Skip to content

Instantly share code, notes, and snippets.

@centminmod centminmod/lxc.sh-ssl-output.md Secret
Last active Jun 13, 2018

Embed
What would you like to do?
raw output for lxc.sh ssl - get and setup self-signed ssl certificates for multiple lemp stacks within lxd containers including centmin mod nginx, easyengine, webinoly, vestacp, oneinstack nginx, oneinstack openresty nginx

Nginx HTTPS / SSL Configuration Notes

  • automated ssl configuration for respective LEMP stacks include centmin mod nginx, easyengine, webinoly, vestacp, oneinstack nginx, oneinstack openresty nginx which were installed into LXD containers outlined at https://community.centminmod.com/threads/nginx-static-html-benchmarks-centmin-mod-vs-easyengine-vs-webinoly-vs-vestacp-vs-oneinstack.14949/
  • lxc.sh ssl command automates the set up for dual rsa 2048bit/ecdsa 256bit self-signed ssl certificates which has been supported since nginx 1.11.0 https://community.centminmod.com/threads/nginx-1-11-0-introduces-dual-ecdsa-rsa-ssl-certificate-support.7449/ for each respctive lemp stacks' nginx vhost named = http2.domain.com as well as inspects each LEMP stacks' default nginx configuration settings i.e. ssl ciphers etc
  • webinoly default nginx ssl cipher configuration doesn't support ECDSA 256bit ssl ciphers out of the box so only RSA 2048bit ssl ciphers are tested
  • vestacp and easyengine failed to restart nginx as it uses deprecated ssl on; directive and doesn't use http/2 https by default so had to manually remove ssl on;, add to listen directive ssl http2 and then also manually add ecdsa 256bit ssl cert to existing rsa2048 bit ssl certifcate
  • Using nghttp2's h2load HTTP/2 HTTPS load testing tool https://nghttp2.org/documentation/h2load-howto.html for HTTP/2 HTTPS benchmarks. CentOS 7.5 yum repo nghtp2 is v1.31 while, Ubuntu 18.04 LTS used by webinoly apt package is nghttp2 v1.30. For other LEMP stacks using Ubuntu 16.04 LTS, apt ngttp2 package is very old v1.7.1 and doesn't include h2load binary so needs to be source compiled from nghttp2 github repo. So for CentOS 7.5, Ubuntu 16.04 LTS and 18.04 LTS, nghttp2/h2load v1.33 is installed via source compile.
  • easyengine 3.8.1 default ssl cipher order choice causes h2load HTTP/2 HTTPS load test to fail due to use of weak unsupported ssl cipher DHE_RSA_AES_128_GCM_SHA256

easyengine 3.8.1 default ssl cipher not supported by HTTP/2 HTTPS for DHE_RSA_AES_128_GCM_SHA256

curl -sv https://http2.domain.com/
*   Trying 10.71.164.21...
* Connected to http2.domain.com (10.71.164.21) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / DHE_RSA_AES_128_GCM_SHA256
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0

easyengine 3.8.1 failed test of h2load HTTP/2 HTTPS

h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests

finished in 4.37ms, 0.00 req/s, 0B/s
requests: 1 total, 0 started, 0 done, 0 succeeded, 1 failed, 1 errored, 0 timeout
status codes: 0 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 0B (0) total, 0B (0) headers (space savings 0.00%), 0B (0) data
                     min         max         mean         sd        +/- sd
time for request:        0us         0us         0us         0us     0.00%
time for connect:        0us         0us         0us         0us     0.00%
time to 1st byte:        0us         0us         0us         0us     0.00%
req/s           :       0.00        0.00        0.00        0.00   100.00%

easyengine 3.8.1 default ssl ciphers

lxc exec easyengine-ubuntu1604 -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /etc/nginx/nginx.conf
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

easyengine 3.8.1 needs manually fixing for HTTP/2 HTTPS support by changing ssl cipher choices according to https://community.rtcamp.com/t/chrome-security-issue/8499/6

sed -i 's/ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;/ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;/' /etc/nginx/nginx.conf

systemctl restart nginx

recheck easyengine 3.8.1 nginx HTTP/2 HTTPS support via h2load HTTP/2 HTTPS tool = working no failed request

h2load -t1 -c1 -n1 https://http2.domain.com/index.html 
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 6.35ms, 157.41 req/s, 1.00MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.51KB (6665) total, 142B (142) headers (space savings 35.16%), 6.30KB (6456) data
                     min         max         mean         sd        +/- sd
time for request:      506us       506us       506us         0us   100.00%
time for connect:     5.16ms      5.16ms      5.16ms         0us   100.00%
time to 1st byte:     5.71ms      5.71ms      5.71ms         0us   100.00%
req/s           :     173.25      173.25      173.25        0.00   100.00%

full lxc.sh ssl output

full output for lxc.sh ssl command

./lxc.sh ssl                          

lxc start centos75-2
lxc start easyengine-ubuntu1604
lxc start oneinstack-ubuntu16-nginx
lxc start oneinstack-ubuntu16-openresty
lxc start vestacp-ubuntu1604
lxc start webinoly

