Docker Image nghttp2 minimal docker image

Now that Ubuntu 19.0.4 disco beta has been released, it comes with OpenSSL 1.1.1b with TLS 1.3 support and nghttp2/h2load packages out of the box. So I do not need to source compile nghttp2/h2load with custom OpenSSL 1.1.1 version to be able to do h2load HTTP/2 HTTPS TLS 1.3 benchmark testing anymore. As such I created a new docker Ubuntu 19.0.4 container image which just has nghttp2 and OpenSSL 1.1.1b TLS 1.3 supported which is a much smaller docker image size at https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2-minimal.

nghttp2/h2load Ubuntu Docker Images

• New minimal nghttp2 docker image is only 81.3MB in size at https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2-minimal
• Older source compiled nghttp2 docker image is 1.1GB in size at https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2

Why use nghttp2 Ubuntu docker image and not CentOS natively installed ?

---

Very early on CentOS 6 and CentOS 7 didn't have the version requirements to compile for nghttp2 and h2load. To source compile the newer version dependencies for nghttp2 on CentOS would of resulted in around 90+ minutes compile time on a decent speed server. So I created the nghttp2 Ubuntu docker image which source compiled nghttp2 but had newer version dependencies.

Later, CentOS 7's EPEL YUM repo offered up nghttp2 package with h2load etc. But this is currently using nghttp2 version 1.31 but it's built against Redhat/CentOS 7's OpenSSL 1.0.2k crypto library so there is no TLS 1.3 support. So you can't run h2load HTTP/2 HTTPS TLS 1.3 load testing benchmarks like you can with nghttp2 docker images I created as their nghttp2/h2load binaries are built against newer OpenSSL 1.1.1 branch with TLS 1.3 support.

Example on CentOS 7 VPS server with h2load HTTP/2 HTTPS TLS 1.3 load testing run with docker-ubuntu-nghttp2-minimal docker image and command aliases setup as per https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2-minimal

Code (Text):

nghttpcmd-min h2load -t1 -c100 -n1000 https://centminmod.com
starting benchmark...
spawning thread #0: 100 total client(s). 1000 total requests
TLS Protocol: TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done

finished in 361.95ms, 2762.78 req/s, 116.86MB/s
requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1000 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 42.30MB (44353626) total, 99.34KB (101726) headers (space savings 88.58%), 42.13MB (44175000) data
                     min         max         mean         sd        +/- sd
time for request:     7.70ms     66.99ms     22.95ms     13.08ms    82.20%
time for connect:    18.03ms    123.57ms     73.35ms     30.97ms    57.00%
time to 1st byte:    77.81ms    155.80ms    123.33ms     26.42ms    55.00%
req/s           :      28.59       37.00       33.10        1.81    67.00%

Example for nghttp -nas statistics inspection of HTTP/2 HTTPS requests

Code (Text):

nghttpcmd-min nghttp -nas https://centminmod.com    
***** Statistics *****

Request timing:
  responseEnd: the  time  when  last  byte of  response  was  received
               relative to connectEnd
 requestStart: the time  just before  first byte  of request  was sent
               relative  to connectEnd.   If  '*' is  shown, this  was
               pushed by server.
      process: responseEnd - requestStart
         code: HTTP status code
         size: number  of  bytes  received as  response  body  without
               inflation.
          URI: request URI

see http://www.w3.org/TR/resource-timing/#processing-model

sorted by 'complete'

id  responseEnd requestStart  process code size request path
 13    +19.23ms       +188us  19.04ms  200  10K /
 55    +32.08ms     +19.29ms  12.79ms  200  25K /js/bootstrapValidator.min.js
 37    +32.24ms     +19.28ms  12.95ms  200  17K /fonts/glyphicons-halflings-regular.woff2
 17    +32.29ms     +19.27ms  13.02ms  200  482 /css/localfonts.css
 43    +33.12ms     +19.29ms  13.83ms  200  201 /js/gab_event.js
 25    +33.19ms     +19.27ms  13.92ms  200  596 /css/icons-set8.css
 31    +33.35ms     +19.28ms  14.08ms  200   2K /css/responsive.css
 29    +34.31ms     +19.28ms  15.04ms  200  24K /css/style.css
 27    +34.52ms     +19.27ms  15.25ms  200   3K /css/animate.min.css
 19    +35.57ms     +19.27ms  16.30ms  200   5K /css/font-awesome.min.css
 45    +36.56ms     +19.29ms  17.27ms  200  29K /js/jquery.min.js
 53    +36.63ms     +19.29ms  17.34ms  200  799 /js/jquery.easing.1.3.js
 51    +36.68ms     +19.29ms  17.39ms  200  979 /js/jquery.hover-dropdown-menu-addon.js
 33    +37.61ms     +19.28ms  18.33ms  200   1K /css/color.css
 47    +38.00ms     +19.29ms  18.71ms  200   9K /js/bootstrap.min.js
 49    +38.35ms     +19.29ms  19.06ms  200   6K /js/hover-dropdown-menu.js
 23    +39.34ms     +19.27ms  20.06ms  200   4K /css/hover-dropdown-menu.css
 21    +40.34ms     +19.27ms  21.07ms  200  19K /css/bootstrap.min.css
 39    +41.17ms     +19.29ms  21.88ms  200   4K /fonts/icomoon-set8.woff2?s8gaml
 41    +41.19ms     +19.29ms  21.90ms  200  21K /fonts-local/Arimo_400.woff2
 35    +41.60ms     +19.28ms  22.32ms  200  55K /fonts/fontawesome-webfont.woff2?v=4.3.0
 15    +51.60ms     +19.27ms  32.33ms  200  254 /img/favicon.png

