Skip to content
This repository has been archived by the owner on Apr 17, 2019. It is now read-only.

Commit

Permalink
Add support for dynamic TLS records and spdy
Browse files Browse the repository at this point in the history
  • Loading branch information
aledbf committed Jul 1, 2016
1 parent e2a8815 commit a718cbe
Show file tree
Hide file tree
Showing 4 changed files with 37 additions and 12 deletions.
8 changes: 1 addition & 7 deletions ingress/controllers/nginx/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -12,19 +12,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM gcr.io/google_containers/nginx-slim:0.7
FROM gcr.io/google_containers/nginx-slim:0.8

RUN apt-get update && apt-get install -y \
diffutils \
--no-install-recommends \
&& rm -rf /var/lib/apt/lists/*

# Download of GeoIP databases
RUN curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
&& curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
&& gunzip /etc/nginx/GeoIP.dat.gz \
&& gunzip /etc/nginx/GeoLiteCity.dat.gz

COPY nginx-ingress-controller /
COPY nginx.tmpl /etc/nginx/template/nginx.tmpl
COPY default.conf /etc/nginx/nginx.conf
Expand Down
17 changes: 16 additions & 1 deletion ingress/controllers/nginx/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ This is a nginx Ingress controller that uses [ConfigMap](https://github.com/kube
* [NGINX status page](#nginx-status-page)
* [Debug & Troubleshooting](#troubleshooting)
* [Limitations](#limitations)

* [NGINX Notes](#nginx-notes)

## Conventions

Expand Down Expand Up @@ -253,3 +253,18 @@ I0316 12:24:37.610073 1 command.go:69] change in configuration detected. R
## Limitations

- Ingress rules for TLS require the definition of the field `host`


## NGINX notes

Since `gcr.io/google_containers/nginx-slim:0.8` NGINX contains the next patches:
- Dynamic TLS record size [nginx__dynamic_tls_records.patch](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/)
NGINX provides the parameter `ssl_buffer_size` to adjust the size of the buffer. Default value in NGINX is 16KB. The ingress controller changes the default to 4KB. This improves the [TLS Time To First Byte (TTTFB)](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) but the size is fixed. This patches adapts the size of the buffer to the content is being served helping to improve the perceived latency.

- Add SPDY support back to Nginx with HTTP/2 [nginx_1_9_15_http2_spdy.patch](https://github.com/cloudflare/sslconfig/pull/36)
At the same NGINX introduced HTTP/2 support for SPDY was removed. This patch add support for SPDY wichout compromising HTTP/2 support using the Application-Layer Protocol Negotiation (ALPN) or Next Protocol Negotiation (NPN) Transport Layer Security (TLS) extension to negotiate what protocol the server and client support
```
openssl s_client -servername www.my-site.com -connect www.my-site.com:443 -nextprotoneg ''
CONNECTED(00000003)
Protocols advertised by server: h2, spdy/3.1, http/1.1
```
6 changes: 5 additions & 1 deletion ingress/controllers/nginx/nginx.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,10 @@ http {
ssl_dhparam {{ .sslDHParam }};
{{ end }}

{{- if not $cfg.enableDynamicTlsRecords }}
ssl_dyn_rec_size_lo 0;
{{ end }}

{{- if .customErrors }}
# Custom error pages
proxy_intercept_errors on;
Expand Down Expand Up @@ -178,7 +182,7 @@ http {
server {
server_name {{ $server.Name }};
listen 80{{ if $cfg.useProxyProtocol }} proxy_protocol{{ end }};
{{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.useHttp2 }}http2{{ end }};
{{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.enableSpdy }}spdy{{ end }} {{ if $cfg.useHttp2 }}http2{{ end }};
{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
# PEM sha: {{ $server.SSLPemChecksum }}
ssl_certificate {{ $server.SSLCertificate }};
Expand Down
18 changes: 15 additions & 3 deletions ingress/controllers/nginx/nginx/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,16 @@ type Configuration struct {
// Sets the maximum allowed size of the client request body
BodySize string `structs:"body-size,omitempty"`

// EnableDynamicTLSRecords enables dynamic TLS record sizes
// https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency
// By default this is enabled
EnableDynamicTLSRecords bool `structs:"enable-dynamic-tls-records"`

// EnableSPDY enables spdy and use ALPN and NPN to advertise the availability of the two protocols
// https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code
// By default this is enabled
EnableSPDY bool `structs:"enable-spdy"`

// EnableStickySessions enabled sticky sessions using cookies
// https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
// By default this is disabled
Expand Down Expand Up @@ -251,9 +261,11 @@ type Configuration struct {
// in the file default-conf.json
func NewDefault() Configuration {
cfg := Configuration{
BodySize: bodySize,
ErrorLogLevel: errorLevel,
HSTS: true,
BodySize: bodySize,
EnableDynamicTLSRecords: true,
EnableSPDY: true,
ErrorLogLevel: errorLevel,
HSTS: true,
HSTSIncludeSubdomains: true,
HSTSMaxAge: hstsMaxAge,
GzipTypes: gzipTypes,
Expand Down

0 comments on commit a718cbe

Please sign in to comment.