-------------------------------------------------------------------------------------------
lxc exec centos75-2 -- mkdir -p /etc/myssl/http2.domain.com
lxc exec centos75-2 -- cd /etc/myssl/http2.domain.com

lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem

lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt

lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key

lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt

lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key

lxc file push sslcerts.conf centos75-2/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec centos75-2 -- cat /etc/myssl/http2.domain.com/sslcerts.conf

ssl_dhparam          /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers   on;

ssl config settings

lxc exec centos75-2 -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /usr/local/nginx/conf/conf.d/http2.domain.com.ssl.conf
  ssl_dhparam /usr/local/nginx/conf/ssl/http2.domain.com/dhparam.pem;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;

lxc exec centos75-2 -- cat /usr/local/nginx/conf/conf.d/http2.domain.com.ssl.conf
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#       listen   80;
#       server_name http2.domain.com www.http2.domain.com;
#       return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name http2.domain.com www.http2.domain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/http2.domain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/http2.domain.com/http2.domain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/http2.domain.com/http2.domain.com.key;
  
include /usr/local/nginx/conf/ssl_include.conf;
include /usr/local/nginx/conf/ssl_ecc.conf;

  # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/http2.domain.com/origin.crt;
  #ssl_verify_client on;
  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
  
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.domain.com/http2.domain.com-trusted.crt;  

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/http2.domain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/http2.domain.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/http2.domain.com/autoprotect-http2.domain.com.conf;
  root /home/nginx/domains/http2.domain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Wordpress Permalinks example
  #try_files $uri $uri/ /index.php?q=$uri&$args;

  }

  include /usr/local/nginx/conf/pre-staticfiles-local-http2.domain.com.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

lxc exec centos75-2 -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Date: Tue, 12 Jun 2018 23:54:58 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6457
Last-Modified: Fri, 08 Jun 2018 03:54:47 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5b19fe07-1939"
Server: nginx centminmod
X-Powered-By: centminmod
Accept-Ranges: bytes


lxc exec centos75-2 -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.71.164.50...
* Connected to http2.domain.com (10.71.164.50) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* ALPN, server accepted to use http/1.1
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=http2.domain.com,OU=HTTPS TEST ORG UNIT,O=HTTPS TEST ORG,L=Los Angeles,ST=California,C=US
*       start date: Jun 08 04:08:27 2018 GMT
*       expire date: May 15 04:08:27 2118 GMT
*       common name: http2.domain.com
*       issuer: CN=http2.domain.com,OU=HTTPS TEST ORG UNIT,O=HTTPS TEST ORG,L=Los Angeles,ST=California,C=US
> HEAD / HTTP/1.1
> Host: http2.domain.com
> User-Agent: curl/7.47.1
> Accept: */*

lxc exec centos75-2 -- h2load --version
h2load nghttp2/1.31.1

lxc exec centos75-2 -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 3.52ms, 284.33 req/s, 1.81MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.53KB (6687) total, 163B (163) headers (space savings 31.80%), 6.31KB (6457) data
                     min         max         mean         sd        +/- sd
time for request:      317us       317us       317us         0us   100.00%
time for connect:     2.50ms      2.50ms      2.50ms         0us   100.00%
time to 1st byte:     2.88ms      2.88ms      2.88ms         0us   100.00%
req/s           :     326.57      326.57      326.57        0.00   100.00%

lxc exec centos75-2 -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 11.83ms, 84.53 req/s, 191.51KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.27KB (2320) total, 160B (160) headers (space savings 28.89%), 2.04KB (2093) data
                     min         max         mean         sd        +/- sd
time for request:      575us       575us       575us         0us   100.00%
time for connect:    10.96ms     10.96ms     10.96ms         0us   100.00%
time to 1st byte:    11.56ms     11.56ms     11.56ms         0us   100.00%
req/s           :      85.63       85.63       85.63        0.00   100.00%

lxc exec centos75-2 -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 5.03ms, 199.00 req/s, 450.87KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.27KB (2320) total, 160B (160) headers (space savings 28.89%), 2.04KB (2093) data
                     min         max         mean         sd        +/- sd
time for request:      592us       592us       592us         0us   100.00%
time for connect:     3.00ms      3.00ms      3.00ms         0us   100.00%
time to 1st byte:     3.66ms      3.66ms      3.66ms         0us   100.00%
req/s           :     260.30      260.30      260.30        0.00   100.00%

lxc exec centos75-2 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 5.91ms, 169.32 req/s, 383.61KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.27KB (2320) total, 160B (160) headers (space savings 28.89%), 2.04KB (2093) data
                     min         max         mean         sd        +/- sd
time for request:     1.09ms      1.09ms      1.09ms         0us   100.00%
time for connect:     4.48ms      4.48ms      4.48ms         0us   100.00%
time to 1st byte:     5.60ms      5.60ms      5.60ms         0us   100.00%
req/s           :     174.04      174.04      174.04        0.00   100.00%

lxc exec centos75-2 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 4.47ms, 223.51 req/s, 506.40KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.27KB (2320) total, 160B (160) headers (space savings 28.89%), 2.04KB (2093) data
                     min         max         mean         sd        +/- sd
time for request:      441us       441us       441us         0us   100.00%
time for connect:     3.11ms      3.11ms      3.11ms         0us   100.00%
time to 1st byte:     3.77ms      3.77ms      3.77ms         0us   100.00%
req/s           :     244.23      244.23      244.23        0.00   100.00%

