
Docker Image nghttp2 minimal docker image

Discussion in 'Centmin Mod Docker Development' started by eva2000, Mar 30, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    Now that Ubuntu 19.0.4 disco beta has been released, it comes with OpenSSL 1.1.1b with TLS 1.3 support and nghttp2/h2load packages out of the box. So I do not need to source compile nghttp2/h2load with a custom OpenSSL 1.1.1 version to be able to do h2load HTTP/2 HTTPS TLS 1.3 benchmark testing anymore. As such, I created a new docker Ubuntu 19.0.4 container image which just has nghttp2 and OpenSSL 1.1.1b with TLS 1.3 support, which is a much smaller docker image size, at https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2-minimal.

    nghttp2/h2load Ubuntu Docker Images


    Why use nghttp2 Ubuntu docker image and not CentOS natively installed?

    Very early on, CentOS 6 and CentOS 7 didn't have the version requirements to compile for nghttp2 and h2load. To source compile the newer version dependencies for nghttp2 on CentOS would have resulted in around 90+ minutes compile time on a decent speed server. So I created the nghttp2 Ubuntu docker image which source compiled nghttp2 but had newer version dependencies.

    Later, CentOS 7's EPEL YUM repo offered up nghttp2 package with h2load etc. But this is currently using nghttp2 version 1.31 but it's built against Redhat/CentOS 7's OpenSSL 1.0.2k crypto library so there is no TLS 1.3 support. So you can't run h2load HTTP/2 HTTPS TLS 1.3 load testing benchmarks like you can with nghttp2 docker images I created as their nghttp2/h2load binaries are built against newer OpenSSL 1.1.1 branch with TLS 1.3 support.

    Example on CentOS 7 VPS server with h2load HTTP/2 HTTPS TLS 1.3 load testing run with docker-ubuntu-nghttp2-minimal docker image and command aliases setup as per https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2-minimal
    Code (Text):
    nghttpcmd-min h2load -t1 -c100 -n1000 https://centminmod.com
    starting benchmark...
    spawning thread #0: 100 total client(s). 1000 total requests
    TLS Protocol: TLSv1.3
    Cipher: TLS_AES_256_GCM_SHA384
    Server Temp Key: X25519 253 bits
    Application protocol: h2
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 361.95ms, 2762.78 req/s, 116.86MB/s
    requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 1000 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 42.30MB (44353626) total, 99.34KB (101726) headers (space savings 88.58%), 42.13MB (44175000) data
                         min         max         mean         sd        +/- sd
    time for request:     7.70ms     66.99ms     22.95ms     13.08ms    82.20%
    time for connect:    18.03ms    123.57ms     73.35ms     30.97ms    57.00%
    time to 1st byte:    77.81ms    155.80ms    123.33ms     26.42ms    55.00%
    req/s           :      28.59       37.00       33.10        1.81    67.00%
    

    Example for nghttp -nas statistics inspection of HTTP/2 HTTPS requests
    Code (Text):
    nghttpcmd-min nghttp -nas https://centminmod.com    
    ***** Statistics *****
    
    Request timing:
      responseEnd: the  time  when  last  byte of  response  was  received
                   relative to connectEnd
     requestStart: the time  just before  first byte  of request  was sent
                   relative  to connectEnd.   If  '*' is  shown, this  was
                   pushed by server.
          process: responseEnd - requestStart
             code: HTTP status code
             size: number  of  bytes  received as  response  body  without
                   inflation.
              URI: request URI
    
    see http://www.w3.org/TR/resource-timing/#processing-model
    
    sorted by 'complete'
    
    id  responseEnd requestStart  process code size request path
     13    +19.23ms       +188us  19.04ms  200  10K /
     55    +32.08ms     +19.29ms  12.79ms  200  25K /js/bootstrapValidator.min.js
     37    +32.24ms     +19.28ms  12.95ms  200  17K /fonts/glyphicons-halflings-regular.woff2
     17    +32.29ms     +19.27ms  13.02ms  200  482 /css/localfonts.css
     43    +33.12ms     +19.29ms  13.83ms  200  201 /js/gab_event.js
     25    +33.19ms     +19.27ms  13.92ms  200  596 /css/icons-set8.css
     31    +33.35ms     +19.28ms  14.08ms  200   2K /css/responsive.css
     29    +34.31ms     +19.28ms  15.04ms  200  24K /css/style.css
     27    +34.52ms     +19.27ms  15.25ms  200   3K /css/animate.min.css
     19    +35.57ms     +19.27ms  16.30ms  200   5K /css/font-awesome.min.css
     45    +36.56ms     +19.29ms  17.27ms  200  29K /js/jquery.min.js
     53    +36.63ms     +19.29ms  17.34ms  200  799 /js/jquery.easing.1.3.js
     51    +36.68ms     +19.29ms  17.39ms  200  979 /js/jquery.hover-dropdown-menu-addon.js
     33    +37.61ms     +19.28ms  18.33ms  200   1K /css/color.css
     47    +38.00ms     +19.29ms  18.71ms  200   9K /js/bootstrap.min.js
     49    +38.35ms     +19.29ms  19.06ms  200   6K /js/hover-dropdown-menu.js
     23    +39.34ms     +19.27ms  20.06ms  200   4K /css/hover-dropdown-menu.css
     21    +40.34ms     +19.27ms  21.07ms  200  19K /css/bootstrap.min.css
     39    +41.17ms     +19.29ms  21.88ms  200   4K /fonts/icomoon-set8.woff2?s8gaml
     41    +41.19ms     +19.29ms  21.90ms  200  21K /fonts-local/Arimo_400.woff2
     35    +41.60ms     +19.28ms  22.32ms  200  55K /fonts/fontawesome-webfont.woff2?v=4.3.0
     15    +51.60ms     +19.27ms  32.33ms  200  254 /img/favicon.png
    


    testssl, cipherscan & curltest



    Also added additional command line tools for:
    • testssl latest version
    • cipherscan
    • curltest - can check an HTTP compressed request's uncompressed versus compressed size for both gzip & brotli HTTP compressed assets.
    Example commands using command alias in docker host SSH.

    testssl
    Code (Text):
    nghttpcmd-min testssl https://centminmod.com

    Or testssl with some tests and not all. This will test TLS protocols, server SSL cipher preferences, headers and client SSL cipher/protocol simulation; the --quiet flag disables the testssl info message banner.
    Code (Text):
    nghttpcmd-min testssl -p -P -h -c --quiet https://centminmod.com
    

    cipherscan
    Code (Text):
    nghttpcmd-min cipherscan https://centminmod.com
    .......................................................
    Target: centminmod.com:443
    
    prio  ciphersuite                        protocols  pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn          pfs                 curves                                    curves_ordering
    1     ECDHE-ECDSA-CHACHA20-POLY1305-OLD  TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
    2     ECDHE-ECDSA-AES128-GCM-SHA256      TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
    3     ECDHE-ECDSA-AES128-SHA             TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  server
    4     ECDHE-ECDSA-AES128-SHA256          TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
    5     ECDHE-ECDSA-AES256-GCM-SHA384      TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
    6     ECDHE-ECDSA-AES256-SHA             TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  server
    7     ECDHE-ECDSA-AES256-SHA384          TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
    8     ECDHE-RSA-CHACHA20-POLY1305-OLD    TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
    9     ECDHE-RSA-AES128-GCM-SHA256        TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
    10    ECDHE-RSA-AES128-SHA               TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
    11    ECDHE-RSA-AES128-SHA256            TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
    12    AES128-GCM-SHA256                  TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
    13    AES128-SHA                         TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
    14    AES128-SHA256                      TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
    15    ECDHE-RSA-AES256-GCM-SHA384        TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
    16    ECDHE-RSA-AES256-SHA               TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
    17    ECDHE-RSA-AES256-SHA384            TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
    18    AES256-GCM-SHA384                  TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
    19    AES256-SHA                         TLSv1.2    2048         sha256WithRSAEncryption  True     64799        True         h2,http/1.1  None                None                                      server
    20    AES256-SHA256                      TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
    
    OCSP stapling: supported
    Cipher ordering: server
    Curves ordering: server - fallback: no
    Server supports secure renegotiation
    Server supported compression methods: NONE
    TLS Tolerance: yes
    
    Intolerance to:
     SSL 3.254           : absent
     TLS 1.0             : PRESENT
     TLS 1.1             : PRESENT
     TLS 1.2             : absent
     TLS 1.3             : absent
     TLS 1.4             : absent
    

    curltest - can check an HTTP compressed request's uncompressed versus compressed size for both gzip & brotli HTTP compressed assets
    Code (Text):
    nghttpcmd-min curltest gzip https://centminmod.com
    URI: https://centminmod.com (gzip)
    Uncompressed size : 43.13 KiB
    Compressed size   : 10.72 KiB
    

    Code (Text):
    nghttpcmd-min curltest br https://centminmod.com
    URI: https://centminmod.com (br)
    Uncompressed size : 43.13 KiB
    Compressed size   : 10.15 KiB
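
An added example, not part of the original post: because the value of this image is that h2load is linked against OpenSSL 1.1.1 and can negotiate TLS 1.3, a benchmark script can gate on the handshake lines h2load prints instead of assuming the protocol. `check_h2load_report` and the two sample functions are hypothetical names; the first sample reuses lines from the h2load run above and the second is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. check_h2load_report is a
# hypothetical helper: it reads an h2load text report on stdin and passes only
# if the run negotiated the expected TLS version and ALPN with no failed requests.
check_h2load_report() {
  awk -v want_proto="${1:-TLSv1.3}" -v want_alpn="${2:-h2}" '
    { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # tolerate CRLF and indented pastes
    /^TLS Protocol:/         { proto  = $3 }
    /^Cipher:/               { cipher = $2 }
    /^Application protocol:/ { alpn   = $3 }
    /^requests:/ {                           # "requests: 1000 total, 1000 started, ..."
      for (i = 2; i < NF; i += 2) { key = $(i + 1); sub(/,$/, "", key); n[key] = $i }
    }
    END {
      bad = 0
      if (proto == "") { print "FAIL no TLS Protocol line (cleartext or truncated report)"; bad = 1 }
      else if (proto != want_proto) { print "FAIL negotiated " proto ", wanted " want_proto; bad = 1 }
      if (alpn != want_alpn) { print "FAIL ALPN \"" alpn "\", wanted " want_alpn; bad = 1 }
      if (!("total" in n)) { print "FAIL no requests line"; bad = 1 }
      else if (n["succeeded"] != n["total"] || n["failed"] + n["errored"] + n["timeout"] > 0) {
        print "FAIL " n["succeeded"] "/" n["total"] " requests succeeded"; bad = 1
      }
      if (!bad) print "OK " proto " " cipher " " alpn " " n["succeeded"] "/" n["total"]
      exit bad
    }'
}

sample_tls13() {  # lines taken from the h2load output quoted in the post
  cat <<'EOF'
    TLS Protocol: TLSv1.3
    Cipher: TLS_AES_256_GCM_SHA384
    Application protocol: h2
    requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
EOF
}

sample_tls12() {  # constructed: the same report from a client capped at TLS 1.2
  cat <<'EOF'
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Application protocol: h2
requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
EOF
}

sample_tls13 | check_h2load_report
sample_tls12 | check_h2load_report || echo "gate rejected the TLS 1.2 run"
```

In an interactive shell on the docker host, the report from `nghttpcmd-min h2load ...` can be piped straight into `check_h2load_report`; pass a different protocol or ALPN as the first and second arguments to change what is accepted.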
    
     
  2. buik

    buik “The best traveler is one without a camera.”

    Disco is currently Beta, as the release is set at April 18th.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Yeah it is beta... I am just glad it's released even in beta :D