Hi! On Sat, 2014-06-28 at 01:14 -0400, khav wrote: > For my site , ssl seems to be slow even though i got A+ on sslabs > (implemented ocsp stapling, Forward Secrecy , spdy) > > Here is the result from pingdom > > http://tools.pingdom.com/fpt/#!/cc2MfH/https://www.filterbypass.me/ > > > Notice the high connect time and high ssl negociation time > > > Here is my nginx conf > > server { > listen 443 spdy default_server; #Change to 443 when SSL is on > ssl on; > ssl_certificate /etc/ssl/filterbypass.me.crt; #(or .pem) > ssl_certificate_key /etc/ssl/filterbypass.me.key.nopass; > ssl_client_certificate /etc/ssl/intermediate.crt; > ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; > ssl_ciphers > ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; > ssl_prefer_server_ciphers on; > ssl_buffer_size 8k; > ssl_session_cache shared:SSL:10m; > ssl_dhparam /etc/ssl/dhparam.pem; > ssl_session_timeout 10m; > ssl_stapling on; > ssl_stapling_verify on; > ssl_trusted_certificate /etc/ssl/trustchain.crt; > resolver 8.8.8.8 8.8.4.4; > add_header Strict-Transport-Security "max-age=31536000; > includeSubDomains"; > #rest of config goes here > } >
Setting up a local DNS resolver, and adding it in as the first one may make a bit of a help, as may implementing SPDY. However, ( using webpagetest as my preferred tool... from Dulles as the server is reported to be in Utah: http://www.webpagetest.org/result/140629_3J_518/ ) I'd say that the problem may well be with the available power on the server itself: for example, it takes .8s to download a 20KB woff file. Given the services that you're wanting to offer, I think you're going to need a load more grunt. hth, Steve -- Steve Holdoway BSc(Hons) MIITP http://www.greengecko.co.nz Linkedin: http://www.linkedin.com/in/steveholdoway Skype: sholdowa _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
