About server performance

jarod5001 · December 15, 2023, 9:54am

About server performance.

I’ve had my nextcloud instance responding very slowly, so I looked for nextcloud tuning Server tuning — Nextcloud latest Administration Manual latest documentation

Checked performance using both websites :

https://pagespeed.web.dev/ (from Google)
https://yellowlab.tools/ (open source and selfhosted)
https://www.webpagetest.org/ (open source and selfhosted)

The default installation settings did meet the nextcloud guide. So I removed some nextcloud apps that had alternatives in the yunohost catalog. There was a significant improvement. So I looked in the yellowlab tools report. It advised to enable compression (gzip or brotli).

I edited my main nginx config file according to this guide (I know, it’s not the correct way to do it, I’ll move it to a hook) :


gzip on;

gzip_disable "msie6";

gzip_vary on;

gzip_proxied any;

gzip_comp_level 6;

gzip_buffers 16 8k;

gzip_http_version 1.1;

gzip_min_length 1024;

Note that in the original file only the first line was uncommented.

And followed this guide for gzip_types :


gzip_types text/html text/css text/plain text/xml text/x-component text/javascript application/x-javascript application/javascript application/json application/manifest+json application/vnd.api+json application/xml application/xhtml+xml application/rss+xml application/atom+xml application/vnd.ms-fontobject application/x-font-ttf application/x-font-opentype application/x-font-truetype image/svg+xml image/x-icon image/vnd.microsoft.icon font/ttf font/eot font/otf font/opentype;

Then reloaded nginx. There was a noticeable performance improvement for the whole server. Even the yunohost portal loaded much faster. Nextcloud also benefited a little since it has a lot of css.

If you have any recommendations or know any other advices about performance, share them with us.

Lapineige · December 15, 2023, 12:44pm

I remember there were some advice regarding this setting not to activate it, because of a security issue it create.
I don’t know if that’s still valid ?

Aleks · December 15, 2023, 12:51pm

Yes, it’s called “BREACH”, as far as I know it’s very much still a thing and mitigations are not trivial : BREACH - Wikipedia

It’s pretty technical and it’s a weakness only in specific scenarios but that means we can’t really enable by default on YunoHost

However I’m reading:

Another suggested approach is to disable HTTP compression whenever the referrer header indicates a cross-site request, or when the header is not present. This approach allows effective mitigation of the attack without losing functionality, only incurring a performance penalty on affected requests.

which we could investigate to see if it’s easy to implement in nginx

jarod5001 · December 16, 2023, 7:47pm

But if I understand correctly, the default nginx configuration does not allow cross site requests and the headers are present as I see here in the following lines :

github.com

YunoHost/yunohost/blob/770fdb686138c9a05d63577e40f32343a5076e47/conf/nginx/security.conf.inc#L33


      
          
          
          # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
          # https://wiki.mozilla.org/Security/Guidelines/Web_Security
          # https://observatory.mozilla.org/
          {% if experimental == "True" %}
          more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:;";
          {% else %}
          more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
          {% endif %}
          more_set_headers "X-Content-Type-Options : nosniff";
          more_set_headers "X-XSS-Protection : 1; mode=block";
          more_set_headers "X-Download-Options : noopen";
          more_set_headers "X-Permitted-Cross-Domain-Policies : none";
          more_set_headers "X-Frame-Options : SAMEORIGIN";
          
          # Disable the disaster privacy thing that is FLoC
          {% if experimental == "True" %}
          more_set_headers "Permissions-Policy : fullscreen=(), geolocation=(), payment=(), accelerometer=(), battery=(), magnetometer=(), usb=(), interest-cohort=()";
          # Force HTTPOnly and Secure for all cookies
          proxy_cookie_path ~$ "; HTTPOnly; Secure;";

It’s obvious that improving server performance should never be done at the price of risky security.

I’ve searched for some highly reputed security scan sites and they all reported good results for both my vps (with the altered nginx config) and my home server (with the original nginx config), except for https://securityheaders.com/ that was talking about “referrer-policy”

I’m not an expert at all in nginx, far from that. I’m learning as much as I can, like a lot of yunohost users. So I don’t know what is that, is it important and how to deal with it.

Among other sites I used for scanning : ssllabs.com, sucuri.net. They were all good.

And it’s a an occasion for thanking all of the working team behind yunohost for this amazing gem and all the users who help each other and contribute as much as they can.

wbk · December 17, 2023, 10:06am

Following the Wikipedia-link, it seems the BREACH-site has a recommended fix, and a list of alternative fixes.

Most recommended is HTB (“Heal the breach”), a change to the gzip binary. It adds some random bits to the definition of the filename (for what I undestand) in the header of the zipped data. The people that did the research, publicized code with unclear licensing.

Someone with a self-depreciative inclination wrote an alternative version as public domain.

The gzip-fix seems a drop-in replacement, with the caveat that someone has to drop it in from outside regular package management, and trust that it will be kept up to date.t