lxc exec centos75-2 -- ls -lsh /etc/myssl/http2.domain.com
total 44K
8.0K -rw-r--r-- 1 root root  423 Jun 12 18:39 dhparam.pem
8.0K -rw-r--r-- 1 root root  764 Jun 12 18:39 http2.domain.com-ecc.crt
8.0K -rw-r--r-- 1 root root  301 Jun 12 18:39 http2.domain.com-ecc.key
8.0K -rw-r--r-- 1 root root 1.2K Jun 12 18:39 http2.domain.com.crt
8.0K -rw-r--r-- 1 root root 1.7K Jun 12 18:39 http2.domain.com.key
4.0K -rw-r--r-- 1 root root  386 Jun 12 23:54 sslcerts.conf

lxc stop centos75-2
-------------------------------------------------------------------------------------------
lxc exec easyengine-ubuntu1604 -- mkdir -p /etc/myssl/http2.domain.com
lxc exec easyengine-ubuntu1604 -- cd /etc/myssl/http2.domain.com

lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem

lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt

lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key

lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt

lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key

lxc file push sslcerts.conf easyengine-ubuntu1604/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec easyengine-ubuntu1604 -- cat /etc/myssl/http2.domain.com/sslcerts.conf

ssl_dhparam          /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers   on;

ssl config settings

lxc exec easyengine-ubuntu1604 -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /etc/nginx/nginx.conf
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

lxc file push easyengine-http2.domain.com.ssl easyengine-ubuntu1604/etc/nginx/sites-available/http2.domain.com.ssl

lxc exec easyengine-ubuntu1604 -- ln -s /etc/nginx/sites-available/http2.domain.com.ssl /etc/nginx/sites-enabled/
ln: failed to create symbolic link '/etc/nginx/sites-enabled/http2.domain.com.ssl': File exists

lxc exec easyengine-ubuntu1604 -- cat /etc/nginx/sites-available/http2.domain.com.ssl
server {
    listen 443 ssl http2;
    server_name http2.domain.com   www.http2.domain.com;
    include /etc/myssl/http2.domain.com/sslcerts.conf;

    access_log /var/log/nginx/http2.domain.com.access.log rt_cache; 
    error_log /var/log/nginx/http2.domain.com.error.log;

    root /var/www/http2.domain.com/htdocs;
    index index.php index.html index.htm;

    include common/php.conf;   
    include common/locations.conf;
    include /var/www/http2.domain.com/conf/nginx/*.conf;
}

lxc exec easyengine-ubuntu1604 -- nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

lxc exec easyengine-ubuntu1604 -- systemctl restart nginx

lxc exec easyengine-ubuntu1604 -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Jun 2018 23:55:11 GMT
Content-Type: text/html
Content-Length: 6456
Last-Modified: Sun, 10 Jun 2018 06:28:01 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5b1cc4f1-1938"
X-Powered-By: EasyEngine 3.8.1
Accept-Ranges: bytes


lxc exec easyengine-ubuntu1604 -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.71.164.21...
* Connected to http2.domain.com (10.71.164.21) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: http2.domain.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: EC
*        certificate version: #1
*        subject: C=US,ST=California,L=Los Angeles,O=HTTPS TEST ORG,OU=HTTPS TEST ORG UNIT,CN=http2.domain.com
*        start date: Fri, 08 Jun 2018 04:08:27 GMT
*        expire date: Sun, 15 May 2118 04:08:27 GMT

/usr/local/bin/h2load

lxc exec easyengine-ubuntu1604 -- h2load --version
h2load nghttp2/1.33.0-DEV

lxc exec easyengine-ubuntu1604 -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 5.09ms, 196.54 req/s, 1.25MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.51KB (6665) total, 142B (142) headers (space savings 35.16%), 6.30KB (6456) data
                     min         max         mean         sd        +/- sd
time for request:      332us       332us       332us         0us   100.00%
time for connect:     3.88ms      3.88ms      3.88ms         0us   100.00%
time to 1st byte:     4.29ms      4.29ms      4.29ms         0us   100.00%
req/s           :     217.52      217.52      217.52        0.00   100.00%

lxc exec easyengine-ubuntu1604 -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 7.32ms, 136.56 req/s, 308.58KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.26KB (2314) total, 139B (139) headers (space savings 32.20%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      734us       734us       734us         0us   100.00%
time for connect:     5.67ms      5.67ms      5.67ms         0us   100.00%
time to 1st byte:     6.47ms      6.47ms      6.47ms         0us   100.00%
req/s           :     150.38      150.38      150.38        0.00   100.00%

lxc exec easyengine-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 6.46ms, 154.89 req/s, 350.03KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.26KB (2314) total, 139B (139) headers (space savings 32.20%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      677us       677us       677us         0us   100.00%
time for connect:     4.91ms      4.91ms      4.91ms         0us   100.00%
time to 1st byte:     5.68ms      5.68ms      5.68ms         0us   100.00%
req/s           :     167.71      167.71      167.71        0.00   100.00%

