mp4 + ssl
Андрей Василишин
a.vasilishin at kpi.ua
Mon May 15 18:40:26 UTC 2017
Hi all!
With the wholesale SSL-ification of the Internet, it is now mp4 streaming's turn. Yesterday's test showed that at 15k connections it was already starting to run into the CPU a bit, and at peak there was 32 Gbit/s of traffic. Today, without SSL, with the same 15k connections there is 40 Gbit/s of traffic and the CPU is idling. Maybe something somewhere needs tuning in the config? The SSL config is below:
listen 443 ssl;
add_header Strict-Transport-Security "max-age=0;";
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# ssl on;
ssl_certificate /etc/nginx/ssl/site.com.crt;
ssl_certificate_key /etc/nginx/ssl/privatekey.key;
ssl_trusted_certificate /etc/nginx/ssl/site.com.crt;
# must contain 48 or 80 bytes
# openssl rand 48 > /etc/nginx/ssl/current.key
ssl_session_ticket_key /etc/nginx/ssl/current.key;
ssl_session_ticket_key /etc/nginx/ssl/prev.key;
ssl_session_ticket_key /etc/nginx/ssl/prevprev.key;
# Use 2048 bit Diffie-Hellman RSA key parameters
# (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption
# when using PFS)
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
# make the server choose the best cipher instead of the browser
# Perfect Forward Secrecy (PFS) is frequently compromised without this
ssl_prefer_server_ciphers on;
# support only believed secure ciphersuites using the following priority:
# 1.) prefer PFS enabled ciphers
# 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now)
# 3.) Support DES3 for IE8 support
# disable the following ciphersuites completely
# 1.) null ciphers
# 2.) ciphers with low security
# 3.) fixed ECDH cipher (does not allow for PFS)
# 4.) known vulnerable ciphers (MD5, RC4, etc)
# 5.) little-used ciphers (Camellia, Seed)
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
## OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
# Cache SSL Sessions for up to 10 minutes
# This improves performance by avoiding the costly session negotiation process where possible
ssl_session_cache builtin:10000 shared:SSL:100m;
# ssl_session_timeout 5m; # this is a default, but can be changed
ssl_session_timeout 1h;
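An added check (not from the post, nor nginx's or OpenSSL's own code) that expands the ssl_ciphers string above with the local libssl the way nginx does, reports whether AEAD suites (AES-GCM, the cheapest bulk cipher per byte on AES-NI hardware, which is what streaming throughput rides on) are ranked ahead of CBC+HMAC suites, and shows which suite a constructed browser offer would end up with under ssl_prefer_server_ciphers. It assumes an RSA certificate, since the post does not say what key site.com.crt carries; the client offer is constructed.

```python
import ssl

# ssl_ciphers value from the post, re-joined onto one line (copied as posted).
POSTED_CIPHERS = (
    "kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 "
    "kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA "
    "!aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED"
)
# Constructed client offer, in the client's own preference order (hypothetical).
BROWSER_OFFER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-SHA", "AES128-GCM-SHA256", "AES128-SHA",
]

def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string with the local libssl, as nginx does for
    ssl_ciphers. Returns (name, is_aead, auth) tuples in server priority order;
    TLS 1.3 suites are dropped because ssl_ciphers does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["aead"], c["auth"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def aead_preferred(suites):
    """True when every AEAD suite (GCM/ChaCha20: one pass, AES-NI friendly) is
    ranked ahead of every CBC+HMAC suite, which costs more CPU per byte."""
    aead = [i for i, (_, is_aead, _) in enumerate(suites) if is_aead]
    other = [i for i, (_, is_aead, _) in enumerate(suites) if not is_aead]
    return not aead or not other or max(aead) < min(other)

def negotiate(suites, client_offer, cert_auth="auth-rsa"):
    """With ssl_prefer_server_ciphers on, the server picks the first suite in
    its own list that the client offered and its certificate key can sign for.
    Assumption: site.com.crt is an RSA certificate (the post does not say)."""
    offered = set(client_offer)
    return next((name for name, _, auth in suites
                 if auth == cert_auth and name in offered), None)

def report(cipher_string, client_offer=BROWSER_OFFER):
    """Summarise what the posted string really yields on this machine."""
    suites = expand_ciphers(cipher_string)
    return {
        "aead_preferred": aead_preferred(suites),
        "cbc_hmac_suites": [n for n, is_aead, _ in suites if not is_aead],
        "negotiated": negotiate(suites, client_offer),
    }

if __name__ == "__main__":
    print(report(POSTED_CIPHERS))
```

The cbc_hmac_suites list shows which of the posted suites still need a separate HMAC pass; a client that lands on one of those (an older browser, or one the ECDSA/RSA filter pushes past the GCM entries) costs the box noticeably more CPU per gigabit than an AES-GCM client.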