Recently I have been doing some work on website acceleration, and today I will write about that topic: how to build your own Nginx RPM package with TLS 1.3 support and brotli compression. Why all this is needed and what advantages it promises, read on.
If you want a deeper understanding of how to set up and comprehensively secure local and network infrastructure built on Linux, I recommend the Linux Security online course at OTUS. The course is not for beginners; there is an admission requirement.
Introduction
I will get right to the point, as the title is a bit confusing. Nginx has long supported TLS 1.3; you only have to enable it in the configuration. But this works only on systems with OpenSSL 1.1.1 or newer, and CentOS 7, fully updated, currently ships 1.0.2k-fips:
# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
For TLS 1.3 to work, Nginx must be built against OpenSSL 1.1.1 or higher, and that is what I want to show. If you do not want to work through all of this yourself, you can use a repository where someone has already done it for you; you only need to connect it and install. One example is https://repo.codeit.guru I do not know who these people are or what exactly they change in the standard packages. Look at their site yourself and decide whether you trust them: whatever they ship is the binary that will terminate TLS for your site.
I will show how to build the package yourself and add the functions you need. Besides TLS 1.3 support, I will add the brotli compression module as an alternative to the standard gzip.
I do not want to describe in detail what TLS 1.3 and brotli are about. In short, they speed up the site, but not dramatically, so do not count on much from them. They make sense once everything else is already tuned and you want to squeeze out a little more. You can read more about this on Cloudflare's blog.
To sum up: I will build an RPM package with the current OpenSSL and the brotli module.
Preparing to build your RPM package
To begin with, we install everything needed to build our own RPM package.
# yum groupinstall "Development Tools" && yum install rpmdevtools yum-utils wget git
Connect the nginx mainline repositories for CentOS 7. Note that I use the mainline branch rather than stable; it is quite reliable and has all the latest updates.
# mcedit /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1

[nginx-source]
name=nginx source repo
baseurl=https://nginx.org/packages/mainline/centos/7/SRPMS/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=0
Do not set gpgcheck=0 on the binary repo, and do not point the source repo at the CentOS key: packages and SRPMs from nginx.org are signed with nginx's own key (https://nginx.org/keys/nginx_signing.key), so that is the key both sections must reference, otherwise the SRPM we are about to build from is installed unverified.
Update repositories:
# yum update
Let’s go to the home directory and create a directory structure there.
# cd ~
# rpmdev-setuptree
Nginx already has everything in the repository ready to build from source. Download the source package and install it.
# yumdownloader --source nginx
# rpm -Uvh nginx*.src.rpm
If you run this as root you will get a bunch of warnings. Using a separate, unprivileged user to build packages is recommended, but it is not critical.
Install the build dependencies:
# yum-builddep nginx
Building RPM nginx package with support for brotli and TLS 1.3
Everything is ready to build the RPM package. We need the sources of OpenSSL and of the brotli module. At the time of writing the latest OpenSSL is 1.1.1a, so that is what we use. Go to https://www.openssl.org and copy the download link from the Download section.
# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz
Before unpacking, verify the tarball against the .sha256 file (or the .asc signature) published next to it on openssl.org; a tampered OpenSSL compiled into the web server defeats the point of the whole exercise.
Immediately unpack:
# tar xzvf openssl-*.tar.gz
Download the brotli module via git.
# git clone https://github.com/eustas/ngx_brotli.git
# cd ngx_brotli
# git submodule update --init
Everything is ready to build the RPM. Now point the build at our OpenSSL and the brotli module.
# mcedit ~/rpmbuild/SPECS/nginx.spec
Append the following to the end of the parameter list on the line starting with %define BASE_CONFIGURE_ARGS:
--add-module=/usr/src/ngx_brotli --with-openssl=/usr/src/openssl-1.1.1a --with-openssl-opt=enable-tls1_3
Two notes. OpenSSL Configure options are lowercase, and in 1.1.1 TLS 1.3 is enabled by default, so enable-tls1_3 is harmless but not required. More importantly, --with-openssl compiles OpenSSL statically into the nginx binary: yum updates of the system openssl package will not patch it, so this package has to be rebuilt and reinstalled for every OpenSSL security release.
Run the RPM build:
# cd ~/rpmbuild/SPECS/
# rpmbuild -ba nginx.spec
Install the built package (the version in the file name is whatever rpmbuild produced; at the time of writing it was 1.15.7):
# cd ~/rpmbuild/RPMS/x86_64/
# rpm -Uvh nginx-1.15.7-1.el7_4.ngx.x86_64.rpm
Checking the operation of TLS 1.3 and brotli in Nginx
We start nginx:
# systemctl start nginx
Check which OpenSSL nginx was built with and that the brotli module is present. The output should contain a line "built with OpenSSL 1.1.1a ..." and --add-module=/usr/src/ngx_brotli among the configure arguments:
# nginx -V
For the new functionality to work, add these parameters to /etc/nginx/nginx.conf (in the http block):
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:!COMPLEMENTOFDEFAULT;
ssl_prefer_server_ciphers on;
ssl_stapling on;
add_header Strict-Transport-Security max-age=15768000;
brotli_static on;
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml application/javascript image/x-icon image/svg+xml;
A few caveats on these settings. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and should be dropped from ssl_protocols unless you really must serve legacy clients. The TLS13-* names in ssl_ciphers are draft-era aliases that OpenSSL 1.1.1 does not recognise: ssl_ciphers only governs TLS 1.2 and older, the TLS 1.3 suites (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256) are enabled by default, and OpenSSL silently ignores unknown tokens as long as one valid cipher remains, so the line works but those entries do nothing. ssl_stapling needs a resolver directive so nginx can look up the OCSP responder. And add_header is not inherited into a server or location block that has its own add_header, so the HSTS header silently disappears there.
I want to draw attention to the nginx settings. If you have different ssl settings in your virtual hosts, there may be problems with TLS 1.3. Initially I tested everything on a separate virtual host and did not touch the rest, but nothing worked for me. Whatever ssl settings I set, TLS 1.3 did not work, only 1.2. I tried everything; I rebuilt nginx ten times with different parameters and openssl versions.
It only worked after I removed the ssl settings from all virtual hosts, except the paths to the certificates, and set global settings for all of them in nginx.conf. After that TLS 1.3 started working.
Check the configuration for errors and restart nginx:
# nginx -t
# nginx -s reload
Open the test site in the latest version of Chrome and check in the developer tools: the Security panel shows the negotiated protocol, the Network panel the Content-Encoding of each response.
Compare with other sites: compression will mostly be gzip and the TLS version 1.2. We, on the other hand, are on the cutting edge with everything at its newest.
Note that you need to check in an up-to-date browser, since not all of them support TLS 1.3 yet. For example, at the time of writing Chrome already supported it, but Yandex Browser did not.
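Browser dev tools are fine for a one-off look, but after every rebuild (and there will be one per OpenSSL release, since OpenSSL is linked in statically) it is worth having a repeatable check. The script below is an added example, not code from the original article: it parses the output of nginx -V, openssl s_client and curl -I to confirm the build and what the server actually negotiates, and also confirms that TLS 1.0 is refused. The sample outputs embedded in it are constructed so the parsing can be exercised offline; the host name and the path to an OpenSSL 1.1.1+ binary are supplied by the caller, because CentOS 7's system openssl (1.0.2k) has no -tls1_3 option.

```shell
#!/bin/sh
# Added example (not from the original article): post-build checks for a
# custom nginx RPM built against OpenSSL 1.1.1+ with ngx_brotli.

# "built with OpenSSL 1.1.1a  20 Nov 2018" -> "1 1 1"; empty if no such line.
built_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/^built with OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p' |
        head -n 1
}

# Succeed only if nginx was built with OpenSSL >= 1.1.1 (first release with
# TLS 1.3) and configured with --add-module=.../ngx_brotli.
check_build_info() {
    v_output=$1
    set -- $(built_openssl_version "$v_output")
    [ $# -eq 3 ] || return 1
    if [ "$1" -gt 1 ]; then :
    elif [ "$1" -eq 1 ] && [ "$2" -gt 1 ]; then :
    elif [ "$1" -eq 1 ] && [ "$2" -eq 1 ] && [ "$3" -ge 1 ]; then :
    else return 1
    fi
    printf '%s\n' "$v_output" | grep -q -- '--add-module=[^ ]*ngx_brotli'
}

# Protocol negotiated by `openssl s_client`, taken from the "Protocol  : TLSv1.3"
# line of its session dump. Empty when the handshake failed (no session printed).
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Content-Encoding of an HTTP response, from `curl -sI` output (CRLF tolerated).
content_encoding() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Cc]ontent-[Ee]ncoding: *\([^ ]*\).*/\1/p' | head -n 1
}

# Constructed sample outputs (not captured from a real server) for offline use.
SAMPLE_NGINX_V='nginx version: nginx/1.15.7
built by gcc 4.8.5 (GCC)
built with OpenSSL 1.1.1a  20 Nov 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --add-module=/usr/src/ngx_brotli --with-openssl=/usr/src/openssl-1.1.1a'
SAMPLE_OLD_NGINX_V='nginx version: nginx/1.15.7
built with OpenSSL 1.0.2k-fips  26 Jan 2017
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'
SAMPLE_S_CLIENT='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.15.7
Content-Type: text/css
Content-Encoding: br
Vary: Accept-Encoding'

# Live mode: ./check.sh --live example.com [/path/to/openssl-1.1.1+]
if [ "${1:-}" = "--live" ]; then
    host=${2:?host name required}
    ssl_bin=${3:-openssl}   # must be OpenSSL 1.1.1+ to understand -tls1_3
    if check_build_info "$(nginx -V 2>&1)"; then echo "build: OK"; else echo "build: FAIL"; fi
    out=$("$ssl_bin" s_client -connect "$host:443" -servername "$host" -tls1_3 </dev/null 2>/dev/null || true)
    echo "TLS 1.3 negotiated: $(negotiated_protocol "$out")"
    # Legacy TLS 1.0 should be refused: an empty value here is the desired result.
    out=$("$ssl_bin" s_client -connect "$host:443" -servername "$host" -tls1 </dev/null 2>/dev/null || true)
    echo "TLS 1.0 negotiated: $(negotiated_protocol "$out")"
    hdrs=$(curl -sI -H 'Accept-Encoding: br' "https://$host/")
    echo "Content-Encoding: $(content_encoding "$hdrs")"
fi
```

Run it with --live against the freshly installed server; the TLS 1.0 line should stay empty once TLSv1 and TLSv1.1 are removed from ssl_protocols, and a Content-Encoding other than br usually means the requested resource's MIME type is missing from brotli_types.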
Prevent package updates through yum
In conclusion, I recommend blocking nginx updates through yum, otherwise the next new version from the official repo will replace your build. To do so, install the yum-plugin-versionlock package:
# yum install yum-plugin-versionlock
Now block the nginx package:
# yum versionlock nginx
You can view the list of blocked packages using the command:
# yum versionlock list
Nginx will no longer be updated automatically via yum. You can prepare your own packages as needed and install them manually. Ideally, of course, you would set up your own repository, but that is a topic for another discussion.
Conclusion
Don't like the article and want to teach me how to administer? Please do, I like to learn. The comments are at your disposal; tell me how to do it right!
I have described one small element of speeding up a site. I plan to write a series of articles on this topic; material has already accumulated. The server side gives a small gain compared with optimizing the code and the database, but it still deserves attention.
I also recommend my article on finer, more meaningful Nginx configuration to those who are interested; in it I shared my experience and personal examples.