lxc exec easyengine-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 6.13ms, 163.05 req/s, 368.46KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.26KB (2314) total, 139B (139) headers (space savings 32.20%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      903us       903us       903us         0us   100.00%
time for connect:     4.55ms      4.55ms      4.55ms         0us   100.00%
time to 1st byte:     5.49ms      5.49ms      5.49ms         0us   100.00%
req/s           :     178.88      178.88      178.88        0.00   100.00%

lxc exec easyengine-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 4.66ms, 214.73 req/s, 485.24KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.26KB (2314) total, 139B (139) headers (space savings 32.20%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      568us       568us       568us         0us   100.00%
time for connect:     3.57ms      3.57ms      3.57ms         0us   100.00%
time to 1st byte:     4.16ms      4.16ms      4.16ms         0us   100.00%
req/s           :     235.65      235.65      235.65        0.00   100.00%

lxc exec easyengine-ubuntu1604 -- ls -lsh /etc/myssl/http2.domain.com
total 24K
4.0K -rw-r--r-- 1 root root  423 Jun 12 18:39 dhparam.pem
4.0K -rw-r--r-- 1 root root  764 Jun 12 18:39 http2.domain.com-ecc.crt
4.0K -rw-r--r-- 1 root root  301 Jun 12 18:39 http2.domain.com-ecc.key
4.0K -rw-r--r-- 1 root root 1.2K Jun 12 18:39 http2.domain.com.crt
4.0K -rw-r--r-- 1 root root 1.7K Jun 12 18:39 http2.domain.com.key
4.0K -rw-r--r-- 1 root root  386 Jun 12 23:55 sslcerts.conf

lxc stop easyengine-ubuntu1604
-------------------------------------------------------------------------------------------
lxc exec oneinstack-ubuntu16-nginx -- mkdir -p /etc/myssl/http2.domain.com
lxc exec oneinstack-ubuntu16-nginx -- cd /etc/myssl/http2.domain.com

lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem

lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt

lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key

lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt

lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key

lxc file push sslcerts.conf oneinstack-ubuntu16-nginx/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec oneinstack-ubuntu16-nginx -- cat /etc/myssl/http2.domain.com/sslcerts.conf

ssl_dhparam          /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers   on;

ssl config settings

lxc exec oneinstack-ubuntu16-nginx -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /usr/local/nginx/conf/nginx.conf.default
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

lxc file push oneinstack-nginx-http2.domain.com.ssl.conf oneinstack-ubuntu16-nginx/usr/local/nginx/conf/vhost/http2.domain.com.ssl.conf

lxc exec oneinstack-ubuntu16-nginx -- cat /usr/local/nginx/conf/vhost/http2.domain.com.ssl.conf
server {
  listen 443 ssl http2;
  server_name http2.domain.com;
  include /etc/myssl/http2.domain.com/sslcerts.conf;
  access_log /data/wwwlogs/http2.domain.com_nginx.log combined;
  index index.html index.htm index.php;
  root /data/wwwroot/http2.domain.com;
  
  include /usr/local/nginx/conf/rewrite/other.conf;
  #error_page 404 /404.html;
  #error_page 502 /502.html;
  
  location ~ [^/]\.php(/|$) {
    #fastcgi_pass remote_php_ip:9000;
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  location ~ .*\.(js|css)?$ {
    expires 7d;
    access_log off;
  }
  location ~ /\.ht {
    deny all;
  }
}

lxc exec oneinstack-ubuntu16-nginx -- /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

lxc exec oneinstack-ubuntu16-nginx -- systemctl restart nginx

lxc exec oneinstack-ubuntu16-nginx -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Jun 2018 23:55:20 GMT
Content-Type: text/html
Content-Length: 6456
Last-Modified: Mon, 11 Jun 2018 21:27:15 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5b1ee933-1938"
Accept-Ranges: bytes


lxc exec oneinstack-ubuntu16-nginx -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.71.164.124...
* Connected to http2.domain.com (10.71.164.124) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: http2.domain.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #1
*        subject: O=http2.domain.com,OU=http2.domain.com,CN=http2.domain.com
*        start date: Fri, 08 Jun 2018 03:54:56 GMT
*        expire date: Sun, 15 May 2118 03:54:56 GMT

/usr/local/bin/h2load

lxc exec oneinstack-ubuntu16-nginx -- h2load --version
h2load nghttp2/1.33.0-DEV

lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 4.14ms, 241.84 req/s, 1.53MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.49KB (6641) total, 118B (118) headers (space savings 38.22%), 6.30KB (6456) data
                     min         max         mean         sd        +/- sd
time for request:      239us       239us       239us         0us   100.00%
time for connect:     3.28ms      3.28ms      3.28ms         0us   100.00%
time to 1st byte:     3.55ms      3.55ms      3.55ms         0us   100.00%
req/s           :     274.67      274.67      274.67        0.00   100.00%

lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 5.32ms, 187.93 req/s, 420.28KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2290) total, 115B (115) headers (space savings 35.03%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      660us       660us       660us         0us   100.00%
time for connect:     4.03ms      4.03ms      4.03ms         0us   100.00%
time to 1st byte:     4.72ms      4.72ms      4.72ms         0us   100.00%
req/s           :     207.65      207.65      207.65        0.00   100.00%

lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 4.53ms, 220.60 req/s, 493.34KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2290) total, 115B (115) headers (space savings 35.03%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      595us       595us       595us         0us   100.00%
time for connect:     3.31ms      3.31ms      3.31ms         0us   100.00%
time to 1st byte:     3.94ms      3.94ms      3.94ms         0us   100.00%
req/s           :     246.83      246.83      246.83        0.00   100.00%

lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 4.26ms, 235.02 req/s, 525.58KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2290) total, 115B (115) headers (space savings 35.03%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      698us       698us       698us         0us   100.00%
time for connect:     2.81ms      2.81ms      2.81ms         0us   100.00%
time to 1st byte:     3.60ms      3.60ms      3.60ms         0us   100.00%
req/s           :     265.46      265.46      265.46        0.00   100.00%

lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 3.83ms, 261.23 req/s, 584.20KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2290) total, 115B (115) headers (space savings 35.03%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      497us       497us       497us         0us   100.00%
time for connect:     2.46ms      2.46ms      2.46ms         0us   100.00%
time to 1st byte:     3.01ms      3.01ms      3.01ms         0us   100.00%
req/s           :     318.41      318.41      318.41        0.00   100.00%

lxc exec oneinstack-ubuntu16-nginx -- ls -lsh /etc/myssl/http2.domain.com
total 24K
4.0K -rw-r--r-- 1 root root  423 Jun 13 02:39 dhparam.pem
4.0K -rw-r--r-- 1 root root  764 Jun 13 02:39 http2.domain.com-ecc.crt
4.0K -rw-r--r-- 1 root root  301 Jun 13 02:39 http2.domain.com-ecc.key
4.0K -rw-r--r-- 1 root root 1.2K Jun 13 02:39 http2.domain.com.crt
4.0K -rw-r--r-- 1 root root 1.7K Jun 13 02:39 http2.domain.com.key
4.0K -rw-r--r-- 1 root root  386 Jun 13 07:55 sslcerts.conf

lxc stop oneinstack-ubuntu16-nginx
-------------------------------------------------------------------------------------------
lxc exec oneinstack-ubuntu16-openresty -- mkdir -p /etc/myssl/http2.domain.com
lxc exec oneinstack-ubuntu16-openresty -- cd /etc/myssl/http2.domain.com

lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem

lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt

lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key

lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt

lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key

lxc file push sslcerts.conf oneinstack-ubuntu16-openresty/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec oneinstack-ubuntu16-openresty -- cat /etc/myssl/http2.domain.com/sslcerts.conf

ssl_dhparam          /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers   on;

ssl config settings

lxc exec oneinstack-ubuntu16-openresty -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /usr/local/openresty/nginx/conf/nginx.conf.default
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

lxc file push oneinstack-openresty-http2.domain.com.ssl.conf oneinstack-ubuntu16-openresty/usr/local/openresty/nginx/conf/vhost/http2.domain.com.ssl.conf

lxc exec oneinstack-ubuntu16-openresty -- cat /usr/local/openresty/nginx/conf/vhost/http2.domain.com.ssl.conf
server {
  listen 443 ssl http2;
  server_name http2.domain.com;
  include /etc/myssl/http2.domain.com/sslcerts.conf;
  access_log /data/wwwlogs/http2.domain.com_nginx.log combined;
  index index.html index.htm index.php;
  root /data/wwwroot/http2.domain.com;
  
  include /usr/local/openresty/nginx/conf/rewrite/other.conf;
  #error_page 404 /404.html;
  #error_page 502 /502.html;
  
  location ~ [^/]\.php(/|$) {
    #fastcgi_pass remote_php_ip:9000;
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  location ~ .*\.(js|css)?$ {
    expires 7d;
    access_log off;
  }
  location ~ /\.ht {
    deny all;
  }
}

lxc exec oneinstack-ubuntu16-openresty -- /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful

lxc exec oneinstack-ubuntu16-openresty -- systemctl restart nginx

lxc exec oneinstack-ubuntu16-openresty -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Server: openresty
Date: Tue, 12 Jun 2018 23:55:29 GMT
Content-Type: text/html
Content-Length: 6456
Last-Modified: Mon, 11 Jun 2018 22:28:32 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5b1ef790-1938"
Accept-Ranges: bytes


lxc exec oneinstack-ubuntu16-openresty -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.71.164.25...
* Connected to http2.domain.com (10.71.164.25) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: http2.domain.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #1
*        subject: O=http2.domain.com,OU=http2.domain.com,CN=http2.domain.com
*        start date: Fri, 08 Jun 2018 03:54:56 GMT
*        expire date: Sun, 15 May 2118 03:54:56 GMT

