
add Nginx Dynamic TLS Cloudflare Patch support 123.09beta01

Add NGINX_DYNAMICTLS='n' option to centmin.sh. When set in persistent config at /etc/centminmod/custom_config.inc to NGINX_DYNAMICTLS='y' + NGINXPATCH='y' and centmin.sh menu option 4 is used to recompile Nginx, then you enable the Cloudflare Nginx Dynamic TLS patch as discussed at https://community.centminmod.com/threads/optimizing-tls-over-tcp-to-reduce-latency-tls-dynamic-record-sizing.7592/. Untested on Centmin Mod Nginx 1.11 branch, so mileage may vary. To disable, do the reverse: set NGINX_DYNAMICTLS='n' and recompile nginx again.
centminmod committed Jun 10, 2016
1 parent 4bcab2e commit cfcc21e7c75a80e5554afafdc23d460381756d05
Showing with 27 additions and 0 deletions.
  1. +1 −0 centmin.sh
  2. +1 −0 example/custom_config.inc
  3. +25 −0 inc/nginx_patch.inc
@@ -463,6 +463,7 @@ NGINXBACKUPDIR='/usr/local/nginxbackup'
NOSOURCEOPENSSL='y' # set to 'y' to disable OpenSSL source compile for system default YUM package setup
OPENSSL_VERSION='1.0.2h' # Use this version of OpenSSL http://openssl.org/
CLOUDFLARE_PATCHSSL='y' # set 'y' to implement Cloudflare's chacha20 patch https://github.com/cloudflare/sslconfig
NGINX_DYNAMICTLS='n' # set 'y' and recompile nginx https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/

# LibreSSL
LIBRESSL_SWITCH='y' # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
@@ -161,6 +161,7 @@ POSTGRESQL='n' # set to ='y'o install PostgreSQL 9.4 server, devel
NOSOURCEOPENSSL='y' # set to 'y' to disable OpenSSL source compile for system default YUM package setup
OPENSSL_VERSION='1.0.2h' # Use this version of OpenSSL http://openssl.org/
CLOUDFLARE_PATCHSSL='y' # set 'y' to implement Cloudflare's chacha20 patch https://github.com/cloudflare/sslconfig
NGINX_DYNAMICTLS='n' # set 'y' and recompile nginx https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/

# LibreSSL
LIBRESSL_SWITCH='y' # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
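Review bot: The comment on the new `NGINX_DYNAMICTLS='n'` line does not tell the user that, per the commit description, the patch is only applied when `NGINXPATCH='y'` is also set and Nginx is recompiled via menu option 4, nor that the patch is untested on the 1.11 branch. Since this file is the template users copy into /etc/centminmod/custom_config.inc, that is where the dependency belongs; I would extend the comment to `# set 'y' (requires NGINXPATCH='y') and recompile nginx via menu option 4; untested on nginx 1.11 branch https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/`. The same comment is added verbatim in centmin.sh and should be kept in sync.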
@@ -26,6 +26,31 @@ patchnginx() {
echo
fi
fi
if [[ "$NGINX_DYNAMICTLS" = [yY] ]]; then
if [ -f "$(which figlet)" ]; then
figlet -ckf standard "Cloudflare Nginx Dynamic TLS Patch"
fi
echo "######################################################################"
echo "Patching Nginx for Dynamic TLS Size Support"
echo "######################################################################"
echo "Cloudflare Nginx Dynamic TLS patch"
echo "https://github.com/cloudflare/sslconfig/raw/master/patches/nginx__dynamic_tls_records.patch"
echo "######################################################################"
NGINXTLSPATCH_NAME='nginx__dynamic_tls_records.patch'
rm -rf "${NGINXTLSPATCH_NAME}"
NGINXTLSPATCHLINK="https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/${NGINXTLSPATCH_NAME}"
# fallback mirror if github down, use gitlab mirror
curl -sI --connect-timeout 5 --max-time 5 "${NGINXTLSPATCHLINK}" | grep 'HTTP\/' | egrep '200' >/dev/null 2>&1
NGINXTLSPATCH_CURLCHECK=$?
if [[ "$NGINXTLSPATCH_CURLCHECK" != '0' ]]; then
NGINXTLSPATCHLINK="https://gitlab.com/centminmod-github-mirror/sslconfig/raw/master/patches/${NGINXTLSPATCH_NAME}"
fi
wget -cnv --no-check-certificate "$NGINXTLSPATCHLINK"
else
if [ -f "${NGINXTLSPATCH_NAME}" ]; then
rm -rf "${NGINXTLSPATCH_NAME}"
fi
fi
}

luapatch() {
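Review bot: `wget -cnv --no-check-certificate "$NGINXTLSPATCHLINK"` fetches a patch that is subsequently applied to the Nginx source with TLS certificate verification disabled, so anyone able to interpose on the connection to GitHub or the GitLab mirror can substitute arbitrary C that gets compiled into the web server; the `curl -sI` reachability check just above verifies the certificate by default, so the download should too — change the line to `wget -cnv "$NGINXTLSPATCHLINK"` and, ideally, compare the downloaded file against a pinned `sha256sum` before it is applied. Separately, `NGINXTLSPATCH_NAME` is only assigned inside the `[yY]` branch, so the `else` branch's `[ -f "${NGINXTLSPATCH_NAME}" ]` tests an empty string and a previously downloaded patch is never cleaned up when the option is switched back to 'n' (unless the name is also set elsewhere in the file); moving `NGINXTLSPATCH_NAME='nginx__dynamic_tls_records.patch'` above the `if` fixes that. The enclosing patchnginx() begins before this hunk, and the step that actually applies the patch is not visible here, so where the checksum check should sit cannot be confirmed from this view.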
