At the time of writing, Ubuntu Trusty LTS is the latest LTS version of Ubuntu out there so perhaps it is not surprising that the version of Nginx that comes with it is not the absolute latest. Still Ubuntu’s nginx/1.4.6 is a long way behind the latest nginx/1.6.2. Functionally, they both serve the basics fine but in trying to optimize https performance, I realised the upgrade is well worth it.
Here are the steps to upgrade.
Add the nginx.org repository to your apt sources:
deb http://nginx.org/packages/ubuntu/ trusty nginx
deb-src http://nginx.org/packages/ubuntu/ trusty nginx
Then import the repository's signing key so apt can verify the packages it downloads from nginx.org (never add a third-party repository without its key), refresh the package index, and replace Ubuntu's nginx with the nginx.org build:
wget -qO - http://nginx.org/keys/nginx_signing.key | apt-key add -
apt-get update
apt-get remove nginx nginx-full nginx-common nginx-core
apt-get install nginx
Installing directly over the Ubuntu packages is supposed to work, but you can get odd errors from /etc/logrotate.d/nginx, so it is better to remove them first. Back up /etc/nginx before you do: the nginx.org package does not use Ubuntu's sites-available/sites-enabled layout, it loads /etc/nginx/conf.d/*.conf, so existing vhost files need to be moved there or included explicitly.
Just by upgrading, the initial SSL handshake latency dropped by a third in my test case (600ms to 400ms for a Dallas client connecting to the HK server).
Reducing the initial SSL handshake matters for the first-visit experience, but it is equally important to make subsequent visits fast, and for that you still have to get hands-on with the config. Here is the relevant part of my server block:
listen 443 ssl spdy;
rewrite ^/(.*) https://www.gainstrack.com/$1 permanent;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
Substitute your own server_name, ssl_certificate and ssl_certificate_key, and ignore the rewrite rule, which is specific to my AngularJS site. Listing only the TLS versions in ssl_protocols also leaves SSLv3 disabled, which is what you want. The important optimizations are:
- Enabling the spdy protocol alongside https. This is Google's enhancement to reduce latency in modern browsers by multiplexing requests over a single TLS connection.
- Choosing the "best" set of cipher suites available (at the cost of excluding IE8 and below; I don't care because my Angular site only supports later IE versions anyway). "Best" means the forward-secret ECDHE suites come first: they protect recorded traffic even if the server key is later compromised, and because the key exchange uses elliptic curves they are cheap enough that the handshake is no slower in practice. Set ssl_prefer_server_ciphers on so that the server's order wins, not the client's.
- Enabling SSL session caching so that most browsers don't need the full, expensive SSL handshake when reconnecting: a resumed session skips the key exchange and saves a round trip.
Finally, with everything optimized so that HTTPS performs close to plain HTTP, the Strict-Transport-Security header tells browsers that support it to use HTTPS only for this site for the next year (and, with includeSubdomains, for every subdomain), so plain http:// links and typed addresses are upgraded before any request leaves the browser. Two caveats: the header only takes effect after the browser has seen it over a valid TLS connection, so you still need a redirect from port 80, and once it is set every subdomain must serve valid HTTPS for the whole max-age, because browsers will refuse plain HTTP on them.
The result? Close to the best-performing HTTPS setup this version of nginx allows, and a nice A grade at SSL Labs for gainstrack.com.
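To show how those pieces fit together, here is a complete server block that applies every optimization discussed above. This is an added example, not the configuration from the original post: the hostname www.example.com, the certificate and key paths, the document root and the exact cipher list are assumptions, and the cipher list is my choice of ECDHE-first suites rather than the author's.

```nginx
# Added example (not the original post's config). Hostname, certificate
# paths and document root are placeholders; drop it in /etc/nginx/conf.d/.

# Plain HTTP only redirects. HSTS cannot help until the browser has seen the
# header over a valid TLS connection, so this redirect is still required.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    listen 443 ssl spdy;            # SPDY alongside TLS (nginx 1.9.5+ use "http2" instead)
    server_name www.example.com;

    # Serve the leaf certificate followed by the intermediates in one file;
    # a missing chain costs a grade at SSL Labs and breaks some clients.
    ssl_certificate     /etc/ssl/certs/www.example.com.chain.pem;
    ssl_certificate_key /etc/ssl/private/www.example.com.key;

    # TLS only: SSLv3 is excluded (POODLE), which drops IE6 on XP.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Forward-secret ECDHE suites first, then non-PFS AES fallbacks for older
    # clients. No RC4, 3DES, export, NULL or anonymous suites, so IE8 on
    # Windows XP (RC4/3DES only) is excluded; IE8 on Windows 7 still works.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;   # the server's order wins, not the client's

    # Session resumption: a 10 MB cache shared across workers holds roughly
    # 40,000 sessions for 10 minutes, so returning browsers skip the key
    # exchange and one round trip.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS for one year including subdomains. Every subdomain must already
    # serve valid HTTPS; browsers will refuse plain HTTP on them once this is
    # cached. Note that add_header is not inherited into a location {} that
    # sets its own add_header, so repeat it there if needed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    root  /var/www/www.example.com;
    index index.html;
}
```

Check the syntax with `nginx -t` before `service nginx reload`. To confirm session resumption is working, `openssl s_client -connect www.example.com:443 -reconnect` opens the connection five more times with the cached session and should report "Reused" rather than "New" on the reconnects; `openssl s_client -connect www.example.com:443 -ssl3` should fail to negotiate.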
https://www.gainstrack.com is now secure.