SSL Reuse not happening in s3 presigned urls
Paul
paul at stormy.ca
Sun Oct 1 15:08:06 UTC 2023
On 2023-09-30 15:09, Vijay Kumar Kamannavar wrote:
> I am using nginx reverse proxy for s3 presigned urls.
[Disclaimer: very limited experience with amazonaws, so will assume that
you comply fully with
<https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html>,
if not, maybe ask them?]
[snip]
> # HTTPS server block with SSL certificate and S3 reverse proxy
> server {
> listen 443 ssl;
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
nginx strongly suggested at
<https://www.nginx.com/blog/nginx-poodle-ssl/> removing SSLv3 nine years
ago. SSL Labs will also give you a rock bottom rating when you allow
TLSv1 and TLSv1.1 (although they might still be vaguely acceptable) and
the latest security standard TLSv1.3 (rfc8446, 2018) works extremely
well in nginx with e.g. CertBot certificates.
*Perhaps* if you updated your config. to basic industry standards
(probably required for compatibility with amazonaws?), then some of your
handshake caching timeouts and errors would be vastly attenuated or
disappear.
[snip]
> If I run 4K clients using a simulator, I will see 100% CPU in the nginx
> container. I believe if we cache SSL sessions then SSL handshake for
> every request will be avoided hence we may not have high CPU at nginx
> container.
"run 4k clients"? Over what period of time? Simultaneous, identical
connection requests? Even if your connectivity, router and firewall can
handle that, your "16 Core and 32GB" with potential security problems
could well be brought to its knees. As a rule of thumb for servers
(nginx and apache), I have always used 8 GiB memory per core. YMMV.
Paul
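For reference, here is what the quoted server block looks like once the protocol list is trimmed and session caching is turned on for both the client side and the upstream side. This is an added example written for this page, not a configuration from the original thread or from AWS; the hostname, certificate paths and S3 endpoint are placeholders, and the buffer sizes are ordinary starting points rather than tuned values.

```nginx
# Added example, not from the original post. Placeholders: proxy.example.com,
# the certificate paths, and s3.example-region.amazonaws.com.

upstream s3_backend {
    server s3.example-region.amazonaws.com:443;   # placeholder S3 endpoint
    keepalive 64;   # keep idle TLS connections to S3 open so they are reused
}

server {
    listen 443 ssl;
    server_name proxy.example.com;

    ssl_certificate     /etc/letsencrypt/live/proxy.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/proxy.example.com/privkey.pem;

    # SSLv3, TLSv1 and TLSv1.1 removed; TLSv1.3 added.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Server-side session cache shared across worker processes. A resumed
    # handshake skips the key exchange, which is where the CPU goes when
    # thousands of clients each open a fresh connection. 1 MB holds roughly
    # 4000 sessions, so 10m is ample for 4K clients.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    location / {
        proxy_pass https://s3_backend;

        # Upstream keepalive needs HTTP/1.1 and an empty Connection header.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # A presigned URL signs the Host header, so the Host forwarded to S3
        # must be the one the URL was generated for (placeholder here).
        proxy_set_header Host s3.example-region.amazonaws.com;

        proxy_ssl_server_name on;            # send SNI to S3
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;          # nginx default, stated explicitly
    }
}
```

To check that the client side actually resumes, `openssl s_client -connect proxy.example.com:443 -reconnect` opens the connection, then reconnects several times with the saved session; the later connections should report `Reused` rather than `New`. If they all say `New`, the load generator is most likely not presenting the session (many simulators open a brand-new TLS context per request), in which case no amount of server-side caching will lower the handshake count.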