Links

• h2load documentation h2load - HTTP/2 benchmarking tool - HOW-TO — nghttp2 1.38.0-DEV documentation

testssl, cipherscan & curltest

Also added additional command line tools for:

• testssl latest version
• cipherscan
• curltest - can check a HTTP compressed requests uncompressed versus compressed size for both gzip & brotli HTTP compressed assets.

Example commands using command alias in docker host SSH.

testssl

Code (Text):

nghttpcmd-min testssl https://centminmod.com

or testssl with some tests and not all, so this will test TLS protocols, server ssl cipher preferences, headers and client ssl cipher/protocol simulation and --quiet flag disables the testssl info message banner.

Code (Text):

nghttpcmd-min testssl -p -P -h -c --quiet https://centminmod.com

cipherscan

Code (Text):

nghttpcmd-min cipherscan https://centminmod.com
.......................................................
Target: centminmod.com:443

prio  ciphersuite                        protocols  pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  npn          pfs                 curves                                    curves_ordering
1     ECDHE-ECDSA-CHACHA20-POLY1305-OLD  TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
2     ECDHE-ECDSA-AES128-GCM-SHA256      TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
3     ECDHE-ECDSA-AES128-SHA             TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  server
4     ECDHE-ECDSA-AES128-SHA256          TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
5     ECDHE-ECDSA-AES256-GCM-SHA384      TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
6     ECDHE-ECDSA-AES256-SHA             TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  server
7     ECDHE-ECDSA-AES256-SHA384          TLSv1.2    256          ecdsa-with-SHA256        True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1                                server
8     ECDHE-RSA-CHACHA20-POLY1305-OLD    TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
9     ECDHE-RSA-AES128-GCM-SHA256        TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
10    ECDHE-RSA-AES128-SHA               TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
11    ECDHE-RSA-AES128-SHA256            TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
12    AES128-GCM-SHA256                  TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
13    AES128-SHA                         TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
14    AES128-SHA256                      TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
15    ECDHE-RSA-AES256-GCM-SHA384        TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
16    ECDHE-RSA-AES256-SHA               TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
17    ECDHE-RSA-AES256-SHA384            TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  ECDH,P-256,256bits  prime256v1,secp384r1,secp224r1,secp521r1  server
18    AES256-GCM-SHA384                  TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server
19    AES256-SHA                         TLSv1.2    2048         sha256WithRSAEncryption  True     64799        True         h2,http/1.1  None                None                                      server
20    AES256-SHA256                      TLSv1.2    2048         sha256WithRSAEncryption  True     64800        True         h2,http/1.1  None                None                                      server

OCSP stapling: supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

Intolerance to:
 SSL 3.254           : absent
 TLS 1.0             : PRESENT
 TLS 1.1             : PRESENT
 TLS 1.2             : absent
 TLS 1.3             : absent
 TLS 1.4             : absent

curltest - Can check a HTTP compressed requests uncompressed versus compressed size for both gzip & brotli HTTP compressed assets

Code (Text):

nghttpcmd-min curltest gzip https://centminmod.com
URI: https://centminmod.com (gzip)
Uncompressed size : 43.13 KiB
Compressed size   : 10.72 KiB

Code (Text):

nghttpcmd-min curltest br https://centminmod.com
URI: https://centminmod.com (br)
Uncompressed size : 43.13 KiB
Compressed size   : 10.15 KiB

 

Yeah it is beta... I am just glad it's released even in beta