{"id":1450,"date":"2025-11-06T22:46:07","date_gmt":"2025-11-06T19:46:07","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/nginxte-tls-1-3-ocsp-stapling-ve-brotli-nasil-kurulur-hizli-ve-guvenli-httpsnin-sicacik-rehberi\/"},"modified":"2025-11-06T22:46:07","modified_gmt":"2025-11-06T19:46:07","slug":"nginxte-tls-1-3-ocsp-stapling-ve-brotli-nasil-kurulur-hizli-ve-guvenli-httpsnin-sicacik-rehberi","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/nginxte-tls-1-3-ocsp-stapling-ve-brotli-nasil-kurulur-hizli-ve-guvenli-httpsnin-sicacik-rehberi\/",
"title":{"rendered":"How to Set Up TLS 1.3, OCSP Stapling and Brotli in Nginx? A Cozy Guide to Fast and Secure HTTPS"},
"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Kucuk_Bir_Gece_Macerasi_Neden_Bu_Ayarlarla_Ugrasiyoruz\"><span class=\"toc_number toc_depth_1\">1<\/span> A Little Night-Time Adventure: Why Bother With These Settings?<\/a><\/li><li><a href=\"#TLS_13_Neden_Onemli_Nasil_Etkinlestiririz\"><span class=\"toc_number toc_depth_1\">2<\/span> Why Does TLS 1.3 Matter? How Do We Enable It?<\/a><\/li><li><a href=\"#Sertifika_Zinciri_Kucuk_Hatalar_ve_HSTSin_Incelikleri\"><span class=\"toc_number toc_depth_1\">3<\/span> Certificate Chains, Small Mistakes and the Subtleties of HSTS<\/a><\/li><li><a href=\"#OCSP_Stapling_Tarayiciya_Bak_Ben_Temizim_Demenin_Hizli_Yolu\"><span class=\"toc_number toc_depth_1\">4<\/span> OCSP Stapling: The Fast Way to Tell the Browser \u201cLook, I\u2019m Clean\u201d<\/a><\/li><li><a href=\"#Brotli_ile_Sikistirma_Asfalt_Gibi_Puruzsuz_Hafif_ve_Hizli\"><span class=\"toc_number toc_depth_1\">5<\/span> Compression With Brotli: Smooth as Asphalt, Light and Fast<\/a><\/li><li><a href=\"#HTTP2_ALPN_ve_Kucuk_Dokunuslar\"><span class=\"toc_number toc_depth_1\">6<\/span> HTTP\/2, ALPN and Small Touches<\/a><\/li><li><a href=\"#OCSP_ve_Brotliyi_Dogrulamak_Gercekten_Calisiyor_mu\"><span class=\"toc_number toc_depth_1\">7<\/span> Verifying OCSP and Brotli: \u201cIs It Really Working?\u201d<\/a><\/li><li><a href=\"#Sertifika_Yenileme_Otomasyon_ve_Kucuk_Tuzaklar\"><span class=\"toc_number toc_depth_1\">8<\/span> Certificate Renewal, Automation and Small Traps<\/a><\/li><li><a href=\"#Onbellek_Sikistirma_ve_Nginxin_Renkli_Dunyasi\"><span class=\"toc_number toc_depth_1\">9<\/span> Caching, Compression and Nginx\u2019s Colorful World<\/a><\/li><li><a href=\"#Adim_Adim_Ozet_Akis_Temiz_Kurulumun_Kisa_Hikayesi\"><span class=\"toc_number toc_depth_1\">10<\/span> Step-by-Step Summary Flow: The Short Story of a Clean Setup<\/a><ul><li><a href=\"#1_TLS_13_ve_Temel_Guvenlik_Ayarlari\"><span class=\"toc_number toc_depth_2\">10.1<\/span> 1) TLS 1.3 and Basic Security Settings<\/a><\/li><li><a href=\"#2_OCSP_Stapling_ile_Hafifleyen_Dogrulama\"><span class=\"toc_number toc_depth_2\">10.2<\/span> 2) Lighter Validation With OCSP Stapling<\/a><\/li><li><a href=\"#3_Brotli_ile_Akici_Yuklemeler\"><span class=\"toc_number toc_depth_2\">10.3<\/span> 3) Smooth Loads With Brotli<\/a><\/li><li><a href=\"#4_Olc_Gozle_Minik_Dokunuslar\"><span class=\"toc_number toc_depth_2\">10.4<\/span> 4) Measure, Observe, Tiny Tweaks<\/a><\/li><\/ul><\/li><li><a href=\"#Sahadan_Kucuk_Deneyimler_Nerede_Takilabiliriz\"><span class=\"toc_number toc_depth_1\">11<\/span> Small Lessons From the Field: Where Can We Get Stuck?