reduce my AWS Route53 costs for my setup.


    But I won't be using Cloudflare's Loadbalancer/Traffic Manager as it's expensive for the number of backend origins and geo regions I would have, which would force me onto Cloudflare's Enterprise tier plan. I just did a test AWS Route53 DNS zone export for centminmod.com; it has over 200 DNS records, and that is after I removed the AWS Route53 unique GeoDNS/Alias records too!

    DNS Switch Issues


    • If your web browser has issues connecting to community.centminmod.com and reports that the SSL certificate doesn't match the expected certificate, you can try clearing your web browser's HSTS cache as instructed at SSL - How to clear HSTS browser cache. The irony of this is that if your web browser can't connect, you wouldn't be able to see this message. So I will be posting a message to Centmin Mod social media channels as well.
    • If you're using a VPN service or your own VPN server and notice this forum is slow, try reconnecting to your VPN service.

    Updates


     
  2. eva2000

    Looks like Android Chrome browser connects to Cloudflare using ECDSA 256 bit SSL certificate over TLS v1.3 :)

    Screenshot_20180514-010839~01.jpg
     
  3. eva2000

    Desktop Chrome Canary TLS 1.3 connection

    upload_2018-5-14_1-54-12.png
     
  4. eva2000

    Switched off Sucuri WAF and moved to the Cloudflare Pro plan, and disabled Centmin Mod ngx_pagespeed too as it's not needed with Cloudflare Pro's feature set, i.e. Polish and WebP support.

    WebpageTest.org Dulles Cable page load tests to backend origin Centmin Mod Nginx located in Fremont, California with 4 tests done each with 3x WPT run average. The filmstrip compare shows in order from top to bottom the following:
    • Cloudflare Pro with Centmin Mod Nginx ngx_pagespeed disabled
    • Cloudflare Free plan with Sucuri WAF in between connecting to Centmin Mod Nginx
    • Cloudflare Free plan with Cloudflare in DNS only mode connecting to Sucuri WAF in front of Centmin Mod Nginx
    • Sucuri WAF in front of Centmin Mod Nginx
    As you can see, the slowest was Cloudflare > Sucuri WAF > Centmin Mod Nginx and the fastest is, as expected, Cloudflare Pro in front of Centmin Mod Nginx.

    wpt-cf-pro-dulles-150518-01.png

    wpt-cf-pro-dulles-150518-02.png

    Changing WPT location to California EC2 so same as origin server in Fremont, California shows similar result in that Cloudflare Pro by itself was fastest out of the 4 tested configurations.

    wpt-cf-pro-california-150518-01.png
    wpt-cf-pro-california-150518-02.png

    Finer details

    wpt-cf-pro-california-150518-03.png

    As a page speed addict, my journey is always continuing and Cloudflare is that next step up. I wonder how much further I can speed things up? :D
     
  6. eva2000

    First bug: download links giving 403 errors
    Code (Text):
    curl -I https://centminmodparts.centminmod.com/pcre/pcre-8.42.tar.gz
    HTTP/1.1 403 Forbidden
    Date: Tue, 15 May 2018 22:45:34 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: __cfduid=d23e4a52610ec39cd69db4d58747a41761526424334; expires=Wed, 15-May-19 22:45:34 GMT; path=/; domain=.centminmod.com; HttpOnly
    Cache-Control: private, max-age=86400
    Expires: Tue, 15 May 2018 22:45:42 GMT
    X-Frame-Options: SAMEORIGIN
    X-Powered-By: centminmod
    CF-Cache-Status: MISS
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Server: cloudflare
    CF-RAY: 41b922ba8eaa24fb-ORD
    

    upload_2018-5-16_8-47-27.png

    Looks like I need to revert to non subdomain download mirror.

    Edit: the issue should be fixed now by removing the subdomain, as Cloudflare didn't like being the origin for an Nginx reverse proxy which is also on Cloudflare, it seems.
     
  7. eva2000


    Optimising Cloudflare Origin Backend Communication Performance



    From the custom Cloudflare logging done on the Centmin Mod Nginx backend origin server, I can see that my Centmin Mod Nginx origin server is using an RSA 2048bit SSL certificate, hence RSA-based SSL/TLS handshake communication with Cloudflare on the backend. Hence, I know I can improve the performance by switching my Centmin Mod Nginx to a new SSL certificate using ECC 256bit ECDSA if I want more speed.

    I can do this by either buying an ECC 256bit ECDSA SSL certificate, using Letsencrypt and changing from the RSA 2048bit default SSL cert to an ECDSA 256bit SSL cert, or using Cloudflare's freely provided Cloudflare Origin SSL certificates, which have a validity of 15yrs, and installing it on the Centmin Mod Nginx backend server.

    For Cloudflare Origin SSL certificate install on Nginx (How to install an Origin CA certificate in NGINX) you're just changing the paths of the existing ssl_certificate and ssl_certificate_key directives. Note Cloudflare Origin SSL certificates are only trusted by Cloudflare, so they are untrusted when used on the general web. So if you have clients, tools etc. that communicate directly with the backend Nginx origin server, you may run into issues with Cloudflare Origin SSL certs and need properly trusted SSL certificates like paid or Letsencrypt SSL certificates instead.

    cloudflare-origin-certs.png
    For RSA 2048bit Cloudflare Origin SSL certificate

    cloudflare-origin-certs2.png

    For ECDSA 256bit Cloudflare Origin SSL certificate

    cloudflare-origin-certs3.png

    ECDSA Performance Boost



    If you want even more performance, selecting ECDSA 256bit SSL certificate usage for the Centmin Mod Nginx backend origin to communicate with Cloudflare isn't enough, as ECDSA performance depends on the crypto library Nginx is built with; OpenSSL 1.0.2, 1.1.0 and 1.1.1 based builds have varying performance improvements for ECDSA.
    Centmin Mod 123.09beta01 and higher's Nginx server supports various crypto libraries and can support OpenSSL 1.0.2, OpenSSL 1.1.0 or OpenSSL 1.1.1 as well as LibreSSL 2.7+ as outlined here. Currently, Centmin Mod 123.09beta01 Nginx defaults to compiling Nginx against the OpenSSL 1.1.0 branch's latest, 1.1.0h. OpenSSL 1.1.1 is nearing final release, once TLS 1.3 is finalized.
    For specific details on how to use Cloudflare Origin SSL certificates check out full guide at here.
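The RSA-versus-ECDSA observation in the post above rests on reading the protocol and cipher that Nginx logs for each Cloudflare-to-origin connection. The following is an added example, not code from the post, from Centmin Mod or from Cloudflare: it assumes an nginx log_format that appends the built-in $ssl_protocol and $ssl_cipher variables to the combined format (the post's own custom logging format is not shown, so this one is an assumption), runs over constructed sample lines, and classifies each handshake by the certificate key type that authenticated it. It also handles the edge case the TLS 1.3 screenshots earlier in the thread point at: TLS 1.3 suite names no longer encode the signature algorithm, so the cipher alone cannot tell RSA from ECDSA there.

```python
"""Classify origin-side TLS handshakes from nginx access logs by certificate type."""
import re
from collections import Counter

# Assumed nginx log_format for the origin access log (an assumption of this example,
# not the post's own custom Cloudflare logging): the "combined" fields followed by the
# built-in $ssl_protocol and $ssl_cipher variables.
NGINX_LOG_FORMAT = """\
log_format origin_tls '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                      '$ssl_protocol $ssl_cipher';
"""

# Constructed sample lines in that format; not real traffic. 192.0.2.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges standing in for edge addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [15/May/2018:22:45:34 +0000] "GET / HTTP/1.1" 200 18153 "-" "Mozilla/5.0" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
192.0.2.11 - - [15/May/2018:22:45:35 +0000] "GET /forums/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0" TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
192.0.2.12 - - [15/May/2018:22:45:36 +0000] "GET /pcre/pcre-8.42.tar.gz HTTP/1.1" 200 2081132 "-" "curl/7.59.0" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
192.0.2.13 - - [15/May/2018:22:45:37 +0000] "GET /threads/ HTTP/2.0" 200 7711 "-" "Mozilla/5.0" TLSv1.3 TLS_AES_256_GCM_SHA384
192.0.2.14 - - [15/May/2018:22:45:38 +0000] "GET /legacy HTTP/1.1" 200 512 "-" "Java/1.6" TLSv1 AES128-SHA
198.51.100.7 - - [15/May/2018:22:45:39 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0" - -
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<protocol>\S+) (?P<cipher>\S+)$'
)


def auth_algorithm(protocol: str, cipher: str) -> str:
    """Which certificate key type authenticated the handshake, judged from the suite name.

    OpenSSL names for TLS 1.2 and older encode it: ECDHE-ECDSA-*, ECDHE-RSA-*, DHE-RSA-*,
    or a bare AES128-SHA style name meaning static RSA key transport. TLS 1.3 suites
    (TLS_AES_*, TLS_CHACHA20_*) deliberately do not, so the log line alone cannot tell
    RSA from ECDSA there and the served certificate has to be inspected instead.
    """
    if protocol == "-" or cipher == "-":
        return "plaintext"
    if cipher.startswith("TLS_"):
        return "unknown-tls13"
    if "ECDSA" in cipher:
        return "ECDSA"
    if "RSA" in cipher:
        return "RSA"
    if cipher.startswith(("ECDHE-", "DHE-", "ADH-", "AECDH-", "PSK-", "SRP-")):
        return "other"  # anonymous, PSK, SRP or DSS suites: no RSA/ECDSA certificate involved
    return "RSA"  # e.g. AES128-SHA: static RSA key exchange


def summarize(log_text: str) -> Counter:
    """Count connections by (TLS protocol, authenticating key type); unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[(m["protocol"], auth_algorithm(m["protocol"], m["cipher"]))] += 1
    return counts


def rsa_share(counts: Counter) -> float:
    """Fraction of TLS connections still authenticated with an RSA certificate."""
    tls = {k: v for k, v in counts.items() if k[1] != "plaintext"}
    total = sum(tls.values())
    return sum(v for (_, auth), v in tls.items() if auth == "RSA") / total if total else 0.0


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (proto, auth), n in sorted(counts.items()):
        print(f"{proto:<8} {auth:<14} {n}")
    print(f"RSA share of TLS connections: {rsa_share(counts):.0%}")
```

After the origin certificate is switched, the RSA share reported for TLS 1.2 connections from Cloudflare should drop to zero; a non-zero count afterwards means some server block is still serving the old certificate. If other clients that cannot do ECDSA also talk to the origin directly, nginx 1.11.0 and later accepts two ssl_certificate directives in one server block, so an RSA and an ECDSA certificate can be served side by side and each client negotiates the one it supports.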
     
  8. eva2000


    Cloudflare Brotli vs Gzip HTTPS Compression Benchmarks



    @bassie asked about Cloudflare's HTTP compression performance for Brotli vs Gzip, so I did a quick h2load HTTP/2 HTTPS load test for Cloudflare Brotli vs Gzip. Looks like Cloudflare has managed to optimise Brotli to the point of just beating out Gzip compression :D

    h2load test servers:
    • h2load test server - 2GB DigitalOcean San Francisco KVM VPS
    • h2load target test server - 8GB Linode Fremont, California
    h2load test configurations:
    • First 1x concurrent user and 1x request verbose look to check content-encoding is either gzip or brotli.
    • Second test is 100x concurrent users and 1000x requests
    h2load test results:
    • Cloudflare Gzip -c1 -n1: 31.18 req/s, 580.21KB/s and mean TTFB 27.95ms
    • Cloudflare Gzip -c100 -n1000: 978.73 req/s, 17.19MB/s and mean TTFB 210.97ms
    • Cloudflare Brotli -c1 -n1: 32.77 req/s, 553.91KB/s and mean TTFB 26.74ms
    • Cloudflare Brotli -c100 -n1000: 986.72 req/s, 15.71MB/s and mean TTFB 192.96ms
    For Cloudflare Gzip compression
    Code (Text):
    h2load -v -c1 -n1 -H "Accept-Encoding: gzip" https://community.centminmod.com/
    starting benchmark...
    spawning thread #0: 1 total client(s). 1 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-ECDSA-CHACHA20-POLY1305
    Server Temp Key: X25519 253 bits
    Application protocol: h2
    [stream_id=1] :status: 200
    [stream_id=1] date: Fri, 18 May 2018 04:22:57 GMT
    [stream_id=1] content-type: text/html; charset=UTF-8
    [stream_id=1] set-cookie: __cfduid=db5363300bc4cedd0549bafb58cfc79d61526617377; expires=Sat, 18-May-19 04:22:57 GMT; path=/; domain=.centminmod.com; HttpOnly
    [stream_id=1] vary: Accept-Encoding
    [stream_id=1] expires: Thu, 19 Nov 1981 08:52:00 GMT
    [stream_id=1] cache-control: private, max-age=0
    [stream_id=1] set-cookie: xfcmi_session=3c69660c1c6dfc67ab79cd4a9c087528; path=/; secure; HttpOnly
    [stream_id=1] x-frame-options: SAMEORIGIN
    [stream_id=1] x-xss-protection: 1
    [stream_id=1] x-powered-by: centminmod
    [stream_id=1] x-content-type-options: nosniff
    [stream_id=1] referrer-policy: strict-origin-when-cross-origin
    [stream_id=1] strict-transport-security: max-age=31536000; includeSubdomains
    [stream_id=1] link: </styles/xenbase/font-awesome/css/font-awesome.min.css>; rel="preload" as="style"
    [stream_id=1] link: </js/jquery/jquery-1.11.0.min.js>; rel="preload" as="script"
    [stream_id=1] link: </js/xenforo/xenforo.js>; rel="preload" as="script"
    [stream_id=1] link: </OneSignalSDK.js>; rel="preload" as="script"
    [stream_id=1] link: </styles/xenbase/font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0>; rel="preload" as="font" crossorigin
    [stream_id=1] expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    [stream_id=1] server: cloudflare
    [stream_id=1] cf-ray: 41cb8bb14cc46d4e-SJC
    [stream_id=1] content-encoding: gzip
    progress: 100% done
    
    finished in 32.07ms, 31.18 req/s, 580.21KB/s
    requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 18.61KB (19055) total, 781B (781) headers (space savings 29.58%), 17.73KB (18153) data
                        min         max         mean         sd        +/- sd
    time for request:    20.28ms     20.28ms     20.28ms         0us   100.00%
    time for connect:    11.03ms     11.03ms     11.03ms         0us   100.00%
    time to 1st byte:    27.95ms     27.95ms     27.95ms         0us   100.00%
    req/s           :      31.57       31.57       31.57        0.00   100.00%
    

    Code (Text):
    h2load -v -c100 -n1000 -H "Accept-Encoding: gzip" https://community.centminmod.com/
    
    finished in 1.02s, 978.73 req/s, 17.19MB/s
    requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 1000 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 17.56MB (18416959) total, 123.12KB (126078) headers (space savings 88.63%), 17.36MB (18207294) data
                        min         max         mean         sd        +/- sd
    time for request:    12.73ms    395.05ms     67.66ms     42.31ms    80.70%
    time for connect:    81.65ms    100.43ms     91.33ms      5.46ms    57.00%
    time to 1st byte:   107.00ms    376.89ms    210.97ms     46.44ms    72.00%
    req/s           :       9.82       19.62       13.28        1.86    69.00%
    


    For Cloudflare Brotli compression
    Code (Text):
    h2load -v -c1 -n1 -H "Accept-Encoding: br" https://community.centminmod.com/
    starting benchmark...
    spawning thread #0: 1 total client(s). 1 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-ECDSA-CHACHA20-POLY1305
    Server Temp Key: X25519 253 bits
    Application protocol: h2
    [stream_id=1] :status: 200
    [stream_id=1] date: Fri, 18 May 2018 04:21:46 GMT
    [stream_id=1] content-type: text/html; charset=UTF-8
    [stream_id=1] set-cookie: __cfduid=d8334c50859b1ee335d3ef13cc20c67001526617305; expires=Sat, 18-May-19 04:21:45 GMT; path=/; domain=.centminmod.com; HttpOnly
    [stream_id=1] vary: Accept-Encoding
    [stream_id=1] expires: Thu, 19 Nov 1981 08:52:00 GMT
    [stream_id=1] cache-control: private, max-age=0
    [stream_id=1] set-cookie: xfcmi_session=3c69660c1c6dfc67ab79cd4a9c087528; path=/; secure; HttpOnly
    [stream_id=1] x-frame-options: SAMEORIGIN
    [stream_id=1] x-xss-protection: 1
    [stream_id=1] x-powered-by: centminmod
    [stream_id=1] x-content-type-options: nosniff
    [stream_id=1] referrer-policy: strict-origin-when-cross-origin
    [stream_id=1] strict-transport-security: max-age=31536000; includeSubdomains
    [stream_id=1] link: </styles/xenbase/font-awesome/css/font-awesome.min.css>; rel="preload" as="style"
    [stream_id=1] link: </js/jquery/jquery-1.11.0.min.js>; rel="preload" as="script"
    [stream_id=1] link: </js/xenforo/xenforo.js>; rel="preload" as="script"
    [stream_id=1] link: </OneSignalSDK.js>; rel="preload" as="script"
    [stream_id=1] link: </styles/xenbase/font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0>; rel="preload" as="font" crossorigin
    [stream_id=1] expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    [stream_id=1] server: cloudflare
    [stream_id=1] cf-ray: 41cb89f27b125176-SJC
    [stream_id=1] content-encoding: br
    progress: 100% done
    
    finished in 30.51ms, 32.77 req/s, 553.91KB/s
    requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 16.90KB (17307) total, 780B (780) headers (space savings 29.54%), 16.04KB (16424) data
                        min         max         mean         sd        +/- sd
    time for request:    19.55ms     19.55ms     19.55ms         0us   100.00%
    time for connect:    10.35ms     10.35ms     10.35ms         0us   100.00%
    time to 1st byte:    26.74ms     26.74ms     26.74ms         0us   100.00%
    req/s           :      33.22       33.22       33.22        0.00   100.00%
    

    Code (Text):
    h2load -v -c100 -n1000 -H "Accept-Encoding: br" https://community.centminmod.com/
    
    finished in 1.01s, 986.72 req/s, 15.71MB/s
    requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 1000 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 15.92MB (16697350) total, 121.85KB (124771) headers (space savings 88.73%), 15.73MB (16492394) data
                        min         max         mean         sd        +/- sd
    time for request:    12.32ms    397.35ms     61.62ms     39.72ms    80.30%
    time for connect:    84.81ms    106.16ms     96.23ms      6.54ms    62.00%
    time to 1st byte:   105.95ms    255.08ms    192.96ms     29.41ms    65.00%
    req/s           :       9.94       20.21       14.27        1.91    69.00%
    
     
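To turn the h2load runs above into a like-for-like comparison, the following added example (written here, not code from the post or from the h2load project) parses h2load's summary block, converts the latency columns to milliseconds, and reports the relative change in data bytes, mean time to first byte and throughput for Brotli against the gzip baseline. The two summaries embedded in it are copied from the -c100 -n1000 runs in the post; the verbose header snippet used to confirm which content-encoding was actually negotiated is likewise taken from the post's -c1 -n1 Brotli run.

```python
"""Parse h2load summaries and compare a Brotli run against a gzip baseline."""
import re

# Summary blocks copied from the two -c100 -n1000 runs in the post.
GZIP_C100 = """\
finished in 1.02s, 978.73 req/s, 17.19MB/s
requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1000 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 17.56MB (18416959) total, 123.12KB (126078) headers (space savings 88.63%), 17.36MB (18207294) data
                    min         max         mean         sd        +/- sd
time for request:    12.73ms    395.05ms     67.66ms     42.31ms    80.70%
time for connect:    81.65ms    100.43ms     91.33ms      5.46ms    57.00%
time to 1st byte:   107.00ms    376.89ms    210.97ms     46.44ms    72.00%
req/s           :       9.82       19.62       13.28        1.86    69.00%
"""

BROTLI_C100 = """\
finished in 1.01s, 986.72 req/s, 15.71MB/s
requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1000 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 15.92MB (16697350) total, 121.85KB (124771) headers (space savings 88.73%), 15.73MB (16492394) data
                    min         max         mean         sd        +/- sd
time for request:    12.32ms    397.35ms     61.62ms     39.72ms    80.30%
time for connect:    84.81ms    106.16ms     96.23ms      6.54ms    62.00%
time to 1st byte:   105.95ms    255.08ms    192.96ms     29.41ms    65.00%
req/s           :       9.94       20.21       14.27        1.91    69.00%
"""

# Header lines from the post's -c1 -n1 verbose Brotli run: confirm the encoding
# under test was really negotiated before trusting the byte counts.
BROTLI_C1_HEADERS = """\
[stream_id=1] :status: 200
[stream_id=1] vary: Accept-Encoding
[stream_id=1] content-encoding: br
"""


def to_ms(value: str) -> float:
    """Convert an h2load duration such as '12.73ms', '1.02s' or '0us' to milliseconds."""
    for suffix, factor in (("ms", 1.0), ("us", 0.001), ("s", 1000.0)):  # 'ms'/'us' before 's'
        if value.endswith(suffix):
            return float(value[: -len(suffix)]) * factor
    raise ValueError(f"unrecognised duration: {value!r}")


def parse_h2load(summary: str) -> dict:
    """Extract throughput, request outcome, byte counts and latency stats from an h2load summary."""
    def need(pattern: str):
        m = re.search(pattern, summary, re.M)
        if not m:
            raise ValueError(f"h2load summary lacks a line matching {pattern!r}")
        return m

    m = need(r"^finished in (\S+), ([\d.]+) req/s")
    result = {"wall_ms": to_ms(m.group(1)), "req_per_s": float(m.group(2))}
    m = need(r"^requests: (\d+) total, \d+ started, \d+ done, (\d+) succeeded, (\d+) failed")
    result.update(requests=int(m.group(1)), succeeded=int(m.group(2)), failed=int(m.group(3)))
    m = need(r"^status codes: (\d+) 2xx, (\d+) 3xx, (\d+) 4xx, (\d+) 5xx")
    result["status"] = dict(zip(("2xx", "3xx", "4xx", "5xx"), map(int, m.groups())))
    m = need(r"^traffic: \S+ \((\d+)\) total, \S+ \((\d+)\) headers \(space savings ([\d.]+)%\), \S+ \((\d+)\) data")
    result.update(total_bytes=int(m.group(1)), header_bytes=int(m.group(2)),
                  hpack_savings_pct=float(m.group(3)), data_bytes=int(m.group(4)))
    for key, label in (("request", "time for request"), ("connect", "time for connect"), ("ttfb", "time to 1st byte")):
        m = need(rf"^{re.escape(label)}:\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+)%")
        result[key] = {"min": to_ms(m.group(1)), "max": to_ms(m.group(2)), "mean": to_ms(m.group(3)),
                       "sd": to_ms(m.group(4)), "within_sd_pct": float(m.group(5))}
    return result


def content_encoding(verbose_headers: str) -> str:
    """Return the content-encoding h2load printed in -v mode, or 'identity' if none was sent."""
    m = re.search(r"^\[stream_id=\d+\] content-encoding: (\S+)$", verbose_headers, re.M)
    return m.group(1) if m else "identity"


def pct_change(baseline: float, candidate: float) -> float:
    """Relative change of candidate against baseline in percent; negative means smaller or faster."""
    return (candidate - baseline) / baseline * 100.0


def compare(baseline: dict, candidate: dict) -> dict:
    """Relative change of a candidate run against the baseline on the metrics that matter here."""
    clean = all(r["failed"] == 0 and r["status"]["2xx"] == r["requests"] for r in (baseline, candidate))
    return {
        "clean": clean,  # any failures or non-2xx answers make the byte counts incomparable
        "data_bytes_pct": pct_change(baseline["data_bytes"], candidate["data_bytes"]),
        "ttfb_mean_pct": pct_change(baseline["ttfb"]["mean"], candidate["ttfb"]["mean"]),
        "req_per_s_pct": pct_change(baseline["req_per_s"], candidate["req_per_s"]),
        "bytes_saved_per_request": (baseline["data_bytes"] - candidate["data_bytes"]) / baseline["requests"],
    }


if __name__ == "__main__":
    print("negotiated encoding:", content_encoding(BROTLI_C1_HEADERS))
    for key, value in compare(parse_h2load(GZIP_C100), parse_h2load(BROTLI_C100)).items():
        print(f"{key:>24}: {value:+.2f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

Read the output with the test setup in mind: both runs hit the same page with cache-control: private, max-age=0, so every request went through Cloudflare to the origin, from one client location. The roughly 9% fewer data bytes on the wire is the robust signal; the sub-1% req/s difference is well inside run-to-run noise for a single 1000-request sample and should not be read as Brotli being faster at the edge.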