mp4 + ssl

Андрей Василишин
May 15, 2017 02:42PM
Hello everyone!
With the wholesale SSL-ization of the Internet, it is now mp4 streaming's
turn. Yesterday's test showed that at 15k connections it was already
slowly starting to hit the CPU limit, with 32 Gbit/s of traffic at peak.
Today, without SSL, at the same 15k connections there is 40 Gbit/s of
traffic and the CPU is idling. Maybe something needs to be tuned somewhere
in the config? The SSL config is below:

listen 443 ssl;
add_header Strict-Transport-Security "max-age=0;";
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# ssl on;
ssl_certificate /etc/nginx/ssl/site.com.crt;
ssl_certificate_key /etc/nginx/ssl/privatekey.key;
ssl_trusted_certificate /etc/nginx/ssl/site.com.crt;
# must contain 48 or 80 bytes
# openssl rand 48 > /etc/nginx/ssl/current.key
ssl_session_ticket_key /etc/nginx/ssl/current.key;
ssl_session_ticket_key /etc/nginx/ssl/prev.key;
ssl_session_ticket_key /etc/nginx/ssl/prevprev.key;

# Use 2048 bit Diffie-Hellman RSA key parameters
# (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption
# when using PFS)
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;

# make the server choose the best cipher instead of the browser
# Perfect Forward Secrecy(PFS) is frequently compromised without this
ssl_prefer_server_ciphers on;

# support only believed secure ciphersuites using the following priority:
# 1.) prefer PFS enabled ciphers
# 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now)
# 3.) Support DES3 for IE8 support

# disable the following ciphersuites completely
# 1.) null ciphers
# 2.) ciphers with low security
# 3.) fixed ECDH cipher (does not allow for PFS)
# 4.) known vulnerable ciphers (MD5, RC4, etc)
# 5.) little-used ciphers (Camellia, Seed)
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';

## OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

# Cache SSL Sessions for up to 10 minutes
# This improves performance by avoiding the costly session negotiation process where possible
ssl_session_cache builtin:10000 shared:SSL:100m;
# ssl_session_timeout 5m; # this is a default, but can be changed
ssl_session_timeout 1h;
_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru
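
Added example, not part of the original post: a rotation routine for the three ssl_session_ticket_key files listed in the config above. nginx encrypts new tickets with the first listed key and uses the others only to decrypt, so shifting current -> prev -> prevprev keeps resumption (and the handshake CPU it saves) working while limiting how long one key protects resumed sessions. The function names and the ".new" temporary file are hypothetical; the file names come from the config.

```shell
#!/bin/sh
# Added example: rotate current.key / prev.key / prevprev.key in one directory.
# Function names and the "current.key.new" temp file are assumptions.

# Write a fresh 48-byte ticket key to $1, readable by the owner only.
new_ticket_key() {
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand 48 > "$1"
        else
            head -c 48 /dev/urandom > "$1"
        fi
    )
}

# Shift the key files in directory $1 by one generation.
rotate_ticket_keys() {
    dir=$1
    tmp="$dir/current.key.new"

    new_ticket_key "$tmp" || return 1
    # Refuse to install a truncated key: the file must be exactly 48 bytes.
    size=$(wc -c < "$tmp")
    [ "$((size))" -eq 48 ] || { rm -f "$tmp"; return 1; }

    # First run: nginx will not start if a listed key file is missing.
    for name in current prev prevprev; do
        [ -f "$dir/$name.key" ] || new_ticket_key "$dir/$name.key" || return 1
    done

    # Oldest key is dropped; the key that encrypted yesterday's tickets
    # stays available for decryption in the second slot.
    mv -f "$dir/prev.key" "$dir/prevprev.key" &&
    mv -f "$dir/current.key" "$dir/prev.key" &&
    mv -f "$tmp" "$dir/current.key"
}

# Typical use from cron, on whatever schedule the operator picks:
#   rotate_ticket_keys /etc/nginx/ssl && nginx -s reload
```

On a multi-server setup the same three files have to be distributed to every node before the reload, otherwise tickets issued by one node fail to resume on another.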