可以通过 SSL 使用 gzip 吗?和连接:保持活动标头

发布于 2024-08-31 03:46:17 字数 545 浏览 3 评论 0原文

我正在评估工作中安全 (SSL) Web 应用程序的前端性能,我想知道是否可以通过 SSL 压缩文本文件 (html/css/javascript)。我已经进行了一些谷歌搜索,但没有找到任何与 SSL 特别相关的内容。如果可能的话,由于响应也被加密,是否值得额外的 CPU 周期?压缩响应会损害性能吗?

另外,我想确保我们保持 SSL 连接处于活动状态,这样我们就不会一遍又一遍地进行 SSL 握手。我在响应标头中没有看到连接:保持活动。我确实在 request 标头中看到 Keep-Alive: 115,但这仅使连接保持活动状态 115 毫秒(似乎应用服务器在处理单个请求后关闭连接?)您希望服务器在会话不活动超时时间内设置响应标头?

据我了解,浏览器不会将 SSL 内容缓存到磁盘,因此即使没有任何更改,我们也会在后续访问中一遍又一遍地提供相同的文件。主要的优化建议是减少 http 请求的数量、缩小、将脚本移动到底部、图像优化、可能的域分片(尽管需要权衡另一次 SSL 握手的成本),诸如此类的事情。

I'm evaluating the front end performance of a secure (SSL) web app here at work and I'm wondering if it's possible to compress text files (html/css/javascript) over SSL. I've done some googling around but haven't found anything specifically related to SSL. If it's possible, is it even worth the extra CPU cycles since responses are also being encrypted? Would compressing responses hurt performance?

Also, I'm wanting to make sure we're keeping the SSL connection alive so we're not making SSL handshakes over and over. I'm not seeing Connection: Keep-Alive in the response headers. I do see Keep-Alive: 115 in the request headers but that's only keeping the connection alive for 115 milliseconds (seems like the app server is closing the connection after a single request is processed?) Wouldn't you want the server to be setting that response header for as long as the session inactivity timeout is?

I understand browsers don't cache SSL content to disk so we're serving the same files over and over and over on subsequent visits even though nothing has changed. The main optimization recommendations are reducing the number of http requests, minification, moving scripts to bottom, image optimization, possible domain sharding (though need to weigh the cost of another SSL handshake), things of that nature.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

┈┾☆殇 2024-09-07 03:46:17

是的,可以通过 SSL 使用压缩;它发生在数据加密之前,因此可以帮助克服慢速链接。应该注意的是,这是一个坏主意:这也会打开一个漏洞

初次握手后,SSL 的开销比许多人想象的要少* - 即使客户端重新连接,也有一种机制可以继续现有会话而无需重新协商密钥,从而减少 CPU 使用率和往返次数。

不过,负载均衡器可能会破坏延续机制:如果请求在服务器之间交替,则需要更完整的握手,这可能会产生明显的影响(每个请求大约几百毫秒)。配置负载均衡器以将来自同一 IP 的所有请求转发到同一应用服务器。

您使用哪个应用程序服务器?如果无法将其配置为使用保持活动状态、压缩文件等,请考虑将其放在可以的反向代理后面(当您这样做时,放松使用以下命令发送的缓存标头静态内容 - HttpWatchSupport 的链接文章在这方面有一些有用的提示)。

(*SSL 硬件供应商会说“CPU 增加多达 5 倍”,但有些 来自 Google 的 chaps 报告称,当 Gmail 默认使用 SSL 时,它仅占约 1% 的 CPU 负载)

Yes, compression can be used over SSL; it takes place before the data is encrypted so can help over slow links. It should be noted that this is a bad idea: this also opens a vulnerability.

After the initial handshake, SSL is less of an overhead than many people think* - even if the client reconnects, there's a mechanism to continue existing sessions without renegotiating keys, resulting in less CPU usage and fewer round-trips.

Load balancers can screw with the continuation mechanism, though: if requests alternate between servers then more full handshakes are required, which can have a noticeable impact (~few hundred ms per request). Configure your load balancer to forward all requests from the same IP to the same app server.

Which app server are you using? If it can't be configured to use keep-alive, compress files and so on then consider putting it behind a reverse proxy that can (and while you're at it, relax the cache headers sent with static content - HttpWatchSupport's linked article has some useful hints on that front).

