Nginx FastOpen Tinkering Notes

This article was published on , and its content may no longer match the actual situation. If you find mistakes, corrections are welcome; I will revise the article or hide it as appropriate.

This article has been marked as hidden, possibly because it contains errors or for other reasons. Be cautious when using its content as a reference.

It started when I noticed a fastopen option in the SS config file and looked it up online.

TCP Fast Open

From Wikipedia, the free encyclopedia

In computer networking, TCP Fast Open (TFO) is an extension to speed up the
opening of successive Transmission Control Protocol (TCP) connections
between two endpoints. It works by using a TFO cookie (a TCP option),
which is a cryptographic cookie stored on the client side and set upon
the initial connection with the server. When the client later
reconnects, it sends the initial SYN packet along with the TFO cookie
data to authenticate itself. If successful, the server may start
sending data to the client even before the reception of the final ACK
packet of the three-way handshake, skipping that way a round-trip
delay and lowering the latency in the start of data transmission.

The cookie is generated by applying a block cipher keyed on a key held
secret by the server to the client's IP address, generating an
authentication tag that is difficult for third parties to spoof, even
if they can forge a source IP address or make two-way connections to
the same server from other IP addresses. Although it uses
cryptographic techniques to generate the cookie, TFO is not intended
to provide more security than the three-way handshake it replaces, and
does not give any form of cryptographic protection to the resulting
TCP connection, or provide identity assurance about either endpoint.
It also is not intended to be resistant to man-in-the-middle attacks.

The TFO proposal was originally presented in 2011 and was, as of
February 2012, an IETF Internet Draft. The specification was published
as RFC 7413 in December 2014. TCP Fast Open shares the goal of
bypassing the three-way handshake of TCP with an earlier proposal from
1994, called T/TCP (RFC 1644). In contrast to TCP Fast Open, T/TCP
paid no attention to security, opening a path for vulnerabilities and
failing to gain traction.

TFO implementations include the following:

IPv4 support for TFO was merged into the Linux kernel mainline in
kernel versions 3.6 (support for clients) and 3.7 (support for
servers), and was turned on by default in kernel version 3.13. TFO
support for IPv6 servers was merged in kernel version 3.16. Google
Chrome and Chromium browsers have support for TFO on Linux, including
Chrome OS and Android. As of 2015, Apple Inc. has announced that iOS 9
and OS X 10.11, its next operating system versions, will both support
TCP Fast Open, but it will not be enabled for individual connections
by default. Microsoft Edge supports TCP Fast Open since Windows 10
Preview build 14352.

In short, TCP Fast Open is an extension to TCP that lets data be exchanged during the three-way handshake itself: the client puts the request data and a TFO cookie in the SYN, and a server that validates the cookie can hand that data to the application before the handshake completes, saving one round trip. The cookie only ties the client's IP address to the server's secret; it adds no confidentiality or authentication to the connection.

At the moment Chrome on Windows does not support Fast Open (see screenshot)
[screenshot: QQ截图20160704145408.jpg]
Edge on Windows 10 is said to support Fast Open, but when I tried it I could not feel much of a difference [I guess the snail pace of the IE engine eats up whatever time TFO saves

CentOS 6.7 ships a 2.6 kernel and server-side TFO needs at least kernel 3.7, so the kernel has to be upgraded before anything else [I won't cover the upgrade itself; there are plenty of guides online].
Edit /etc/sysctl.conf, add net.ipv4.tcp_fastopen = 3 (bit 0 enables the client side, bit 1 the server side; 3 enables both), save, and run sysctl -p.
Next, rebuild nginx with --with-cc-opt=-DTCP_FASTOPEN=23 appended to the original configure arguments. The define supplies the TCP_FASTOPEN socket-option constant (23 on Linux) that the old system headers on CentOS 6 lack; on a toolchain whose headers already define it the flag is unnecessary.
Then add fastopen=N to the listen directive in nginx.conf. N is the maximum length of the queue of connections that have not yet completed the three-way handshake (the comment below uses fastopen=64); it is not the sysctl bitmask, so fastopen=3 merely sets a queue of three.
Save, then restart nginx. nginx -s reload only re-reads the configuration and keeps the old master binary running; after a rebuild the new binary has to be started (a full restart, or nginx's binary-upgrade procedure).
Note that the socket-level listen parameters (fastopen, backlog, reuseport and the like) may be given only once per address:port pair: nginx opens a single listening socket for the pair and shares it among every server block that listens on it.
If several server blocks on the same port all carry fastopen=, nginx refuses to start with a duplicate listen options error. The remaining server blocks should use a plain listen 80; and still get TFO on the shared socket.
I was stuck on this for a long time while configuring it.
In the end I came up with a compromise [Tengine differs from nginx: its reuseport goes in the events block rather than on listen

server {
    listen  80 fastopen=3;   # fastopen=N is a queue length, not the sysctl mode; 3 is a very small queue
    charset utf-8;

    # Pick the document root from the Host header so that one server block
    # (and thus one fastopen= listen line) serves several sites. The regexes
    # are unanchored substring matches and later ifs override earlier ones,
    # so the music.bilibibi.me line must come after the bilibibi.me line.
    set $root_name "/etc/nginx/html";
    if ($host ~* "hitoapi.cc"){set $root_name "█████████████████";}
    if ($host ~* "bilibibi.me"){set $root_name "█████████████";}
    if ($host ~* "music.bilibibi.me"){set $root_name "████████████";}
    root $root_name;
    location / {
        index  index.php;
        # front-controller fallback: paths that do not exist go to index.php
        if (!-e $request_filename) {
          rewrite (.*) /index.php last;
        }
    }

    location ~ \.php$ {
        if (!-e $request_filename) {
          rewrite (.*) /index.php break;
        }
        include fastcgi.conf;
    }
}

Admittedly this is not very efficient, but I have not thought of a better way yet.
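The listen-options conflict described above is mechanical, so it can be caught before a reload. The following shell script is an added example (not code from the original post or from nginx): it scans an nginx configuration for address:port pairs that carry socket-level listen options on more than one listen line, and it prints, as constructed samples, both the layout that nginx rejects and the corrected layout in which exactly one server block carries fastopen=64 while the other server blocks attach to the same socket with a plain listen 80;. The host names are the post's; the /srv/... document roots are placeholders.

```shell
#!/bin/sh
# Lint for the "duplicate listen options" problem the post hit. nginx opens
# ONE listening socket per address:port and shares it between all server
# blocks on that pair, so socket-level parameters such as fastopen=, backlog=
# or reuseport may be given on only one `listen` line for that pair; the
# other server blocks inherit the socket (and therefore TFO) with a plain
# `listen 80;`. Added example, not the post's or nginx's own code.

# Print each address:port whose socket-level options appear on more than one
# listen line. Exit status 1 if any were found, 0 otherwise.
lint_listen_options() {
  awk '
    /^[ \t]*listen[ \t]/ {
      line = $0
      sub(/#.*/, "", line)                 # strip a trailing comment
      sub(/;.*/, "", line)                 # strip the terminating ";"
      n = split(line, f, /[ \t]+/)
      i = 1; while (f[i] != "listen") i++  # skip the empty field from indentation
      addr = f[i + 1]
      # normalise the spellings nginx treats as the same IPv4 socket
      if (addr ~ /^[0-9]+$/) addr = "0.0.0.0:" addr
      else if (addr ~ /^\*:/) sub(/^\*/, "0.0.0.0", addr)
      has_opt = 0
      for (j = i + 2; j <= n; j++)
        if (f[j] ~ /^(fastopen=|backlog=|rcvbuf=|sndbuf=|setfib=|accept_filter=|so_keepalive=|ipv6only=|reuseport$|deferred$)/)
          has_opt = 1
      total[addr]++
      if (has_opt) withopt[addr]++
    }
    END {
      bad = 0
      for (a in withopt)
        if (withopt[a] > 1) {
          printf "DUPLICATE: %s has listen options on %d of %d listen lines\n", a, withopt[a], total[a]
          bad = 1
        }
      exit bad
    }
  ' "$1"
}

# The layout the post ran into: two server blocks on the same socket both
# carrying fastopen= (constructed sample; nginx refuses to start on it).
sample_bad_conf() {
  cat <<'EOF'
server {
    listen 80 fastopen=64;
    server_name hitoapi.cc;
}
server {
    listen *:80 fastopen=64;   # "*:80" is the same socket as "80"
    server_name bilibibi.me;
}
EOF
}

# The fix: fastopen= on exactly one listen line per address:port; the other
# server blocks attach to that socket, which already has TFO enabled.
# The /srv/... roots are placeholders, not the post's real paths.
sample_fixed_conf() {
  cat <<'EOF'
server {
    listen 80 fastopen=64;     # socket-level option: once per address:port
    server_name hitoapi.cc;
    root /srv/hitoapi;
}
server {
    listen 80;                 # shares the socket above; TFO already on
    server_name bilibibi.me;
    root /srv/bilibibi;
}
server {
    listen 80;
    server_name music.bilibibi.me;
    root /srv/music;
}
EOF
}

# Usage: sh lint_listen.sh /etc/nginx/nginx.conf
if [ $# -gt 0 ]; then lint_listen_options "$1"; fi
```

Run it against the main configuration file (or a file with all includes concatenated, since the lint does not follow include directives); a non-zero exit with a DUPLICATE line means nginx -t would fail with duplicate listen options for that pair. The sample_fixed_conf layout also avoids the $host-based root switching in the post: separate server_name blocks on the shared socket all benefit from the one fastopen= line.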


2 comments

  1. your dad

    You clown, some guy who didn't understand it copied the kernel's value and came up with a wrong fastopen=3, and you domestic idiots just copy blindly without even Googling whether it's correct, spreading the misinformation among yourselves. Let me tell you!
    Enabling TFO for NGINX

    - Update the kernel settings to support TFO;
    - Compile NGINX from source with TFO support;
    - Modify NGINX configuration to accept TFO connections.

    Kernel

    /etc/sysctl.conf

    net.ipv4.tcp_fastopen = 3
    sysctl -p

    # Checking

    cat /proc/sys/net/ipv4/tcp_fastopen

    # A zero value indicates it’s disabled;
    # bit 0 corresponds to client operations (enabled on outgoing connections)
    # bit 1 corresponds to server operations (available on listening sockets)
    # Setting tcp_fastopen to 3 enables both (bit: 11)

    Nginx

    ./configure ... --with-cc-opt='-DTCP_FASTOPEN=23'
    make

    Checking

    ./objs/nginx -V |& grep DTCP_FASTOPEN

    Setting

    # limits the maximum length for the queue of connections that have not yet completed the three-way handshake.

    listen 80 fastopen=64;
    fastopen=number

    enables “TCP Fast Open”
    number: maximum length for the queue of connections that have not yet completed the three-way handshake.

    Test

    grep '^TcpExt:' /proc/net/netstat | cut -d ' ' -f 87-92 | column -t

    TCPOFOMerge TCPChallengeACK TCPSYNChallenge TCPFastOpenActive TCPFastOpenPassive TCPFastOpenPassiveFail
    7 166 0 0 0 0

    1. Thank you for the correction. I'm sorry I did not study it carefully at the time; to avoid misleading anyone further, the article has been set to hidden.
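To verify the setup the comment above describes without depending on column positions in /proc/net/netstat, here is an added shell script; it is not code from the post, the commenter, or nginx. It decodes the tcp_fastopen bitmask, including the no-cookie bits that kernels newer than the 3.x series used in the post added (these are the security-relevant ones, because they skip the cookie check that stops a spoofed-source SYN from delivering data to the application), tests nginx -V output for the -DTCP_FASTOPEN define, and reads the TCPFastOpen* counters by name. The nginx -V line and netstat lines used in testing are constructed.

```shell
#!/bin/sh
# Post-setup checks for TCP Fast Open under nginx. Added example: not code
# from the original post, the commenter, or nginx. Each function takes its
# input as an argument or on stdin so it can be run against constructed
# data as well as the live /proc files.

# Decode the net.ipv4.tcp_fastopen bitmask. 0x1 and 0x2 are the bits the
# post sets. 0x4, 0x200 and 0x400 exist on newer kernels (see the kernel's
# ip-sysctl documentation): 0x4 and 0x200 send or accept SYN data WITHOUT
# a cookie, which gives up the only check TFO has against a spoofed-source
# SYN delivering data to the application, so they are named explicitly.
# Prints the enabled flags separated by spaces, or "disabled".
tfo_mode() {
  v=$1
  out=""
  [ $((v & 1)) -ne 0 ] && out="$out client"
  [ $((v & 2)) -ne 0 ] && out="$out server"
  [ $((v & 4)) -ne 0 ] && out="$out client-no-cookie"
  [ $((v & 512)) -ne 0 ] && out="$out server-no-cookie"
  [ $((v & 1024)) -ne 0 ] && out="$out server-all-listeners"
  if [ -n "$out" ]; then printf '%s\n' "${out# }"; else printf 'disabled\n'; fi
}

# Succeeds when `nginx -V` output (on stdin) shows the -DTCP_FASTOPEN define
# the post adds. Caveat: on toolchains whose headers already define
# TCP_FASTOPEN nginx enables support without the -D flag, so a miss here is
# only conclusive on old systems such as CentOS 6; `nginx -t` with fastopen=
# in the config (and no warning about it) is the definitive test.
nginx_built_with_tfo() {
  grep -q -- '-DTCP_FASTOPEN='
}

# Print the TCPFastOpen* counters from /proc/net/netstat by column name.
# The TcpExt block is a header line followed by a value line; the column
# positions differ between kernel versions, so matching by name is safer
# than `cut -d ' ' -f 87-92`.
tfo_counters() {
  awk '
    $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) name[i] = $i; seen = 1; next }
    $1 == "TcpExt:"          { for (i = 2; i <= NF; i++) if (name[i] ~ /^TCPFastOpen/) print name[i] "=" $i }
  ' "${1:-/proc/net/netstat}"
}

# Full report against the running system (NGINX may point at a custom binary).
tfo_report() {
  printf 'tcp_fastopen mode : %s\n' "$(tfo_mode "$(cat /proc/sys/net/ipv4/tcp_fastopen)")"
  if "${NGINX:-nginx}" -V 2>&1 | nginx_built_with_tfo; then
    printf 'nginx build       : -DTCP_FASTOPEN present\n'
  else
    printf 'nginx build       : no -DTCP_FASTOPEN flag (see caveat above)\n'
  fi
  tfo_counters
}

# Usage: sh tfo_check.sh --report
if [ "${1-}" = "--report" ]; then tfo_report; fi
```

Run it with --report on the server, make a few requests from a TFO-capable client, and run it again: TCPFastOpenPassive should grow. If TCPFastOpenPassiveFail grows instead, the SYNs are arriving with cookies the server rejects; a mode line showing server-no-cookie means the server has been told to accept SYN data without validating any cookie at all, which should be a deliberate choice and not an accident of copying a sysctl value.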
