nginx-more

Enable kTLS

Open karljohns0n opened this issue 2 years ago • 4 comments

kTLS

Enable kTLS support for RHEL8+ build

URL: https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/

Requirements

  • OpenSSL 3
  • Nginx 1.22
  • EL8

karljohns0n, Dec 28 '21 20:12

Is kTLS supported now?

w796933, Mar 02 '22 15:03

I pushed nginx-more-1.22.0-4.el8.x86_64 to the testing repo, which now includes kTLS support.

[root@nginx ~]# nginx -V
nginx version: nginx/1.22.0
custom build maintained on github.com/karljohns0n/nginx-more
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-10) (GCC) 
built with OpenSSL 3.0.5 5 Jul 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/cache/client_body --http-proxy-temp-path=/var/lib/nginx/cache/proxy --http-fastcgi-temp-path=/var/lib/nginx/cache/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/cache/uwsgi --http-scgi-temp-path=/var/lib/nginx/cache/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-compat --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_geoip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-http_slice_module --with-stream_ssl_preread_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -DTCP_FASTOPEN=23' --with-openssl=modules/openssl-3.0.5 --with-openssl-opt=enable-ktls --with-http_v2_hpack_enc --add-dynamic-module=modules/ngx_modsecurity-1.0.3 --add-module=modules/ngx_headers_more-0.34 --add-module=modules/ngx_cache_purge-2.3 --add-module=modules/ngx_module_vts-0.1.18 --add-module=modules/ngx_pagespeed-1.13.35.2-stable 
--add-module=modules/ngx_brotli-snap20220505 --add-module=modules/ngx_http_geoip2_module-3.4 --add-module=modules/ngx_echo-0.62

karljohns0n, Jul 20 '22 17:07

I tried KTLS today on two of my VPS with AlmaLinux 8.6, kernel 4.18, using nginx-more v1.22.0-4, and I can see that my website performance is much improved. I didn't find any errors or problems while using it on them. So, I believe this issue should be marked resolved!

skrlance, Aug 10 '22 16:08

My update: It seems that for AlmaLinux with kernel 4.18, nginx-more KTLS works on TLS 1.2 only! There was an error log when it was used on TLS 1.3. I have two VPS ready with AlmaLinux 9, kernel 5.14, where KTLS should work on TLS 1.3; however, I check every day and don't see that Karl has compiled the nginx-more repo for EL9! Hope we get EL9 repos soon!!

skrlance, Aug 27 '22 06:08
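
The last comment reports kTLS working for TLS 1.2 but not for TLS 1.3 on kernel 4.18. One way to check this per protocol version from the debug log of a `--with-debug` build like the one shown above, as an added example that is not from the thread or the nginx-more project. It assumes the nginx debug messages `SSL: <version>, cipher: "..."` and `BIO_get_ktls_send(): 1`; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): per-TLS-version kTLS summary.
# Assumed nginx debug-log messages (error_log at level "debug"):
#   SSL: <version>, cipher: "..."   written after each handshake
#   BIO_get_ktls_send(): 1          written only when kTLS send is active

# Constructed sample: TLS 1.2 connections offloaded, the TLS 1.3 one not.
sample_log() {
    cat <<'EOF'
2022/08/27 06:00:01 [debug] 1201#1201: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
2022/08/27 06:00:01 [debug] 1201#1201: *1 BIO_get_ktls_send(): 1
2022/08/27 06:00:02 [debug] 1201#1201: *2 SSL: TLSv1.3, cipher: "TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD"
2022/08/27 06:00:03 [debug] 1201#1201: *3 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2022/08/27 06:00:03 [debug] 1201#1201: *3 BIO_get_ktls_send(): 1
2022/08/27 06:00:03 [debug] 1201#1201: *3 SSL_sendfile: 65536
EOF
}

# ktls_summary FILE: print "<version> ktls=<n> no_ktls=<m>" per TLS version.
ktls_summary() {
    awk '
        { conn = "" }
        # Connection id is the "*<number>" token before the message text.
        match($0, /\*[0-9]+ /) { conn = substr($0, RSTART, RLENGTH - 1) }
        conn == "" { next }
        / SSL: TLSv[0-9.]+, cipher: / {
            v = $0; sub(/.* SSL: /, "", v); sub(/,.*/, "", v)
            proto[conn] = v
        }
        /BIO_get_ktls_send\(\): 1/ { offload[conn] = 1 }
        END {
            for (c in proto) {
                v = proto[c]; seen[v] = 1
                if (c in offload) k_on[v]++; else k_off[v]++
            }
            for (v in seen)
                printf "%s ktls=%d no_ktls=%d\n", v, k_on[v], k_off[v]
        }
    ' "$1" | sort
}

tmp=$(mktemp) && sample_log > "$tmp" && ktls_summary "$tmp"; rm -f "$tmp"
```

A version that only ever shows `ktls=0` while others are offloaded points to the kernel or OpenSSL build not supporting kTLS for that protocol, which matches the TLS 1.2-only behaviour described for kernel 4.18.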