I'm considering the possibility of using a content delivery network for my websites. Because I'm such a cheapskate, I am trying to reduce the cost of doing so.
There is a fantastic CDN that is extremely low cost, but only supports browsers and operating systems that support SNI and ECDSA key exchange. (Bonus points for those who guess which one it is!)
I am therefore thinking of using ngx_pagespeed to rewrite resources to the CDN for web browsers that support ECDSA key exchange, and either not use a CDN or use a more expensive (but compatible) CDN for those who don't.
Unfortunately, I could not find a way to have nginx detect ECDSA support of browsers. Here is what I have considered so far:
- User-agent sniffing - this is generally a bad idea, and would not be able to detect those behind bad corporate proxies.
- Use JavaScript to detect support and set a cookie - this would make the client download resources twice after the first pageview, and would not work if the user has JavaScript or cookies disabled.
- Serve a blank interstitial page containing detection JavaScript - this would again not work without JavaScript or cookies, and would be harmful to SEO. Additionally, this would be slow, and even slower if detection takes a long time behind some strange proxies.
I see that it is possible for a server to read the cipher suites, such as in Qualys SSL Labs or this FREAK attack testing tool. How could I read the list of client supported cipher suites in nginx?
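How a server-side tool can read the offered cipher suites and SNI from the raw ClientHello, as an added example that is not part of the original question (it uses Python rather than nginx). The function names, the sample hello bytes and the choice of suite IDs are constructed for illustration, and the ECDSA set is a subset of the TLS 1.2 suites; TLS 1.3 suite IDs do not name the signature algorithm.

```python
import struct

ECDSA_SUITES = {0xC009, 0xC00A, 0xC023, 0xC024, 0xC02B, 0xC02C, 0xCCA9}  # subset

def parse_client_hello(record: bytes) -> dict:
    """Return the offered cipher suite IDs and SNI host name (None if absent)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    try:
        pos = 4 + 2 + 32                    # handshake header, version, random
        pos += 1 + body[pos]                # skip session_id
        n = struct.unpack_from("!H", body, pos)[0]
        suites = list(struct.unpack_from("!%dH" % (n // 2), body, pos + 2))
        pos += 2 + n
        pos += 1 + body[pos]                # skip compression methods
        sni = None
        if pos + 2 <= len(body):            # extensions are optional
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= min(end, len(body)):
                etype, elen = struct.unpack_from("!HH", body, pos)
                pos += 4
                # server_name (type 0): list_len(2) name_type(1) name_len(2) name
                if etype == 0 and elen >= 5:
                    nlen = struct.unpack_from("!H", body, pos + 3)[0]
                    sni = body[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
                pos += elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"suites": suites, "sni": sni}

def client_supports_cdn(record: bytes) -> bool:
    """True when the hello carries SNI and offers at least one ECDSA suite."""
    hello = parse_client_hello(record)
    return hello["sni"] is not None and any(s in ECDSA_SUITES for s in hello["suites"])

def build_sample_hello(suites, host=None) -> bytes:
    """Constructed sample ClientHello for the demo (not a real capture)."""
    ext = b""
    if host:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
             + struct.pack("!%dH" % len(suites), *suites)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

In nginx itself, the `$ssl_ciphers` variable (nginx 1.11.7 and later) exposes the client's offered cipher list, so the same ECDSA check can be written as a `map` on that variable.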