Nginx HTTPS / SSL Configuration Notes
- automated SSL configuration for the respective LEMP stacks: Centmin Mod Nginx, EasyEngine, Webinoly, VestaCP, OneinStack Nginx and OneinStack OpenResty Nginx, which were installed into LXD containers as outlined at https://community.centminmod.com/threads/nginx-static-html-benchmarks-centmin-mod-vs-easyengine-vs-webinoly-vs-vestacp-vs-oneinstack.14949/
- the lxc.sh ssl command automates the setup of dual RSA 2048bit/ECDSA 256bit self-signed SSL certificates, supported since Nginx 1.11.0 (https://community.centminmod.com/threads/nginx-1-11-0-introduces-dual-ecdsa-rsa-ssl-certificate-support.7449/), for each respective LEMP stack's Nginx vhost named http2.domain.com, and also inspects each LEMP stack's default Nginx configuration settings, i.e. SSL ciphers etc. Webinoly's default Nginx SSL cipher configuration doesn't support ECDSA 256bit SSL ciphers out of the box, so only RSA 2048bit SSL ciphers are tested for it
- VestaCP and EasyEngine failed to restart Nginx as their vhosts use the deprecated ssl on; directive and don't use HTTP/2 HTTPS by default, so the ssl on; directive had to be manually removed, ssl http2 added to the listen directive, and the ECDSA 256bit SSL cert added manually alongside the existing RSA 2048bit SSL certificate
- using nghttp2's h2load HTTP/2 HTTPS load testing tool (https://nghttp2.org/documentation/h2load-howto.html) for the HTTP/2 HTTPS benchmarks. The CentOS 7.5 yum repo nghttp2 is v1.31, while the Ubuntu 18.04 LTS apt package used by Webinoly is nghttp2 v1.30. For the other LEMP stacks on Ubuntu 16.04 LTS, the apt nghttp2 package is a very old v1.7.1 and doesn't include the h2load binary, so it needs to be source compiled from the nghttp2 GitHub repo. So for CentOS 7.5, Ubuntu 16.04 LTS and 18.04 LTS, nghttp2/h2load v1.33 is installed via source compile.
- EasyEngine 3.8.1's default SSL cipher order causes the h2load HTTP/2 HTTPS load test to fail because the negotiated cipher is DHE_RSA_AES_128_GCM_SHA256, which is weak and not supported for HTTP/2
EasyEngine 3.8.1 default SSL cipher DHE_RSA_AES_128_GCM_SHA256 not supported for HTTP/2 HTTPS:
curl -sv https://http2.domain.com/
* Trying 10.71.164.21...
* Connected to http2.domain.com (10.71.164.21) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / DHE_RSA_AES_128_GCM_SHA256
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
EasyEngine 3.8.1 failed h2load HTTP/2 HTTPS test:
h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
finished in 4.37ms, 0.00 req/s, 0B/s
requests: 1 total, 0 started, 0 done, 0 succeeded, 1 failed, 1 errored, 0 timeout
status codes: 0 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 0B (0) total, 0B (0) headers (space savings 0.00%), 0B (0) data
min max mean sd +/- sd
time for request: 0us 0us 0us 0us 0.00%
time for connect: 0us 0us 0us 0us 0.00%
time to 1st byte: 0us 0us 0us 0us 0.00%
req/s : 0.00 0.00 0.00 0.00 100.00%
EasyEngine 3.8.1 default SSL ciphers:
lxc exec easyengine-ubuntu1604 -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /etc/nginx/nginx.conf
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EasyEngine 3.8.1 needs manual fixing for HTTP/2 HTTPS support by changing the SSL cipher choices according to https://community.rtcamp.com/t/chrome-security-issue/8499/6
sed -i 's/ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;/ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;/' /etc/nginx/nginx.conf
systemctl restart nginx
Rechecking EasyEngine 3.8.1 Nginx HTTP/2 HTTPS support via the h2load HTTP/2 HTTPS tool shows it working with no failed requests:
h2load -t1 -c1 -n1 https://http2.domain.com/index.html
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 6.35ms, 157.41 req/s, 1.00MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.51KB (6665) total, 142B (142) headers (space savings 35.16%), 6.30KB (6456) data
min max mean sd +/- sd
time for request: 506us 506us 506us 0us 100.00%
time for connect: 5.16ms 5.16ms 5.16ms 0us 100.00%
time to 1st byte: 5.71ms 5.71ms 5.71ms 0us 100.00%
req/s : 173.25 173.25 173.25 0.00 100.00%
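The EasyEngine cipher failure above and its sed fix, as an added example (not code from these notes, EasyEngine or Centmin Mod): a Python script that expands both ssl_ciphers strings the way nginx's OpenSSL does and reports which suites an HTTP/2 client such as h2load can accept. The STRICT_H2_CLIENT offer list is a constructed assumption standing in for a strict HTTP/2 client.

```python
"""HTTP/2 readiness check for an nginx ssl_ciphers string.

Added example for these notes. It expands an OpenSSL cipher string using the
OpenSSL library behind Python's ssl module (the same expansion nginx gets),
then reports which suites an HTTP/2 client accepts. RFC 7540 section 9.2.2
requires ephemeral key exchange and an AEAD cipher, and its Appendix A black
list also covers finite-field DHE suites such as DHE-RSA-AES128-GCM-SHA256,
which is why the failing h2load run above never reached h2.
"""
import ssl

# Cipher strings copied from the sed command in the notes (trailing ';' dropped).
EASYENGINE_DEFAULT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHADHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:"
    "DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!ECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)
EASYENGINE_FIXED = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# Constructed offer list for a strict HTTP/2 client: the RFC 7540 mandatory
# suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and its ECDSA sibling.
STRICT_H2_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"]


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suites it
    selects, in the order nginx applies with ssl_prefer_server_ciphers on.
    Unknown names (e.g. the typo 'AES128-GCM-SA256') are silently dropped by
    OpenSSL; TLS 1.3 suites are configured separately and skipped here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def h2_usable(cipher):
    """True if an HTTP/2 client may use the suite: ECDHE key exchange (the
    black list rejects static RSA and finite-field DHE) and an AEAD cipher."""
    return cipher["name"].startswith("ECDHE-") and cipher["aead"]


def audit(cipher_string):
    """Summarise what the string actually yields once OpenSSL expands it."""
    suites = expand(cipher_string)
    return {
        "total": len(suites),
        "ecdhe": sum(1 for c in suites if c["name"].startswith("ECDHE-")),
        "h2_usable": [c["name"] for c in suites if h2_usable(c)],
        # Root cause in the EasyEngine list: in OpenSSL cipher syntax 'ECDH'
        # matches every ECDH key exchange, ephemeral included, and '!' removes
        # those suites permanently, so no ECDHE suite survives even though the
        # list starts with ECDHE-RSA-AES128-GCM-SHA256.
        "removes_all_ecdhe": "!ECDH" in cipher_string.split(":"),
    }


def negotiated(server_string, client_offer):
    """Simulate ssl_prefer_server_ciphers on: nginx takes the first suite in
    its own order that the client also offered, else the handshake fails."""
    for c in expand(server_string):
        if c["name"] in client_offer:
            return c["name"]
    return None


if __name__ == "__main__":
    for label, s in (("easyengine default", EASYENGINE_DEFAULT), ("fixed", EASYENGINE_FIXED)):
        a = audit(s)
        print(f"{label}: {a['total']} suites, {a['ecdhe']} ECDHE, "
              f"{len(a['h2_usable'])} HTTP/2-usable, !ECDH present: {a['removes_all_ecdhe']}")
        print(f"  strict h2 client negotiates: {negotiated(s, STRICT_H2_CLIENT)}")
```

The fixed list still contains DHE and CBC suites, but they only get picked when no ECDHE AEAD suite is shared with the client. The Ubuntu 16.04 container negotiated ECDHE-ECDSA-AES128-GCM-SHA256 rather than the ChaCha20 suite listed first because its OpenSSL 1.0.2 has no ChaCha20-Poly1305 suites and drops those names, whereas OpenSSL 1.1.0 or newer keeps them.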
Full output for the lxc.sh ssl command:
./lxc.sh ssl
lxc start centos75-2
lxc start easyengine-ubuntu1604
lxc start oneinstack-ubuntu16-nginx
lxc start oneinstack-ubuntu16-openresty
lxc start vestacp-ubuntu1604
lxc start webinoly
-------------------------------------------------------------------------------------------
lxc exec centos75-2 -- mkdir -p /etc/myssl/http2.domain.com
lxc exec centos75-2 -- cd /etc/myssl/http2.domain.com
lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem
lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt
lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key
lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt
lxc exec centos75-2 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key
lxc file push sslcerts.conf centos75-2/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec centos75-2 -- cat /etc/myssl/http2.domain.com/sslcerts.conf
ssl_dhparam /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers on;
ssl config settings
lxc exec centos75-2 -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /usr/local/nginx/conf/conf.d/http2.domain.com.ssl.conf
ssl_dhparam /usr/local/nginx/conf/ssl/http2.domain.com/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
lxc exec centos75-2 -- cat /usr/local/nginx/conf/conf.d/http2.domain.com.ssl.conf
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html
# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
# listen 80;
# server_name http2.domain.com www.http2.domain.com;
# return 302 https://$server_name$request_uri;
# }
server {
listen 443 ssl http2;
server_name http2.domain.com www.http2.domain.com;
ssl_dhparam /usr/local/nginx/conf/ssl/http2.domain.com/dhparam.pem;
ssl_certificate /usr/local/nginx/conf/ssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/http2.domain.com/http2.domain.com.key;
include /usr/local/nginx/conf/ssl_include.conf;
include /usr/local/nginx/conf/ssl_ecc.conf;
# cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
#ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/http2.domain.com/origin.crt;
#ssl_verify_client on;
http2_max_field_size 16k;
http2_max_header_size 32k;
# mozilla recommended
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
#add_header Alternate-Protocol 443:npn-spdy/3;
# before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
#add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
#add_header X-Frame-Options SAMEORIGIN;
#add_header X-Xss-Protection "1; mode=block" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header Referrer-Policy "strict-origin-when-cross-origin";
#spdy_headers_comp 5;
ssl_buffer_size 1369;
ssl_session_tickets on;
# enable ocsp stapling
#resolver 8.8.8.8 8.8.4.4 valid=10m;
#resolver_timeout 10s;
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_trusted_certificate /usr/local/nginx/conf/ssl/http2.domain.com/http2.domain.com-trusted.crt;
# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;
# limit_conn limit_per_ip 16;
# ssi on;
access_log /home/nginx/domains/http2.domain.com/log/access.log combined buffer=256k flush=5m;
error_log /home/nginx/domains/http2.domain.com/log/error.log;
include /usr/local/nginx/conf/autoprotect/http2.domain.com/autoprotect-http2.domain.com.conf;
root /home/nginx/domains/http2.domain.com/public;
# uncomment cloudflare.conf include if using cloudflare for
# server and/or vhost site
#include /usr/local/nginx/conf/cloudflare.conf;
include /usr/local/nginx/conf/503include-main.conf;
location / {
include /usr/local/nginx/conf/503include-only.conf;
# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;
# Enables directory listings when index file not found
#autoindex on;
# Shows file listing times as local time
#autoindex_localtime on;
# Wordpress Permalinks example
#try_files $uri $uri/ /index.php?q=$uri&$args;
}
include /usr/local/nginx/conf/pre-staticfiles-local-http2.domain.com.conf;
include /usr/local/nginx/conf/pre-staticfiles-global.conf;
include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/php.conf;
include /usr/local/nginx/conf/drop.conf;
#include /usr/local/nginx/conf/errorpage.conf;
include /usr/local/nginx/conf/vts_server.conf;
}
lxc exec centos75-2 -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Date: Tue, 12 Jun 2018 23:54:58 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 6457
Last-Modified: Fri, 08 Jun 2018 03:54:47 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5b19fe07-1939"
Server: nginx centminmod
X-Powered-By: centminmod
Accept-Ranges: bytes
lxc exec centos75-2 -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.71.164.50...
* Connected to http2.domain.com (10.71.164.50) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* ALPN, server accepted to use http/1.1
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=http2.domain.com,OU=HTTPS TEST ORG UNIT,O=HTTPS TEST ORG,L=Los Angeles,ST=California,C=US
* start date: Jun 08 04:08:27 2018 GMT
* expire date: May 15 04:08:27 2118 GMT
* common name: http2.domain.com
* issuer: CN=http2.domain.com,OU=HTTPS TEST ORG UNIT,O=HTTPS TEST ORG,L=Los Angeles,ST=California,C=US
> HEAD / HTTP/1.1
> Host: http2.domain.com
> User-Agent: curl/7.47.1
> Accept: */*
lxc exec centos75-2 -- h2load --version
h2load nghttp2/1.31.1
lxc exec centos75-2 -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 3.52ms, 284.33 req/s, 1.81MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.53KB (6687) total, 163B (163) headers (space savings 31.80%), 6.31KB (6457) data
min max mean sd +/- sd
time for request: 317us 317us 317us 0us 100.00%
time for connect: 2.50ms 2.50ms 2.50ms 0us 100.00%
time to 1st byte: 2.88ms 2.88ms 2.88ms 0us 100.00%
req/s : 326.57 326.57 326.57 0.00 100.00%
lxc exec centos75-2 -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 11.83ms, 84.53 req/s, 191.51KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.27KB (2320) total, 160B (160) headers (space savings 28.89%), 2.04KB (2093) data
min max mean sd +/- sd
time for request: 575us 575us 575us 0us 100.00%
time for connect: 10.96ms 10.96ms 10.96ms 0us 100.00%
time to 1st byte: 11.56ms 11.56ms 11.56ms 0us 100.00%
req/s : 85.63 85.63 85.63 0.00 100.00%
lxc exec centos75-2 -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 5.03ms, 199.00 req/s, 450.87KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.27KB (2320) total, 160B (160) headers (space savings 28.89%), 2.04KB (2093) data
min max mean sd +/- sd
time for request: 592us 592us 592us 0us 100.00%
time for connect: 3.00ms 3.00ms 3.00ms 0us 100.00%
time to 1st byte: 3.66ms 3.66ms 3.66ms 0us 100.00%
req/s : 260.30 260.30 260.30 0.00 100.00%
lxc exec centos75-2 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 5.91ms, 169.32 req/s, 383.61KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.27KB (2320) total, 160B (160) headers (space savings 28.89%), 2.04KB (2093) data
min max mean sd +/- sd
time for request: 1.09ms 1.09ms 1.09ms 0us 100.00%
time for connect: 4.48ms 4.48ms 4.48ms 0us 100.00%
time to 1st byte: 5.60ms 5.60ms 5.60ms 0us 100.00%
req/s : 174.04 174.04 174.04 0.00 100.00%
lxc exec centos75-2 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 4.47ms, 223.51 req/s, 506.40KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.27KB (2320) total, 160B (160) headers (space savings 28.89%), 2.04KB (2093) data
min max mean sd +/- sd
time for request: 441us 441us 441us 0us 100.00%
time for connect: 3.11ms 3.11ms 3.11ms 0us 100.00%
time to 1st byte: 3.77ms 3.77ms 3.77ms 0us 100.00%
req/s : 244.23 244.23 244.23 0.00 100.00%
lxc exec centos75-2 -- ls -lsh /etc/myssl/http2.domain.com
total 44K
8.0K -rw-r--r-- 1 root root 423 Jun 12 18:39 dhparam.pem
8.0K -rw-r--r-- 1 root root 764 Jun 12 18:39 http2.domain.com-ecc.crt
8.0K -rw-r--r-- 1 root root 301 Jun 12 18:39 http2.domain.com-ecc.key
8.0K -rw-r--r-- 1 root root 1.2K Jun 12 18:39 http2.domain.com.crt
8.0K -rw-r--r-- 1 root root 1.7K Jun 12 18:39 http2.domain.com.key
4.0K -rw-r--r-- 1 root root 386 Jun 12 23:54 sslcerts.conf
lxc stop centos75-2
-------------------------------------------------------------------------------------------
lxc exec easyengine-ubuntu1604 -- mkdir -p /etc/myssl/http2.domain.com
lxc exec easyengine-ubuntu1604 -- cd /etc/myssl/http2.domain.com
lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem
lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt
lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key
lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt
lxc exec easyengine-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key
lxc file push sslcerts.conf easyengine-ubuntu1604/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec easyengine-ubuntu1604 -- cat /etc/myssl/http2.domain.com/sslcerts.conf
ssl_dhparam /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers on;
ssl config settings
lxc exec easyengine-ubuntu1604 -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /etc/nginx/nginx.conf
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
lxc file push easyengine-http2.domain.com.ssl easyengine-ubuntu1604/etc/nginx/sites-available/http2.domain.com.ssl
lxc exec easyengine-ubuntu1604 -- ln -s /etc/nginx/sites-available/http2.domain.com.ssl /etc/nginx/sites-enabled/
ln: failed to create symbolic link '/etc/nginx/sites-enabled/http2.domain.com.ssl': File exists
lxc exec easyengine-ubuntu1604 -- cat /etc/nginx/sites-available/http2.domain.com.ssl
server {
listen 443 ssl http2;
server_name http2.domain.com www.http2.domain.com;
include /etc/myssl/http2.domain.com/sslcerts.conf;
access_log /var/log/nginx/http2.domain.com.access.log rt_cache;
error_log /var/log/nginx/http2.domain.com.error.log;
root /var/www/http2.domain.com/htdocs;
index index.php index.html index.htm;
include common/php.conf;
include common/locations.conf;
include /var/www/http2.domain.com/conf/nginx/*.conf;
}
lxc exec easyengine-ubuntu1604 -- nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
lxc exec easyengine-ubuntu1604 -- systemctl restart nginx
lxc exec easyengine-ubuntu1604 -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Jun 2018 23:55:11 GMT
Content-Type: text/html
Content-Length: 6456
Last-Modified: Sun, 10 Jun 2018 06:28:01 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5b1cc4f1-1938"
X-Powered-By: EasyEngine 3.8.1
Accept-Ranges: bytes
lxc exec easyengine-ubuntu1604 -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.71.164.21...
* Connected to http2.domain.com (10.71.164.21) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: http2.domain.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: EC
* certificate version: #1
* subject: C=US,ST=California,L=Los Angeles,O=HTTPS TEST ORG,OU=HTTPS TEST ORG UNIT,CN=http2.domain.com
* start date: Fri, 08 Jun 2018 04:08:27 GMT
* expire date: Sun, 15 May 2118 04:08:27 GMT
/usr/local/bin/h2load
lxc exec easyengine-ubuntu1604 -- h2load --version
h2load nghttp2/1.33.0-DEV
lxc exec easyengine-ubuntu1604 -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 5.09ms, 196.54 req/s, 1.25MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.51KB (6665) total, 142B (142) headers (space savings 35.16%), 6.30KB (6456) data
min max mean sd +/- sd
time for request: 332us 332us 332us 0us 100.00%
time for connect: 3.88ms 3.88ms 3.88ms 0us 100.00%
time to 1st byte: 4.29ms 4.29ms 4.29ms 0us 100.00%
req/s : 217.52 217.52 217.52 0.00 100.00%
lxc exec easyengine-ubuntu1604 -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 7.32ms, 136.56 req/s, 308.58KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.26KB (2314) total, 139B (139) headers (space savings 32.20%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 734us 734us 734us 0us 100.00%
time for connect: 5.67ms 5.67ms 5.67ms 0us 100.00%
time to 1st byte: 6.47ms 6.47ms 6.47ms 0us 100.00%
req/s : 150.38 150.38 150.38 0.00 100.00%
lxc exec easyengine-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 6.46ms, 154.89 req/s, 350.03KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.26KB (2314) total, 139B (139) headers (space savings 32.20%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 677us 677us 677us 0us 100.00%
time for connect: 4.91ms 4.91ms 4.91ms 0us 100.00%
time to 1st byte: 5.68ms 5.68ms 5.68ms 0us 100.00%
req/s : 167.71 167.71 167.71 0.00 100.00%
lxc exec easyengine-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 6.13ms, 163.05 req/s, 368.46KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.26KB (2314) total, 139B (139) headers (space savings 32.20%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 903us 903us 903us 0us 100.00%
time for connect: 4.55ms 4.55ms 4.55ms 0us 100.00%
time to 1st byte: 5.49ms 5.49ms 5.49ms 0us 100.00%
req/s : 178.88 178.88 178.88 0.00 100.00%
lxc exec easyengine-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 4.66ms, 214.73 req/s, 485.24KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.26KB (2314) total, 139B (139) headers (space savings 32.20%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 568us 568us 568us 0us 100.00%
time for connect: 3.57ms 3.57ms 3.57ms 0us 100.00%
time to 1st byte: 4.16ms 4.16ms 4.16ms 0us 100.00%
req/s : 235.65 235.65 235.65 0.00 100.00%
lxc exec easyengine-ubuntu1604 -- ls -lsh /etc/myssl/http2.domain.com
total 24K
4.0K -rw-r--r-- 1 root root 423 Jun 12 18:39 dhparam.pem
4.0K -rw-r--r-- 1 root root 764 Jun 12 18:39 http2.domain.com-ecc.crt
4.0K -rw-r--r-- 1 root root 301 Jun 12 18:39 http2.domain.com-ecc.key
4.0K -rw-r--r-- 1 root root 1.2K Jun 12 18:39 http2.domain.com.crt
4.0K -rw-r--r-- 1 root root 1.7K Jun 12 18:39 http2.domain.com.key
4.0K -rw-r--r-- 1 root root 386 Jun 12 23:55 sslcerts.conf
lxc stop easyengine-ubuntu1604
-------------------------------------------------------------------------------------------
lxc exec oneinstack-ubuntu16-nginx -- mkdir -p /etc/myssl/http2.domain.com
lxc exec oneinstack-ubuntu16-nginx -- cd /etc/myssl/http2.domain.com
lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem
lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt
lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key
lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt
lxc exec oneinstack-ubuntu16-nginx -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key
lxc file push sslcerts.conf oneinstack-ubuntu16-nginx/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec oneinstack-ubuntu16-nginx -- cat /etc/myssl/http2.domain.com/sslcerts.conf
ssl_dhparam /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers on;
ssl config settings
lxc exec oneinstack-ubuntu16-nginx -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /usr/local/nginx/conf/nginx.conf.default
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
lxc file push oneinstack-nginx-http2.domain.com.ssl.conf oneinstack-ubuntu16-nginx/usr/local/nginx/conf/vhost/http2.domain.com.ssl.conf
lxc exec oneinstack-ubuntu16-nginx -- cat /usr/local/nginx/conf/vhost/http2.domain.com.ssl.conf
server {
listen 443 ssl http2;
server_name http2.domain.com;
include /etc/myssl/http2.domain.com/sslcerts.conf;
access_log /data/wwwlogs/http2.domain.com_nginx.log combined;
index index.html index.htm index.php;
root /data/wwwroot/http2.domain.com;
include /usr/local/nginx/conf/rewrite/other.conf;
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ [^/]\.php(/|$) {
#fastcgi_pass remote_php_ip:9000;
fastcgi_pass unix:/dev/shm/php-cgi.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
location ~ /\.ht {
deny all;
}
}
lxc exec oneinstack-ubuntu16-nginx -- /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
lxc exec oneinstack-ubuntu16-nginx -- systemctl restart nginx
lxc exec oneinstack-ubuntu16-nginx -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Jun 2018 23:55:20 GMT
Content-Type: text/html
Content-Length: 6456
Last-Modified: Mon, 11 Jun 2018 21:27:15 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5b1ee933-1938"
Accept-Ranges: bytes
lxc exec oneinstack-ubuntu16-nginx -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.71.164.124...
* Connected to http2.domain.com (10.71.164.124) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: http2.domain.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #1
* subject: O=http2.domain.com,OU=http2.domain.com,CN=http2.domain.com
* start date: Fri, 08 Jun 2018 03:54:56 GMT
* expire date: Sun, 15 May 2118 03:54:56 GMT
/usr/local/bin/h2load
lxc exec oneinstack-ubuntu16-nginx -- h2load --version
h2load nghttp2/1.33.0-DEV
lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 4.14ms, 241.84 req/s, 1.53MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.49KB (6641) total, 118B (118) headers (space savings 38.22%), 6.30KB (6456) data
min max mean sd +/- sd
time for request: 239us 239us 239us 0us 100.00%
time for connect: 3.28ms 3.28ms 3.28ms 0us 100.00%
time to 1st byte: 3.55ms 3.55ms 3.55ms 0us 100.00%
req/s : 274.67 274.67 274.67 0.00 100.00%
lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 5.32ms, 187.93 req/s, 420.28KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2290) total, 115B (115) headers (space savings 35.03%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 660us 660us 660us 0us 100.00%
time for connect: 4.03ms 4.03ms 4.03ms 0us 100.00%
time to 1st byte: 4.72ms 4.72ms 4.72ms 0us 100.00%
req/s : 207.65 207.65 207.65 0.00 100.00%
lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 4.53ms, 220.60 req/s, 493.34KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2290) total, 115B (115) headers (space savings 35.03%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 595us 595us 595us 0us 100.00%
time for connect: 3.31ms 3.31ms 3.31ms 0us 100.00%
time to 1st byte: 3.94ms 3.94ms 3.94ms 0us 100.00%
req/s : 246.83 246.83 246.83 0.00 100.00%
lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 4.26ms, 235.02 req/s, 525.58KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2290) total, 115B (115) headers (space savings 35.03%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 698us 698us 698us 0us 100.00%
time for connect: 2.81ms 2.81ms 2.81ms 0us 100.00%
time to 1st byte: 3.60ms 3.60ms 3.60ms 0us 100.00%
req/s : 265.46 265.46 265.46 0.00 100.00%
lxc exec oneinstack-ubuntu16-nginx -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 3.83ms, 261.23 req/s, 584.20KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2290) total, 115B (115) headers (space savings 35.03%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 497us 497us 497us 0us 100.00%
time for connect: 2.46ms 2.46ms 2.46ms 0us 100.00%
time to 1st byte: 3.01ms 3.01ms 3.01ms 0us 100.00%
req/s : 318.41 318.41 318.41 0.00 100.00%
lxc exec oneinstack-ubuntu16-nginx -- ls -lsh /etc/myssl/http2.domain.com
total 24K
4.0K -rw-r--r-- 1 root root 423 Jun 13 02:39 dhparam.pem
4.0K -rw-r--r-- 1 root root 764 Jun 13 02:39 http2.domain.com-ecc.crt
4.0K -rw-r--r-- 1 root root 301 Jun 13 02:39 http2.domain.com-ecc.key
4.0K -rw-r--r-- 1 root root 1.2K Jun 13 02:39 http2.domain.com.crt
4.0K -rw-r--r-- 1 root root 1.7K Jun 13 02:39 http2.domain.com.key
4.0K -rw-r--r-- 1 root root 386 Jun 13 07:55 sslcerts.conf
lxc stop oneinstack-ubuntu16-nginx
-------------------------------------------------------------------------------------------
lxc exec oneinstack-ubuntu16-openresty -- mkdir -p /etc/myssl/http2.domain.com
lxc exec oneinstack-ubuntu16-openresty -- cd /etc/myssl/http2.domain.com
lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem
lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt
lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key
lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt
lxc exec oneinstack-ubuntu16-openresty -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key
lxc file push sslcerts.conf oneinstack-ubuntu16-openresty/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec oneinstack-ubuntu16-openresty -- cat /etc/myssl/http2.domain.com/sslcerts.conf
ssl_dhparam /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers on;
ssl config settings
lxc exec oneinstack-ubuntu16-openresty -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /usr/local/openresty/nginx/conf/nginx.conf.default
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
lxc file push oneinstack-openresty-http2.domain.com.ssl.conf oneinstack-ubuntu16-openresty/usr/local/openresty/nginx/conf/vhost/http2.domain.com.ssl.conf
lxc exec oneinstack-ubuntu16-openresty -- cat /usr/local/openresty/nginx/conf/vhost/http2.domain.com.ssl.conf
server {
listen 443 ssl http2;
server_name http2.domain.com;
include /etc/myssl/http2.domain.com/sslcerts.conf;
access_log /data/wwwlogs/http2.domain.com_nginx.log combined;
index index.html index.htm index.php;
root /data/wwwroot/http2.domain.com;
include /usr/local/openresty/nginx/conf/rewrite/other.conf;
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ [^/]\.php(/|$) {
#fastcgi_pass remote_php_ip:9000;
fastcgi_pass unix:/dev/shm/php-cgi.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
location ~ /\.ht {
deny all;
}
}
lxc exec oneinstack-ubuntu16-openresty -- /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful
lxc exec oneinstack-ubuntu16-openresty -- systemctl restart nginx
lxc exec oneinstack-ubuntu16-openresty -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Server: openresty
Date: Tue, 12 Jun 2018 23:55:29 GMT
Content-Type: text/html
Content-Length: 6456
Last-Modified: Mon, 11 Jun 2018 22:28:32 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5b1ef790-1938"
Accept-Ranges: bytes
lxc exec oneinstack-ubuntu16-openresty -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.71.164.25...
* Connected to http2.domain.com (10.71.164.25) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: http2.domain.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #1
* subject: O=http2.domain.com,OU=http2.domain.com,CN=http2.domain.com
* start date: Fri, 08 Jun 2018 03:54:56 GMT
* expire date: Sun, 15 May 2118 03:54:56 GMT
/usr/local/bin/h2load
lxc exec oneinstack-ubuntu16-openresty -- h2load --version
h2load nghttp2/1.33.0-DEV
lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 3.76ms, 265.82 req/s, 1.68MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.49KB (6644) total, 121B (121) headers (space savings 37.95%), 6.30KB (6456) data
min max mean sd +/- sd
time for request: 309us 309us 309us 0us 100.00%
time for connect: 2.77ms 2.77ms 2.77ms 0us 100.00%
time to 1st byte: 3.15ms 3.15ms 3.15ms 0us 100.00%
req/s : 302.34 302.34 302.34 0.00 100.00%
lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 5.43ms, 184.09 req/s, 412.23KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2293) total, 118B (118) headers (space savings 34.81%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 998us 998us 998us 0us 100.00%
time for connect: 3.68ms 3.68ms 3.68ms 0us 100.00%
time to 1st byte: 4.72ms 4.72ms 4.72ms 0us 100.00%
req/s : 205.83 205.83 205.83 0.00 100.00%
lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 6.51ms, 153.68 req/s, 344.13KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2293) total, 118B (118) headers (space savings 34.81%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 1.57ms 1.57ms 1.57ms 0us 100.00%
time for connect: 4.14ms 4.14ms 4.14ms 0us 100.00%
time to 1st byte: 5.74ms 5.74ms 5.74ms 0us 100.00%
req/s : 169.40 169.40 169.40 0.00 100.00%
lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 3.19ms, 313.58 req/s, 702.18KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2293) total, 118B (118) headers (space savings 34.81%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 491us 491us 491us 0us 100.00%
time for connect: 2.03ms 2.03ms 2.03ms 0us 100.00%
time to 1st byte: 2.55ms 2.55ms 2.55ms 0us 100.00%
req/s : 378.22 378.22 378.22 0.00 100.00%
lxc exec oneinstack-ubuntu16-openresty -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 3.42ms, 292.57 req/s, 655.14KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.24KB (2293) total, 118B (118) headers (space savings 34.81%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 658us 658us 658us 0us 100.00%
time for connect: 1.98ms 1.98ms 1.98ms 0us 100.00%
time to 1st byte: 2.75ms 2.75ms 2.75ms 0us 100.00%
req/s : 339.04 339.04 339.04 0.00 100.00%
lxc exec oneinstack-ubuntu16-openresty -- ls -lsh /etc/myssl/http2.domain.com
total 24K
4.0K -rw-r--r-- 1 root root 423 Jun 13 02:39 dhparam.pem
4.0K -rw-r--r-- 1 root root 764 Jun 13 02:39 http2.domain.com-ecc.crt
4.0K -rw-r--r-- 1 root root 301 Jun 13 02:39 http2.domain.com-ecc.key
4.0K -rw-r--r-- 1 root root 1.2K Jun 13 02:39 http2.domain.com.crt
4.0K -rw-r--r-- 1 root root 1.7K Jun 13 02:39 http2.domain.com.key
4.0K -rw-r--r-- 1 root root 386 Jun 13 07:55 sslcerts.conf
lxc stop oneinstack-ubuntu16-openresty
Firewall stopped and disabled on system startup
-------------------------------------------------------------------------------------------
lxc exec vestacp-ubuntu1604 -- mkdir -p /etc/myssl/http2.domain.com
lxc exec vestacp-ubuntu1604 -- cd /etc/myssl/http2.domain.com
lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem
lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt
lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key
lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt
lxc exec vestacp-ubuntu1604 -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key
lxc file push sslcerts.conf vestacp-ubuntu1604/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec vestacp-ubuntu1604 -- cat /etc/myssl/http2.domain.com/sslcerts.conf
ssl_dhparam /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers on;
ssl config settings
lxc exec vestacp-ubuntu1604 -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /etc/nginx/nginx.conf
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
lxc exec vestacp-ubuntu1604 -- cat /home/admin/conf/web/http2.domain.com.nginx.ssl.conf
server {
listen 10.71.164.97:443 ssl http2;
server_name http2.domain.com www.http2.domain.com;
root /home/admin/web/http2.domain.com/public_html;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/http2.domain.com.log combined;
access_log /var/log/nginx/domains/http2.domain.com.bytes bytes;
error_log /var/log/nginx/domains/http2.domain.com.error.log error;
#ssl on;
ssl_certificate /home/admin/conf/web/ssl.http2.domain.com.pem;
ssl_certificate_key /home/admin/conf/web/ssl.http2.domain.com.key;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
location / {
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9002;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 500 502 503 504 /error/50x.html;
location /error/ {
alias /home/admin/web/http2.domain.com/document_errors/;
}
location ~* "/\.(htaccess|htpasswd)$" {
deny all;
return 404;
}
location /vstats/ {
alias /home/admin/web/http2.domain.com/stats/;
include /home/admin/conf/web/http2.domain.com.auth*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
include /home/admin/conf/web/snginx.http2.domain.com.conf*;
}
lxc exec vestacp-ubuntu1604 -- curl -Ik https://http2.domain.com/
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Jun 2018 23:55:38 GMT
Content-Type: text/html
Content-Length: 6456
Last-Modified: Sun, 10 Jun 2018 23:56:56 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "5b1dbac8-1938"
Accept-Ranges: bytes
lxc exec vestacp-ubuntu1604 -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n18
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.71.164.97...
* Connected to http2.domain.com (10.71.164.97) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: http2.domain.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #1
* subject: O=http2.domain.com,OU=http2.domain.com,CN=http2.domain.com
* start date: Fri, 08 Jun 2018 03:54:56 GMT
* expire date: Sun, 15 May 2118 03:54:56 GMT
/usr/local/bin/h2load
lxc exec vestacp-ubuntu1604 -- h2load --version
h2load nghttp2/1.33.0-DEV
lxc exec vestacp-ubuntu1604 -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 5.03ms, 198.89 req/s, 1.26MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.47KB (6629) total, 106B (106) headers (space savings 38.37%), 6.30KB (6456) data
min max mean sd +/- sd
time for request: 561us 561us 561us 0us 100.00%
time for connect: 3.75ms 3.75ms 3.75ms 0us 100.00%
time to 1st byte: 4.35ms 4.35ms 4.35ms 0us 100.00%
req/s : 221.50 221.50 221.50 0.00 100.00%
lxc exec vestacp-ubuntu1604 -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 5.33ms, 187.69 req/s, 416.43KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.22KB (2272) total, 103B (103) headers (space savings 34.81%), 2.05KB (2102) data
min max mean sd +/- sd
time for request: 705us 705us 705us 0us 100.00%
time for connect: 3.70ms 3.70ms 3.70ms 0us 100.00%
time to 1st byte: 4.44ms 4.44ms 4.44ms 0us 100.00%
req/s : 215.89 215.89 215.89 0.00 100.00%
lxc exec vestacp-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 4.87ms, 205.34 req/s, 455.59KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.22KB (2272) total, 103B (103) headers (space savings 34.81%), 2.05KB (2102) data
min max mean sd +/- sd
time for request: 695us 695us 695us 0us 100.00%
time for connect: 3.01ms 3.01ms 3.01ms 0us 100.00%
time to 1st byte: 3.76ms 3.76ms 3.76ms 0us 100.00%
req/s : 257.80 257.80 257.80 0.00 100.00%
lxc exec vestacp-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 3.42ms, 292.06 req/s, 648.00KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.22KB (2272) total, 103B (103) headers (space savings 34.81%), 2.05KB (2102) data
min max mean sd +/- sd
time for request: 547us 547us 547us 0us 100.00%
time for connect: 2.05ms 2.05ms 2.05ms 0us 100.00%
time to 1st byte: 2.68ms 2.68ms 2.68ms 0us 100.00%
req/s : 342.43 342.43 342.43 0.00 100.00%
lxc exec vestacp-ubuntu1604 -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 100% done
finished in 3.08ms, 324.57 req/s, 720.14KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.22KB (2272) total, 103B (103) headers (space savings 34.81%), 2.05KB (2102) data
min max mean sd +/- sd
time for request: 454us 454us 454us 0us 100.00%
time for connect: 2.03ms 2.03ms 2.03ms 0us 100.00%
time to 1st byte: 2.52ms 2.52ms 2.52ms 0us 100.00%
req/s : 385.72 385.72 385.72 0.00 100.00%
lxc exec vestacp-ubuntu1604 -- ls -lsh /etc/myssl/http2.domain.com
total 24K
4.0K -rw-r--r-- 1 root root 423 Jun 12 18:44 dhparam.pem
4.0K -rw-r--r-- 1 root root 764 Jun 12 18:44 http2.domain.com-ecc.crt
4.0K -rw-r--r-- 1 root root 301 Jun 12 18:44 http2.domain.com-ecc.key
4.0K -rw-r--r-- 1 root root 1.2K Jun 12 18:44 http2.domain.com.crt
4.0K -rw-r--r-- 1 root root 1.7K Jun 12 18:44 http2.domain.com.key
4.0K -rw-r--r-- 1 root root 386 Jun 12 23:55 sslcerts.conf
lxc stop vestacp-ubuntu1604
-------------------------------------------------------------------------------------------
lxc exec webinoly -- mkdir -p /etc/myssl/http2.domain.com
lxc exec webinoly -- cd /etc/myssl/http2.domain.com
lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/dhparam.pem https://gist.github.com/centminmod/***/raw/dhparam.pem
lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.crt https://gist.github.com/centminmod/***/raw/http2.domain.com.crt
lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com.key https://gist.github.com/centminmod/***/raw/http2.domain.com.key
lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.crt
lxc exec webinoly -- wget -cnv -O /etc/myssl/http2.domain.com/http2.domain.com-ecc.key https://gist.github.com/centminmod/***/raw/http2.domain.com-ecc.key
lxc file push sslcerts.conf webinoly/etc/myssl/http2.domain.com/sslcerts.conf
lxc exec webinoly -- cat /etc/myssl/http2.domain.com/sslcerts.conf
ssl_dhparam /etc/myssl/http2.domain.com/dhparam.pem;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com.key;
ssl_certificate /etc/myssl/http2.domain.com/http2.domain.com-ecc.crt;
ssl_certificate_key /etc/myssl/http2.domain.com/http2.domain.com-ecc.key;
ssl_prefer_server_ciphers on;
ssl config settings
lxc exec webinoly -- egrep 'ssl_session_cache|ssl_session_timeout|ssl_prefer_server_ciphers|ssl_ciphers|ssl_protocols|ssl_dhparam' /etc/nginx/nginx.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:20m;
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT;
lxc file push webinoly-http2.domain.com.ssl webinoly/etc/nginx/sites-available/http2.domain.com.ssl
lxc exec webinoly -- ln -s /etc/nginx/sites-available/http2.domain.com.ssl /etc/nginx/sites-enabled/
ln: failed to create symbolic link '/etc/nginx/sites-enabled/http2.domain.com.ssl': File exists
lxc exec webinoly -- cat /etc/nginx/sites-available/http2.domain.com.ssl
server {
listen 443 ssl http2;
server_name http2.domain.com;
include /etc/myssl/http2.domain.com/sslcerts.conf;
access_log /var/log/nginx/http2.domain.com.access.log we_log;
error_log /var/log/nginx/http2.domain.com.error.log;
root /var/www/http2.domain.com/htdocs;
index index.php index.html index.htm;
include common/php.conf;
include common/locations.conf;
include common/headers-http.conf;
include common/headers-html.conf;
#include /var/www/http2.domain.com/conf/nginx/*.conf;
}
lxc exec webinoly -- nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
lxc exec webinoly -- systemctl restart nginx
lxc exec webinoly -- curl -Ik https://http2.domain.com/
HTTP/2 200
server: nginx
date: Tue, 12 Jun 2018 23:55:50 GMT
content-type: text/html
content-length: 6457
last-modified: Sun, 10 Jun 2018 05:51:21 GMT
vary: Accept-Encoding
etag: "5b1cbc59-1939"
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: public, no-cache
referrer-policy: unsafe-url
accept-ranges: bytes
lxc exec webinoly -- curl -Ikv https://http2.domain.com/ 2>&1 | head -n48
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.71.164.45...
* TCP_NODELAY set
* Connected to http2.domain.com (10.71.164.45) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [214 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [814 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: O=http2.domain.com; OU=http2.domain.com; CN=http2.domain.com
* start date: Jun 8 03:54:56 2018 GMT
* expire date: May 15 03:54:56 2118 GMT
* issuer: O=http2.domain.com; OU=http2.domain.com; CN=http2.domain.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55ad635ea940)
} [5 bytes data]
> HEAD / HTTP/2
> Host: http2.domain.com
> User-Agent: curl/7.58.0
> Accept: */*
>
/usr/local/bin/h2load
lxc exec webinoly -- h2load --version
h2load nghttp2/1.33.0-DEV
lxc exec webinoly -- h2load -t1 -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 100% done
finished in 4.90ms, 203.96 req/s, 1.31MB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 6.60KB (6760) total, 236B (236) headers (space savings 28.05%), 6.31KB (6457) data
min max mean sd +/- sd
time for request: 239us 239us 239us 0us 100.00%
time for connect: 3.98ms 3.98ms 3.98ms 0us 100.00%
time to 1st byte: 4.25ms 4.25ms 4.25ms 0us 100.00%
req/s : 227.45 227.45 227.45 0.00 100.00%
lxc exec webinoly -- h2load -t1 --ciphers=ECDHE-RSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -c1 -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 100% done
finished in 5.06ms, 197.82 req/s, 465.20KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.35KB (2408) total, 233B (233) headers (space savings 25.80%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 722us 722us 722us 0us 100.00%
time for connect: 3.74ms 3.74ms 3.74ms 0us 100.00%
time to 1st byte: 4.49ms 4.49ms 4.49ms 0us 100.00%
req/s : 218.67 218.67 218.67 0.00 100.00%
lxc exec webinoly -- h2load -t1 -c1 --ciphers=ECDHE-RSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 100% done
finished in 4.86ms, 205.93 req/s, 484.26KB/s
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 2.35KB (2408) total, 233B (233) headers (space savings 25.80%), 2.06KB (2108) data
min max mean sd +/- sd
time for request: 431us 431us 431us 0us 100.00%
time for connect: 3.80ms 3.80ms 3.80ms 0us 100.00%
time to 1st byte: 4.29ms 4.29ms 4.29ms 0us 100.00%
req/s : 226.32 226.32 226.32 0.00 100.00%
lxc exec webinoly -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES128-GCM-SHA256 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
finished in 2.03ms, 0.00 req/s, 0B/s
requests: 1 total, 0 started, 0 done, 0 succeeded, 1 failed, 1 errored, 0 timeout
status codes: 0 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 0B (0) total, 0B (0) headers (space savings 0.00%), 0B (0) data
min max mean sd +/- sd
time for request: 0us 0us 0us 0us 0.00%
time for connect: 0us 0us 0us 0us 0.00%
time to 1st byte: 0us 0us 0us 0us 0.00%
req/s : 0.00 0.00 0.00 0.00 100.00%
lxc exec webinoly -- h2load -t1 -c1 --ciphers=ECDHE-ECDSA-AES256-GCM-SHA384 -H 'Accept-Encoding: gzip' -n1 https://http2.domain.com/
starting benchmark...
spawning thread #0: 1 total client(s). 1 total requests
finished in 2.12ms, 0.00 req/s, 0B/s
requests: 1 total, 0 started, 0 done, 0 succeeded, 1 failed, 1 errored, 0 timeout
status codes: 0 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 0B (0) total, 0B (0) headers (space savings 0.00%), 0B (0) data
min max mean sd +/- sd
time for request: 0us 0us 0us 0us 0.00%
time for connect: 0us 0us 0us 0us 0.00%
time to 1st byte: 0us 0us 0us 0us 0.00%
req/s : 0.00 0.00 0.00 0.00 100.00%
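The five h2load runs above probe, one cipher suite at a time, which suites the webinoly vhost will negotiate; the two ECDHE-ECDSA probes fail before a request is even started because webinoly's default cipher list never offers the ECDSA certificate. As an added example (not code from the page or from the webinoly project), this Python parser reads the summary output of such `--ciphers=` probes and turns each into a verdict, so a dual RSA/ECDSA setup whose ECDSA half is unreachable is flagged rather than eyeballed; the two sample outputs are constructed in the format shown above.

```python
import re

# Constructed sample output (trimmed to the lines this parser reads), in the format
# of the h2load -n1 probes above: one RSA suite negotiated, one ECDSA suite rejected.
OK_RUN = """\
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Application protocol: h2
requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout
"""
FAIL_RUN = """\
finished in 2.03ms, 0.00 req/s, 0B/s
requests: 1 total, 0 started, 0 done, 0 succeeded, 1 failed, 1 errored, 0 timeout
"""

REQ_RE = re.compile(r"^requests: (\d+) total, \d+ started, \d+ done, (\d+) succeeded, "
                    r"(\d+) failed, (\d+) errored", re.M)
TLS_KEYS = ("Cipher", "TLS Protocol", "Application protocol")

def parse_h2load(output: str) -> dict:
    """Pull the negotiated TLS parameters and request counts out of one h2load run."""
    m = REQ_RE.search(output)
    if m is None:
        raise ValueError("no 'requests:' summary line in h2load output")
    total, succeeded, failed, errored = (int(x) for x in m.groups())
    result = {"total": total, "succeeded": succeeded, "failed": failed, "errored": errored}
    for key in TLS_KEYS:  # these lines are absent when the handshake never completed
        hit = re.search(rf"^{key}: (\S+)", output, re.M)
        result[key] = hit.group(1) if hit else None
    return result

def classify_probe(requested: str, output: str) -> str:
    """Verdict for one --ciphers=<suite> run: 'ok', 'rejected' (handshake failed,
    no Cipher line), 'mismatch' (server chose another suite) or 'not-h2'."""
    r = parse_h2load(output)
    if r["Cipher"] is None or r["succeeded"] == 0:
        return "rejected"
    if r["Cipher"] != requested:
        return "mismatch"
    return "ok" if r["Application protocol"] == "h2" else "not-h2"

def audit_ciphers(probes: dict) -> dict:
    """probes maps requested cipher -> raw h2load output; returns cipher -> verdict."""
    return {c: classify_probe(c, out) for c, out in probes.items()}

def ecdsa_served(verdicts: dict) -> bool:
    """True when some ECDHE-ECDSA suite was negotiated, i.e. the ECDSA half of a
    dual RSA/ECDSA certificate setup is actually reachable by clients."""
    return any(v == "ok" and c.startswith("ECDHE-ECDSA-") for c, v in verdicts.items())
```

Feed it the captured stdout of each `h2load -n1 --ciphers=<suite>` run keyed by the suite requested; a vhost where every ECDHE-ECDSA probe comes back "rejected" is serving only its RSA certificate, which is what the webinoly default shows above.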
lxc exec webinoly -- ls -lsh /etc/myssl/http2.domain.com
total 44K
8.0K -rw-r--r-- 1 root root 423 Jun 12 18:41 dhparam.pem
8.0K -rw-r--r-- 1 root root 764 Jun 12 18:41 http2.domain.com-ecc.crt
8.0K -rw-r--r-- 1 root root 301 Jun 12 18:41 http2.domain.com-ecc.key
8.0K -rw-r--r-- 1 root root 1.2K Jun 12 18:41 http2.domain.com.crt
8.0K -rw-r--r-- 1 root root 1.7K Jun 12 18:41 http2.domain.com.key
4.0K -rw-r--r-- 1 root root 386 Jun 12 23:55 sslcerts.conf
lxc stop webinoly