Optimize SSL session

This commit is contained in:
sakkiii 2021-05-18 19:39:43 +05:30
parent 2606b41b16
commit e9b878b9e9
10 changed files with 89 additions and 1 deletions

View File

@ -386,6 +386,34 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
matrix_ssl_pre_obtaining_required_service_name: ~ matrix_ssl_pre_obtaining_required_service_name: ~
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60 matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
# Nginx Optimize SSL Session
#
# ssl_session_cache:
# - Creating a cache of TLS connection parameters reduces the number of handshakes
# and thus can improve the performance of application.
# - Default session cache is not optimal as it can be used by only one worker process
# and can cause memory fragmentation. It is much better to use shared cache.
# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
#
# ssl_session_timeout:
# - Nginx by default it is set to 5 minutes which is very low.
# should be like 4h or 1d but will require you to increase the size of cache.
# - Learn More:
# https://github.com/certbot/certbot/issues/6903
# https://github.com/mozilla/server-side-tls/issues/198
#
# ssl_session_tickets:
# - In case of session tickets, information about session is given to the client.
# Enabling this improve performance also make Perfect Forward Secrecy useless.
# - If you would instead like to use ssl_session_tickets by yourself, you can set
# matrix_nginx_proxy_ssl_session_tickets_off false.
# - Learn More: https://github.com/mozilla/server-side-tls/issues/135
#
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"
matrix_nginx_proxy_ssl_session_timeout: "1d"
matrix_nginx_proxy_ssl_session_tickets_off: true
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance. # OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
# OCSP stapling can provide a performance boost of up to 30% # OCSP stapling can provide a performance boost of up to 30%
# nginx web server supports OCSP stapling since version 1.3.7. # nginx web server supports OCSP stapling since version 1.3.7.

View File

@ -76,6 +76,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}

View File

@ -80,6 +80,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}

View File

@ -85,6 +85,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}

View File

@ -83,6 +83,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}

View File

@ -208,6 +208,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}
@ -248,6 +254,12 @@ server {
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }}; ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{% endif %} {% endif %}
location / { location / {

View File

@ -91,6 +91,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}

View File

@ -125,6 +125,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}

View File

@ -68,6 +68,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}

View File

@ -82,6 +82,12 @@ server {
ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem; ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
{% endif %} {% endif %}
{% if matrix_nginx_proxy_ssl_session_tickets_off %}
ssl_session_tickets off;
{% endif %}
ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
{{ render_vhost_directives() }} {{ render_vhost_directives() }}
} }
{% endif %} {% endif %}