Nginx
tvoyadres, 2020-03-22 12:14:10

How to reduce SSL response time on a webserver?

My SSL gets a response in about 200 ms, but on some sites I saw less than 100 ms. How did they achieve this? Here are the Nginx settings for the site:

server {
  server_name site.ru www.site.ru;
  ssl_certificate "/var/www/httpd-cert/site/site.ru.crtca";
  ssl_certificate_key "/var/www/httpd-cert/site/site.ru.key";
  ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_buffer_size 4k;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  add_header Strict-Transport-Security "max-age=31536000;";
  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
  charset UTF-8;
  index index.php index.html;
  disable_symlinks if_not_owner from=$root_path;
  include /etc/nginx/vhosts-includes/*.conf;
  include /etc/nginx/vhosts-resources/site.ru/*.conf;
  error_log /dev/null crit;
  ssi on;
  set $root_path /var/www/site/data/www/site.ru;
  root $root_path;
  gzip on;
  gzip_comp_level 6;
  gzip_disable "msie6";
  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
  location / {
    location ~ [^/]\.ph(p\d*|tml)$ {
      try_files /does_not_exists @fallback;
    }
    location ~* ^.+(resampled|averaged)\.(jpg|jpeg)$ {
      try_files $uri $uri/ @fallback;
      expires 365d;
    }
    location ~* ^.+\.(avi|bz2?|css|eot|gif|gz|ico|js|mp3|mpe?g|ogg|png|rar|svg|swf|ttf|woff|woff2|zip)$ {
      try_files $uri $uri/ @fallback;
      expires 365d;
    }
    location / {
      try_files /does_not_exists @fallback;
    }
  }
  location @fallback {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect http://127.0.0.1:8080 /;
    proxy_set_header Host $host;
    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 128;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;
    send_timeout 300;
    access_log off;
  }
  access_log off;
  listen 192.168.1.22:443 ssl http2;
}

3 answer(s)
Igor Vorotnev, 2020-03-22
@HeadOnFire

You can optimize the settings a little, but still the 2 biggest time eaters will be the network (RTT) and processor time. The first can be improved by being located on a server that is physically closer to your clients, the second - by a more powerful processor. That's how you get <100ms. For example, my site uses the standard CloudFlare, and as you can see, it's just <100ms. I tried to configure this on the server itself, but I couldn't achieve the same numbers, especially considering that I have one server, and RTT for different parts of the world will be different (and often long), but CloudFlare still has adequate balancing.

ky0, 2020-03-22
@ky0

Everything is fine with SSL. Nothing much can be done here - the first handshake is rather long anyway. With subsequent requests, everything will happen much faster.

tvoyadres, 2020-03-22
@tvoyadres

I read here that you need to enable OCSP stapling by adding
ssl_stapling on;
ssl_stapling_verify on;
and you also need to extract the certificate and register it too, but I did not find normal instructions for Comodo certificates.
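
The "extract the certificate and register it" step from the last post, as an added example that is not part of the original thread: it pulls the CA chain out of the bundle already used for ssl_certificate and classifies what `openssl s_client -status` reports. The function names are hypothetical, the output path and resolver address are placeholders, and it assumes the .crtca file holds the server certificate followed by its CA certificates.

```shell
#!/bin/sh
# Added example: prepare and check OCSP stapling for an nginx server block.

# Print every certificate after the first one in a PEM bundle. In a file
# given to ssl_certificate the first certificate is the server's own, so
# the rest is the CA chain.
ca_chain_from_bundle() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n >= 2 { print }' "$1"
}

# Print how many certificates a PEM file holds.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         END { print n + 0 }' "$1"
}

# Classify the output of `openssl s_client -status` read from stdin.
stapling_state() {
    awk '/OCSP Response Status: successful/ { s = "stapled" }
         /OCSP response: no response sent/ { if (s == "") s = "not-stapled" }
         END { print (s == "" ? "unknown" : s) }'
}

# Typical use (the output path and the resolver address are placeholders):
#   ca_chain_from_bundle /var/www/httpd-cert/site/site.ru.crtca > /path/to/ca-chain.pem
#   count_certs /path/to/ca-chain.pem    # 0 means the bundle held only the leaf
# nginx wants the issuer, intermediates and root in this file for
# ssl_stapling_verify; append the root CA if the bundle does not carry it.
# Then, in the server block:
#   ssl_stapling on;
#   ssl_stapling_verify on;
#   ssl_trusted_certificate /path/to/ca-chain.pem;
#   resolver 127.0.0.1;   # assumption: a DNS resolver nginx can reach
# After reloading nginx:
#   openssl s_client -connect site.ru:443 -servername site.ru -status \
#       </dev/null 2>/dev/null | stapling_state
```

nginx fetches the OCSP response lazily, so the first handshake after a reload can still report not-stapled; run the check again before concluding that stapling is off.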
