Join the community today
Become a Member

Featured Nginx How to use Brotli compression for Centmin Mod Nginx web servers

Discussion in 'Centmin Mod User Tutorials & Guides' started by eva2000, Mar 6, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Centmin Mod is provide as is, so short of scripted related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app level specific configurations such as wordpress are left to the Centmin Mod user to deal with. So I do not provide any free support for such.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hopes are that this community forum evolves so that more veteran long time Centmin Mod users help new Centmin Mod users out :)

    But whether gzip or brotli is used doesn't matter that much at Cloudflare level as you're performance will be good either way. So I wouldn't worry too much about it.
     
  2. Nitin

    Nitin New Member

    23
    4
    3
    Apr 30, 2018
    Ratings:
    +4
    Local Time:
    7:12 PM
    ok. I understand. Thanks for the help. Even its not working but i have learned many new thing (y). Salute to your efforts for helping me. You are awesome. I am not going back to shared hosting again..:p
     
    • Like Like x 1
  3. Nitin

    Nitin New Member

    23
    4
    3
    Apr 30, 2018
    Ratings:
    +4
    Local Time:
    7:12 PM
    New Update: Cloudflare says "It is currently disabled pending a patch, but should be back online shortly." :LOL:
     
  4. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    You're welcome and yes once you go VPS/dedicated very hard to go back to shared hosting - so much control :D

    :LOL::banghead: so Cloudflare had disabled it on their end !
     
  5. Kuro

    Kuro New Member

    14
    2
    3
    Feb 8, 2018
    Ratings:
    +2
    Local Time:
    8:42 PM
    1.13.9
    10.x
    Hi, i'm using CF pro plan, THIS IS NECESSARY or should i use both?
    now i installed both (CF and custom Config) but when i check my homepage. It is Gzip :D
    and when i on TLS 1.3 on my website:
    This site can't provide a secure connection (i must back TLS 1.2)

    [​IMG]

    My custom_config.inc
    [​IMG]


    [​IMG]
     
    Last edited: May 16, 2018
  6. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    • Like Like x 1
  7. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    • Like Like x 1
  8. rdan

    rdan Premium Member Premium Member

    4,227
    1,028
    113
    May 25, 2014
    Ratings:
    +1,469
    Local Time:
    9:42 PM
    Mainline
    10.2
    How can we check if this thing is being used by Cloudflare or just useless with CF? :unsure:
     
  9. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Brotli usage where at Cloudflare to Visitor stage or you mean between Cloudflare and Centmin Mod Nginx ? Seems Cloudflare may have turned off Brotli temporary on their servers Nginx - How to use Brotli compression for Centmin Mod Nginx web servers ?

    On CentOS 7 you can use curl resolve command to bypass Cloudflare to check headers for Centmin Mod Nginx backend origin to see if Brotli is supported.

    Inspecting output for commands. For posting code or output from commands to keep the formatting, you might want to use CODE tags for code How to use forum BBCODE code tags
    Code (Text):
    curl -sI -H "Accept-Encoding: gzip,br" https://yourdomain.com
    

    Code (Text):
    curl -sI -H "Accept-Encoding: gzip,br" http://yourdomain.com
    

    checking the Content-Encoding: line to see if it shows gzip or br

    Cloudflare Users & Brotli



    You can verify if cloudflare or centmin mod nginx is where the gzip compression is coming from by running curl command which bypasses cloudflare to connect with centmin mod nginx backend replacing YOURREALSERVER_IP with your real server IP address below and yourdomain.com with your domain name. You may want to mask your real ip when you post the output on this forum to protect your real IP address
    Code (Text):
    curl -sI -H "Accept-Encoding: gzip,br" --resolve 'yourdomain.com:443:YOURREALSERVER_IP' https://yourdomain.com
    

    compare it to header check with cloudflare in front
    Code (Text):
    curl -sI -H "Accept-Encoding: gzip,br" https://yourdomain.com
    

    Inspecting whether Content-Encoding shows br or gzip. If bypass curl header check shows br but cloudflare curl header check shows gzip, then something at web app level i.e. wordpress is precompressing static assets as gzip.

    Cloudflare Origin Authentication Pull And Brotli



    If you have Cloudflare origin authentication setup then curl header bypass command will result in HTTP/1.1 400 Bad Request error as regular HTTPS requests to https backend nginx site are only allowed via Cloudflare, then you need to temporarily disable Cloudflare origin authentication by commenting out the line in your nginx vhost domain config file

    changing line from
    Code (Text):
    ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
    ssl_verify_client on;
    

    to comment out and disable them with hash in front
    Code (Text):
    #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
    #ssl_verify_client on;
    

    restart Nginx and PHP-FPM services
    Code (Text):
    nprestart
    

    Then disable Original Authentication Pull in Cloudflare dashboard.

    Then re-run single command line for curl header check that bypasses cloudflare
    Code (Text):
    curl -sI -H"Accept-Encoding: gzip,br" --resolve yourdomain.com:443:YOURREALSERVER_IP' https://yourdomain.com
    

    After you got output, re-enable Cloudflare origin authentication by removing comment hashes from the 2 lines and then restarting nginx and php-fpm services and then re-enable Original Authentication Pull in Cloudflare dashboard.