<\/a><\/li><li><a href=\"#Dis_Kaynaklarla_Ufak_Bir_Yol_Haritasi\"><span class=\"toc_number toc_depth_1\">12<\/span> A Small Road Map With External Resources<\/a><\/li><li><a href=\"#Kapanis_Hiz_ve_Guvenlik_Ayni_Masada_Oturabilir\"><span class=\"toc_number toc_depth_1\">13<\/span> Closing: Speed and Security Can Sit at the Same Table<\/a><\/li><\/ul><\/div>\n<h2 id=\"section-1\"><span id=\"Kucuk_Bir_Gece_Macerasi_Neden_Bu_Ayarlarla_Ugrasiyoruz\">A Little Night-Time Adventure: Why Bother With These Settings?<\/span><\/h2>\n<p>It was midnight. I was updating servers, a coffee by the rack, green logs scrolling across the screen. Right then a friend messaged: \u201cThe checkout page on the site feels a bit slow, but it looks secure, right?\u201d Coffee in one hand, I ran <strong>curl<\/strong> with the other, then an <strong>SSL test<\/strong> on top. The page wasn\u2019t bad, but a few details were blinking at me: traces of old protocols not cleaned up, <strong>OCSP stapling<\/strong> off, no <strong>Brotli<\/strong>. Details that look small like these cut into performance like a knife the moment traffic spikes.<\/p>\n<p>Has it ever happened to you? That moment when you say \u201ceverything works\u201d and then realize how much difference small settings make. That night I thought: let\u2019s go through this topic together, calmly. Today we\u2019ll enable <strong>TLS 1.3 in Nginx<\/strong> properly, speed up certificate validation with <strong>OCSP Stapling<\/strong>, and squeeze files down nicely with <strong>Brotli<\/strong>. But let\u2019s do it not as a dry technical write-up, but with small stories that stick and practical examples. Think of it this way: all of this is about giving the user a noticeable speed boost while keeping your site secure. Let\u2019s start step by step.<\/p>\n<h2 id=\"section-2\"><span id=\"TLS_13_Neden_Onemli_Nasil_Etkinlestiririz\">Why Does TLS 1.3 Matter? How Do We Enable It?<\/span><\/h2>\n<p>The best feeling in security is peace of mind. <strong>TLS 1.3<\/strong> is the practical form of that peace. The handshake is shorter, the confusing legacy cipher suites are gone, and it works smoothly with modern browsers. Think of it this way: you\u2019re walking through a door, the staff recognize you, scan your card quickly and wave you in. That\u2019s what TLS 1.3 feels like. A very short ceremony and you hop right in.<\/p>\n<p>What we have to do on the Nginx side is actually simple. But first a little housekeeping: think \u201cout with the old, in with the new\u201d. We\u2019ll close the TLS 1.0 and 1.1 era and enable 1.2 and 1.3 side by side. 1.2 is an old friend that still does the job; 1.3 is the new one that gets a lot done with few words.<\/p>\n<p>Below is a basic example. Adapt your own directory paths and domain name. The <strong>fullchain<\/strong> and <strong>private key<\/strong> paths will vary depending on the certificate you use.<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">server {\n    listen 443 ssl http2;\n    server_name \u00f6rnek.com www.\u00f6rnek.com;\n\n    ssl_certificate \/etc\/letsencrypt\/live\/ornek.com\/fullchain.pem;\n    ssl_certificate_key \/etc\/letsencrypt\/live\/ornek.com\/privkey.pem;\n\n    ssl_protocols TLSv1.2 TLSv1.3;\n    ssl_prefer_server_ciphers off;\n\n    # A sensible set for TLS 1.2; TLS 1.3 brings its own modern suites\n    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';\n\n    ssl_session_cache shared:SSL:50m;\n    ssl_session_timeout 1d;\n    ssl_session_tickets off;\n\n    # HTTP Strict Transport Security (start cautiously)\n    add_header Strict-Transport-Security &quot;max-age=31536000&quot; always;\n\n    root \/var\/www\/ornek;\n    index index.html;\n}\n<\/code><\/pre>\n<p>There aren\u2019t many magic numbers here. TLS 1.3 already comes lean. The cipher list mostly tidies up the TLS 1.2 side. With <strong>ssl_session_tickets off<\/strong> we drop the burden of managing ticket keys. Rather than going all in on HSTS right away with \u201cincludeSubDomains; preload\u201d, it\u2019s a good idea to take a breath and start with <strong>max-age<\/strong> alone. Once you widen HSTS, backing out can be a bit more laborious.