Plan your workout before you go to the gym

Failing to plan is planning to fail. Successful gainers know what they are going to do in the gym before they go to the gym: what weights they will do and how many reps they will attempt.

With this in mind, I’m incubating a new feature where you create your workout first – with some help to auto-generate the workout perhaps. Next up is a more simplified mobile interface to actually perform the logging.

Optimizing https performance on Ubuntu/Trusty/Nginx

At the time of writing, Ubuntu Trusty LTS is the latest LTS version of Ubuntu, so perhaps it is not surprising that the version of Nginx that comes with it is not the absolute latest. Still, Ubuntu’s nginx/1.4.6 is a long way behind the latest nginx/1.6.2. Functionally, they both serve the basics fine, but in trying to optimize https performance, I realised the upgrade is well worth it.

Here are the steps to upgrade:

Add these contents to /etc/apt/sources.list.d/nginx.list file:

deb http://nginx.org/packages/ubuntu/ trusty nginx
deb-src http://nginx.org/packages/ubuntu/ trusty nginx

Then run the following commands:

apt-get remove nginx nginx-full nginx-common nginx-core
apt-get update
apt-get install nginx

Installing directly over the old package is supposed to work, but you can get weird errors with /etc/logrotate.d/nginx, so it is better to remove first.

Just by updating to the latest, initial SSL handshake latency reduced by 50% in my test case! (600ms to 400ms for a Dallas client connecting to the HK server).

Reducing the initial SSL handshake time is important for that first visitor experience, but it is equally important to maximise performance for subsequent visits. Here, one still needs to get hands-on with the config. Here is my result:

server {
    listen 80;
    listen 443 ssl spdy;                # HTTPS with SPDY on the same port
    server_name gainstrack.com;
    rewrite ^/(.*) https://www.gainstrack.com/$1 permanent;

    ssl_certificate /etc/nginx/gainstrack.com.unified.crt;
    ssl_certificate_key /etc/nginx/gainstrack.com.private.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;       # the server's cipher order wins over the client's
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_session_cache shared:SSL:1m;    # session cache shared by all worker processes
    ssl_session_timeout 5m;             # cached sessions can be reused for 5 minutes
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}

Substitute server_name/ssl_certificate/ssl_certificate_key for your own server and ignore the rewrite rule, which is for AngularJS. The important optimizations here are:

  • Enabling the spdy protocol, alongside https. This is Google’s enhancement to further reduce latency in modern browsers.
  • Choosing the “best” set of ciphers available (at the cost of excluding IE8 and below. I don’t care because my Angular site only supports later IE versions anyway). The “best” includes forward secrecy protocols that are not only more secure but offer lower latency because some parts of the expensive SSL handshake can be skipped.
  • Enabling SSL session caching so that most browsers don’t need to do the expensive SSL handshake when reconnecting.

Finally, with everything optimized for performance close to that of unsecured HTTP, the Strict-Transport-Security header will encourage modern browsers to treat HTTPS as the default secure way to connect to the website.
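To check that a server block still carries the settings listed above (spdy on the TLS listener, Diffie-Hellman based cipher entries with server preference, a shared session cache and an HSTS max-age), here is an added example that is not part of the original post. The names directives, audit, FS_KEX, POST_CONF and BARE_CONF are made up for this sketch, and the cipher check is a heuristic on the first keyword of each entry, not a full OpenSSL cipher-string evaluation.

```python
import re
FS_KEX = {"ECDH", "EECDH", "ECDHE", "DH", "EDH", "DHE"}  # heuristic: DH-family keywords

def directives(conf):
    """Split nginx config text into [name, arg, ...] lists; quoted strings stay whole."""
    out, cur = [], []
    conf = re.sub(r"#.*", "", conf)  # simplification: assumes no '#' inside quotes
    for tok in re.findall(r'"[^"]*"|[;{}]|[^\s;{}]+', conf):
        if tok in (";", "{", "}"):
            if cur:
                out.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
    return out

def audit(conf):
    """Return a finding for each of the post's settings that is missing."""
    d = directives(conf)
    args = lambda name: [x[1:] for x in d if x[0] == name]
    findings = []
    tls = [a for a in args("listen") if "ssl" in a]
    if not any("spdy" in a for a in tls):
        findings.append("no TLS listener with spdy")
    suites = [s for a in args("ssl_ciphers") for s in a[0].split(":") if s[:1] != "!"]
    weak = [s for s in suites if s.split("+")[0] not in FS_KEX]
    if not suites or weak:
        findings.append("cipher entries without DH/ECDH key exchange: %s" % (weak or "none set"))
    if ["on"] not in args("ssl_prefer_server_ciphers"):
        findings.append("ssl_prefer_server_ciphers is not on")
    if not any(a[0].startswith("shared:") for a in args("ssl_session_cache")):
        findings.append("no shared ssl_session_cache")
    hsts = [a[1] for a in args("add_header") if a[0].lower() == "strict-transport-security"]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not age or int(age.group(1)) == 0:
        findings.append("no Strict-Transport-Security max-age")
    return findings
# Directives copied from the post's server block.
POST_CONF = '''server {
    listen 443 ssl spdy;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_session_cache shared:SSL:1m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}'''
# Constructed counter-example with none of the tuning applied.
BARE_CONF = "server { listen 443 ssl; ssl_ciphers HIGH:!aNULL:!MD5; }"
if __name__ == "__main__":
    print(audit(POST_CONF) or "ok", audit(BARE_CONF), sep="\n")
```

The tokenizer keeps the quoted HSTS value in one piece, which matters because that value contains semicolons of its own.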

The result? Almost the best-performing nginx setup possible with this version of nginx, and a nice A grade in the SSLLabs analysis of gainstrack.com.

https://www.gainstrack.com is now secure.