nginx SSL best practice including PFS and OCSP

nginx enables many additional features over Apache’s httpd server, which allows a much more secure SSL configuration, enabling features such as Perfect Forward Secrecy (PFS) which cannot be enabled using default Apache installs from repository.

Below is a guide on how to enable a very secure SSL configuration for your nginx server, including using Diffie–Hellman for key exchange, enabling Online Certificate Status Protocol (OCSP) features and making use of higher security ciphers and protocols only.

Continue reading “nginx SSL best practice including PFS and OCSP”

Adding nginx to the LAMP stack for performance

The Apache HTTP Server is a very flexible server that can be used with almost all open source projects with little to no customisation due to Apache’s ubiquity within the community, however being a jack of all trades unfortunately means it isn’t necessarily a master of everything. One of the more commonly cited issues with Apache HTTP, is that its resource usage is more considerable compared to other options available, which can lead to issues when under heavy load.

In order to obtain the benefits of lower resource usage, there are plenty of other options available such as the choice for this article of nginx as well as others such as Apache Traffic Server or lighttpd, however making use of these options as your server software of choice may lead to compatibility issues with your applications. To avoid any of these issues, this article outlines how to add nginx into the mix, without losing Apache.

Continue reading “Adding nginx to the LAMP stack for performance”

Installing mod_pagespeed for performance increase on RHEL/Centos for Apache

mod_pagespeed is an Open Source module published by Google which automatically configures various different optimisations within your configuration to enable faster site performance. Given the benefits and ease at which it can be installed, it should be high on the priority list to configure.

Continue reading “Installing mod_pagespeed for performance increase on RHEL/Centos for Apache”

Configuring content caching for speed optimisation

By default, Apache does not apply browser caching headers to any content it serves to users. Although this is desirable if you are testing or developing a website, the reality is that for the majority of the content you serve, it does not change frequently. This is especially the case for images, javascript and CSS files on a production website. Enabling caching on the browser side will mean that users make far fewer subsequent requests when navigating to additional pages, as they no longer have to make a repeated request for a resource already downloaded. End result: faster page loads and lower server and bandwidth requirements.

Continue reading “Configuring content caching for speed optimisation”

Enabling Apache content compression for performance increase

One simple and highly recommended way to improve performance of sites, especially those with large Javascript and CSS files is to enable compression of these files when they are sent to users. By default this behaviour is not enabled by default within Apache, however there is a simple block of code that can be added to your configuration to enable it and achieve compression rates of over 75% on your page load, which given the drop off rate of site visitors for slow loading pages (as reflected by Google’s ranking algorithm) is a very easy win.

Although the below works in the majority of cases, it is important to test your site after completing the change to ensure there are no issues and you may need to make some changes to the files you are allowing to be compressed if you do see any issues.

How to

First off, check that mod_deflate is enabled within your Apache configuration. The easiest way to do this is to output the configuration of Apache and check for “deflate_module” using the following command:

# apachectl -M | grep deflate
deflate_module

 

If this does not show, you will need to pre-append “LoadModule deflate_module modules/mod_deflate.so” to the below content.

The below directives should be added to your Apache configuration. The best way to manage this is to create a new configuration file within the Apache directory (the below locations may need to be adjusted for your environment).

# vi /etc/httpd/conf.d/deflate.conf

 

Then add the below:

<IfModule mod_mime.c>
AddType application/x-javascript .js
AddType text/css .css
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/atom_xml application/javascript application/rss+xml application/x-javascript application/x-httpd-php application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/html text/plain text/richtext text/x-component text/xml text/xsd text/xsl
<IfModule mod_setenvif.c>
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4.0[678] no-gzip
 BrowserMatch bMSIE !no-gzip !gzip-only-text/html
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>

 

Once this file is saved, check that the Apache configuration is still valid, before restarting Apache.

# apachectl -t
Syntax OK

# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

 

Now this is complete, you can test your site to check for compression and what should be a drastically improved load time.