<\/p>\n<p>If you\u2019re wondering \u201cdid I do this right?\u201d, <a href=\"https:\/\/ssl-config.mozilla.org\/\" target=\"_blank\" rel=\"noopener nofollow\">Mozilla\u2019s SSL configuration generator<\/a> works as a quick cheat sheet. It has settings by profile; you can weigh them against your own traffic.<\/p>\n<h2 id=\"section-3\"><span id=\"Sertifika_Zinciri_Kucuk_Hatalar_ve_HSTSin_Incelikleri\">Certificate Chains, Small Mistakes and the Subtleties of HSTS<\/span><\/h2>\n<p>One day on a customer\u2019s site the page kept intermittently throwing a \u201ccertificate error\u201d. The problem turned out to be simple: we were pointing at the wrong file; only the leaf certificate had been installed instead of the <strong>fullchain<\/strong>. Think of it as a missing link in the chain. The browser notices the gap and gets fussy. If you use <strong>Let\u2019s Encrypt<\/strong>, the <em>fullchain.pem<\/em> and <em>privkey.pem<\/em> pair is usually enough. But shortly we\u2019ll point at the \u201ctrusted chain\u201d separately for <strong>OCSP Stapling<\/strong>, and that\u2019s where the <em>chain<\/em> files come in handy.<\/p>\n<p>On the HSTS side, taking it slowly is best. Try it on the main domain first, then spread it to subdomains. Don\u2019t rush into \u201cpreload\u201d; once you\u2019re on the list, getting off takes time. A small pilot period, observation, a quick look at the logs, then expansion\u2026 That makes for a transition that is both safe and calm.<\/p>\n<h2 id=\"section-4\"><span id=\"OCSP_Stapling_Tarayiciya_Bak_Ben_Temizim_Demenin_Hizli_Yolu\">OCSP Stapling: The Fast Way to Tell the Browser \u201cLook, I\u2019m Clean\u201d<\/span><\/h2>\n<p>Now we come to one of my favorite bits of magic: <strong>OCSP Stapling<\/strong>. Let me explain it simply. Normally the browser talks to an outside party to ask whether your certificate has been revoked. So between the user and your server, a \u201cseparate trip to the certificate provider\u201d gets inserted. That little trip is noticeable, especially on slow networks. With <strong>stapling<\/strong>, you do that work yourself and pin the fresh result on your door. The browser comes, looks, says \u201call good\u201d and moves on.<\/p>\n<p>Two small touches are needed in Nginx: first, turning <strong>stapling<\/strong> on; second, pointing at a resolver and the trusted chain. The resolver is mandatory, otherwise Nginx may not be able to resolve the OCSP server\u2019s address. The example configuration looks like this:<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">server {\n    listen 443 ssl http2;\n    server_name \u00f6rnek.com;\n\n    ssl_certificate \/etc\/letsencrypt\/live\/ornek.com\/fullchain.pem;\n    ssl_certificate_key \/etc\/letsencrypt\/live\/ornek.com\/privkey.pem;\n\n    ssl_protocols TLSv1.2 TLSv1.3;\n\n    # OCSP Stapling\n    ssl_stapling on;\n    ssl_stapling_verify on;\n    resolver 1.1.1.1 8.8.8.8 valid=300s ipv6=off;\n    ssl_trusted_certificate \/etc\/letsencrypt\/live\/ornek.com\/chain.pem;\n\n    # Other settings...