karljohns0n / nginx-more

Development repository for nginx-more package
MIT License

Enable kTLS #28

Closed karljohns0n closed 1 year ago

karljohns0n commented 2 years ago

kTLS

Enable kTLS support for RHEL8+ build

URL: https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/

Requirements

w796933 commented 2 years ago

Is kTLS supported now?

karljohns0n commented 2 years ago

I pushed nginx-more-1.22.0-4.el8.x86_64 to the testing repo, which now includes kTLS support.

[root@nginx ~]# nginx -V
nginx version: nginx/1.22.0
custom build maintained on github.com/karljohns0n/nginx-more
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-10) (GCC) 
built with OpenSSL 3.0.5 5 Jul 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/cache/client_body --http-proxy-temp-path=/var/lib/nginx/cache/proxy --http-fastcgi-temp-path=/var/lib/nginx/cache/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/cache/uwsgi --http-scgi-temp-path=/var/lib/nginx/cache/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-compat --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_geoip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-http_slice_module --with-stream_ssl_preread_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -DTCP_FASTOPEN=23' --with-openssl=modules/openssl-3.0.5 --with-openssl-opt=enable-ktls --with-http_v2_hpack_enc --add-dynamic-module=modules/ngx_modsecurity-1.0.3 --add-module=modules/ngx_headers_more-0.34 --add-module=modules/ngx_cache_purge-2.3 --add-module=modules/ngx_module_vts-0.1.18 --add-module=modules/ngx_pagespeed-1.13.35.2-stable 
--add-module=modules/ngx_brotli-snap20220505 --add-module=modules/ngx_http_geoip2_module-3.4 --add-module=modules/ngx_echo-0.62

skrlance commented 2 years ago

I tried kTLS today on two of my VPS with AlmaLinux 8.6, kernel 4.18, using nginx-more v1.22.0-4, and I can see that my website performance is much improved. I didn't find any errors or problems while using it on them. So, I believe this issue should be marked resolved!

skrlance commented 2 years ago

My update: It seems that for AlmaLinux with kernel 4.18, nginx-more kTLS works on TLS 1.2 only! There was an error log when used on TLS 1.3. I have two VPS ready with AlmaLinux 9, kernel 5.14, where kTLS should work on TLS 1.3; however, I check every day and don't see that Karl has compiled the nginx-more repo for EL9! Hope we get EL9 repos soon!!
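
The build and configuration prerequisites discussed in this thread, as an added example that is not part of the thread or of the nginx-more project: a shell check that reads `nginx -V` output for OpenSSL 3+ built with `enable-ktls`, and an nginx config for an active `ssl_conf_command Options KTLS;`. The sample inputs are constructed, the function names are hypothetical, and the directive comes from nginx/OpenSSL 3 rather than from the posts above; the kernel side is not checked.

```shell
#!/bin/sh
# Added example: static checks for kTLS readiness of an nginx build and config.
# Assumes OpenSSL is compiled into nginx (--with-openssl=...), as in the thread.

# Constructed sample, abbreviated from the `nginx -V` output quoted above.
SAMPLE_V='nginx version: nginx/1.22.0
built with OpenSSL 3.0.5 5 Jul 2022
configure arguments: --with-http_ssl_module --with-openssl=modules/openssl-3.0.5 --with-openssl-opt=enable-ktls'

# Constructed config; example.test is a placeholder. The directive below is
# not quoted in the thread; it is the nginx/OpenSSL 3 switch that enables kTLS.
SAMPLE_CONF='http {
    sendfile on;
    server {
        listen 443 ssl;
        server_name example.test;
        ssl_conf_command Options KTLS;
    }
}'

# Succeeds if the build reports OpenSSL 3+ configured with enable-ktls.
ktls_build_ok() {
    kb_major=$(printf '%s\n' "$1" |
        sed -n 's/^built with OpenSSL \([0-9][0-9]*\)\..*/\1/p' | head -n 1)
    [ -n "$kb_major" ] && [ "$kb_major" -ge 3 ] || return 1
    # The option may be bare or inside a quoted, space-separated list.
    printf '%s\n' "$1" |
        grep -Eq "^configure arguments:.*--with-openssl-opt=('[^']*|[^ ]*)enable-ktls"
}

# Succeeds if the directive (an ERE, $2) appears on an uncommented config line.
# Simplification: any '#' starts a comment, even inside a quoted string.
conf_has() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Eq "^[[:space:]]*${2}[[:space:]]*;"
}

# Prints one finding per line; returns 0 only if build and config both pass.
ktls_report() {
    kr_rc=0
    ktls_build_ok "$1" && echo "OK   build: OpenSSL 3+ with enable-ktls" ||
        { echo "FAIL build: need OpenSSL 3+ built with enable-ktls"; kr_rc=1; }
    conf_has "$2" 'ssl_conf_command[[:space:]]+Options[[:space:]]+KTLS' &&
        echo "OK   config: ssl_conf_command Options KTLS" ||
        { echo "FAIL config: ssl_conf_command Options KTLS not set"; kr_rc=1; }
    conf_has "$2" 'sendfile[[:space:]]+on' ||
        echo "WARN config: sendfile is off, so nginx cannot use SSL_sendfile() with kTLS"
    return "$kr_rc"
}
ktls_report "$SAMPLE_V" "$SAMPLE_CONF"
```

On a live host the same functions can be fed `"$(nginx -V 2>&1)"` and `"$(nginx -T 2>/dev/null)"` in place of the constructed samples.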