DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add support for dynamic TLS records and spdy

Browse source
This commit is contained in:
Manuel de Brito Fontes 2016-06-18 17:03:27 -04:00
parent 8bbf869030
commit 09d7b756db
4 changed files with 37 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
controllers/nginx/Dockerfile
View file

@ -12,19 +12,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
FROM gcr.io/google_containers/nginx-slim:0.7
FROM gcr.io/google_containers/nginx-slim:0.8
RUN apt-get update && apt-get install -y \
diffutils \
--no-install-recommends \
&& rm -rf /var/lib/apt/lists/*
# Download of GeoIP databases
RUN curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
&& curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
&& gunzip /etc/nginx/GeoIP.dat.gz \
&& gunzip /etc/nginx/GeoLiteCity.dat.gz
COPY nginx-ingress-controller /
COPY nginx.tmpl /etc/nginx/template/nginx.tmpl
COPY default.conf /etc/nginx/nginx.conf

17
controllers/nginx/README.md
View file

@ -18,7 +18,7 @@ This is a nginx Ingress controller that uses [ConfigMap](https://github.com/kube
* [NGINX status page](#nginx-status-page)
* [Debug & Troubleshooting](#troubleshooting)
* [Limitations](#limitations)
* [NGINX Notes](#nginx-notes)
## Conventions
@ -253,3 +253,18 @@ I0316 12:24:37.610073 1 command.go:69] change in configuration detected. R
## Limitations
- Ingress rules for TLS require the definition of the field `host`
## NGINX notes
Since `gcr.io/google_containers/nginx-slim:0.8` NGINX contains the next patches:
- Dynamic TLS record size [nginx__dynamic_tls_records.patch](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/)
NGINX provides the parameter `ssl_buffer_size` to adjust the size of the buffer. Default value in NGINX is 16KB. The ingress controller changes the default to 4KB. This improves the [TLS Time To First Byte (TTTFB)](https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/) but the size is fixed. This patches adapts the size of the buffer to the content is being served helping to improve the perceived latency.
- Add SPDY support back to Nginx with HTTP/2 [nginx_1_9_15_http2_spdy.patch](https://github.com/cloudflare/sslconfig/pull/36)
At the same NGINX introduced HTTP/2 support for SPDY was removed. This patch add support for SPDY wichout compromising HTTP/2 support using the Application-Layer Protocol Negotiation (ALPN) or Next Protocol Negotiation (NPN) Transport Layer Security (TLS) extension to negotiate what protocol the server and client support
```
openssl s_client -servername www.my-site.com -connect www.my-site.com:443 -nextprotoneg ''
CONNECTED(00000003)
Protocols advertised by server: h2, spdy/3.1, http/1.1
```

6
controllers/nginx/nginx.tmpl
View file

@ -145,6 +145,10 @@ http {
ssl_dhparam {{ .sslDHParam }};
{{ end }}
{{- if not $cfg.enableDynamicTlsRecords }}
ssl_dyn_rec_size_lo 0;
{{ end }}
{{- if .customErrors }}
# Custom error pages
proxy_intercept_errors on;
@ -178,7 +182,7 @@ http {
server {
server_name {{ $server.Name }};
listen 80{{ if $cfg.useProxyProtocol }} proxy_protocol{{ end }};
{{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.useHttp2 }}http2{{ end }};
{{ if $server.SSL }}listen 443 {{ if $cfg.useProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.enableSpdy }}spdy{{ end }} {{ if $cfg.useHttp2 }}http2{{ end }};
{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
# PEM sha: {{ $server.SSLPemChecksum }}
ssl_certificate {{ $server.SSLCertificate }};

12
controllers/nginx/nginx/config/config.go
View file

@ -78,6 +78,16 @@ type Configuration struct {
// Sets the maximum allowed size of the client request body
BodySize string `structs:"body-size,omitempty"`
// EnableDynamicTLSRecords enables dynamic TLS record sizes
// https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency
// By default this is enabled
EnableDynamicTLSRecords bool `structs:"enable-dynamic-tls-records"`
// EnableSPDY enables spdy and use ALPN and NPN to advertise the availability of the two protocols
// https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code
// By default this is enabled
EnableSPDY bool `structs:"enable-spdy"`
// EnableStickySessions enabled sticky sessions using cookies
// https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
// By default this is disabled
@ -252,6 +262,8 @@ type Configuration struct {
func NewDefault() Configuration {
cfg := Configuration{
BodySize: bodySize,
EnableDynamicTLSRecords: true,
EnableSPDY: true,
ErrorLogLevel: errorLevel,
HSTS: true,
HSTSIncludeSubdomains: true,