    For further checks I suppose you can do a custom Nginx log format which includes the content-encoding header being logged to nginx access log similar to Cloudflare logging done for CF-RAY header at Cloudflare - Cloudflare custom Nginx logging
     
    • Informative Informative x 1
  10. bassie

    bassie Active Member

    869
    203
    43
    Apr 29, 2016
    Ratings:
    +609
    Local Time:
    3:42 PM
    Why using Brotli anyway?:)
    Gzip is supported by all for all.

    With Cloudflare Gzip (Zlib), you get the maximum out of it.
    If you use both, you must test both: test updates, compile updates, extra layer for debugging problems over and over again.
     
  11. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Actually doesn't matter if Brotli isn't used it falls back to Gzip on either Cloudflare or Centmin Mod Nginx layer. So there's no troubleshooting involved - let server decide which to server visitors with - either Gzip or Brotli compression when available.
     
  12. bassie

    bassie Active Member

    869
    203
    43
    Apr 29, 2016
    Ratings:
    +609
    Local Time:
    3:42 PM
    I limit myself to Centminmod. That is what this topic is about.

    True giving the fact that a nice fall back is realized by Nginx Brotli if Brotli isn't supported.
    If all is settled and done.

    Problem is that the Nginx Brotli plugin isn't maintained since 2016.
    There is a fork. But the pre-existence is very uncertain. Given this quote:
     
  13. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Yeah Centmin Mod Nginx used more updated ngx_brotli fork at eustas/ngx_brotli though the maintainer is also the maintainer for official Google Brotli library too so there would be some updating I suppose :)
     
  14. bassie

    bassie Active Member

    869
    203
    43
    Apr 29, 2016
    Ratings:
    +609
    Local Time:
    3:42 PM
    Did you bench Coudflare Zlib vs Brotli? curious about the results
     
  15. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  16. eva2000

    eva2000 Administrator Staff Member

    35,076
    7,742
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,941
    Local Time:
    11:42 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    @Nitin @Kuro @RoldanLT looks like Cloudflare has now re-enabled Brotli on their end

    upload_2018-5-18_14-16-25.png

    Code (Text):
    curl -I -H "Accept-Encoding: gzip,br" https://community.centminmod.com/
    HTTP/2 200 
    date: Fri, 18 May 2018 04:18:38 GMT
    content-type: text/html; charset=UTF-8
    set-cookie: __cfduid=dea2e1bcf37bd11ca3ffd795c8b3ec2461526617118; expires=Sat, 18-May-19 04:18:38 GMT; path=/; domain=.centminmod.com; HttpOnly
    vary: Accept-Encoding
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, max-age=0
    set-cookie: xfcmi_session=20f5c86be55b597512003266b97262a8; path=/; secure; HttpOnly
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1
    x-powered-by: centminmod
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    strict-transport-security: max-age=31536000; includeSubdomains
    link: </styles/xenbase/font-awesome/css/font-awesome.min.css>; rel="preload" as="style"
    link: </js/jquery/jquery-1.11.0.min.js>; rel="preload" as="script"
    link: </js/xenforo/xenforo.js>; rel="preload" as="script"
    link: </OneSignalSDK.js>; rel="preload" as="script"
    link: </styles/xenbase/font-awesome/fonts/fontawesome-webfont.woff2?v=4.7.0>; rel="preload" as="font" crossorigin
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    server: cloudflare
    cf-ray: 41cb855e6be41ead-SJC
    content-encoding: br
    
     
  17. rdan

    rdan Premium Member Premium Member

    4,227
    1,028
    113
    May 25, 2014
    Ratings:
    +1,469
    Local Time:
    9:42 PM
    Mainline
    10.2
    I run this on my Ubuntu Desktop and doesn't output anything.
    Code:
    curl -sI -H "Accept-Encoding: gzip,br" --resolve 'yourdomain.com:443:YOURREALSERVER_IP' https://yourdomain.com
    
    This works fine:
    Code:
    curl -sI -H "Accept-Encoding: gzip,br" https://yourdomain.com
    My CURL installed:
    Code:
    curl -V
    curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
    Release-Date: 2018-01-24
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 
     
  18. rdan

    rdan Premium Member Premium Member

    4,227
    1,028
    113
    May 25, 2014
    Ratings:
    +1,469
    Local Time:
    9:42 PM
    Mainline
    10.2
    Yes, between Cloudflare Edge server to/from our CMM Server.
     
  19. rdan

    rdan Premium Member Premium Member

    4,227
    1,028
    113
    May 25, 2014
    Ratings:
    +1,469
    Local Time:
    9:42 PM
    Mainline
    10.2
    Aha :D
    Seems cert error because I use Cloudflare ECC own cert.
     
    • Informative Informative x 1
  20. rdan

    rdan Premium Member Premium Member

    4,227
    1,028
    113
    May 25, 2014
    Ratings:
    +1,469
    Local Time:
    9:42 PM
    Mainline
    10.2
    Works now:
    Code:
    curl -sI -H "Accept-Encoding: gzip,br" -k --resolve 'yourdomain.com:443:YOURREALSERVER_IP' https://yourdomain.com
    
     
..