PHP script with secure connection on all pages

1

I developed a small system in PHP that handles the registration of résumés. I am hosted at HostGator. In the plan I contracted I am entitled to a free Private SSL, so I requested its installation on my domain. I configured the .htaccess file to force links to open over a secure connection (https).

I've noticed that loading pages and data takes longer over the secure connection. When it did not use https, it opened much faster. Now my question: is it worth keeping this encryption on my domain? Detail: the user must be logged in to be able to register or update his/her résumé. That is, all their data is only accessed through another panel for the exclusive use of the company. Does the secure connection actually slow down loading? Is there anything I can do to try to improve the speed?

    
asked by anonymous 13.07.2016 / 21:30

1 answer

2

You can change many things to try to improve performance, but you must have root access, or at least be able to modify the Apache or Nginx configuration. As I started using Nginx, I will use it as a base.

1. Enable keepalive:

keepalive_timeout 100;

This maintains (or creates) a persistent, short-lived connection between the client and the server.

Long enough for the user to navigate to at least one more page; this REDUCES THE NEED FOR a handshake, in other words less data (from the handshake itself) is transferred for every page loaded!

2. Enable SSL caching:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 200m;

Once a connection is made, Nginx will cache it for future requests; this will improve things by almost 100%. In this example Nginx will store up to 10MB for 200 minutes.

The Nginx documentation says that "one megabyte can store about 4000 sessions". So adjust it according to your needs. ;)

3. Disable SSL (and enable TLS :P)

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

This will disable SSLv2 and SSLv3; reducing the number of protocols tends to improve the speed of the enabled protocols. But do not expect a significant improvement from this.

Remember that SSL v2 is already considered unsafe, so shutting it down is more of a performance matter!

Very old browsers (IE6) do not support TLS, but I do not think anyone cares about this.

4. Outsource the work

You can use third-party products like CloudFlare, Incapsula, Sucuri and SiteLock (I've never used this one!), in addition to other services of the same type.

Their purpose is to serve as a CDN. They proxy your site's content and, as a bonus, they can also redirect to HTTPS for you, meaning your server will not have the job of redirecting to HTTPS. :D

Client -> [Cloudflare/Incapsula/Sucuri] -> Server

So these services take care of delivering SSL, rather than your own server. All this caching with the client will be done by the CDN.

But my server will still have to serve SSL; how does that help?

Simple: the CDN will not always consult your server! :)

Client = Request for site.com/img/um_byte.png, site.com/css/css.css...
Client -> [Cloudflare/Incapsula/Sucuri]
Client <- [Cloudflare/Incapsula/Sucuri]

Client = Request for site.com/index.php
Client -> [Cloudflare/Incapsula/Sucuri] -> Server
Client <- [Cloudflare/Incapsula/Sucuri] <- Server

The CDN already has some of the files; your server has been spared 2 requests and all the work of processing SSL for those two pages.

In addition it is possible to "fake" SSL, not in the literal sense. All of these sites have a "Flexible SSL" service, in other words...

Client -> {HTTPS} -> [Cloudflare/Incapsula/Sucuri] -> {HTTP} -> Server
Client <- {HTTPS} <- [Cloudflare/Incapsula/Sucuri] <- {HTTP} <- Server

That's unsafe! Because half of the route will be using encryption while the other part will not! But if your goal is just to get the "padlock" in the browser, this will suffice. Although I do not consider this an ethical solution.

The use of "Flexible SSL", without detracting from actual security, comes down to distributing static images, CSS, JS and content. Data of this type, in my opinion, do not carry "anything much". So on my sites such folders/domains use Flexible, while the rest (e.g. login.php) uses "Full SSL"; in addition such content is cached by the CDN itself, so I do not believe it to be a security problem.

CloudFlare and Incapsula offer free SSL; if you enable SSL it will use the certificate generated by them. To use your own certificate (that is, the certificate you already have, without one being generated by them!) you need to shell out about $200/month on CloudFlare, $299/month on Incapsula or about $30/month at Sucuri. I have no link with the sites or services mentioned here; I have simply used them all. Prices can change; check each website for the updated price, as well as the resources available in each plan.

    
answered 14.07.2016 / 17:56
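As an added example (not part of the answer above), here are steps 1 to 3 combined with the HTTP-to-HTTPS redirect the questioner did in .htaccess, as one nginx server block. The hostname, certificate paths, web root and PHP-FPM socket are placeholders. It assumes an nginx new enough to accept TLSv1.3 (1.13.0 or later built against OpenSSL 1.1.1 or later). The protocol list differs from the answer's: TLSv1 and TLSv1.1 were deprecated after the answer was written, so a current deployment keeps only TLSv1.2 and TLSv1.3. Because the origin still terminates TLS itself, this configuration also works behind a CDN in its "Full SSL" mode, which avoids the plaintext CDN-to-origin leg the answer warns about.

```nginx
# Added example, not from the original answer. Placeholders: example.com,
# the certificate paths, /var/www/curriculos and the PHP-FPM socket.

# Plain HTTP: nothing is served here, only the one-time redirect to HTTPS.
server {
    listen 80;
    server_name curriculos.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name curriculos.example.com;

    ssl_certificate     /etc/nginx/ssl/curriculos.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/curriculos.example.com.key;

    # Step 1: keep the TCP+TLS connection open between page loads (seconds),
    # so the next page reuses it instead of paying for a new handshake.
    keepalive_timeout 100;

    # Step 2: cache TLS sessions shared across worker processes. The nginx
    # docs give roughly 4000 sessions per MB, so 10m holds about 40000.
    # nginx's default ssl_session_timeout is 5m; 200m is the answer's value.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 200m;

    # Step 3: no SSLv2/SSLv3 (and, today, no TLSv1/TLSv1.1 either).
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/curriculos;
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Validate the file with `nginx -t` before reloading. To check that step 2 is actually taking effect, `openssl s_client -connect curriculos.example.com:443 -reconnect` performs one full handshake and then several reconnects; the reconnects should report the session as reused (resumed) rather than a fresh handshake.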