/usr/local/bin/h2load

lxc exec oneinstack-ubuntu16-openresty -- h2load --version
h2load nghttp2/1.33.0-DEV

lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 3.76ms, 265.82 req/s, 1.68MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.49KB (6644) total, 121B (121) headers (space savings 37.95%), 6.30KB (6456) data
                     min         max         mean         sd        +/- sd
time for request:      309us       309us       309us         0us   100.00%
time for connect:     2.77ms      2.77ms      2.77ms         0us   100.00%
time to 1st byte:     3.15ms      3.15ms      3.15ms         0us   100.00%
req/s           :     302.34      302.34      302.34        0.00   100.00%

lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 5.43ms, 184.09 req/s, 412.23KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2293) total, 118B (118) headers (space savings 34.81%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      998us       998us       998us         0us   100.00%
time for connect:     3.68ms      3.68ms      3.68ms         0us   100.00%
time to 1st byte:     4.72ms      4.72ms      4.72ms         0us   100.00%
req/s           :     205.83      205.83      205.83        0.00   100.00%

lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 6.51ms, 153.68 req/s, 344.13KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2293) total, 118B (118) headers (space savings 34.81%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:     1.57ms      1.57ms      1.57ms         0us   100.00%
time for connect:     4.14ms      4.14ms      4.14ms         0us   100.00%
time to 1st byte:     5.74ms      5.74ms      5.74ms         0us   100.00%
req/s           :     169.40      169.40      169.40        0.00   100.00%

lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 3.19ms, 313.58 req/s, 702.18KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2293) total, 118B (118) headers (space savings 34.81%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      491us       491us       491us         0us   100.00%
time for connect:     2.03ms      2.03ms      2.03ms         0us   100.00%
time to 1st byte:     2.55ms      2.55ms      2.55ms         0us   100.00%
req/s           :     378.22      378.22      378.22        0.00   100.00%

lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 3.42ms, 292.57 req/s, 655.14KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2293) total, 118B (118) headers (space savings 34.81%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      658us       658us       658us         0us   100.00%
time for connect:     1.98ms      1.98ms      1.98ms         0us   100.00%
time to 1st byte:     2.75ms      2.75ms      2.75ms         0us   100.00%
req/s           :     339.04      339.04      339.04        0.00   100.00%

lxc exec oneinstack-ubuntu16-openresty -- ls -lsh /etc/myssl/http2.domain.com
total 24K
4.0K -rw-r--r-- 1 root root  423 Jun 13 02:39 dhparam.pem
4.0K -rw-r--r-- 1 root root  764 Jun 13 02:39 http2.domain.com-ecc.crt
4.0K -rw-r--r-- 1 root root  301 Jun 13 02:39 http2.domain.com-ecc.key
4.0K -rw-r--r-- 1 root root 1.2K Jun 13 02:39 http2.domain.com.crt
4.0K -rw-r--r-- 1 root root 1.7K Jun 13 02:39 http2.domain.com.key
4.0K -rw-r--r-- 1 root root  386 Jun 13 07:55 sslcerts.conf

lxc stop oneinstack-ubuntu16-openresty
Firewall stopped and disabled on system startup
-------------------------------------------------------------------------------------------
lxc exec vestacp-ubuntu1604 -- mkdir -p /etc/myssl/http2.domain.com
lxc exec vestacp-ubuntu1604 -- cd /etc/myssl/http2.domain.com

lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem

lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt

lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key

lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt

lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key

lxc file push sslcerts.conf vestacp-ubuntu1604/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec vestacp-ubuntu1604 -- cat /etc/myssl/http2.domain.com/sslcerts.conf

ssl_dhparam          /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers   on;

ssl config settings

lxc exec vestacp-ubuntu1604 -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /etc/nginx/nginx.conf
    ssl_session_cache   shared:SSL:10m;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

lxc exec vestacp-ubuntu1604 -- cat /home/admin/conf/web/http2.domain.com.nginx.ssl.conf
server {
    listen      10.71.164.97:443 ssl http2;
    server_name http2.domain.com www.http2.domain.com;
    root        /home/admin/web/http2.domain.com/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/http2.domain.com.log combined;
    access_log  /var/log/nginx/domains/http2.domain.com.bytes bytes;
    error_log   /var/log/nginx/domains/http2.domain.com.error.log error;

    #ssl         on;
    ssl_certificate      /home/admin/conf/web/ssl.http2.domain.com.pem;
    ssl_certificate_key  /home/admin/conf/web/ssl.http2.domain.com.key;
    ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
    ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;

    location / {

        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }

        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }

            fastcgi_pass    127.0.0.1:9002;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }

    error_page  403 /error/404.html;
    error_page  404 /error/404.html;
    error_page  500 502 503 504 /error/50x.html;

    location /error/ {
        alias   /home/admin/web/http2.domain.com/document_errors/;
    }

    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }

    location /vstats/ {
        alias   /home/admin/web/http2.domain.com/stats/;
        include /home/admin/conf/web/http2.domain.com.auth*;
    }

    include     /etc/nginx/conf.d/phpmyadmin.inc*;
    include     /etc/nginx/conf.d/phppgadmin.inc*;
    include     /etc/nginx/conf.d/webmail.inc*;

    include     /home/admin/conf/web/snginx.http2.domain.com.conf*;
}

lxc exec vestacp-ubuntu1604 -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Jun 2018 23:55:38 GMT
Content-Type: text/html
Content-Length: 6456
Last-Modified: Sun, 10 Jun 2018 23:56:56 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "5b1dbac8-1938"
Accept-Ranges: bytes


lxc exec vestacp-ubuntu1604 -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.71.164.97...
* Connected to http2.domain.com (10.71.164.97) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: http2.domain.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #1
*        subject: O=http2.domain.com,OU=http2.domain.com,CN=http2.domain.com
*        start date: Fri, 08 Jun 2018 03:54:56 GMT
*        expire date: Sun, 15 May 2118 03:54:56 GMT

