
Beta Branch Nginx HTTP/2 & OpenSSL 1.1.0 patch updates

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jun 23, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    haven't looked at the code, so just to be safe for now :)

    and well Centmin Mod default Nginx version now is 1.13.1
     
  2. bassie

    bassie Active Member

    Hihi so actually you are running unstable Nginx software in centmin stable?
     
  3. eva2000

    eva2000 Administrator Staff Member

    both 123.08stable and 123.09beta01 use Nginx 1.13.1 :)

    Nginx mainline ain't unstable; it actually has more bug fixes than Nginx stable branch and is recommended by Nginx ("NGINX 1.12 and 1.13 Released"). Also mainline is source of Nginx Plus commercial builds :)
     
    Last edited: Jun 24, 2017
  4. bassie

    bassie Active Member

    Every code change could be a potential reason to get software unstable. Nevertheless the main cause that Red Hat et al choose for fixing the proven software rather than releasing new software versions.

    Only if needed the code will be changed. Nobody can get their development software more stable than their stable software, while changing code time over time and releasing new features every month. Google not. Facebook not. Microsoft not. Red Hat not.

    In case of Nginx.
    It's a simple joke to get tons of free (beta) testers for its commercial software edition.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Been using Nginx mainline for 6+ yrs :D
     
  6. bassie

    bassie Active Member

    Nothing wrong with mainline, rather than that I prefer Nginx stable for mission critical web servers.
    Nginx mainline is great to test new fresh features but testing new is nothing for your money site where the goal is to make money and not to serve the latest features via the web server.

    It's about Nginx's statement that mainline is more stable than stable. It simply can't be.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Yeah each person would need to decide what is acceptable. Nginx mainline does have more fixes though, just look at the HTTP/2 related ones since 1.12.0 tagged commit ("nginx: log"). Anyway all software is in a perpetual state of development. Just take a peek at MariaDB Jira tracker of outstanding bugs post GA releases. Essentially, stable isn't really stable and development/mainline isn't really unstable :)
     
    Last edited: Jun 25, 2017
    • Agree Agree x 1
  8. Revenge

    Revenge Active Member

    This works out of the box or we need to add something to nginx conf?
     
  9. eva2000

    eva2000 Administrator Staff Member

    once patched should work out of box for HTTP/2 based sites
     
    • Like Like x 1
  10. rdan

    rdan Premium Member Premium Member

    Why doesn't support LibreSSL?
     
  11. eva2000

    eva2000 Administrator Staff Member

    haven't tested it that's why :)
     
  12. pamamolf

    pamamolf Well-Known Member

    Can you please post more details on this?

    Code:
    once patched should work out of box for HTTP/2 based sites
    I guess having the latest updates for Centminmod and recompiling the Nginx to 1.13.1 should auto work?

    In case that I have a self signed certificate and use the Cloudflare one in front will be ok?

    In case that I use Let's Encrypt?
     
  13. eva2000

    eva2000 Administrator Staff Member

    following 1st post instructions to enable it first before recompiling nginx 1.13.1+
    Wouldn't do much as Cloudflare flexible SSL talks to non-https origin server. Only Cloudflare full SSL would talk to https origin would have some benefit somewhat.
     
    • Like Like x 1
  14. rdan

    rdan Premium Member Premium Member

  15. eva2000

    eva2000 Administrator Staff Member

    • Winner Winner x 2
  16. eva2000

    eva2000 Administrator Staff Member

    update looking good for HPACK full encoding patch + LibreSSL 2.5.4 (with default LIBRESSL_SWITCH='y')
    with persistent config set with /etc/centminmod/custom_config.inc
    Code (Text):
    NGINX_HPACK='y'
    

    to enable Cloudflare's HPACK full encoding patch for Nginx 1.13.1+
    Code (Text):
    url=https://domain.com
    
    for i in $(seq 1 8); do echo "h2load run $i"; h2load $url -n $i | tail -6 | head -1; done 
    h2load run 1
    traffic: 4.02KB (4117) total, 249B (249) headers (space savings 34.99%), 3.71KB (3801) data
    h2load run 2
    traffic: 7.76KB (7951) total, 264B (264) headers (space savings 65.54%), 7.42KB (7602) data
    h2load run 3
    traffic: 11.51KB (11785) total, 279B (279) headers (space savings 75.72%), 11.14KB (11403) data
    h2load run 4
    traffic: 15.25KB (15619) total, 294B (294) headers (space savings 80.81%), 14.85KB (15204) data
    h2load run 5
    traffic: 18.00KB (19453) total, 309B (309) headers (space savings 83.86%), 18.56KB (19005) data
    h2load run 6
    traffic: 22.74KB (23287) total, 324B (324) headers (space savings 85.90%), 22.27KB (22806) data
    h2load run 7
    traffic: 26.49KB (27121) total, 339B (339) headers (space savings 87.36%), 25.98KB (26607) data
    h2load run 8
    traffic: 30.23KB (30955) total, 354B (354) headers (space savings 88.45%), 29.70KB (30408) data
    
     
    • Winner Winner x 2
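
    Added example (not part of the thread, and not Centmin Mod or nghttp2 code): a Python parser for the h2load "traffic:" lines quoted in the post above. It shows why the space savings figure climbs with each run: with HPACK's dynamic table in use, the first response pays for its headers in full and every repeat adds only a few bytes. The function names and the "under half the first response" threshold are assumptions made for this illustration; the sample is the first four runs from the post.

```python
import re

# Constructed sample: the "traffic:" lines from h2load runs 1-4 quoted above.
SAMPLE = """\
traffic: 4.02KB (4117) total, 249B (249) headers (space savings 34.99%), 3.71KB (3801) data
traffic: 7.76KB (7951) total, 264B (264) headers (space savings 65.54%), 7.42KB (7602) data
traffic: 11.51KB (11785) total, 279B (279) headers (space savings 75.72%), 11.14KB (11403) data
traffic: 15.25KB (15619) total, 294B (294) headers (space savings 80.81%), 14.85KB (15204) data
"""

TRAFFIC_RE = re.compile(
    r"traffic:.*?\((\d+)\) total,.*?\((\d+)\) headers "
    r"\(space savings ([\d.]+)%\),.*?\((\d+)\) data"
)

def parse_traffic(text):
    """Return one dict per h2load 'traffic:' line, in input order."""
    rows = []
    for m in TRAFFIC_RE.finditer(text):
        total, headers, savings, data = m.groups()
        rows.append({"total": int(total), "headers": int(headers),
                     "savings": float(savings), "data": int(data)})
    return rows

def hpack_report(rows):
    """Assumes row i came from `h2load -n i+1` against one URL on one connection."""
    first = rows[0]["headers"]
    # Uncompressed header bytes per response, implied by run 1's savings figure.
    raw_per_response = round(first / (1 - rows[0]["savings"] / 100))
    # Extra compressed header bytes each additional request costs.
    marginal = [b["headers"] - a["headers"] for a, b in zip(rows, rows[1:])]
    # Savings recomputed from the byte counts; should match h2load's own figure.
    predicted = [round(100 * (1 - r["headers"] / (raw_per_response * (i + 1))), 2)
                 for i, r in enumerate(rows)]
    return {
        "first_response_bytes": first,
        "raw_per_response": raw_per_response,
        "marginal_bytes": marginal,
        "predicted_savings": predicted,
        # Heuristic (assumption): repeats costing well under half the first
        # response indicate the encoder is reusing dynamic-table entries.
        "dynamic_table_in_use": bool(marginal) and max(marginal) < first / 2,
    }

if __name__ == "__main__":
    print(hpack_report(parse_traffic(SAMPLE)))
```

    To use it on a live run, pipe the output of the h2load loop from the post into a file and pass its contents to `parse_traffic`. If the marginal bytes stay close to the first response's header size, repeated headers are not being served from the dynamic table.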
  17. rdan

    rdan Premium Member Premium Member

  18. rdan

    rdan Premium Member Premium Member

    Code:
    nginx version: nginx/1.13.2
    built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
    built with LibreSSL 2.5.4
    TLS SNI support enabled
    configure arguments: 
    --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' 
    --with-cc-opt='-m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold 
    --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' 
    --sbin-path=/usr/local/sbin/nginx 
    --conf-path=/usr/local/nginx/conf/nginx.conf 
    --with-compat 
    --with-http_ssl_module 
    --with-http_v2_module 
    --with-http_v2_hpack_enc 
    --with-http_gzip_static_module 
    --add-dynamic-module=../ngx_brotli 
    --with-openssl=../libressl-2.5.4 
    --with-libatomic 
    --with-pcre=../pcre-8.40 
    --with-pcre-jit 
    --with-zlib=../zlib-1.2.11 
    --add-dynamic-module=../ngx_pagespeed-1.12.34.2-beta
    
     
    • Like Like x 1
  19. eva2000

    eva2000 Administrator Staff Member

    looking good

    need nghttp2's h2load stress testing tool mentioned at "HPACK: the silent killer (feature) of HTTP/2"
    nghttp2 has too many dependencies that have newer versions than CentOS can provide via rpm install and source install would take ~1-2hrs. That is why I created an Ubuntu 17.10 based docker image for HTTP/2 testing tools including nghttp2 which is source compiled https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2/
     
    Last edited: Jun 29, 2017
    • Like Like x 1
  20. Sunka

    Sunka Well-Known Member

    This is only for those who use Cloudflare?
     