From: Jing Luo
Subject: Re: [Savannah-hackers-public] Memo: HTTP/2 support for Savannah (and probably *.gnu.org) and the blockers
Date: Tue, 27 Feb 2024 01:06:34 +0900

Ah Bob,

Please ignore what I said waaaay back. I didn't know what hosts use what web servers, and then Michael(?) told me once that "most of our systems use apache2".

> HTTP/2 brings more performance but also brings more vulnerabilities too.

Yes, but my observation is that nginx has handled them pretty well. E.g. the "HTTP/2 rapid reset" vulnerability last October: the default settings in nginx can already mitigate this issue.

Speaking of performance, it matters the most when you are under various kinds of attack, where so many things can go wrong. *.gnu.org may be small, but it's a high-value target for crackers. HTTP/2 streams can reduce the number of connections. It would give legitimate users a chance to connect, IIUC, when the servers are under DDoS attack.

(wishlist) If not HTTP/2, maybe at least enable TLSv1.3 where OpenSSL supports it. Together with ssl_stapling on and ssl_prefer_server_ciphers off, you can save at least 1 round trip per connection. The difference may not be obvious for youse guys in the US, but for anyone across the ocean it will make a noticeable difference. You may need to limit the ciphers like the standard certbot-provided nginx config does.

(not so wishlist) Therefore, HTTP/2 or not, I urge you to test the "reference nginx config" I shared on the private IRC channel (I forgot the pastebin address) :) Then we can discuss the fine-tuning details of SSL, HTTP/2, etc.

--
Jing Luo
About me: https://jing.rocks/about/
PGP Fingerprint: 4E09 8D19 00AA 3F72 1899 2614 09B3 316E 13A1 1EFC

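As an added illustration (not part of this post, and not the "reference nginx config" Jing shared), here is a small Python audit that checks an nginx server block for the directives discussed above: HTTP/2, TLSv1.3, ssl_stapling, ssl_prefer_server_ciphers, and the two limits nginx relies on by default against rapid reset. The two server blocks are constructed samples, not any real gnu.org configuration; the defaults it compares against (128 concurrent streams, 1000 keepalive requests) are nginx's documented defaults.

```python
import re
# Constructed sample server blocks (not Savannah's or any real gnu.org config).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    http2 on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    http2_max_concurrent_streams 128;
    keepalive_requests 1000;
}
"""

def parse_directives(conf):
    """Map each simple 'name args;' directive to its argument list (last wins)."""
    found = {}
    for m in re.finditer(r"^\s*([a-z0-9_]+)\s+([^;{}]*);", conf, re.M):
        found[m.group(1)] = m.group(2).split()
    return found

def audit(conf):
    """Return (directive, issue) pairs for settings the post argues against."""
    d = parse_directives(conf)
    issues = []
    # HTTP/2 is enabled by 'http2 on;' (nginx >= 1.25.1) or the older 'listen ... http2'.
    if d.get("http2") != ["on"] and "http2" not in d.get("listen", []):
        issues.append(("http2", "HTTP/2 not enabled; each client needs more TCP connections"))
    if "TLSv1.3" not in d.get("ssl_protocols", []):
        issues.append(("ssl_protocols", "TLSv1.3 not offered; handshake needs an extra round trip"))
    if d.get("ssl_prefer_server_ciphers") == ["on"]:  # default is off
        issues.append(("ssl_prefer_server_ciphers", "set to on; clients cannot pick their preferred cipher"))
    if d.get("ssl_stapling") != ["on"]:  # default is off
        issues.append(("ssl_stapling", "OCSP stapling off; clients may fetch OCSP status themselves"))
    # Rapid-reset mitigation leans on nginx defaults; flag configs that raise them.
    if int(d.get("http2_max_concurrent_streams", ["128"])[0]) > 128:
        issues.append(("http2_max_concurrent_streams", "raised above the default of 128"))
    if int(d.get("keepalive_requests", ["1000"])[0]) > 1000:
        issues.append(("keepalive_requests", "raised above the default of 1000"))
    return issues
```

Running `audit(WEAK_CONF)` lists four findings, while `audit(HARDENED_CONF)` returns an empty list; it only reads simple one-line directives, so include-files and nested blocks are not followed.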