/usr/local/bin/h2load

lxc exec vestacp-ubuntu1604 -- h2load --version
h2load nghttp2/1.33.0-DEV

lxc exec vestacp-ubuntu1604 -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 5.03ms, 198.89 req/s, 1.26MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.47KB (6629) total, 106B (106) headers (space savings 38.37%), 6.30KB (6456) data
                     min         max         mean         sd        +/- sd
time for request:      561us       561us       561us         0us   100.00%
time for connect:     3.75ms      3.75ms      3.75ms         0us   100.00%
time to 1st byte:     4.35ms      4.35ms      4.35ms         0us   100.00%
req/s           :     221.50      221.50      221.50        0.00   100.00%

lxc exec vestacp-ubuntu1604 -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 5.33ms, 187.69 req/s, 416.43KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.22KB (2272) total, 103B (103) headers (space savings 34.81%), 2.05KB (2102) data
                     min         max         mean         sd        +/- sd
time for request:      705us       705us       705us         0us   100.00%
time for connect:     3.70ms      3.70ms      3.70ms         0us   100.00%
time to 1st byte:     4.44ms      4.44ms      4.44ms         0us   100.00%
req/s           :     215.89      215.89      215.89        0.00   100.00%

lxc exec vestacp-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 4.87ms, 205.34 req/s, 455.59KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.22KB (2272) total, 103B (103) headers (space savings 34.81%), 2.05KB (2102) data
                     min         max         mean         sd        +/- sd
time for request:      695us       695us       695us         0us   100.00%
time for connect:     3.01ms      3.01ms      3.01ms         0us   100.00%
time to 1st byte:     3.76ms      3.76ms      3.76ms         0us   100.00%
req/s           :     257.80      257.80      257.80        0.00   100.00%

lxc exec vestacp-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 3.42ms, 292.06 req/s, 648.00KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.22KB (2272) total, 103B (103) headers (space savings 34.81%), 2.05KB (2102) data
                     min         max         mean         sd        +/- sd
time for request:      547us       547us       547us         0us   100.00%
time for connect:     2.05ms      2.05ms      2.05ms         0us   100.00%
time to 1st byte:     2.68ms      2.68ms      2.68ms         0us   100.00%
req/s           :     342.43      342.43      342.43        0.00   100.00%

lxc exec vestacp-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done

finished in 3.08ms, 324.57 req/s, 720.14KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.22KB (2272) total, 103B (103) headers (space savings 34.81%), 2.05KB (2102) data
                     min         max         mean         sd        +/- sd
time for request:      454us       454us       454us         0us   100.00%
time for connect:     2.03ms      2.03ms      2.03ms         0us   100.00%
time to 1st byte:     2.52ms      2.52ms      2.52ms         0us   100.00%
req/s           :     385.72      385.72      385.72        0.00   100.00%

lxc exec vestacp-ubuntu1604 -- ls -lsh /etc/myssl/http2.domain.com
total 24K
4.0K -rw-r--r-- 1 root root  423 Jun 12 18:44 dhparam.pem
4.0K -rw-r--r-- 1 root root  764 Jun 12 18:44 http2.domain.com-ecc.crt
4.0K -rw-r--r-- 1 root root  301 Jun 12 18:44 http2.domain.com-ecc.key
4.0K -rw-r--r-- 1 root root 1.2K Jun 12 18:44 http2.domain.com.crt
4.0K -rw-r--r-- 1 root root 1.7K Jun 12 18:44 http2.domain.com.key
4.0K -rw-r--r-- 1 root root  386 Jun 12 23:55 sslcerts.conf

lxc stop vestacp-ubuntu1604
-------------------------------------------------------------------------------------------
lxc exec webinoly -- mkdir -p /etc/myssl/http2.domain.com
lxc exec webinoly -- cd /etc/myssl/http2.domain.com

lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem

lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt

lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key

lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt

lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key

lxc file push sslcerts.conf webinoly/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec webinoly -- cat /etc/myssl/http2.domain.com/sslcerts.conf

ssl_dhparam          /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate      /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key  /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers   on;

ssl config settings

lxc exec webinoly -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /etc/nginx/nginx.conf
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:20m;
        ssl_dhparam /etc/ssl/dhparam.pem;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT;

lxc file push webinoly-http2.domain.com.ssl webinoly/etc/nginx/sites-available/http2.domain.com.ssl

lxc exec webinoly -- ln -s /etc/nginx/sites-available/http2.domain.com.ssl /etc/nginx/sites-enabled/
ln: failed to create symbolic link '/etc/nginx/sites-enabled/http2.domain.com.ssl': File exists

lxc exec webinoly -- cat /etc/nginx/sites-available/http2.domain.com.ssl
server {
        listen 443 ssl http2;
        server_name http2.domain.com;
        include /etc/myssl/http2.domain.com/sslcerts.conf;

