Recently I have been doing some work on website acceleration, and today I will write on that topic. I will show how to build your own Nginx RPM package with TLS 1.3 support and brotli compression. Why this is needed and what benefits it promises, read on.

If you want to understand in more detail how to set up and provide comprehensive security for local and network infrastructure built on Linux, I recommend the Linux Security online course at OTUS. The course is not for beginners, and there is an admission step to go through.

Introduction

I will get right to the point, as the title is a bit confusing. In fact, Nginx itself has supported TLS 1.3 for a while; you only need to enable it in the configuration. But this works only on systems with OpenSSL 1.1.1 or higher. On CentOS 7, even with the latest updates, you currently get version 1.0.2k-fips:

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

For TLS 1.3 to work, Nginx must be built against OpenSSL 1.1.1 or higher, and that is exactly what I want to show. If you do not want to go through all this yourself, you can use a repository where someone has already done everything for you; you only need to add it and install. An example of such a repository is https://repo.codeit.guru. I do not know who these people are or exactly what changes they make to the standard packages. Look at their site yourself and decide whether you can trust them or not.

I will show how to build the package yourself and add the features you need. In addition to TLS 1.3 support, I will add a module for brotli compression as an alternative to the standard gzip.

I do not want to describe in detail what TLS 1.3 and brotli are about. In short, they speed up the site, but not dramatically, so do not count on a large gain from them. They make sense if everything else is already in good shape and you want to squeeze out a little more. You can read more about this at Cloudflare.

To summarize: I will build an RPM package of Nginx with the latest version of OpenSSL and the brotli module.

Preparing to build your RPM package

To begin with, we install everything needed to build an RPM package ourselves:

# yum groupinstall "Development Tools" && yum install rpmdevtools yum-utils wget git

Add the nginx repositories for CentOS 7, using the mainline branch. Note that this is not the stable branch but mainline; it is quite reliable and carries all the latest updates. Note also that gpgcheck=0 below means the binary packages are installed without signature verification.

# mcedit /etc/yum.repos.d/nginx.repo

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

[nginx-source]
name=nginx source repo
baseurl=http://nginx.org/packages/mainline/centos/7/SRPMS/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Update repositories:

# yum update

Go to the home directory and create the rpmbuild directory structure there:

# cd ~
# rpmdev-setuptree

The nginx repository already has everything needed to build from source. Download the source package and install it:

# yumdownloader --source nginx
# rpm -Uvh nginx*.src.rpm

If you do this as root, you will get a bunch of warnings.

[Screenshot: warnings when installing the nginx source package as root]

It is recommended that you use a separate user to build packages. But this is not critical.

Install the dependencies needed for the build:

# yum-builddep nginx

Building RPM nginx package with support for brotli and TLS 1.3

Everything is ready to build the RPM package. We need to download the sources of OpenSSL and of the brotli module that we will use. At the time of writing, the latest version of OpenSSL is 1.1.1a, and that is what we will use. Go to https://www.openssl.org and copy the download link from the Download section.

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz

Immediately unpack:

# tar xzvf openssl-*.tar.gz

Download the brotli module via git:

# git clone https://github.com/eustas/ngx_brotli.git
# cd ngx_brotli
# git submodule update --init

Everything is ready to build the RPM. Now we specify our version of OpenSSL and the brotli module in the build parameters:

# mcedit ~/rpmbuild/SPECS/nginx.spec

Add the following at the very end of the parameter list on the line starting with %define BASE_CONFIGURE_ARGS (note that the OpenSSL configure option is lowercase; in OpenSSL 1.1.1 TLS 1.3 is already enabled by default, so this option only makes the intent explicit):

--add-module=/usr/src/ngx_brotli --with-openssl=/usr/src/openssl-1.1.1a --with-openssl-opt=enable-tls1_3
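If you rebuild the package for every new nginx release, editing the spec by hand each time gets old. Here is an added shell helper (my example, not part of the original article or the nginx project) that appends the three options to the %define BASE_CONFIGURE_ARGS line of a spec file given as its argument, only once, and fails if the line is not there.

```shell
#!/bin/sh
# Added helper (not from the article): append extra configure options to the
# "%define BASE_CONFIGURE_ARGS" line of nginx.spec without editing it by hand.
# The option values are the ones the article uses; the spec path is an argument.
set -eu

EXTRA_ARGS='--add-module=/usr/src/ngx_brotli --with-openssl=/usr/src/openssl-1.1.1a --with-openssl-opt=enable-tls1_3'

# add_configure_args SPECFILE [OPTIONS]
# Returns 0 once the define line carries OPTIONS, 1 if the define is missing.
add_configure_args() {
    spec=$1
    args=${2:-$EXTRA_ARGS}
    # Refuse to continue if the line we want to extend is not there at all.
    grep -q '^%define BASE_CONFIGURE_ARGS' "$spec" || return 1
    # Idempotent: a second run (or a re-run after a failed build) adds nothing.
    if grep '^%define BASE_CONFIGURE_ARGS' "$spec" | grep -Fq -- "$args"; then
        return 0
    fi
    # Write to a temp file first so an interrupted sed never truncates the spec.
    tmp=$(mktemp)
    # In the nginx spec the options sit inside $(echo "..."); insert before the
    # closing ") when present, otherwise append at the end of the line.
    sed -e '/^%define BASE_CONFIGURE_ARGS/{' \
        -e "s|\")\$| $args\")|" \
        -e 't' \
        -e "s|\$| $args|" \
        -e '}' "$spec" > "$tmp"
    mv "$tmp" "$spec"
}

# configure_line SPECFILE: print the define line so the result can be eyeballed.
configure_line() {
    grep '^%define BASE_CONFIGURE_ARGS' "$1"
}
```

Run it as `add_configure_args ~/rpmbuild/SPECS/nginx.spec` and then `configure_line ~/rpmbuild/SPECS/nginx.spec` to confirm the options landed inside the quoted list before starting rpmbuild.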

Run the RPM build:

# cd ~/rpmbuild/SPECS/
# rpmbuild -ba nginx.spec

Install the resulting package:

# cd ~/rpmbuild/RPMS/x86_64/
# rpm -Uvh nginx-1.15.7-1.el7_4.ngx.x86_64.rpm

Checking the operation of TLS 1.3 and brotli in Nginx

Start nginx:

# systemctl start nginx

Check the OpenSSL version and the presence of the brotli module in the build options:

# nginx -V

[Screenshot: nginx -V output showing the OpenSSL version and the configure arguments]

For the new functionality to work, add these parameters to /etc/nginx/nginx.conf (note that with OpenSSL 1.1.1 the TLS 1.3 cipher suites are fixed by the library and are not selected through ssl_ciphers, so the TLS13-* names below are ignored and the rest of the list applies to TLS 1.2 and earlier):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:!COMPLEMENTOFDEFAULT;
ssl_prefer_server_ciphers on;
ssl_stapling on;
add_header Strict-Transport-Security max-age=15768000;

brotli_static on;
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml application/javascript image/x-icon image/svg+xml;

Pay attention to the nginx settings. If you have different ssl settings in individual virtual hosts, there may be problems with TLS 1.3. Initially I tested everything on a separate virtual host and did not touch the rest, and nothing worked for me. Whatever ssl settings I set, TLS 1.3 did not work, only 1.2. I tried everything; I rebuilt nginx about ten times with different parameters and OpenSSL versions.

It only worked after I removed the ssl settings from all virtual hosts, except the paths to the certificates, and set the global settings for all of them in nginx.conf. After that, TLS 1.3 started working.

Check the configuration for errors and restart nginx:

# nginx -t
# nginx -s reload

Open the test site in the latest version of Chrome and check using the dev tools.
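Besides the browser's dev tools, the same two facts can be checked from a shell. The following is an added script (my example, not from the article) that parses saved `openssl s_client` output and saved response headers, and a wrapper that runs both probes against a live host; it assumes curl and an `openssl` binary of 1.1.1 or newer in PATH, since the CentOS 7 system 1.0.2k cannot negotiate TLS 1.3 itself.

```shell
#!/bin/sh
# Added check script (not from the article): confirm from the command line that a
# host negotiates TLS 1.3 and serves brotli. The live part assumes curl and an
# openssl binary of 1.1.1 or newer in PATH.
set -eu

# negotiated_protocol FILE: print the protocol from saved "openssl s_client" output.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *//p' "$1" | head -n 1
}

# content_encoding FILE: print the Content-Encoding from saved response headers,
# or "none" when the header is absent (i.e. the response was not compressed).
content_encoding() {
    enc=$(sed -n 's/^[Cc]ontent-[Ee]ncoding: *//p' "$1" | tr -d '\r' | head -n 1)
    printf '%s\n' "${enc:-none}"
}

# verdict PROTOCOL ENCODING: 0 when both features are in use, 1 otherwise.
verdict() {
    [ "$1" = "TLSv1.3" ] && [ "$2" = "br" ]
}

# check_site HOST: run the two probes against a real server and report.
check_site() {
    host=$1
    tls=$(mktemp); hdr=$(mktemp)
    # -tls1_3 makes the handshake fail unless the server actually offers TLS 1.3.
    printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" -tls1_3 \
        > "$tls" 2>/dev/null || true
    # Ask for brotli only, so a gzip fallback cannot mask a missing brotli module.
    curl -sS -o /dev/null -D "$hdr" -H 'Accept-Encoding: br' "https://$host/" || true
    proto=$(negotiated_protocol "$tls"); enc=$(content_encoding "$hdr")
    rm -f "$tls" "$hdr"
    printf '%s: protocol=%s content-encoding=%s\n' "$host" "${proto:-none}" "$enc"
    verdict "${proto:-none}" "$enc"
}

# Only probe when a host name is given, e.g.: sh check.sh example.com
[ "$#" -gt 0 ] && check_site "$1"
```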

[Screenshot: Chrome dev tools showing TLS 1.3 for the test site on CentOS 7]

[Screenshot: Chrome dev tools showing brotli (br) content encoding]

Compare with other sites: the compression will mostly be gzip and the TLS version 1.2. Now we are on the cutting edge of progress, with all the newest features.

Note that you need to check in the latest version of a browser. Not all of them support TLS 1.3 yet. For example, at the time of writing, Chrome already supported it, but Yandex Browser did not.

Prevent package updates through yum

In conclusion, I recommend blocking nginx updates through yum, otherwise the next new version from the official repository will replace your build. To do this, install the yum-plugin-versionlock package:

# yum install yum-plugin-versionlock

Now block the nginx package:

# yum versionlock nginx

You can view the list of blocked packages using the command:

# yum versionlock list

Nginx will no longer be updated automatically via yum. You can prepare your own packages as needed and install them manually. Ideally, of course, it is best to set up your own repository, but that is a topic for another discussion.

Conclusion

Don't like the article and want to teach me how to administer? Please do, I like to learn. The comments are at your disposal; tell me how to do it right!

I have described one small element of speeding up a site. I plan to write a series of articles on this topic; the material has already accumulated. The server side gives a small gain compared with optimizing the code and the database, but it should be addressed nevertheless.

For those interested in finer and more meaningful Nginx configuration, I also recommend my article on that subject, in which I shared my experience and personal examples.
