Can you use gzip over SSL? And Connection: Keep-Alive headers

Question

I'm evaluating the front end performance of a secure (SSL) web app here at work and I'm wondering if it's possible to compress text files (html/css/javascript) over SSL. I've done some googling around but haven't found anything specifically related to SSL. If it's possible, is it even worth the extra CPU cycles since responses are also being encrypted? Would compressing responses hurt performance?

Also, I'm wanting to make sure we're keeping the SSL connection alive so we're not making SSL handshakes over and over. I'm not seeing Connection: Keep-Alive in the response headers. I do see Keep-Alive: 115 in the request headers but that's only keeping the connection alive for 115 milliseconds (seems like the app server is closing the connection after a single request is processed?) Wouldn't you want the server to be setting that response header for as long as the session inactivity timeout is?

I understand browsers don't cache SSL content to disk so we're serving the same files over and over and over on subsequent visits even though nothing has changed. The main optimization recommendations are reducing the number of http requests, minification, moving scripts to bottom, image optimization, possible domain sharding (though need to weigh the cost of another SSL handshake), things of that nature.

Recommended answer

Yes, compression can be used over SSL; it takes place before the data is encrypted so can help over slow links. It should be noted that this is a bad idea: this also opens a vulnerability.

After the initial handshake, SSL is less of an overhead than many people think* - even if the client reconnects, there's a mechanism to continue existing sessions without renegotiating keys, resulting in less CPU usage and fewer round-trips.

Load balancers can screw with the continuation mechanism, though: if requests alternate between servers then more full handshakes are required, which can have a noticeable impact (~few hundred ms per request). Configure your load balancer to forward all requests from the same IP to the same app server.

Which app server are you using? If it can't be configured to use keep-alive, compress files and so on then consider putting it behind a reverse proxy that can (and while you're at it, relax the cache headers sent with static content - HttpWatchSupport's linked article has some useful hints on that front).

(*SSL hardware vendors will say things like "up to 5 times more CPU" but some chaps from Google reported (http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html) that when Gmail went to SSL by default, it only accounted for ~1% CPU load)
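
Added example (not part of the original question or answer): a small Python audit of one HTTP response head for the points raised in this thread, namely connection persistence, compression and cache headers. The sample response and all function names are constructed for illustration; the persistence rule follows RFC 7230 section 6.3, under which an HTTP/1.1 connection stays open even when no `Connection: Keep-Alive` response header is present.

```python
# Constructed sample: closes after each request, no compression, no storing.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/javascript\r\n"
    "Connection: close\r\n"
    "Cache-Control: no-cache, no-store\r\n"
    "\r\n"
)

def parse_head(raw):
    """Return (http_version, headers) with lower-cased header names."""
    lines = raw.split("\r\n")
    version = lines[0].split(" ", 1)[0]  # e.g. "HTTP/1.1"
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, headers

def is_persistent(version, headers):
    """RFC 7230 6.3: HTTP/1.1 persists unless 'close' is sent;
    HTTP/1.0 persists only when 'keep-alive' is sent."""
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "close" in tokens:
        return False
    return version == "HTTP/1.1" or "keep-alive" in tokens

def keep_alive_timeout(headers):
    """Seconds from 'Keep-Alive: timeout=N' or a bare 'N', else None."""
    for part in headers.get("keep-alive", "").split(","):
        key, _, val = part.strip().partition("=")
        if key.lower() == "timeout" and val.isdigit():
            return int(val)
        if key.isdigit() and not val:
            return int(key)
    return None

def audit(raw):
    version, h = parse_head(raw)
    cc = {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    return {
        "persistent": is_persistent(version, h),
        "keep_alive_timeout_s": keep_alive_timeout(h),
        # Reported so compressed responses can be reviewed per the answer's warning.
        "compressed": h.get("content-encoding", "").lower() in ("gzip", "deflate", "br"),
        "may_store": "no-store" not in cc,
    }
```

Calling `audit(SAMPLE_HEAD)` on the constructed response flags all three problems at once: the connection is not persistent, the body is not compressed, and the script may not be stored by the browser.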