        access_log /var/log/nginx/http2.domain.com.access.log we_log; 
        error_log /var/log/nginx/http2.domain.com.error.log;

        root /var/www/http2.domain.com/htdocs;

        index  index.php index.html index.htm;

        include common/php.conf;
        include common/locations.conf;
        include common/headers-http.conf;
        include common/headers-html.conf;
        #include /var/www/http2.domain.com/conf/nginx/*.conf;
}

lxc exec webinoly -- nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

lxc exec webinoly -- systemctl restart nginx

lxc exec webinoly -- curl -Ik https://http2.domain.com/
HTTP/2 200 
server: nginx
date: Tue, 12 Jun 2018 23:55:50 GMT
content-type: text/html
content-length: 6457
last-modified: Sun, 10 Jun 2018 05:51:21 GMT
vary: Accept-Encoding
etag: "5b1cbc59-1939"
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: public, no-cache
referrer-policy: unsafe-url
accept-ranges: bytes


lxc exec webinoly -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n48
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.71.164.45...
* TCP_NODELAY set
* Connected to http2.domain.com (10.71.164.45) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [214 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [814 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=http2.domain.com; OU=http2.domain.com; CN=http2.domain.com
*  start date: Jun  8 03:54:56 2018 GMT
*  expire date: May 15 03:54:56 2118 GMT
*  issuer: O=http2.domain.com; OU=http2.domain.com; CN=http2.domain.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55ad635ea940)
} [5 bytes data]
> HEAD / HTTP/2
> Host: http2.domain.com
> User-Agent: curl/7.58.0
> Accept: */*
> 

/usr/local/bin/h2load

lxc exec webinoly -- h2load --version
h2load nghttp2/1.33.0-DEV

lxc exec webinoly -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 100% done

finished in 4.90ms, 203.96 req/s, 1.31MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.60KB (6760) total, 236B (236) headers (space savings 28.05%), 6.31KB (6457) data
                     min         max         mean         sd        +/- sd
time for request:      239us       239us       239us         0us   100.00%
time for connect:     3.98ms      3.98ms      3.98ms         0us   100.00%
time to 1st byte:     4.25ms      4.25ms      4.25ms         0us   100.00%
req/s           :     227.45      227.45      227.45        0.00   100.00%

lxc exec webinoly -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 100% done

finished in 5.06ms, 197.82 req/s, 465.20KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.35KB (2408) total, 233B (233) headers (space savings 25.80%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      722us       722us       722us         0us   100.00%
time for connect:     3.74ms      3.74ms      3.74ms         0us   100.00%
time to 1st byte:     4.49ms      4.49ms      4.49ms         0us   100.00%
req/s           :     218.67      218.67      218.67        0.00   100.00%

lxc exec webinoly -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 100% done

finished in 4.86ms, 205.93 req/s, 484.26KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.35KB (2408) total, 233B (233) headers (space savings 25.80%), 2.06KB (2108) data
                     min         max         mean         sd        +/- sd
time for request:      431us       431us       431us         0us   100.00%
time for connect:     3.80ms      3.80ms      3.80ms         0us   100.00%
time to 1st byte:     4.29ms      4.29ms      4.29ms         0us   100.00%
req/s           :     226.32      226.32      226.32        0.00   100.00%

lxc exec webinoly -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests

finished in 2.03ms, 0.00 req/s, 0B/s
requests: 1 total, 0 started, 0 done, 0 succeeded, 1 failed, 1 errored, 0 timeout
status codes: 0 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 0B (0) total, 0B (0) headers (space savings 0.00%), 0B (0) data
                     min         max         mean         sd        +/- sd
time for request:        0us         0us         0us         0us     0.00%
time for connect:        0us         0us         0us         0us     0.00%
time to 1st byte:        0us         0us         0us         0us     0.00%
req/s           :       0.00        0.00        0.00        0.00   100.00%

lxc exec webinoly -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests

finished in 2.12ms, 0.00 req/s, 0B/s
requests: 1 total, 0 started, 0 done, 0 succeeded, 1 failed, 1 errored, 0 timeout
status codes: 0 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 0B (0) total, 0B (0) headers (space savings 0.00%), 0B (0) data
                     min         max         mean         sd        +/- sd
time for request:        0us         0us         0us         0us     0.00%
time for connect:        0us         0us         0us         0us     0.00%
time to 1st byte:        0us         0us         0us         0us     0.00%
req/s           :       0.00        0.00        0.00        0.00   100.00%

lxc exec webinoly -- ls -lsh /etc/myssl/http2.domain.com
total 44K
8.0K -rw-r--r-- 1 root root  423 Jun 12 18:41 dhparam.pem
8.0K -rw-r--r-- 1 root root  764 Jun 12 18:41 http2.domain.com-ecc.crt
8.0K -rw-r--r-- 1 root root  301 Jun 12 18:41 http2.domain.com-ecc.key
8.0K -rw-r--r-- 1 root root 1.2K Jun 12 18:41 http2.domain.com.crt
8.0K -rw-r--r-- 1 root root 1.7K Jun 12 18:41 http2.domain.com.key
4.0K -rw-r--r-- 1 root root  386 Jun 12 23:55 sslcerts.conf

lxc stop webinoly
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.