Security
Steps to get an A+ SSL rating with nginx | 9m's PC diary
https://michael.lustfield.net/nginx/getting-a-perfect-ssl-labs-score
openssl dhparam -out /usr/local/etc/nginx/ssl/dhparam.pem 4096
nginx.conf:
ssl_dhparam ssl/dhparam.pem;
Check
https://www.ssllabs.com/ssltest/
nginx.conf
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
Performance and tuning
For the same reasons, I don’t believe it makes sense to use certificates with 4096-bit keys, 4096-bit Diffie-Hellman key exchange parameters, or similar changes. You can actually improve subscores of your SSL score using them, but it will come at a performance cost.
Translation
HTTPS with nginx: from zero to an A+ SSL rating, part 2 – configuration, ciphersuites, performance | POSTD
openssl dhparam -out /usr/local/etc/nginx/ssl/dhparam2048.pem 2048
nginx.conf:
ssl_dhparam ssl/dhparam2048.pem;
https://bjornjohansen.no/optimizing-https-nginx
Generating the dhparam file with Ansible
https://raymii.org/s/tutorials/Ansible_-_Only_if_a_file_exists_or_does_not_exist.html
OCSP Stapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
ssl_buffer_size
Candidate values: 1k / 4k / 8k / 16k
Optimizing the TLS-record size
TLS encrypts the stream in fixed-size chunks (so-called TLS records)
ssl_buffer_size (default: 16k)
16KB is too large: on a new TCP connection it adds round trips before the first record can be delivered
For a typical website, smaller is better
Effective for improving TTFB (Time To First Byte)
ssl_buffer_size 4k;
https://speakerdeck.com/cubicdaiya/nginxfalsepahuomansutiyuningu
ssl_buffer_size 16k; # for throughput, video applications
#ssl_buffer_size 4k; # for quick first byte delivery
https://leandromoreira.com.br/2015/10/12/how-to-optimize-nginx-configuration-for-http2-tls-ssl/
Dynamic TLS Records in NGINX
https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/
ssl_buffer_size 1k;
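The two notes above (the static ssl_buffer_size trade-off and Cloudflare's dynamic TLS records) can be made concrete with a small model. The following is an added example written for these notes; it is not code from nginx, Cloudflare or any of the linked posts. Its assumptions are stated in the header comment: a 1460-byte TCP MSS, an initial congestion window of 10 segments, 21 bytes of per-record overhead for an AEAD ciphersuite, and the dynamic-record parameter values (lo 1369, hi 4229, threshold 40), which are this example's choices rather than values taken from the page.

```python
"""
Added example (not from the original notes): model how nginx's
ssl_buffer_size (the TLS record size) trades per-record byte overhead
against the round trips needed before a client can decrypt the first byte.

Assumptions (this example's, not stated on the page):
- TCP MSS of 1460 bytes and an initial congestion window of 10 segments,
  so ~14,600 bytes can be sent before the first ACK comes back.
- Per-record overhead of 5 bytes (TLS record header) + 16 bytes (AEAD tag),
  i.e. an AES-GCM or ChaCha20-Poly1305 suite. Handshake cost is ignored.
- Slow start doubles the congestion window every RTT.
"""
import math

MSS = 1460
INIT_CWND_SEGMENTS = 10
RECORD_HEADER = 5
AEAD_TAG = 16
PER_RECORD = RECORD_HEADER + AEAD_TAG
MAX_PLAINTEXT = 16 * 1024          # TLS caps record plaintext at 2^14 bytes

SIZES = {"1k": 1024, "4k": 4096, "8k": 8192, "16k": 16384}


def record_count(payload_bytes: int, record_size: int) -> int:
    """Records needed to carry payload_bytes when each holds record_size."""
    return math.ceil(payload_bytes / record_size)


def wire_bytes(payload_bytes: int, record_size: int) -> int:
    """Payload plus header+tag for every record that is sent."""
    return payload_bytes + record_count(payload_bytes, record_size) * PER_RECORD


def overhead_percent(payload_bytes: int, record_size: int) -> float:
    """Extra bytes on the wire as a percentage of the payload."""
    return 100.0 * (wire_bytes(payload_bytes, record_size) - payload_bytes) / payload_bytes


def segments_for_first_record(record_size: int) -> int:
    """TCP segments the client must receive before it can decrypt anything.
    An AEAD record is only verifiable once it has arrived in full, because
    the authentication tag sits at its end."""
    return math.ceil((record_size + PER_RECORD) / MSS)


def rtts_to_first_byte(record_size: int, init_cwnd: int = INIT_CWND_SEGMENTS) -> int:
    """Round trips (after the handshake) until the first full record has
    arrived: 1 if it fits in the initial window, more if the server has to
    wait for ACKs (slow start) before the rest of the record can be sent."""
    needed = segments_for_first_record(record_size)
    sent, cwnd, rtts = 0, init_cwnd, 0
    while sent < needed:
        sent += cwnd
        cwnd *= 2
        rtts += 1
    return rtts


def static_summary(payload_bytes: int) -> dict:
    """Per-candidate-size figures for one response of payload_bytes."""
    return {
        name: {
            "records": record_count(payload_bytes, size),
            "overhead_pct": round(overhead_percent(payload_bytes, size), 3),
            "first_record_segments": segments_for_first_record(min(size, payload_bytes)),
            "rtts_to_first_byte": rtts_to_first_byte(min(size, payload_bytes)),
        }
        for name, size in SIZES.items()
    }


def dynamic_record_plan(payload_bytes: int, lo: int = 1369, hi: int = 4229,
                        threshold: int = 40) -> list:
    """Plaintext size of each record under a dynamic policy in the style of
    the Cloudflare post: the first `threshold` records are `lo` bytes (sized
    to fit one TCP segment with its overhead), the next `threshold` are `hi`
    bytes (three segments), and everything after that uses the 16 KB maximum.
    lo/hi/threshold defaults are this example's assumption, not the patch's."""
    plan, remaining = [], payload_bytes
    while remaining > 0:
        n = len(plan)
        size = lo if n < threshold else hi if n < 2 * threshold else MAX_PLAINTEXT
        size = min(size, remaining)
        plan.append(size)
        remaining -= size
    return plan


if __name__ == "__main__":
    for payload in (3_000, 100_000):           # a small HTML page, a 100 KB asset
        print(f"payload {payload} bytes")
        for name, row in static_summary(payload).items():
            print(f"  ssl_buffer_size {name:>3}: {row}")
        plan = dynamic_record_plan(payload)
        print(f"  dynamic: {len(plan)} records, first {plan[0]}, last {plan[-1]}")
```

The point the table makes: with a 16k buffer the first record spans 12 segments, which does not fit in a 10-segment initial window, so the client waits a second round trip before it can decrypt a single byte; 4k and 1k both fit in one round trip, at the price of about 2% more bytes on the wire for 1k. The dynamic plan gets the 1k-style first byte and then grows toward 16k so that bulk transfer keeps the low overhead.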
http://www.slideshare.net/kazeburo/advanced-nginx-in-mercari-how-to-handle-over-1200000-https-reqsmin
http://mailman.nginx.org/pipermail/nginx/2013-December/041548.html