Beta Branch update Nginx dynamic TLS & HPACK patch support in 123.09beta01

eva2000 · Jan 27, 2022

update Nginx dynamic TLS & HPACK patch support in 123.09beta01

- Update optional HTTP/2 HPACK full encoding & TLS dynamic record size patch support for Nginx 1.21.5 and 1.21.6
- Added 2 variables to control the max Nginx version supported for patching to control any future breakage in Nginx new versions

NGINX_HPACK_ALLOWED_VER='1021006' # Max allowed Nginx version for Nginx HTTP/2 HPACK full encoding patch support
NGINX_DYNAMICTLS_ALLOWED_VER='1021006' # Max allowed Nginx version for Nginx Dynamic TLS patch support

These 2 variables can also be set in persistent config file /etc/centminmod/custom_config.inc to override the defaults to enable newer Nginx versions to at least try to patch HTTP/2 HPACK and TLS dynamic record size patches. i.e. setting below will allow Nginx 1.21.7 to try patching

NGINX_HPACK_ALLOWED_VER='1021007' # Max allowed Nginx version for Nginx HTTP/2 HPACK full encoding patch support
NGINX_DYNAMICTLS_ALLOWED_VER='1021007' # Max allowed Nginx version for Nginx Dynamic TLS patch support

Though if Nginx 1.21.7 has breaking code changes that break patch support, the Nginx will fail to patch and Nginx server may not start properly. Hence, why optional HTTP/2 HPACK full encoding & TLS dynamic record size patch support is always incrementally tested and enabled with each Nginx version. You can use these 2 new variables to control this before Centmin Mod's official updates.

Continue reading...

123.09beta01 branch

Branch: https://github.com/centminmod/centminmod/tree/123.09beta01

Commit History: https://github.com/centminmod/centminmod/commits/123.09beta01

happyhacking · Jun 8, 2022

Confirmed to work properly with Nginx 1.22.0:
Code:
NGINX_HPACK_ALLOWED_VER='1022000'
NGINX_DYNAMICTLS_ALLOWED_VER='1022000'

eva2000 · Jun 8, 2022

happyhacking said: ↑
Confirmed to work properly with Nginx 1.22.0:
Code:
NGINX_HPACK_ALLOWED_VER='1022000'
NGINX_DYNAMICTLS_ALLOWED_VER='1022000'
Click to expand...
Thanks for the confirmation!

buik · Jun 8, 2022

eva2000 said: ↑

Thanks for the confirmation!
Click to expand...

Nginx TLS dynamic record sizing is almost 6 and a half years old.
Is this patch code still effective vs. upstream?

eva2000 · Jun 9, 2022

buik said: ↑

Nginx TLS dynamic record sizing is almost 6 and a half years old.
Is this patch code still effective vs. upstream?
Click to expand...

True haven't checked in wireshark but it does patch on latest Nginx versions.

The original discussions at https://community.centminmod.com/th...cy-tls-dynamic-record-sizing.7592/#post-32112 and https://community.centminmod.com/th...cy-tls-dynamic-record-sizing.7592/#post-32120 and https://community.centminmod.com/th...cy-tls-dynamic-record-sizing.7592/#post-32129 might shed more light on checking if it's still effective from end users perspective.

And impact over mobile speed connections https://community.centminmod.com/th...-dynamic-record-sizing.7592/page-2#post-32167

eva2000 said: ↑

Much older article but it's the reason Nginx eventually had an ssl_buffer_size value in the first place Optimizing TLS Record Size & Buffering Latency - igvita.com Good background reading

guess we should be testing benefits over mobile speed connections and not cable and higher

this next section is why ssl_buffer_size option came into being and why Centmin Mod Nginx defaulted to ssl_buffer_size = 1400 bytes (and now 1369 bytes default in 123.09beta01)

Eliminating TLS latency
The larger the TLS record size, the higher the likelihood that we may incur an additional roundtrip due to a TCP retransmission or "overflow" of the congestion window. That said, the fix is also relatively simple: send smaller records. In fact, to eliminate this problem entirely, configure your TLS record size to fit into a single TCP segment.

If the TCP congestion window is small (i.e. during slow-start), or if we're sending interactive data that should be processed as soon as possible (in other words, most HTTP traffic), then small record size helps mitigate costly latency overhead of yet another layer of buffering.
Click to expand...

Click to expand...

eva2000 said: ↑

Every single test showed a page speed and faster initiate perceived page rendering with Cloudflare's Nginx Dynamic TLS Size patch enabled And my site is very minimal for graphics and mainly text. So I'd imagine for sites with alot of images, you'd have even much more of a benefit

A big hugs and kisses to Cloudflare for sharing their patches

Speedindex chart is the one I am mainly concerned with for perceived initial page render times and seems Time To First Byte and Time to Start Render also show the same pattern of benefits after Cloudflare Nginx Dynamic TLS patch is applied.

FYI, for before and after - Centmin Mod 123.09beta01 default ssl_buffer_size is set at 1369 bytes
Click to expand...

eva2000 said: ↑

the above are the results of before vs after nginx dynamic tls size patch both with ssl_buffer_size = 1369 bytes. Didn't do tests without ssl_buffer_size specifically set to regular 16384 bytes which non-Centmin Mod Nginx sets to which is never optimal to begin with (without nginx dynamic tls patch)

default threshold is 40 records

so the patch starts with 1369 bytes sent for up to 1+40 = 41 records so first 41 x 1369 bytes = 56,129 bytes = 54.813 KB before the patch starts sending the ssl_dync_rec_size_hi 4229 bytes based records for another 40 records = 40 x 4229 = 169,160 bytes (165.19KB) before you fall back to ssl_buffer_size of 16KB for non-Centmin Mod Nginx or 1369 bytes for Centmin Mod Nginx

so 1st stage up to 54.813KB then next 165.19KB so < 220KB (54.813+165.19) before you fall back to ssl_buffer_size of 16KB for non-Centmin Mod Nginx or 1369 bytes for Centmin Mod Nginx
Click to expand...

Though these days there's so many optimisations (from Cloudflare as well) that can effect TTFB improvements too. So if you have Cloudflare in front, Cloudflare serving visitors wouldn't factor in Centmin Mod Nginx dynamic TLS record size patch on that end but will for connection between Cloudflare and Centmin Mod Nginx origin server. But Cloudflare to Centmin Mod Nginx origin connection wouldn't be on slow mobile but fast networks so the benefits of dynamic TLS record size patch might be a lot less. Round trip times on mobile devices can be between 300-800ms while round trip times between Cloudflare Edge servers and Centmin Mod Nginx would be between 50-150ms due to CF having closer datacenters, so saving round trip times with Nginx dynamic TLS record size patch won't have that big of an impact between CF and Centmin Mod Nginx origin servers.

But I don't see any negatives in enabling dynamic TLS record size patches.

Log in / Register

Forums

Welcome to Centmin Mod Community

Beta Branch update Nginx dynamic TLS & HPACK patch support in 123.09beta01

eva2000 Administrator Staff Member

happyhacking Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

Beta Branch update Nginx dynamic TLS & HPACK patch support in 123.09beta01

eva2000 Administrator Staff Member

happyhacking Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

.