\n}\n<\/code><\/pre>\n<p>Small note: for the trusted chain, in most cases <em>chain.pem<\/em> or the <em>ca-bundle<\/em> file your certificate provider gives you is used. Also, if the firewall is very restrictive about outbound connections, make sure Nginx can reach the OCSP server. Half of the \u201csomething is missing, but what?\u201d moments are the firewall.<\/p>\n<p>For verification you can use a command like the following. If you see <strong>OCSP Response Status: successful<\/strong> in the output, you can relax:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">openssl s_client -connect \u00f6rnek.com:443 -servername \u00f6rnek.com -tls1_3 -status &lt; \/dev\/null | grep -E &quot;OCSP|Verify&quot; -A3\n<\/code><\/pre>\n<p>If you use Let\u2019s Encrypt, you can find the small behavioral notes and FAQs on stapling neatly collected on this page: <a href=\"https:\/\/letsencrypt.org\/docs\/stapling\/\" target=\"_blank\" rel=\"noopener nofollow\">Let\u2019s Encrypt\u2019s stapling notes<\/a>. Short and to the point; it\u2019s a lifesaver when you run into trouble.<\/p>\n<h2 id=\"section-5\"><span id=\"Brotli_ile_Sikistirma_Asfalt_Gibi_Puruzsuz_Hafif_ve_Hizli\">Compression With Brotli: Smooth as Asphalt, Light and Fast<\/span><\/h2>\n<p>On one project we turned on file compression, but the real speed gain just wouldn\u2019t come. Then we noticed: no <strong>Brotli<\/strong>, only classic gzip. Gzip isn\u2019t bad, but Brotli gives a much better result for some file types. Especially for text-heavy content like CSS and JS, you can almost see the difference. Without turning this into a list, let me say: not always, but in most cases it\u2019s better. Feeling that sentence is enough.<\/p>\n<p>Brotli doesn\u2019t come built into Nginx; it has to be loaded as a module. Some distributions have a ready-made package, on others you need to install the module separately. After installing, you usually load two module files and the settings look like this:<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\"># In \/etc\/nginx\/nginx.conf or a conf file loaded at the very start\nload_module modules\/ngx_http_brotli_filter_module.so;\nload_module modules\/ngx_http_brotli_static_module.so;\n\nhttp {\n    brotli on;\n    brotli_comp_level 5;            # 4-6 is the sweet spot for most sites\n    brotli_static on;               # if a .br file is ready, serve it directly\n    brotli_types text\/plain text\/css text\/xml application\/javascript\n                 application\/json application\/xml+rss application\/xhtml+xml\n                 application\/ld+json image\/svg+xml;\n\n    gzip on;                        # a polite fallback for older browsers\n    gzip_types text\/plain text\/css application\/javascript application\/json\n               image\/svg+xml;\n\n    # ... your other http settings\n}\n<\/code><\/pre>\n<p>If you set <strong>brotli_static on<\/strong>, Nginx will serve a pre-compressed version with the <em>.br<\/em> extension directly if it finds one next to the file. This reduces CPU consumption, especially on high-traffic sites. Add a small task to your deployment pipeline for your static files: also generate <strong>Brotli<\/strong> versions of the compiled CSS\/JS outputs. If you want to try it once on the command line:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">brotli -Z -o app.min.js.br app.min.js\nbrotli -Z -o app.min.css.br app.min.css\n<\/code><\/pre>\n<p>By the way, if the client doesn\u2019t say \u201cI support Brotli\u201d, keep <strong>gzip<\/strong> alongside it. That way you have a server that sends nobody away empty-handed. Later you can see from the logs what share of responses use Brotli and fine-tune the setting.