Merge pull request #4418 from aledbf/dynamic-ssl

Remove dynamic TLS records

docs/user-guide/nginx-configuration/configmap.md

@@ -34,7 +34,6 @@ The following table shows a configuration option's name, type, and the default v
 |[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"|
 |[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"|
 |[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"|
-|[enable-dynamic-tls-records](#enable-dynamic-tls-records)|bool|"true"|
 |[enable-modsecurity](#enable-modsecurity)|bool|"false"|
 |[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"|
 |[client-header-buffer-size](#client-header-buffer-size)|string|"1k"|
@@ -209,13 +208,6 @@ __Note:__ the file `/var/log/nginx/error.log` is a symlink to `/dev/stderr`
 _References:_
 [http://nginx.org/en/docs/ngx_core_module.html#error_log](http://nginx.org/en/docs/ngx_core_module.html#error_log)
 
-## enable-dynamic-tls-records
-
-Enables dynamically sized TLS records to improve time-to-first-byte. _**default:**_ is enabled
-
-_References:_
-[https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency)
-
 ## enable-modsecurity
 
 Enables the modsecurity module for NGINX. _**default:**_ is disabled

internal/ingress/controller/config/config.go

@@ -124,11 +124,6 @@ type Configuration struct {
 	// By default error logs go to /var/log/nginx/error.log
 	ErrorLogPath string `json:"error-log-path,omitempty"`
 
-	// EnableDynamicTLSRecords enables dynamic TLS record sizes
-	// https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency
-	// By default this is enabled
-	EnableDynamicTLSRecords bool `json:"enable-dynamic-tls-records"`
-
 	// EnableModsecurity enables the modsecurity module for NGINX
 	// By default this is disabled
 	EnableModsecurity bool `json:"enable-modsecurity"`
@@ -643,7 +638,6 @@ func NewDefault() Configuration {
 		ClientHeaderTimeout:              60,
 		ClientBodyBufferSize:             "8k",
 		ClientBodyTimeout:                60,
-		EnableDynamicTLSRecords:          true,
 		EnableUnderscoresInHeaders:       false,
 		ErrorLogLevel:                    errorLevel,
 		UseForwardedHeaders:              false,

internal/ingress/controller/template/configmap_test.go

@@ -64,7 +64,6 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 		"access-log-path":               "/var/log/test/access.log",
 		"error-log-path":                "/var/log/test/error.log",
 		"use-gzip":                      "true",
-		"enable-dynamic-tls-records":    "false",
 		"gzip-level":                    "9",
 		"gzip-types":                    "text/html",
 		"proxy-real-ip-cidr":            "1.1.1.1/8,2.2.2.2/24",
@@ -85,7 +84,6 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 	def.SkipAccessLogURLs = []string{"/log", "/demo", "/test"}
 	def.ProxyReadTimeout = 1
 	def.ProxySendTimeout = 2
-	def.EnableDynamicTLSRecords = false
 	def.UseProxyProtocol = true
 	def.GzipLevel = 9
 	def.GzipTypes = "text/html"

rootfs/etc/nginx/template/nginx.tmpl

@@ -380,10 +380,6 @@ http {
     ssl_dhparam {{ $cfg.SSLDHParam }};
     {{ end }}
 
-    {{ if not $cfg.EnableDynamicTLSRecords }}
-    ssl_dyn_rec_size_lo 0;
-    {{ end }}
-
     ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
 
     {{ if gt (len $cfg.CustomHTTPErrors) 0 }}
@@ -685,7 +681,7 @@ stream {
         listen unix:{{ .StreamSocket }};
 
         access_log off;
-        
+
         content_by_lua_block {
           tcp_udp_configuration.call()
         }

test/data/config.json

@@ -20,7 +20,6 @@
 			"whitelist-source-range": null
 		},
 		"bodySize": "1m",
-		"enableDynamicTlsRecords": true,
 		"enableSpdy": false,
 		"errorLogLevel": "notice",
 		"gzipTypes": "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component",