
Debian Nginx SSL Performance Optimization

小樊
2025-10-10 22:40:17
Column: Cloud Computing

1. Update Nginx and Obtain TLS Certificates
Run a current Nginx build so you get the protocol work (HTTP/2, TLSv1.3) together with security fixes. On Debian that means keeping the distribution package current: Debian stable ships one Nginx version per release (1.22 on Debian 12, 1.26 on Debian 13) and backports security patches to it, so check nginx -v before copying directives from newer documentation. Use Certbot to obtain free Let's Encrypt certificates; the Debian package installs a systemd timer (certbot.timer) that renews them before they expire.

sudo apt update && sudo apt install --only-upgrade nginx -y
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Replace yourdomain.com with your domain. certbot --nginx does not install Nginx: it expects Nginx to be running with a server block whose server_name covers the domain, completes the ACME challenge through it, writes the ssl_certificate and ssl_certificate_key paths into that block, and offers to add the HTTP-to-HTTPS redirect.

2. Enable HTTP/2
HTTP/2 multiplexes many requests and responses over one TCP connection and compresses headers, which removes most of the per-resource latency on pages that load many images, scripts and stylesheets. Browsers negotiate HTTP/2 only over TLS (via ALPN), so it is enabled on the 443 listener. The directive depends on the Nginx version:

Nginx up to 1.24 (Debian 12):

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    # Other SSL configurations...
}

Nginx 1.25.1 and later (Debian 13):

server {
    listen 443 ssl;
    http2 on;
    server_name yourdomain.com www.yourdomain.com;
    # Other SSL configurations...
}

On the newer versions the http2 parameter of listen still works but is deprecated and logs a warning at startup. After nginx -t and a reload, curl -I --http2 https://yourdomain.com should answer with an HTTP/2 status line.

3. Restrict TLS Protocols and Ciphers
Disable SSLv3, TLSv1.0 and TLSv1.1 and offer only TLSv1.2 and TLSv1.3. For TLSv1.2, allow only AEAD suites with ECDHE key exchange, so every session has forward secrecy and the record layer is authenticated:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers on;

Three details matter here. First, DHE-RSA suites are left out: Nginx never offers them unless ssl_dhparam points to a parameter file (the default is none), and finite-field DH costs several times the CPU of an ECDHE handshake for no security benefit with modern clients. Second, ssl_ciphers only affects TLSv1.2; the TLSv1.3 suites (AES-GCM and ChaCha20-Poly1305, all with ephemeral key exchange) are fixed by OpenSSL and can only be changed with ssl_conf_command Ciphersuites. Third, TLSv1.3 completes the full handshake in one round trip instead of two, which is where its speed advantage over TLSv1.2 comes from. With a list this short, ssl_prefer_server_ciphers on is safe; setting it off instead lets clients without AES hardware acceleration (many phones) pick ChaCha20, which is faster for them.

4. Enable OCSP Stapling
With stapling, Nginx fetches the OCSP response for its own certificate from the CA's responder, caches it, and sends it inside the handshake, so the client does not have to contact the CA itself (or silently skip the check after a timeout, which is what most browsers do). ssl_stapling_verify makes Nginx validate the response before stapling it, and for that it needs the issuer chain through ssl_trusted_certificate:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Nginx does not read /etc/resolv.conf; the resolver directive tells it which DNS server to use for the responder's hostname. A local or network-internal resolver is preferable to a public one: OCSP lookups then do not tell a third party which certificates your server uses, and stapling keeps working if the public resolver is blocked. Add ipv6=off if the host has no IPv6 connectivity, otherwise AAAA lookups add delay. The gain for clients that do check OCSP is one avoided round trip to the CA, typically tens to a few hundred milliseconds.

Stapling only works when the certificate contains an OCSP responder URL. Let's Encrypt removed OCSP URLs from newly issued certificates during 2025 and shut down its responders, so with a current Let's Encrypt certificate these directives do nothing and Nginx logs a warning that ssl_stapling is ignored; openssl x509 -in fullchain.pem -noout -ocsp_uri prints the URL if there is one and nothing otherwise. Revocation for those certificates is published through CRLs instead.

5. Configure TLS Session Resumption
After a full handshake, the client can later resume the session with an abbreviated handshake that skips the key exchange and certificate verification. Nginx offers two mechanisms: a server-side session cache (the server remembers the session) and session tickets (the session state is encrypted under a server key and handed to the client). Configure the cache and decide about tickets explicitly:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

The shared cache is visible to all worker processes. One megabyte holds about 4000 sessions, so 10m stores roughly 40,000; size it to the number of distinct returning clients you expect within the timeout window. The timeout bounds how long a session can be resumed; 1d is common, since each cached secret only affects that one client's sessions. Session tickets are on by default with a key that Nginx generates at startup and changes only on restart or reload: anyone who later obtains that key can decrypt every ticket-resumed session captured in between, which cancels the forward secrecy the ECDHE suites provide. Turn them off unless you rotate keys with ssl_session_ticket_key, which is the usual choice when several servers behind a load balancer cannot share one cache.
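Sections 2 to 5 each add a few directives whose mistakes are silent: a DHE suite without ssl_dhparam, stapling without a trusted chain, tickets left on, an obsolete protocol still listed. The following script is an example added here, not code from the article; it reads Nginx configuration text on stdin and reports those conditions using the directive semantics described above. It needs only POSIX sh and awk and assumes one directive per line. The two server blocks embedded in it are constructed samples, and the certificate path in the hardened one is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): a lint for the TLS directives
# covered in sections 2-5. Reads nginx configuration text on stdin; on a live host:
#     nginx -T 2>/dev/null | sh tls-lint.sh
# Assumes one directive per line (multi-line values are not reassembled).

# tls_lint: print one finding per line. Exit 1 if any WARN was printed, else 0.
tls_lint() {
    # Drop comments, then put one directive per line (nginx ends each with ;).
    sed -e 's/#.*$//' | tr ';' '\n' | awk -v q="'" '
    function warn(msg) { print "WARN " msg; n++ }
    function note(msg) { print "INFO " msg }
    {
        sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
        if ($0 == "") next
        if ($1 == "ssl_protocols") {
            seen_protocols = 1
            for (i = 2; i <= NF; i++) protos[$i] = 1
        } else if ($1 == "ssl_ciphers") {
            ciphers = $2; gsub(q, "", ciphers); gsub(/"/, "", ciphers)
        } else if ($1 == "ssl_dhparam") dhparam = 1
        else if ($1 == "ssl_stapling" && $2 == "on") stapling = 1
        else if ($1 == "ssl_trusted_certificate") trusted = 1
        else if ($1 == "ssl_session_tickets") tickets = $2
        else if ($1 == "listen") {
            for (i = 2; i <= NF; i++) if ($i == "http2") listen_http2 = 1
        }
    }
    END {
        if (!seen_protocols)
            warn("ssl_protocols not set; older nginx builds then also accept TLSv1 and TLSv1.1")
        for (p in protos)
            if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                warn("ssl_protocols: " p " is obsolete")
        if (seen_protocols && !("TLSv1.3" in protos))
            warn("ssl_protocols: TLSv1.3 not enabled")
        if (ciphers != "") {
            m = split(ciphers, cs, ":")
            for (i = 1; i <= m; i++) {
                c = cs[i]
                if (c ~ /^[!@+-]/) continue   # OpenSSL list operators such as !aNULL or @STRENGTH
                if (c ~ /(RC4|DES|MD5|NULL|EXPORT|ADH|AECDH)/)
                    warn("ssl_ciphers: weak or anonymous suite " c)
                else if (c ~ /-/ && c !~ /^(ECDHE|DHE|TLS_)/)
                    warn("ssl_ciphers: " c " has no forward secrecy")
                if (c ~ /^DHE-/) uses_dhe = 1
            }
            if (uses_dhe && !dhparam)
                warn("ssl_ciphers: DHE suites listed but ssl_dhparam is not set, so nginx never offers them")
        }
        if (stapling && !trusted)
            warn("ssl_stapling on without ssl_trusted_certificate: ssl_stapling_verify cannot check the OCSP response")
        if (tickets != "off")
            warn("ssl_session_tickets not disabled: the ticket key only changes on restart, weakening forward secrecy")
        if (listen_http2)
            note("listen ... http2 is deprecated since nginx 1.25.1 (Debian 13 ships 1.26): use the http2 on directive there; Debian 12 (nginx 1.22) still needs the listen parameter")
        exit (n > 0)
    }'
}

# Constructed sample 1: the legacy settings this article tells you to replace.
LEGACY_CFG='server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "AES128-SHA:DHE-RSA-AES128-GCM-SHA256:RC4-SHA";
    ssl_stapling on;
    ssl_stapling_verify on;
}'

# Constructed sample 2: sections 2-5 applied on nginx 1.26 (the chain path is a placeholder).
HARDENED_CFG='server {
    listen 443 ssl;
    http2 on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
}'

echo "== legacy config"
printf '%s\n' "$LEGACY_CFG" | tls_lint || echo "(lint returned non-zero: fix the WARN lines)"
echo "== hardened config"
printf '%s\n' "$HARDENED_CFG" | tls_lint && echo "no findings"
```

The legacy sample produces eight WARN lines and one INFO line; the hardened one produces nothing and exits 0, which makes the function usable as a pre-deploy gate (`nginx -T | tls_lint || exit 1`) alongside nginx -t.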

6. Enable Gzip Compression
Compressing text responses (HTML, CSS, JavaScript, JSON, XML) cuts the bytes on the wire and therefore page load time on slow links. Leave already-compressed formats (images, fonts, archives) alone; recompressing them costs CPU for no gain. Enable gzip in the http block:

gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

gzip_comp_level 6 is the usual trade-off: levels above 6 gain little ratio and cost noticeably more CPU per response. gzip_types lists the MIME types to compress (text/html is always included). gzip_vary adds Vary: Accept-Encoding so shared caches keep compressed and uncompressed copies apart, and gzip_min_length skips tiny responses where the gzip header would outweigh the saving.

One security caveat: HTTP compression is the basis of the BREACH attack. If a response contains a secret (a CSRF token, a session identifier) together with content an attacker can influence (a reflected query parameter), the compressed length leaks information about the secret byte by byte. Pages like that should be served with gzip off in their location block, or should mask the token per request; static assets and public pages are unaffected.

7. Adjust Nginx Worker Processes and Connections
Size the workers to the machine so Nginx handles concurrent connections without queueing. Edit the main configuration (/etc/nginx/nginx.conf):

worker_processes auto;  # One worker per CPU core (e.g., 4 cores = 4 workers)
worker_rlimit_nofile 65535;  # File descriptor limit for each worker, see section 9
events {
    worker_connections 1024;  # Max simultaneous connections per worker
    use epoll;  # Linux event interface; Nginx selects it automatically, so this line is optional
    multi_accept on;  # Accept all pending connections per event, not one at a time
}

worker_processes auto gives Nginx one single-threaded worker per core, which is the right number for an event-driven server. worker_connections is the ceiling per worker and counts every connection the worker holds, including connections to proxied upstreams, so a reverse proxy serves at most worker_processes × worker_connections / 2 clients. Raise it for busy sites, but it cannot usefully exceed the worker's file descriptor limit (worker_rlimit_nofile, section 9).

8. Tune TCP Parameters
Adjust Linux kernel parameters that govern connection setup and teardown. Debian loads /etc/sysctl.d/*.conf at boot, so create /etc/sysctl.d/99-nginx.conf rather than editing /etc/sysctl.conf. Only lines starting with # are comments in these files, so keep the notes on their own lines:

# Length of the accept queue per listening socket (default 4096 on kernels since 5.4).
# Nginx only asks for a larger queue if its listen directive sets backlog=N (default 511).
net.core.somaxconn = 65535
# Half-open connections (SYN received) the kernel holds before falling back to SYN cookies
net.ipv4.tcp_max_syn_backlog = 65535
# Ephemeral ports for outgoing connections (Debian default is 32768 60999)
net.ipv4.ip_local_port_range = 32768 65535
# Let outgoing connections (to upstreams) reuse sockets still in TIME-WAIT
net.ipv4.tcp_tw_reuse = 1
# Seconds a half-closed socket may stay in FIN-WAIT-2 (default 60)
net.ipv4.tcp_fin_timeout = 30

Apply with sudo sysctl --system and confirm with sysctl net.core.somaxconn. Two of these settings deserve care. somaxconn and tcp_max_syn_backlog only cap queues: raising them helps a server that sees connection bursts, but somaxconn does nothing unless the listener asks for a bigger backlog, and with SYN cookies enabled (the Debian default) an overflowing SYN queue degrades to cookies rather than dropped connections. Widening ip_local_port_range down to 1024, as some guides do, lets the kernel hand out ephemeral ports that your own services expect to bind; either keep the lower bound at 32768 or list the service ports in net.ipv4.ip_local_reserved_ports. tcp_tw_reuse only affects connections the host initiates, so it matters for proxying to upstreams, not for inbound client traffic.

9. Increase File Descriptor Limits
Every connection, open log file and upstream socket costs a file descriptor, and a worker that runs out logs "too many open files" and refuses connections. The default soft limit of 1024 is far below worker_connections × 2. Note that /etc/security/limits.conf is applied by pam_limits to login sessions only; it has no effect on services started by systemd, so the Nginx unit needs its own override. Create it with sudo systemctl edit nginx, which opens /etc/systemd/system/nginx.service.d/override.conf (creating the directory if needed), and add:

[Service]
LimitNOFILE=65535

Then reload systemd and restart Nginx:

sudo systemctl daemon-reload
sudo systemctl restart nginx

Pair this with worker_rlimit_nofile 65535; in nginx.conf (section 7), which sets the workers' own limit. Verify on a running worker with grep 'open files' /proc/PID/limits, replacing PID with a worker's process ID from ps -C nginx -o pid,cmd; both the soft and hard columns should show 65535.
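Sections 7 to 9 give numbers that have to agree with each other: worker_connections against the descriptor limit, and net.core.somaxconn against the backlog the listen directive actually requests. The script below is an example added here, not part of the article; it parses those values out of Nginx configuration text on stdin and checks them against the limits you pass in. The nginx.conf fragment and the limit values at the bottom are constructed, and the two-descriptors-per-connection budget is a rule of thumb (socket plus the file or upstream socket served through it), not an Nginx constant.

```shell
#!/bin/sh
# Added example (not from the original article): turn the numbers from sections 7-9
# into checks. Reads nginx configuration text on stdin; on a live host:
#     nginx -T 2>/dev/null | sh capacity-check.sh
# The sample nginx.conf and the limit values at the bottom are constructed.

# conf_value DIRECTIVE: print the first value of DIRECTIVE from config text on stdin.
conf_value() {
    sed -e 's/#.*$//' | tr ';' '\n' | awk -v d="$1" '$1 == d { print $2; exit }'
}

# listen_backlog: print the backlog= parameter of the first listen directive that
# has one; without it nginx requests the Linux default of 511.
listen_backlog() {
    sed -e 's/#.*$//' | tr ';' '\n' | awk '
        $1 == "listen" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^backlog=/) { sub(/^backlog=/, "", $i); print $i; found = 1; exit }
        }
        END { if (!found) print 511 }'
}

# resolve_workers VALUE: worker_processes auto means one worker per CPU.
resolve_workers() {
    if [ "$1" = "auto" ]; then nproc 2>/dev/null || getconf _NPROCESSORS_ONLN; else echo "$1"; fi
}

# fds_per_worker CONNS: budget two descriptors per connection slot (rule of thumb:
# the client socket plus the file or upstream socket it is being served from).
fds_per_worker() { echo $(($1 * 2)); }

# capacity_check NOFILE SOMAXCONN  (nginx config on stdin)
# Prints findings plus the connection ceiling; exit 1 if any WARN was printed.
capacity_check() {
    nofile=$1; somaxconn=$2; cfg=$(cat); status=0
    workers=$(resolve_workers "$(printf '%s\n' "$cfg" | conf_value worker_processes)")
    conns=$(printf '%s\n' "$cfg" | conf_value worker_connections)
    backlog=$(printf '%s\n' "$cfg" | listen_backlog)
    workers=${workers:-1}; conns=${conns:-512}   # nginx defaults when the directives are absent
    need=$(fds_per_worker "$conns")
    if [ "$nofile" -lt "$need" ]; then
        echo "WARN nofile limit $nofile is below $need needed for worker_connections $conns (set LimitNOFILE and worker_rlimit_nofile)"
        status=1
    fi
    if [ "$backlog" -gt "$somaxconn" ]; then
        echo "WARN listen backlog=$backlog exceeds net.core.somaxconn=$somaxconn; the kernel silently caps it"
        status=1
    elif [ "$backlog" -lt "$somaxconn" ]; then
        echo "INFO somaxconn=$somaxconn but the listen backlog is $backlog; add backlog=N to the listen directive to use it"
    fi
    echo "workers=$workers worker_connections=$conns connection_slots=$((workers * conns)) (halve for clients when proxying)"
    return $status
}

# Constructed sample nginx.conf fragment.
SAMPLE_CONF='worker_processes 4;
events {
    worker_connections 4096;   # Max connections per worker
    multi_accept on;
}
http {
    server {
        listen 443 ssl backlog=2048;
    }
}'

echo "== untuned host: LimitNOFILE=1024, somaxconn=4096 (kernel default since 5.4)"
printf '%s\n' "$SAMPLE_CONF" | capacity_check 1024 4096 || echo "(fix needed)"
echo "== tuned host: LimitNOFILE=65535, somaxconn=65535"
printf '%s\n' "$SAMPLE_CONF" | capacity_check 65535 65535 && echo "ok"
```

On a real host, pass the values the service actually received rather than what you configured: `grep 'open files' /proc/$(pgrep -o -f 'nginx: worker')/limits` for the descriptor limit and `sysctl -n net.core.somaxconn` for the accept queue.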

10. Monitor Performance and Adjust
Check your work before and after each change: nginx -t tests the configuration syntax, nginx -T prints the complete merged configuration, systemctl status nginx shows whether the service is healthy, and certbot renew --dry-run confirms that renewal will succeed. To see what clients actually negotiate, add $ssl_protocol, $ssl_cipher and $ssl_session_reused to your log_format; the share of handshakes logged with a resumed session tells you whether the session cache is sized right. For live monitoring, use htop (CPU and memory), ngxtop (real-time analysis of the access log), or Prometheus with Grafana for historical metrics. Review /var/log/nginx/access.log and /var/log/nginx/error.log regularly for slow requests, rising error rates, and warnings such as an ignored ssl_stapling or a deprecated listen parameter.
