Add support for dynamic TLS records and spdy

controllers/nginx/Dockerfile

@@ -12,19 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/google_containers/nginx-slim:0.7
+FROM gcr.io/google_containers/nginx-slim:0.8
 
 RUN apt-get update && apt-get install -y \
   diffutils \
   --no-install-recommends \
   && rm -rf /var/lib/apt/lists/*
 
-# Download of GeoIP databases
-RUN curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
-  && curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
-  && gunzip /etc/nginx/GeoIP.dat.gz \
-  && gunzip /etc/nginx/GeoLiteCity.dat.gz
-
 COPY nginx-ingress-controller /
 COPY nginx.tmpl /etc/nginx/template/nginx.tmpl
 COPY default.conf /etc/nginx/nginx.conf

controllers/nginx/README.md

@@ -18,7 +18,7 @@ This is a nginx Ingress controller that uses [ConfigMap](https://github.com/kube
 * [NGINX status page](#nginx-status-page)
 * [Debug & Troubleshooting](#troubleshooting)
 * [Limitations](#limitations)
-
+* [NGINX Notes](#nginx-notes)
 
 ## Conventions
 
@@ -253,3 +253,18 @@ I0316 12:24:37.610073       1 command.go:69] change in configuration detected. R
 ## Limitations
 
 - Ingress rules for TLS require the definition of the field `host`
+
+
+## NGINX notes
+
+Since `gcr.io/google_containers/nginx-slim:0.8` NGINX contains the next patches:
+- Dynamic TLS record size [nginx__dynamic_tls_records.patch](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/)
+NGINX provides the parameter `ssl_buffer_size` to adjust the size of the buffer. Default value in NGINX is 16KB. The ingress controller changes the default to 4KB. This improves the [TLS Time To First Byte (TTTFB)](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) but the size is fixed. This patches adapts the size of the buffer to the content is being served helping to improve the perceived latency.
+
+- Add SPDY support back to Nginx with HTTP/2 [nginx_1_9_15_http2_spdy.patch](https://github.com/cloudflare/sslconfig/pull/36)
+At the same NGINX introduced HTTP/2 support for SPDY was removed. This patch add support for SPDY wichout compromising HTTP/2 support using the Application-Layer Protocol Negotiation (ALPN) or Next Protocol Negotiation (NPN) Transport Layer Security (TLS) extension to negotiate what protocol the server and client support
+```
+openssl s_client -servername www.my-site.com -connect www.my-site.com:443 -nextprotoneg ''
+CONNECTED(00000003)
+Protocols advertised by server: h2, spdy/3.1, http/1.1
+```

controllers/nginx/nginx.tmpl

@@ -145,6 +145,10 @@ http {
     ssl_dhparam {{ .sslDHParam }};
     {{ end }}
 
+    {{- if not $cfg.enableDynamicTlsRecords }}
+    ssl_dyn_rec_size_lo 0;
+    {{ end }}
+
     {{- if .customErrors }}
     # Custom error pages
     proxy_intercept_errors on;
@@ -178,7 +182,7 @@ http {
     server {
         server_name {{ $server.Name }};
         listen 80{{ if $cfg.useProxyProtocol }} proxy_protocol{{ end }};
-        {{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.useHttp2 }}http2{{ end }};
+        {{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.enableSpdy }}spdy{{ end }} {{ if $cfg.useHttp2 }}http2{{ end }};
         {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
         # PEM sha: {{ $server.SSLPemChecksum }}        
         ssl_certificate {{ $server.SSLCertificate }};

controllers/nginx/nginx/config/config.go

@@ -78,6 +78,16 @@ type Configuration struct {
 	// Sets the maximum allowed size of the client request body
 	BodySize string `structs:"body-size,omitempty"`
 
+	// EnableDynamicTLSRecords enables dynamic TLS record sizes
+	// https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency
+	// By default this is enabled
+	EnableDynamicTLSRecords bool `structs:"enable-dynamic-tls-records"`
+
+	// EnableSPDY enables spdy and use ALPN and NPN to advertise the availability of the two protocols
+	// https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code
+	// By default this is enabled
+	EnableSPDY bool `structs:"enable-spdy"`
+
 	// EnableStickySessions enabled sticky sessions using cookies
 	// https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
 	// By default this is disabled
@@ -251,9 +261,11 @@ type Configuration struct {
 // in the file default-conf.json
 func NewDefault() Configuration {
 	cfg := Configuration{
-		BodySize:      bodySize,
+		BodySize:                bodySize,
-		ErrorLogLevel: errorLevel,
+		EnableDynamicTLSRecords: true,
-		HSTS:          true,
+		EnableSPDY:              true,
+		ErrorLogLevel:           errorLevel,
+		HSTS:                    true,
 		HSTSIncludeSubdomains:    true,
 		HSTSMaxAge:               hstsMaxAge,
 		GzipTypes:                gzipTypes,