<\/p>\n<h2 id=\"section-6\"><span id=\"HTTP2_ALPN_ve_Kucuk_Dokunuslar\">HTTP\/2, ALPN and Small Touches<\/span><\/h2>\n<p>You saw the \u201chttp2\u201d parameter; that one gives a nice feeling of speed. It helps you carry a large number of small files more intelligently. Alongside it there\u2019s a little protocol introduction we call <strong>ALPN<\/strong>; in short, the browser politely asks \u201cshall we speak HTTP\/2?\u201d and Nginx says \u201cof course\u201d. For that conversation to happen, the TLS side needs to be clean; that\u2019s why getting TLS 1.3-compatible settings right is critical not just for security but for speed too.<\/p>\n<p>My little routine goes like this: I try it first on staging or a low-traffic site. I check Nginx with a <em>config test<\/em>, then a gentle <em>reload<\/em>. The switch happens without hurting a single connection. I watch for a few hours, look at the logs. If something breaks, rolling back is one command. If it doesn\u2019t, I carry the same settings over to the main site. Watching those small tweaks made at night turn into the user experience in the morning is quite a pleasure.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">nginx -t &amp;&amp; systemctl reload nginx\n<\/code><\/pre>\n<h2 id=\"section-7\"><span id=\"OCSP_ve_Brotliyi_Dogrulamak_Gercekten_Calisiyor_mu\">Verifying OCSP and Brotli: \u201cIs It Really Working?\u201d<\/span><\/h2>\n<p>The best part is testing it. When you wonder \u201cis it really coming with Brotli?\u201d, even a simple header query is enough:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">curl -I --compressed https:\/\/\u00f6rnek.com\/app.min.js\n# If you see Content-Encoding: br in the output, brotli is active\n<\/code><\/pre>\n<p>For OCSP, the output of the <strong>openssl s_client<\/strong> command I mentioned earlier shows the way. Also, if you see lines about \u201cstapling\u201d in the Nginx error logs, those small warnings tell you which direction the problem lies in. Once, stapling never kicked in simply because the DNS resolver was missing; the <em>resolver<\/em> line fixed everything.<\/p>\n<p>If you ask \u201cwhich directive does what, and what else is there?\u201d, take a look at the official documentation: <a href=\"https:\/\/nginx.org\/en\/docs\/http\/ngx_http_ssl_module.html\" target=\"_blank\" rel=\"noopener nofollow\">Nginx SSL module documentation<\/a>. It explains the meaning of the values plainly and fills the gaps in your head nicely.<\/p>\n<h2 id=\"section-8\"><span id=\"Sertifika_Yenileme_Otomasyon_ve_Kucuk_Tuzaklar\">Certificate Renewal, Automation and Small Traps<\/span><\/h2>\n<p>Certificates get renewed; life goes on. When <strong>certbot<\/strong> or whatever tool you use refreshes the certificate, it\u2019s a good idea to add a <em>deploy hook<\/em> so Nginx notices. That way you avoid the hiccup of \u201cthe certificate was updated but Nginx is still holding the old file\u201d.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">certbot renew --deploy-hook &quot;systemctl reload nginx&quot;\n<\/code><\/pre>\n<p>There\u2019s also this: some certificate providers may make small changes to the chain. So if you hard-coded the <strong>ssl_trusted_certificate<\/strong> path, make sure you\u2019re pointing at the right file after renewal. At one customer, stapling had disappeared even though we\u2019d said \u201ceverything\u2019s fine\u201d; it turned out the chain file path had changed.