A personal collection of performance-optimization guides for TLS-encrypted websites

With the release of HTTP/2, TLS-encrypted websites have become more and more common.
An SSL/TLS-encrypted site has plenty of advantages, and naturally its share of drawbacks as well.
Below are the TLS optimization guides I have collected, aimed at improving the performance of encrypted transfers.

1. Optimize the TCP kernel parameters
Add the following to /etc/sysctl.conf (apply them with `sysctl -p`):

net.ipv4.tcp_window_scaling=1  # enable TCP window scaling so the receive window can exceed 64 KB
net.ipv4.tcp_slow_start_after_idle=0  # do not fall back to slow start after the connection has been idle
net.ipv4.tcp_fastopen=3  # enable TCP Fast Open for both the client and the server side

2. Use the latest TLS library
3. Use session caching
4. Use TLS False Start
    Once forward secrecy and ALPN are configured, TLS False Start is enabled automatically by the client.
5. Use dynamic TLS record sizing
   This requires patching the nginx source code; for reference only:
   https://github.com/cloudflare/sslconfig/blob/master/patches/nginx__dynamic_tls_records.patch
   https://github.com/cujanovic/nginx-dynamic-tls-records-patch

6. Enable OCSP stapling, HSTS and a CSP policy
7. Enable HTTP/2 (negotiated via ALPN)
8. Experimentally enable TLS 1.3, Brotli compression and HTTP/2 HPACK header compression
   https://github.com/cloudflare/sslconfig/blob/master/patches/nginx_1.13.1_http2_hpack.patch
   https://github.com/kn007/patch
   https://github.com/injust/hws/tree/master/individual-patches
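Items 3, 4, 6 and 7 above can all be expressed with stock nginx directives, no patches needed. The following server block is an added example written for this post, not configuration taken from any of the linked projects; the hostname, certificate paths, resolver address and document root are placeholders.

```nginx
# Added example: one nginx server block covering session caching (item 3),
# forward secrecy + ALPN so clients can use TLS False Start (item 4),
# OCSP stapling and HSTS (item 6) and HTTP/2 negotiated via ALPN (item 7).
server {
    listen 443 ssl http2;                 # HTTP/2 is offered to clients through ALPN
    server_name example.com;              # placeholder hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder: leaf cert plus intermediates
    ssl_certificate_key /etc/nginx/tls/privkey.pem;    # placeholder: private key

    # Item 3: server-side session cache shared by all worker processes.
    # About 1 MB stores roughly 4000 sessions, so 10m is plenty for most sites.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;

    # Item 4: only forward-secret (ECDHE) suites. Browsers require forward
    # secrecy and ALPN before they will use False Start, so this block plus
    # the http2 listen above is what makes False Start possible.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:prime256v1;

    # Item 6: OCSP stapling, so the client skips its own OCSP round trip.
    # ssl_stapling_verify makes nginx check the response against the chain
    # before stapling it, rather than forwarding whatever the responder sent.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;  # placeholder: issuing CA chain
    resolver 127.0.0.53 valid=300s;       # placeholder: resolver used to reach the OCSP responder
    resolver_timeout 5s;

    # Item 6: HSTS. Start with a small max-age while testing and raise it
    # only once every subdomain is served over TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/html;                   # placeholder document root
}
```

Check the result with `nginx -t` before reloading, and confirm stapling is active with `openssl s_client -connect example.com:443 -status`, which prints an "OCSP Response Status: successful" section when a response is stapled.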
References:
https://www.cdnplanet.com/tools/initcwndcheck
https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/
https://hpbn.co/building-blocks-of-tcp/
https://hpbn.co/transport-layer-security-tls/
https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/
