Re: [Savannah-hackers-public] Memo: HTTP/2 support for Savannah (and probably *.gnu.org) and the blockers

From: Jing Luo
Subject: Re: [Savannah-hackers-public] Memo: HTTP/2 support for Savannah (and probably *.gnu.org) and the blockers
Date: Tue, 27 Feb 2024 01:06:34 +0900
Ah Bob,
Please ignore what I said waaaay back. I didn't know what hosts use what
web servers, and then Michael(?) told me once that "most of our systems
use apache2".
> HTTP/2 brings more performance but also brings more vulnerabilities
> too.
Yes, but my observation is that nginx has handled them pretty well. E.g.
the "HTTP/2 rapid reset" vulnerability last October, the default
settings in nginx already can mitigate this issue.
Speaking of performance, it matters the most when you are under various
kinds of attack where so many things can go wrong. *.gnu.org may be
small, but it's a high value target for crackers. HTTP/2 stream can
reduce the number of connections. It would give a chance for legitimate
users to connect IIUC when the servers are under ddos attack.
(wishlist) If not HTTP/2, maybe at least enable TLSv1.3 where OpenSSL
supports it. Together with ssl_stapling on and ssl_prefer_server_ciphers
off, you can save at least 1 round trip per connection. The difference
may not be obvious for youse guys in the US, but for anyone across the
ocean, it will have noticeable difference. You may need to limit the
ciphers like the standard certbot provided nginx config.
(not so wishlist) Therefore, HTTP/2 or not, I urge you to test the
"reference nginx config" I shared on the private IRC channel (I forgot
the paste bin address) :) Then we can discuss the fine tune detail of
SSL, HTTP/2, etc.
--
Jing Luo
About me: https://jing.rocks/about/
PGP Fingerprint: 4E09 8D19 00AA 3F72 1899 2614 09B3 316E 13A1 1EFC
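The settings named in the message above (TLSv1.3 where OpenSSL supports it, OCSP stapling, client-preferred cipher order, a restricted cipher list, HTTP/2) collected into one nginx server block. This is an added example written for this page, not the "reference nginx config" Jing Luo shared on IRC and not Savannah's actual configuration; the hostname, certificate paths, resolver address and document root are placeholders, and the cipher list is the one certbot ships in its nginx snippet.

```nginx
# Added example, not from the thread: an nginx server block applying the
# TLS and HTTP/2 settings discussed in the message. Hostname, paths and
# resolver are placeholders.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;                       # nginx >= 1.25.1; older releases use "listen 443 ssl http2;"
    server_name example.gnu.org;    # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/example.gnu.org/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.gnu.org/privkey.pem;    # placeholder path

    # TLSv1.3 completes a full handshake in one round trip instead of two.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Let the client pick from the permitted list; the TLSv1.3 suites are
    # fixed by the protocol and unaffected by this ordering.
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    # OCSP stapling: nginx fetches the CA's OCSP response and sends it in
    # the handshake, so the client skips its own round trip to the responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.gnu.org/chain.pem;  # placeholder path
    resolver 127.0.0.1 valid=300s;  # placeholder; stapling needs a resolver to reach the responder

    # Session resumption: a resumed handshake skips the key exchange entirely.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HTTP/2 limits, written out explicitly at their nginx default values:
    # they bound how many streams one connection may hold open and how many
    # requests it may issue before nginx closes it, which is what keeps the
    # "rapid reset" pattern contained on a default install.
    http2_max_concurrent_streams 128;
    keepalive_requests 1000;

    location / {
        root /srv/www;  # placeholder document root
    }
}
```

After installing such a block, `nginx -t` checks the syntax, and a TLS client that reports the negotiated protocol and whether a stapled OCSP response was received (for example `openssl s_client -connect host:443 -status`) confirms that TLSv1.3 and stapling are actually in effect rather than silently falling back.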