<\/p>\n<p>The firewall side should also be reviewed calmly. Outbound 80\/443 and DNS queries need to be allowed for Nginx to reach the OCSP servers. If you\u2019re in an environment that uses DNS-over-HTTPS, one more layer comes into play; here too, clarifying the system\u2019s overall DNS path makes your job easier.<\/p>\n<h2 id=\"section-9\"><span id=\"Onbellek_Sikistirma_ve_Nginxin_Renkli_Dunyasi\">Caching, Compression and Nginx\u2019s Colorful World<\/span><\/h2>\n<p>Compression performance doesn\u2019t stand alone; it gets better when it walks side by side with caching. Leaving static files in a long-lived cache multiplies Brotli\u2019s effect. Again the \u201cfew words, much work\u201d logic. If you have a dynamic setup like WordPress, <a href=\"https:\/\/www.dchost.com\/blog\/wordpresste-tam-sayfa-onbellekleme-nasil-kurulur-nginx-fastcgi-cache-varnish-ve-litespeed-cache-ile-woocommercee-nazikce-dokunmak\/\" target=\"_blank\" rel=\"noopener\">this guide on full-page caching<\/a> can bring the whole picture into focus. When compression, caching and protocol settings go hand in hand, the user feels flow instead of waiting.<\/p>\n<p>By the way, I don\u2019t want to get into TLS 1.3\u2019s more advanced features like \u201c0-RTT\u201d, because there are other sensitive debates there. Let\u2019s lay a solid foundation first: protocol correct, stapling active, Brotli working. Then we slowly move into the other lanes. With this approach, rolling back is easy too.<\/p>\n<h2 id=\"section-10\"><span id=\"Adim_Adim_Ozet_Akis_Temiz_Kurulumun_Kisa_Hikayesi\">Step-by-Step Summary Flow: The Short Story of a Clean Setup<\/span><\/h2>\n<h3><span id=\"1_TLS_13_ve_Temel_Guvenlik_Ayarlari\">1) TLS 1.3 and Basic Security Settings<\/span><\/h3>\n<p>First enable TLS 1.3 and 1.2 together. Turn off the old protocols. Keep the cipher suites lean, disable tickets and enable HSTS in moderation. Take a breath and validate with <em>nginx -t<\/em>, then a gentle <em>reload<\/em>. Let the handshake with the browser be short and clear.<\/p>\n<h3><span id=\"2_OCSP_Stapling_ile_Hafifleyen_Dogrulama\">2) Lighter Validation With OCSP Stapling<\/span><\/h3>\n<p>Turn stapling on, set a <strong>resolver<\/strong>, point at the trusted chain. Check whether the firewall allows outbound access. Check your status with <em>openssl s_client<\/em>. A calm log scan, a few user tests, then the move to the real site.<\/p>\n<h3><span id=\"3_Brotli_ile_Akici_Yuklemeler\">3) Smooth Loads With Brotli<\/span><\/h3>\n<p>Load the module, set the level sensibly, and with <strong>brotli_static<\/strong> add <em>.br<\/em> generation to the build pipeline. Keep gzip as a fallback. See Brotli in the headers with <em>curl --compressed<\/em>. As file sizes shrink, the perceived smoothness grows.<\/p>\n<h3><span id=\"4_Olc_Gozle_Minik_Dokunuslar\">4) Measure, Observe, Tiny Tweaks<\/span><\/h3>\n<p>If you use a CDN, let these settings work together with the cache in the upper layer. Watch content encodings, statuses and wait times in the logs. Small settings make big impacts; so don\u2019t rush. If needed, rolling back is possible with one command.<\/p>\n<h2 id=\"section-11\"><span id=\"Sahadan_Kucuk_Deneyimler_Nerede_Takilabiliriz\">Small Lessons From the Field: Where Can We Get Stuck?<\/span><\/h2>\n<p>Once, Nginx seemed to be doing everything right, but the browser was still sending OCSP requests. The problem was that the path to the certificate provider\u2019s OCSP server was getting stuck in DNS. As soon as we added the <strong>resolver<\/strong> line, things were fixed at light speed. Another time, Brotli wasn\u2019t serving the static files; it turned out the CI pipeline hadn\u2019t produced them, and the production server was wearing out the CPU on real-time compression. Once the <em>.br<\/em> files arrived, everything went smooth as glass.