www/nginx: add TLS 1.3 0-RTT handshake support (HTTPS performance) (o…

…pnsense#1112) * www/nginx: add TLS 1.3 0-RTT handshake support * www/nginx: model bug fix * www/nginx: Release note
lncsence · May 20, 2019 · b5aa5b3 · b5aa5b3
1 parent d5e94c7
commit b5aa5b3
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 2 deletions.
diff --git a/www/nginx/Makefile b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.12
+PLUGIN_VERSION=		1.13
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	[email protected]

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
@@ -8,6 +8,10 @@ reuse, SSL offload and HTTP media streaming.
 Plugin Changelog
 ================
 
+1.13
+
+* add support for 0-RTT (Early Data in TLS 1.3)
+
 1.12
 
 * add log to SYSLOG server support

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -104,6 +104,13 @@
     <advanced>true</advanced>
     <help><![CDATA[<ul><li>On: the certificate is requested and validated. Use this option to protect a service with TLS authentication.</li><li>Off: The certificate is not requested. Choose this option for a normal website.</li><li>Optional: The certificate is requested and validated if existing. Choose this option for websites, with TLS login support or mixed TLS protected API and web content.</li><li>Optional, don't verify: Do accept the certificate and let the application choose what to do. Choose this option, for the same reasons as optional but in this case, the request is passed to the backend without rejecting untrusted certificates.</li></ul>]]></help>
   </field>
+  <field>
+    <id>httpserver.zero_rtt</id>
+    <label>Zero RTT</label>
+    <type>checkbox</type>
+    <advanced>true</advanced>
+    <help><![CDATA[If you enable this feature, your website will may get vulnerable to replay attacks, but you gain a big performance boost. You can read <a href="https://tools.ietf.org/html/rfc8446#section-2.3" target="_blank">RFC 8446</a> for more information. The Backend will get a HTTP header "Early-Data" which can be used if a short handshake was used. If a response is too risky, answer with <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425" target="_blank">HTTP status code 425</a>.]]></help>
+  </field>
   <field>
     <id>httpserver.access_log_format</id>
     <label>Access Log Format</label>

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.8.0</version>
+  <version>1.13.0</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -749,6 +749,10 @@
         </OptionValues>
         <Required>N</Required>
       </satisfy>
+      <zero_rtt type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </zero_rtt>
     </http_server>
 
     <stream_server type="ArrayField">

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -93,6 +93,9 @@ server {
 {%     if server.ca is defined %}
     ssl_client_certificate /usr/local/etc/nginx/key/{{ single_servername }}_ca.pem;
     ssl_verify_client {{ server.verify_client }};
+{%     endif %}
+{%     if server.zero_rtt == '1' %}
+    ssl_early_data on;
 {%     endif %}
     ssl_certificate_key /usr/local/etc/nginx/key/{{ single_servername }}.key;
     ssl_certificate /usr/local/etc/nginx/key/{{ single_servername }}.pem;

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -87,6 +87,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     fastcgi_param TLS-Protocol $ssl_protocol;
     fastcgi_param TLS-SNI-Host $ssl_server_name;
     fastcgi_param TLS-Client-Intercepted $tls_intercepted;
+{% if server.zero_rtt == '1' %}
+    fastcgi_param Early-Data $ssl_early_data;
+{% endif %}
     fastcgi_intercept_errors off;
 {% if location.upstream is not defined %}
     fastcgi_pass  unix:/var/run/php-www.socket;
@@ -134,6 +137,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% endif %}
 {% if server.verify_client == 'optional_no_ca' %}
     proxy_set_header X-Client-Certificate $ssl_client_escaped_cert;
+{% endif %}
+{% if server.zero_rtt == '1' %}
+    proxy_set_header Early-Data $ssl_early_data;
 {% endif %}
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;