
Improving Cloudflare Connections To Origin Server - Use ECDSA SSL Certs

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, May 17, 2018.

Thread Status:
Not open for further replies.
  1. eva2000


    Optimising Cloudflare Origin Backend Communication Performance



    From the custom Cloudflare logging done on the Centmin Mod Nginx backend origin server, I can see that my Centmin Mod Nginx origin server is using an RSA 2048bit SSL certificate, hence RSA based SSL/TLS handshake communication with Cloudflare on the backend. Hence, I know I can improve the performance by switching my Centmin Mod Nginx to a new SSL certificate using ECC 256bit ECDSA if I want more speed.

    I can do this by either buying an ECC 256bit ECDSA SSL certificate, using Letsencrypt and changing from the RSA 2048bit default SSL cert to an ECDSA 256bit SSL cert, or using Cloudflare's freely provided Cloudflare Origin SSL certificates, which have a validity of 15yrs, and installing them on the Centmin Mod Nginx backend server.

    For installing Cloudflare Origin SSL certificates on Nginx (How to install an Origin CA certificate in NGINX) you're just changing the paths of the existing ssl_certificate and ssl_certificate_key directives. Note that Cloudflare Origin SSL certificates are only trusted by Cloudflare, so they are untrusted when used on the general web. If you have clients, tools etc. that communicate directly with the backend Nginx origin server, you may run into issues with Cloudflare Origin SSL certs, so you need properly trusted SSL certificates like paid or Letsencrypt SSL certificates instead.

    (screenshot: cloudflare-origin-certs.png - creating a Cloudflare Origin SSL certificate)

    For RSA 2048bit Cloudflare Origin SSL certificate:
    (screenshot: cloudflare-origin-certs2.png)

    For ECDSA 256bit Cloudflare Origin SSL certificate:
    (screenshot: cloudflare-origin-certs3.png)

    ECDSA Performance Boost



    If you want even more performance, selecting ECDSA 256bit SSL certificate usage for the Centmin Mod Nginx backend origin to communicate with Cloudflare isn't enough, as ECDSA performance depends on the crypto library Nginx is built with - OpenSSL 1.0.2, 1.1.0 or 1.1.1 based builds have varying performance improvements for ECDSA.
    • OpenSSL 1.1.0 has ~2x the ECDSA performance of OpenSSL 1.0.2 and LibreSSL 2.6/2.7 ECDSA.
    • OpenSSL 1.1.1 in beta has ~30-40% more ECDSA performance than OpenSSL 1.1.0. So up to 2.8x faster ECDSA performance than OpenSSL 1.0.2 and LibreSSL 2.6/2.7 ECDSA.

    OpenSSL 1.1.0g vs 1.1.1-pre1                              rsa 2048 signs/s   rsa 2048 verify/s   ecdsa 256bit signs/s   ecdsa 256bit verify/s
    OpenSSL 1.1.0g before cloudflare patch                    8278.4             181818.2            121212.1               43450.5
    OpenSSL 1.1.0g after cloudflare patch                     8299.9             181818.2            173813.0               50157.2
    OpenSSL 1.1.0g after cloudflare + kernel KPTI patch       8300.9             181818.2            170212.8               50000.0
    OpenSSL 1.1.1-pre1 after cloudflare + kernel KPTI patch   8374.2             180585.7            172068.6               50028.8



    Centmin Mod 123.09beta01 and higher's Nginx server supports various crypto libraries: OpenSSL 1.0.2, OpenSSL 1.1.0 or OpenSSL 1.1.1 as well as LibreSSL 2.7+, as outlined here. Currently, Centmin Mod 123.09beta01 Nginx defaults to compiling Nginx against the latest OpenSSL 1.1.0 branch release, 1.1.0h. OpenSSL 1.1.1 is nearly at final release, once TLS 1.3 is finalized.

    Right now Centmin Mod 123.09beta01 defaults to latest OpenSSL 1.1.1 crypto library with TLSv1.3 support.
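
    Before pointing ssl_certificate and ssl_certificate_key at a new cert, it helps to confirm what you are about to load. The script below is an added example, not code from the original post or from Centmin Mod: it reports a certificate's public key algorithm, checks that a cert and key actually belong together (a mismatched pair is the usual reason a reload fails after a swap), and verifies a cert against a CA bundle such as the concatenated Cloudflare origin roots. It assumes the openssl CLI is installed; the self-signed certs it generates are constructed for the demo only.

```shell
#!/bin/sh
# Added example, not Centmin Mod code. Needs the openssl CLI.
# Sanity-checks a certificate/key pair before it is referenced from
# ssl_certificate / ssl_certificate_key and Nginx is reloaded.

# Print the certificate's public key algorithm: "id-ecPublicKey" for an
# ECDSA cert, "rsaEncryption" for an RSA cert.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text \
        | awk -F': *' '/Public Key Algorithm/ { print $2; exit }'
}

# Succeed only if the certificate's public key matches the private key.
# Easy to get wrong when an RSA pair and an ECDSA pair sit side by side.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Succeed if the certificate verifies against a CA bundle, e.g. the
# concatenated Cloudflare origin roots (cf-ca-root.pem on this page).
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed throwaway material so this runs offline: a self-signed
# ECDSA P-256 pair and a self-signed RSA 2048 pair.
WORK=$(mktemp -d)
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ecdsa.key"
openssl req -new -x509 -key "$WORK/ecdsa.key" -subj "/CN=origin.example" \
    -days 1 -out "$WORK/ecdsa.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rsa.key" \
    -subj "/CN=origin.example" -days 1 -out "$WORK/rsa.crt" 2>/dev/null

# One-line verdict per pair, as you would run it on the real cert paths.
check_pair() {
    algo=$(cert_key_algo "$1")
    if cert_key_match "$1" "$2"; then m=match; else m=MISMATCH; fi
    echo "$(basename "$1"): $algo, key $m"
}
check_pair "$WORK/ecdsa.crt" "$WORK/ecdsa.key"
check_pair "$WORK/rsa.crt"   "$WORK/rsa.key"
check_pair "$WORK/rsa.crt"   "$WORK/ecdsa.key"   # deliberately wrong key
```

    Run check_pair against the real cf-origin-cert-ecdsa and cf-origin-cert-rsa files, and cert_chains_to against cf-ca-root.pem, before running ngxreload.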
     
  2. eva2000


    Switching To Cloudflare Origin SSL Certificates for Nginx Origin



    So how do you switch your Centmin Mod Nginx backend vhost from using SSL certificates from paid vendors or Letsencrypt to using Cloudflare Origin SSL certificates? The guide below shows an example of how it was done for Centmin Mod's own site and forums. The example below is for the centminmod.com domain on a Centmin Mod 123.09beta01 based Nginx LEMP stack.

    So change your Centmin Mod Nginx vhost from something like
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/centminmod.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    

    To the following:
    • Make sure to have created the directory at /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/ which you may already have done when creating the Cloudflare Origin Authenticated Pull setup.
    • I named the RSA 2048bit created Cloudflare Origin SSL cert cf-origin-cert-rsa.crt while the private key is named cf-origin-cert-rsa.key
    • I also created an ECDSA 256bit Cloudflare Origin SSL cert named cf-origin-cert-ecdsa.crt with private key cf-origin-cert-ecdsa.key.
    • Since Nginx 1.11 has support for dual RSA + ECDSA SSL certificates, you may also list both Cloudflare Origin SSL certs for RSA and ECDSA if you created both, like so.
    • I would keep the existing ssl certs commented out with a hash # in front instead of removing them, so it is easier to revert back to the previous SSL certs if you have issues.
    • You would also need to disable the ssl_stapling directives by commenting them out with a hash # in front, as Cloudflare Origin SSL certs are not publicly trusted certs.
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/centminmod.com/dhparam.pem;
      #ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com.crt;
      #ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com.key;
      ssl_certificate      /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/cf-origin-cert-ecdsa.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/cf-origin-cert-ecdsa.key;
      ssl_certificate      /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/cf-origin-cert-rsa.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/cf-origin-cert-rsa.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # ssl_stapling on;
      # ssl_stapling_verify on;
    

    And further down in the Nginx vhost, comment out the ssl_trusted_certificate path with a hash in front too.

    If you used Centmin Mod Nginx's Letsencrypt integration to auto generate an HTTP/2 HTTPS based site with a free Letsencrypt SSL certificate, by default that SSL cert is RSA 2048bit based unless you changed the defaults to ECDSA 256bit. The SSL vhost for a Letsencrypt integrated Nginx vhost is slightly different, as per Using Centmin Mod acmetool.sh addon for Nginx HTTP/2 based HTTPS with free Letsencrypt SSL certificates

    An existing Centmin Mod Nginx vhost with Letsencrypt might look like below for the relevant sections, where the only change is that ssl_certificate and ssl_certificate_key are defined in an include file at /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com.crt.key.conf instead of directly within the site Nginx vhost
    Code (Text):
      include /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    

    Contents of /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com.crt.key.conf would be
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/centminmod.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com-acme.key;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com-acme.cer;
    

    So you change that to point to the Cloudflare Origin SSL certs you set up at the appropriate paths, and comment out the ssl_trusted_certificate path.
    • I would keep the existing ssl certs commented out with a hash # in front instead of removing them, so it is easier to revert back to the previous SSL certs if you have issues.
    • You would also need to disable the ssl_stapling directives by commenting them out with a hash # in front, as Cloudflare Origin SSL certs are not publicly trusted certs.
    Code (Text):
      ssl_dhparam /usr/local/nginx/conf/ssl/centminmod.com/dhparam.pem;
      #ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com-acme.cer;
      #ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com-acme.key;
      ssl_certificate      /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/cf-origin-cert-ecdsa.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/cf-origin-cert-ecdsa.key;
      ssl_certificate      /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/cf-origin-cert-rsa.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/cf-origin-cert-rsa.key;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/centminmod.com/centminmod.com-acme.cer;
    
      # ssl_stapling on;
      # ssl_stapling_verify on;
    

    So if you had a Cloudflare Origin SSL cert + Cloudflare Origin Authenticated Pull cert setup, they would all be listed in the directory /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/
    total 32K
    drwxr-xr-x 2 root root 4.0K May 17 01:03 .
    drwxr-xr-x 3 root root 4.0K May 14 22:33 ..
    -rw-r--r-- 1 root root 1.2K May 17 00:37 cf-origin-cert-ecdsa.crt
    -rw-r--r-- 1 root root  244 May 17 00:37 cf-origin-cert-ecdsa.key
    -rw-r--r-- 1 root root 1.7K May 17 00:36 cf-origin-cert-rsa.crt
    -rw-r--r-- 1 root root 1.7K May 17 00:37 cf-origin-cert-rsa.key
    -rw-r--r-- 1 root root 2.2K Mar  2  2015 origin.crt
    

    I'd also download the Cloudflare CA root SSL certs for RSA and ECC ECDSA 256bit from What are the root certificate authorities (CAs) used with Cloudflare Origin CA?, as they'd be useful for verifying and troubleshooting on the SSH command line if needed.
    Code (Text):
    cd /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/
    #wget https://support.cloudflare.com/hc/en-us/article_attachments/206709098/cloudflare_origin_ecc.pem
    wget -4 https://support.cloudflare.com/hc/article_attachments/360037898732/origin_ca_ecc_root.pem -O cloudflare_origin_ecc.pem
    #wget https://support.cloudflare.com/hc/en-us/article_attachments/206709108/cloudflare_origin_rsa.pem
    wget -4 https://support.cloudflare.com/hc/article_attachments/360037885371/origin_ca_rsa_root.pem -O cloudflare_origin_rsa.pem
    cat cloudflare_origin_ecc.pem cloudflare_origin_rsa.pem > cf-ca-root.pem
    

    So your directory at /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/ would now look like this:
    Code (Text):
    ls -lah /usr/local/nginx/conf/ssl/cloudflare/centminmod.com/
    total 52K
    drwxr-xr-x 2 root root 4.0K May 17 01:40 .
    drwxr-xr-x 3 root root 4.0K May 14 22:33 ..
    -rw-r--r-- 1 root root 2.4K May 17 01:40 cf-ca-root.pem
    -rw-r--r-- 1 root root 1.2K May 17 00:37 cf-origin-cert-ecdsa.crt
    -rw-r--r-- 1 root root  244 May 17 00:37 cf-origin-cert-ecdsa.key
    -rw-r--r-- 1 root root 1.7K May 17 00:36 cf-origin-cert-rsa.crt
    -rw-r--r-- 1 root root 1.7K May 17 00:37 cf-origin-cert-rsa.key
    -rw-r--r-- 1 root root  940 May  3  2016 cloudflare_origin_ecc.pem
    -rw-r--r-- 1 root root 1.5K May  3  2016 cloudflare_origin_rsa.pem
    -rw-r--r-- 1 root root 2.2K Mar  2  2015 origin.crt
    

    Verify Cloudflare ECDSA Based Communication To Nginx Origins



    Now you can verify whether communication between Cloudflare and your Centmin Mod Nginx origin is over ECDSA based SSL connections instead of RSA, if you set up custom Cloudflare Nginx logging as outlined at Cloudflare - Cloudflare custom Nginx logging

    Tailing the last line of the custom cfssl-access.log, which records Centmin Mod Nginx metrics for the SSL protocol and SSL cipher served to the upstream Cloudflare client server, shows that the SSL cipher used was ECDSA based, using TLSv1.2 with ECDHE-ECDSA-AES128-GCM-SHA256, hitting Cloudflare's Hong Kong datacenter according to IATA code HKG :)

    You'd do an Nginx service reload first, as Centmin Mod Nginx buffers access log writes before they are written to disk for performance reasons. So an Nginx reload flushes the buffer to the logs, giving the most up to date entries.
    Code (Text):
    log_format cf_custom3 '$remote_addr - $remote_user [$time_local] $request '
                   '"$status" $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                   ' "$connection" "$connection_requests" "$request_time" $http_cf_ray '
                   '$ssl_protocol $ssl_cipher';

    Code (Text):
    ngxreload
    cd /home/nginx/domains/centminmod.com/log/
    tail -1 cfssl-access.log | awk '{print NR": "$0; for(i=1;i<=NF;++i)print ""i":  "$i}'
    
    1: 180.76.15.8 - - [17/May/2018:01:50:33 +0000] GET /threads/update-imagick-php-extension-to-3-4-0rc2.5243/ HTTP/1.1 "200" 124742 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "180.76.15.8" "-" "107" "1" "0.100" 41c26f0d3b233313-HKG TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
    1:  180.76.15.8
    2:  -
    3:  -
    4:  [17/May/2018:01:50:33
    5:  +0000]
    6:  GET
    7:  /threads/update-imagick-php-extension-to-3-4-0rc2.5243/
    8:  HTTP/1.1
    9:  "200"
    10:  124742
    11:  "-"
    12:  "Mozilla/5.0
    13:  (compatible;
    14:  Baiduspider/2.0;
    15:  +http://www.baidu.com/search/spider.html)"
    16:  "180.76.15.8"
    17:  "-"
    18:  "107"
    19:  "1"
    20:  "0.100"
    21:  41c26f0d3b233313-HKG
    22:  TLSv1.2
    23:  ECDHE-ECDSA-AES128-GCM-SHA256
    


    Inspecting the custom Cloudflare Nginx logging on the origin Nginx server now shows ECDSA ciphers amongst the listing, coming in 3rd place. Eventually it will rise to 1st place, as all subsequent Cloudflare to Nginx origin connections will be ECDSA based.
    Code (Text):
    ngxreload
    cd /home/nginx/domains/centminmod.com/log
    pzcat -f cfssl-access.log{,-*} | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    111118  TLSv1.2  ECDHE-RSA-AES128-GCM-SHA256
    40652   TLSv1.2  ECDHE-RSA-AES256-GCM-SHA384
    4427    TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    22      TLSv1.2  ECDHE-RSA-CHACHA20-POLY1305
    4       -        -
    1       TLSv1    ECDHE-RSA-AES128-SHA
    1       TLSv1.1  ECDHE-RSA-AES128-SHA
    

    Rechecking, the ECDSA SSL cipher served requests logged have moved to 2nd place for ECDHE-ECDSA-AES128-GCM-SHA256, and now a few other ECDSA variants are being served to some other supported clients: ECDHE-ECDSA-CHACHA20-POLY1305 (h2load HTTP/2 HTTPS load test checks connected with this ssl cipher) and ECDHE-ECDSA-AES256-GCM-SHA384
    Code (Text):
    ngxreload
    cd /home/nginx/domains/centminmod.com/log
    pzcat -f cfssl-access.log{,-*} | awk '{n = 2; for (--n; n >= 0; n--){ printf "%s\t",$(NF-n)} print ""}' | sort | uniq -c | sort -rn | head -n20 | column -t
    113377  TLSv1.2  ECDHE-RSA-AES128-GCM-SHA256
    97432   TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256
    41027   TLSv1.2  ECDHE-RSA-AES256-GCM-SHA384
    22      TLSv1.2  ECDHE-RSA-CHACHA20-POLY1305
    10      -        -
    3       TLSv1.2  ECDHE-ECDSA-CHACHA20-POLY1305
    3       TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
    1       TLSv1    ECDHE-RSA-AES128-SHA
    1       TLSv1.1  ECDHE-RSA-AES128-SHA
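
    The awk one-liner above only tallies the last two fields. As an added example (not from the original post or from Centmin Mod), the script below extends it to attribute each session to the Cloudflare datacenter from the $http_cf_ray suffix and to count ECDSA-authenticated against RSA-authenticated sessions, with separate handling for TLS 1.3 suites (whose names do not reveal the certificate type) and for connections without a cf-ray (clients hitting the origin directly). The log lines are constructed samples in the cf_custom3 format, not real traffic.

```shell
#!/bin/sh
# Added example, not Centmin Mod code. Reads lines written by the cf_custom3
# log_format: the last two fields are $ssl_protocol and $ssl_cipher and the
# field before them is $http_cf_ray, whose suffix is the Cloudflare
# datacenter IATA code (e.g. 41c26f0d3b233313-HKG).

# (protocol, cipher) tally, like the page's pzcat | awk | sort | uniq -c pipe.
cipher_counts() {
    awk '{ print $(NF-1), $NF }' "$1" | sort | uniq -c | sort -rn
}

# Per Cloudflare datacenter: sessions authenticated with the ECDSA cert, with
# the RSA cert, and TLS 1.3 sessions. TLS 1.3 suite names (TLS_AES_...,
# TLS_CHACHA20_...) do not encode the certificate type, so they are counted
# separately rather than guessed. Plain-HTTP lines log "-" and are skipped;
# TLS sessions with no cf-ray did not come through Cloudflare ("direct").
# Output: "<colo> <ecdsa> <rsa> <tls13>", one line per colo.
auth_by_colo() {
    awk '{
        n = split($(NF-2), p, "-")
        colo = (n > 1 && p[n] != "") ? p[n] : "direct"
        if ($NF ~ /-ECDSA-/)    e[colo]++
        else if ($NF ~ /-RSA-/) r[colo]++
        else if ($NF ~ /^TLS_/) t[colo]++
        else next
        seen[colo] = 1
    } END { for (k in seen) printf "%s %d %d %d\n", k, e[k]+0, r[k]+0, t[k]+0 }' "$1" \
    | LC_ALL=C sort
}

# Constructed sample log (not real traffic) in cf_custom3 format.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
203.0.113.10 - - [17/May/2018:01:50:33 +0000] GET / HTTP/1.1 "200" 1024 "-" "Mozilla/5.0" "203.0.113.10" "-" "1" "1" "0.050" 41c26f0d3b233313-HKG TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
203.0.113.11 - - [17/May/2018:01:50:34 +0000] GET /a HTTP/1.1 "200" 2048 "-" "Mozilla/5.0" "203.0.113.11" "-" "2" "1" "0.040" 41c26f0d3b233314-HKG TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
203.0.113.12 - - [17/May/2018:01:50:35 +0000] GET /b HTTP/1.1 "200" 512 "-" "Mozilla/5.0" "203.0.113.12" "-" "3" "1" "0.030" 41c26f0d3b233315-HKG TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.13 - - [17/May/2018:01:50:36 +0000] GET /c HTTP/1.1 "200" 256 "-" "Mozilla/5.0" "203.0.113.13" "-" "4" "1" "0.020" 41c26f0d3b233316-SYD TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
203.0.113.14 - - [17/May/2018:01:50:37 +0000] GET /d HTTP/1.1 "200" 128 "-" "Mozilla/5.0" "203.0.113.14" "-" "5" "1" "0.010" 41c26f0d3b233317-SYD TLSv1.3 TLS_AES_256_GCM_SHA384
203.0.113.15 - - [17/May/2018:01:50:38 +0000] GET /e HTTP/1.1 "200" 64 "-" "curl/7.60" "-" "-" "6" "1" "0.010" - TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
203.0.113.16 - - [17/May/2018:01:50:39 +0000] GET /f HTTP/1.1 "301" 0 "-" "curl/7.60" "-" "-" "7" "1" "0.001" - - -
EOF

cipher_counts "$SAMPLE"
auth_by_colo "$SAMPLE"
```

    On a real server, replace "$SAMPLE" with the pzcat output of cfssl-access.log{,-*}; a non-zero "direct" row is exactly the traffic that will not trust a Cloudflare Origin cert.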
    
     
  3. eva2000


    Using HTTPS TLS 1.3 On Centmin Mod Nginx Origin Backends



    Another way to optimise Cloudflare to Centmin Mod Nginx origin communications and data transfer is to ensure Centmin Mod Nginx supports the latest TLS 1.3 protocol, which can be enabled in Nginx 1.15.4+ with either the BoringSSL or the default OpenSSL 1.1.1 crypto library in the Centmin Mod 123.09beta01 and newer branch, as outlined at Centmin Mod Nginx HTTP/2 HTTPS TLS 1.3 Support

    Then, once Cloudflare updates their end from TLS 1.3 draft 22 to the TLS 1.3 RFC final version, communication between Cloudflare and Centmin Mod Nginx based HTTP/2 HTTPS sites can be done over TLS 1.3, improving latency and response times when you set Cloudflare to Full SSL. See Cloudflare speak TLS 1.3 0-RTT with Origin Backend?

    Edit: Cloudflare can now speak TLS 1.3 with your origin servers if they support it - see SSL - Cloudflare - Cloudflare Enables HTTPS TLS 1.3 Backend Origin Communication :)
     