My Debian/Ubuntu Repository

I use nginx a lot, including its openresty brother. I have my own package repository that comes with no warranties of any kind. I will do my best to keep the packages in working order, but they will always be upgraded to the latest versions where possible.

The following amd64 architecture releases for Debian are supported:

And the following amd64 architecture releases for Ubuntu are supported:

Other distributions are either too old, not LTS, or ship an OpenSSL version that is too old. Debian 10 (buster) and Ubuntu 18.04 LTS (bionic) will be supported once nginx.org has packages for those distributions.

To use the repository

You will need:

An easy way to get them (as root) is:

apt-get install -y ca-certificates apt-transport-https lsb-release
apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x440403EDF9D1F6FBBB7D0ED1C40C5A6A835080D6 \
&& echo "deb [arch=amd64] https://finalx.org/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/finalx.list \
&& apt update
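As an added example (not the repository's own instructions), here is the same setup done with a dedicated keyring and `signed-by=` instead of `apt-key`, which is deprecated on current Debian and Ubuntu releases and trusts the key for every configured repository rather than just this one. The fingerprint and URL are taken from the instructions above; the keyring path, list file name and the helper names are assumptions. The fetched key's fingerprint is checked before it is installed.

```shell
#!/bin/sh
# Added example, not the repository's own instructions: enable the finalx.org
# repository with a dedicated keyring and "signed-by=" instead of apt-key, and
# check the fetched key's fingerprint before trusting it.
set -eu

# Fingerprint and URL are taken from the page; the keyring and list paths are assumptions.
FINALX_FPR="440403EDF9D1F6FBBB7D0ED1C40C5A6A835080D6"
FINALX_URL="https://finalx.org/"
FINALX_KEYRING="/usr/share/keyrings/finalx-archive-keyring.gpg"
FINALX_LIST="/etc/apt/sources.list.d/finalx.list"

# Build the sources.list entry for a release codename (e.g. "stretch" or "xenial").
# signed-by= limits this key to this repository only, unlike apt-key, which
# lets any key in /etc/apt/trusted.gpg* sign any configured repository.
finalx_sources_line() {
    printf 'deb [arch=amd64 signed-by=%s] %s %s main\n' "$FINALX_KEYRING" "$FINALX_URL" "$1"
}

# Succeed only if the binary keyring in $1 contains a key with the expected
# fingerprint; anything else returned by the keyserver is rejected.
finalx_check_fingerprint() {
    gpg --batch --no-default-keyring --keyring "$1" --list-keys --with-colons --with-fingerprint 2>/dev/null \
        | awk -F: -v want="$FINALX_FPR" '$1 == "fpr" && $10 == want { found = 1 } END { exit !found }'
}

# Fetch, verify and install the key, then write the apt source and refresh (run as root).
finalx_install_repo() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    # Fetch into a throwaway GNUPGHOME so nothing lands in root's own keyring.
    GNUPGHOME="$tmp" gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys "$FINALX_FPR"
    GNUPGHOME="$tmp" gpg --batch --export "$FINALX_FPR" > "$tmp/finalx.gpg"
    finalx_check_fingerprint "$tmp/finalx.gpg"   # set -e aborts here on a mismatch
    install -m 0644 "$tmp/finalx.gpg" "$FINALX_KEYRING"
    finalx_sources_line "$(lsb_release -sc)" > "$FINALX_LIST"
    apt-get update
}

# Only perform the installation when explicitly asked, so the helpers above
# can be sourced or tested without touching the system.
if [ "${1:-}" = "install" ]; then
    finalx_install_repo
fi
```

Run it as root with `sh finalx-repo.sh install` (the file name is an assumption). Because the key is exported from a temporary GNUPGHOME and installed under /usr/share/keyrings, it never enters apt's global trusted keyring, and a later `apt-key del` step is not needed to remove it: deleting the keyring file and the list file is enough.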

nginx

For my nginx package, I fetch the latest package source from nginx.org and use their ruleset to build my own. The package is as close to identical as possible, but has a few extra things patched in:

TLS 1.3 (draft 18)

Many current browsers already support draft 18 of the TLS 1.3 protocol. Its initial handshake is much faster, and it can significantly reduce further round trips (down to 0), lowering latency and making your site even faster. I have statically linked my package against the tls1.3-draft-18 branch of the OpenSSL repository. Please note that I cannot vouch for that branch receiving security updates regularly; for that reason, I might move this version to a separate package.

In order to make use of it, you need to enable the TLSv1.3 protocol and some of its ciphers (1.3 has new ciphers, and only works with those):

  ssl_protocols  TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
  ssl_ciphers    TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

Dynamic TLS Record Sizing

By default, nginx's TLS record size is 16k. This does not fit into 3 TCP packets, and will always incur multiple initial network round trips. CloudFlare has made a patch to make it dynamic. They start the TLS communication with record sizes that do fit within the first 3 TCP packets (sending more than 3 requires the first 3 to be ACK'd by the other end), and gradually scale up as more data is sent. This significantly reduces initial TLS overhead, and thereby speeds up TLS connections over higher-latency links.

You can adjust its settings (I would leave the defaults) with these options:

  ssl_dyn_rec_size_hi      4229;
  ssl_dyn_rec_size_lo      1369;
  ssl_dyn_rec_threshold    40;
  ssl_dyn_rec_timeout      1s;

SPDY/3.1

Let's face it. HTTP/2 is awesome, but there are still millions of ancient Android devices out there that will never be updated to be able to use it. Many of those devices do support its predecessor, SPDY, however. Having SPDY/3.1 available is still better than not offering it, so CloudFlare has made a patch to get SPDY/3.1 back in.

To enable it, use the same listen directive as before:

server {
    listen 443 ssl http2 spdy;
}

Yes, you can have both HTTP/2 and SPDY/3.1 enabled at the same time, and HTTP/2 will take precedence for clients that support both!

openresty

Please be aware that OpenResty is NOT compatible with OpenSSL 1.1 or any SSL library other than OpenSSL 1.0 (which is therefore statically linked)!
For that reason, among others, TLSv1.3 will not be available in this package until OpenResty is OpenSSL 1.1-compatible and the OpenResty team has thoroughly tested it first.