Linux's sendfile system call is the fastest way to send static files. By copying data directly inside the kernel, it avoids the switching between user mode and kernel mode that read/write incurs, and greatly improves transfer efficiency. nginx also supports sendfile.
However, avoiding the user/kernel mode switch means that sendfile can only send the original, unencrypted data. The OpenSSL encryption used by nginx runs in user mode.
This creates a contradiction: if you want sendfile you can't enable https, and if you want https you can't use sendfile. That is, until kTLS appeared and resolved it.
Put simply, kTLS runs the encryption algorithm inside the kernel, so data can be encrypted at the same time it is copied in kernel mode. OpenSSL 3.0 added SSL_sendfile to make use of it, and nginx 1.14.4 supports SSL_sendfile. Everything is in place; all that remains is to put the pieces together. Next, let's build an nginx that supports SSL_sendfile.
- kTLS is a kernel feature and requires a fairly new kernel. The Linux 3.x kernel that ships with CentOS 7 is definitely unusable, so the first step is to upgrade the kernel. I use the elrepo repository and install the latest 5.x version directly with `sudo yum install kernel-ml kernel-ml-headers` (note that OpenSSL's kTLS support requires the latest kernel header files, so kernel-ml-headers is also necessary).
- Restart the system with `sudo reboot` and load the kTLS kernel module with `sudo modprobe tls`. Note that this step is run on the server that runs nginx. If you copy the compiled nginx to other servers, every one of them needs kTLS enabled; conversely, the machine on which nginx is compiled does not need it unless nginx also runs there.
- Download the latest OpenSSL source code. I use the git version directly: `git clone https://github.com/openssl/openssl.git`
git clone https://github.com/openssl/openssl.git
- Compile nginx. The `configure` command needs the extra parameters `--with-openssl=/path/to/openssl --with-openssl-opt="enable-ktls enable-zlib enable-ec_nistp_64_gcc_128"`.
- Configure nginx. Add `sendfile on;` and `ssl_conf_command Options KTLS;` to the `http` block. Of course, the rest of the https configuration is still required.
Restart nginx and enable debug logging. If `SSL_sendfile` entries appear in the log, everything is working normally.
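As an added example that is not part of the original post, the following script checks whether a build made with the steps above actually uses kTLS rather than falling back to user-space TLS. It assumes the kernel exposes `/proc/net/tls_stat` (Linux 5.5 and later) and that nginx is running with the debug log described above; here it runs against constructed samples of those outputs.

```shell
#!/bin/sh
# Post-install checks for an nginx + OpenSSL 3 + kTLS build (added example, not from the post).
# Each check takes its input as text, so on a real server pass "$(nginx -V 2>&1)",
# "$(cat /proc/net/tls_stat)" and the debug log instead of the constructed samples below.

# nginx -V must report OpenSSL 3.x and an OpenSSL built with enable-ktls; an nginx linked
# against an older OpenSSL has no SSL_sendfile at all and can never use kTLS.
check_nginx_build() {
    printf '%s\n' "$1" | grep -q 'built with OpenSSL 3\.' || return 1
    printf '%s\n' "$1" | grep -q 'enable-ktls'
}

# /proc/net/tls_stat: TlsTxSw counts sockets whose transmit side was handed to kernel TLS.
# If it stays at 0 under HTTPS load, kTLS is configured but not actually in use.
ktls_tx_sockets() {
    printf '%s\n' "$1" | awk '$1 == "TlsTxSw" { n = $2 } END { print n + 0 }'
}

# nginx debug log: every transfer that went through kTLS leaves an "SSL_sendfile:" line.
count_ssl_sendfile() {
    printf '%s\n' "$1" | awk '/SSL_sendfile:/ { n++ } END { print n + 0 }'
}

# Overall verdict: succeeds only when build, kernel counters and nginx log all show kTLS activity.
verify_ktls() {
    check_nginx_build "$1" || return 1
    [ "$(ktls_tx_sockets "$2")" -gt 0 ] || return 1
    [ "$(count_ssl_sendfile "$3")" -gt 0 ]
}

# Constructed samples (not captured from a real server).
GOOD_BUILD='built with OpenSSL 3.0.0 7 Sep 2021
configure arguments: --with-http_ssl_module --with-openssl=/path/to/openssl --with-openssl-opt="enable-ktls enable-zlib enable-ec_nistp_64_gcc_128"'
BAD_BUILD='built with OpenSSL 1.1.1k  25 Mar 2021
configure arguments: --with-http_ssl_module'
TLS_STAT_ACTIVE='TlsCurrTxSw 2
TlsTxSw 15
TlsRxSw 0'
TLS_STAT_IDLE='TlsCurrTxSw 0
TlsTxSw 0'
DEBUG_LOG='2021/11/01 12:00:00 [debug] 1234#1234: *1 SSL_sendfile: 4096
2021/11/01 12:00:00 [debug] 1234#1234: *1 http write filter 0000000000000000
2021/11/01 12:00:00 [debug] 1234#1234: *2 SSL_sendfile: 8192'

if verify_ktls "$GOOD_BUILD" "$TLS_STAT_ACTIVE" "$DEBUG_LOG"; then
    echo "kTLS in use: $(ktls_tx_sockets "$TLS_STAT_ACTIVE") offloaded sockets, $(count_ssl_sendfile "$DEBUG_LOG") SSL_sendfile calls"
else
    echo "kTLS NOT in use"
fi
```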