<\/p>\n<p>One of my favorite lessons is this: convert a small area first. A subdomain, a separate server, even a hidden route. Think of it as a \u201ccanary\u201d. Once you spot and sort out the rough edges there, moving to the main site becomes both risk-free and much faster. On top of that, convincing the rest of the team gets easier, because the result is right there.<\/p>\n<h2 id=\"section-12\"><span id=\"Dis_Kaynaklarla_Ufak_Bir_Yol_Haritasi\">A Small Road Map With External Resources<\/span><\/h2>\n<p>Before finishing this post, let me leave a short note on resources. If you want to go deeper into the settings, the <a href=\"https:\/\/nginx.org\/en\/docs\/http\/ngx_http_ssl_module.html\" target=\"_blank\" rel=\"noopener nofollow\">Nginx SSL module documentation<\/a> is clear and up to date. If you\u2019re curious about stapling behavior on the certificate side, <a href=\"https:\/\/letsencrypt.org\/docs\/stapling\/\" target=\"_blank\" rel=\"noopener nofollow\">Let\u2019s Encrypt\u2019s stapling notes<\/a> are a good guide. And for weighing configuration sets and trying them quickly, <a href=\"https:\/\/ssl-config.mozilla.org\/\" target=\"_blank\" rel=\"noopener nofollow\">Mozilla\u2019s SSL configuration generator<\/a> is like a practical handbook.<\/p>\n<h2 id=\"section-13\"><span id=\"Kapanis_Hiz_ve_Guvenlik_Ayni_Masada_Oturabilir\">Closing: Speed and Security Can Sit at the Same Table<\/span><\/h2>\n<p>Let\u2019s wrap up. With TLS 1.3 we shortened the handshake, with OCSP Stapling we turned the extra work that falls on the browser into a sunny Sunday stroll, with Brotli we added compression that breathes. When it all comes together, what emerges is an experience that is both secure and smooth. The user says \u201cthis site feels so light\u201d, and you see nice numbers in the logs. But I think what matters more is this: our minds are at ease. The peace of doing the right things, in the right order, on the server side.<\/p>\n<p>If you\u2019re just starting, move in small steps. First TLS and basic security, then stapling, then Brotli. After each step a short test, a tiny observation. Don\u2019t stay in the dark where you get stuck; logs, small commands and tiny rollbacks are your best friends. I hope this guide makes your job easier before the coffee on your desk goes cold. In another post we\u2019ll touch on the sweet details of these settings on the CDN and HTTP\/3 side too. See you!<\/p>\n<\/div>","protected":false},
"excerpt":{"rendered":"<p>Contents1 A Little Night-Time Adventure: Why Bother With These Settings?2 Why Does TLS 1.3 Matter? How Do We Enable It?3 Certificate Chains, Small Mistakes and the Subtleties of HSTS4 OCSP Stapling: The Fast Way to Tell the Browser \u201cLook, I\u2019m Clean\u201d5 Compression With Brotli: Smooth as Asphalt, Light and Fast6 HTTP\/2, ALPN and Small Touches7 Verifying OCSP and Brotli: \u201cIs It Really Working?\u201d8 Certificate Renewal, Automation [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":1451,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1450","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1450"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1450\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1451"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}