15.05.2017, 21:54, "Konstantin Tokarev" <[email protected]>:
> 15.05.2017, 21:40, "Андрей Василишин" <[email protected]>:
>> Hi all!
>> With the wholesale move of the Internet to SSL, the turn has come for
>> mp4 streaming as well. Yesterday's test showed that at 15k connections
>> we were already slowly starting to hit the CPU limit, and at peak there
>> was 32 Gbit/s of traffic. Today, without SSL, at the same 15k
>> connections: 40 Gbit/s of traffic and the CPU is idling. Maybe
>> something somewhere in the config needs tuning?
>
> Set null and rc4 as the preferred ciphers; this encryption is just for
> show anyway.

Naturally, only for serving mp4 and similar assets.

>
>> SSL config below:
>>
>> listen 443 ssl;
>> add_header Strict-Transport-Security "max-age=0;";
>> # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
>> # ssl on;
>> ssl_certificate /etc/nginx/ssl/site.com.crt;
>> ssl_certificate_key /etc/nginx/ssl/privatekey.key;
>> ssl_trusted_certificate /etc/nginx/ssl/site.com.crt;
>> # each ticket key file must contain 48 or 80 bytes
>> # openssl rand 48 > /etc/nginx/ssl/current.key
>> ssl_session_ticket_key /etc/nginx/ssl/current.key;
>> ssl_session_ticket_key /etc/nginx/ssl/prev.key;
>> ssl_session_ticket_key /etc/nginx/ssl/prevprev.key;
>>
>> # Use 2048 bit Diffie-Hellman key parameters
>> # (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption
>> # when using PFS)
>> # Generated by OpenSSL with the following command:
>> # openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
>> ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
>>
>> # make the server choose the best cipher instead of the browser
>> # Perfect Forward Secrecy (PFS) is frequently compromised without this
>> ssl_prefer_server_ciphers on;
>>
>> # support only believed-secure ciphersuites using the following priority:
>> # 1.) prefer PFS enabled ciphers
>> # 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now)
>> # 3.) Support DES3 for IE8 support
>>
>> # disable the following ciphersuites completely
>> # 1.) null ciphers
>> # 2.) ciphers with low security
>> # 3.) fixed ECDH cipher (does not allow for PFS)
>> # 4.) known vulnerable ciphers (MD5, RC4, etc)
>> # 5.) little-used ciphers (Camellia, Seed)
>> ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
>>
>> ## OCSP Stapling
>> ssl_stapling on;
>> ssl_stapling_verify on;
>> ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
>>
>> # Cache SSL sessions (the timeout is set to 1h below)
>> # This improves performance by avoiding the costly session negotiation process where possible
>> ssl_session_cache builtin:10000 shared:SSL:100m;
>> # ssl_session_timeout 5m; # this is a default, but can be changed
>> ssl_session_timeout 1h;
>> _______________________________________________
>> nginx-ru mailing list
>> [email protected]
>> http://mailman.nginx.org/mailman/listinfo/nginx-ru
>
> --
> Regards,
> Konstantin

--
Regards,
Konstantin
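As an added example (not code from the thread or from nginx), the script below resolves an nginx `ssl_ciphers` value through the OpenSSL that Python is linked against and reports what the suite list actually contains: which suite comes first, whether it is an AEAD suite (the cheap path on AES-NI hardware, which is what the throughput question is about), and which suites are weak or lack forward secrecy. nginx passes `ssl_ciphers` to OpenSSL's `SSL_CTX_set_cipher_list` unchanged, and `ssl.SSLContext.set_ciphers` calls the same function, so the order shown is the order that nginx build would offer. It checks the string posted above verbatim and, for comparison, the reply's "null and rc4" suggestion rendered as the OpenSSL string `eNULL:RC4`; that rendering is my assumption, the reply gives no exact string. Results depend on the OpenSSL build: RC4 suites are compiled out of OpenSSL 1.1.0+ unless it was built with `enable-weak-ssl-ciphers`, and `DES-CBC3-SHA` may be as well, so run it on the host with the OpenSSL that `nginx -V` reports.

```python
"""Resolve an nginx ssl_ciphers string through local OpenSSL and audit it.

Added example for the nginx-ru thread above; not code from the thread or
from nginx.  Only the standard library is used, so it runs offline.
"""
import ssl

# Verbatim from the config posted in the thread.
POSTED_CIPHERS = (
    "kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 "
    "kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA "
    "!aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED"
)
# Assumed rendering of the reply's "null and rc4 as preferred ciphers";
# the reply itself gives no exact cipher string.
NULL_RC4_CIPHERS = "eNULL:RC4"

# Name fragments of suites with no or broken confidentiality/integrity.
WEAK_MARKERS = ("NULL", "RC4", "MD5", "EXP", "DES-CBC-", "RC2")
# Name prefixes of suites whose key exchange is ephemeral (forward secrecy).
PFS_PREFIXES = ("ECDHE-", "DHE-")
# Name fragments of AEAD suites: one pass over the data instead of CBC+HMAC.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def resolve_cipher_string(cipher_string):
    """Return the ordered TLS 1.0-1.2 suite names the string selects, or
    None if OpenSSL rejects the string outright (no suite matched at all,
    which is what SSL_CTX_set_cipher_list failing means)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # OpenSSL 1.1.1+ also reports its TLS 1.3 suites here; those are not
    # governed by ssl_ciphers, and the posted config only enables
    # TLSv1-1.2, so they are dropped from the result.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Resolve the string and summarise what the server would offer."""
    suites = resolve_cipher_string(cipher_string)
    if suites is None:
        return {"rejected": True, "suites": [], "weak": [],
                "no_pfs": [], "aead_first": False}
    weak = [n for n in suites if any(m in n for m in WEAK_MARKERS)]
    no_pfs = [n for n in suites if not n.startswith(PFS_PREFIXES)]
    first = suites[0]
    return {
        "rejected": False,
        "suites": suites,
        "weak": weak,
        "no_pfs": no_pfs,
        # With ssl_prefer_server_ciphers on, a client that supports the
        # first suite gets it, so this is the suite most traffic will use.
        "aead_first": any(m in first for m in AEAD_MARKERS),
    }


def main():
    for label, s in (("posted config", POSTED_CIPHERS),
                     ("null + rc4 (assumed rendering)", NULL_RC4_CIPHERS)):
        report = audit_cipher_string(s)
        print(f"== {label}: {s}")
        if report["rejected"]:
            print("   OpenSSL rejected the string: no matching suite compiled in")
            continue
        print(f"   {len(report['suites'])} suites, first: {report['suites'][0]}")
        print(f"   AEAD suite first: {report['aead_first']}")
        print(f"   weak suites: {report['weak'] or 'none'}")
        print(f"   without forward secrecy: {report['no_pfs'] or 'none'}")


if __name__ == "__main__":
    main()
```

Two things the output makes visible that the config comments do not: the posted string puts the ECDSA suites first, so with an RSA certificate (the config does not say which kind `site.com.crt` is) they are never selected and the first usable suite is `ECDHE-RSA-AES128-GCM-SHA256`, already the cheapest choice on AES-NI hardware; and `eNULL:RC4`, even where the NULL suites still resolve, yields suites with 0-bit strength that OpenSSL refuses to negotiate at security level 1 or higher, the default since 1.1.0, so the "encryption for show" suggestion is not something a current OpenSSL will actually serve.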