(*SSL hardware vendors will say things like "up to 5 times more CPU" but some chaps from Google reported that when Gmail went to SSL by default, it only accounted for ~1% CPU load)

一身仙ぐ女味 2024-09-07 03:46:17
  1. 您可能永远不应该使用 TLS 压缩。无论如何,某些用户代理(至少 Chrome)会禁用它。

  2. 您可以有选择地使用 HTTP 压缩

  3. 您始终可以缩小

  4. 我们也来谈谈缓存

假设您正在使用 HTTPS Everywhere 风格的网站。

场景:

  1. 静态内容,如 css 或 js:

    • 使用 HTTP 压缩
    • 使用缩小
    • 缓存期长(例如一年)
    • etag 的用处不大(由于缓存较长)
    • 在指向此资源的 HTML 网址中包含某种版本号,以便您可以清除缓存
  2. 具有零敏感信息的 HTML 内容(例如“关于我们”页面):

    • 使用 HTTP 压缩
    • 使用 HTML 缩小
    • 使用较短的缓存周期
    • 使用 etag
  3. 包含任何敏感信息的 HTML 内容(例如 CSRF 令牌或银行帐号) :

    • 无 HTTP 压缩
    • 使用 HTML 缩小
    • 缓存控制:无存储,必须重新验证
    • etag 在这里毫无意义(由于重新验证)
    • 会话超时后重定向页面的一些逻辑(考虑到多个选项卡)。如果有人按下浏览器的后退按钮,由于缓存标头,敏感信息不会显示。

您可以对敏感数据使用 HTTP 压缩如果:

  1. 您从不在响应中返回用户输入(有搜索框?不使用 HTTP 压缩)
  2. 或者您确实在响应中返回用户输入但随机填充响应
  1. You should probably never use TLS compression. Some user agents (at least Chrome) will disable it anyways.

  2. You can selectively use HTTP compression

  3. You can always minify

  4. Let's talk about caching too

I am going to assume you are using an HTTPS Everywhere style web site.

Scenario:

  1. Static content like css or js:

    • Use HTTP compression
    • Use minification
    • Long cache period (like a year)
    • etag is only marginally useful (due to long cache)
    • Include some sort of version number in the URL in your HTML pointing to this asset so you can cache-bust
  2. HTML content with ZERO sensitive info (like an About Us page):

    • Use HTTP compression
    • Use HTML minification
    • Use a short cache period
    • Use etag
  3. HTML content with ANY sensitive info (like a CSRF token or bank account number):

    • NO HTTP compression
    • Use HTML minification
    • Cache-Control: no-store, must-revalidate
    • etag is pointless here (due to revalidation)
    • some logic to redirect the page after session timeout (taking into account multiple tabs). If someone presses the browser's Back button, the sensitive info is not displayed due to the cache header.

You can use HTTP compression with sensitive data IF:

  1. You never return user input in the response (got a search box? don't use HTTP compression)
  2. Or you do return user input in the response but randomly pad the response
眼眸印温柔 2024-09-07 03:46:17

使用 SSL 压缩会让您面临漏洞,例如 BREACH、CRIME 或其他选定的纯文本攻击。

您应该禁用压缩,因为 SSL/TLS 目前无法缓解这些长度预言机攻击。

Using compression with SSL opens you up to vulnerabilities like BREACH, CRIME, or other chosen plain-text attacks.

You should disable compression as SSL/TLS have no way to currently mitigate against these length oracle attacks.

硪扪都還晓 2024-09-07 03:46:17

对于你的第一个问题:SSL 工作在与压缩不同的层上。从某种意义上说,这两个是 Web 服务器的功能,可以一起工作而不重叠。是的,通过启用压缩,您将在服务器上使用更多的 CPU,但传出流量会更少。所以这更多的是一种权衡。

对于第二个问题:Keep-Alive 行为实际上取决于 HTTP 版本。您可以将静态内容移动到非 SSL 服务器(可能包括图像、电影、音频等)

To your first question: SSL is working on a different layer than compression. In a sense these two are features of a web server that can work together and not overlap. Yes, by enabling compression you'll use more CPU on your server but have less of outgoing traffic. So it's more of a tradeoff.

To your second question: Keep-Alive behavior is really dependent on HTTP version. You could move your static content to a non-ssl server (may include images, movies, audio, etc)

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文