TTFB slower on FULL over FLEXIBLE even using TLS 1.3

I read here that the fastest way to connect Cloudflare to the origin server without Railgun would be FULL, if the origin server supports TLS 1.3.

I have set my apache to use TLS 1.3 and also changed cloudflare settings to use FULL instead of FLEXIBLE.

But this setting is about 100 ms slower on TTFB.

What am I missing?

How are you testing TTFB?

Page speed is relative to the testing site location and target site location geographically.

With Cloudflare enabled, TTFB isn’t as important when you compare it to first paint, first contentful paint, first meaningful paint and document load times. Those are the metrics Google is looking for https://developers.google.com/web/fundamentals/performance/user-centric-performance-metrics and the ones Cloudflare will help you optimise for when it’s enabled.

webpagetest.org has advanced features you can use to reveal these additional Google-focused pagespeed metrics, i.e. the Google Lighthouse Report.

I wrote a guide for my users which may be useful to you as well, including enabling Google Lighthouse Report testing in WPT https://community.centminmod.com/threads/how-to-use-webpagetest-org-for-page-load-speed-testing.13859/

1 Like

I am testing with webpagetest.org.

The question is not whether TTFB is or is not important, but what the fastest way to connect the origin server to the Cloudflare PoPs is.

It was supposed to be FULL with TLS 1.3 on the origin server. But in the real world, that’s not happening. I would like to know why, and if there is any other test to check what could be the issue.

This is due to Cloudflare not caching HTML content by default (see below). So for optimal TTFB, you want your real origin web server to be hosted in the location closest to the majority of your visitors, and then put Cloudflare in front. For instance, my forum has 50% US visitors, 40% Asian visitors and 10% Oceania. So the optimal geographic location for my origin is the US West Coast, as it sits in the middle of the US, Europe and Asia, so equal round-trip times for the majority of visitors.

Cloudflare caches certain static content https://support.cloudflare.com/hc/en-us/articles/200172516-Which-file-extensions-does-Cloudflare-cache-for-static-content- but not the dynamically/statically generated HTML itself by default (which is what the WPT TTFB is testing). But you can tell Cloudflare to cache dynamically/statically generated HTML content to some extent, depending on the Cloudflare plan you’re on, via a Cache Everything page rule. You have to be careful to only do this for static HTML content and not dynamic HTML content (otherwise you would cache private logged-in user content).

1 Like

It would be very nice to use Railgun and Bypass Cache on Cookie. But these features are only available on Business plans.

Right now I would be happy to optimize the communication speed between the Cloudflare PoPs and the origin server on a Pro account.

I suppose that FLEXIBLE will be the way to go unless someone can confirm that FULL with TLS 1.3 is indeed the best way and that there is some issue I have to solve on my server.

Cloudflare Full SSL + TLSv1.3 is the most optimal way in theory, along with ensuring the origin server uses ECC 256bit ECDSA SSL certificates/ciphers, which are more performant than traditional RSA 2048bit SSL certificates/ciphers. I did a write-up for my Centmin Mod LEMP stack users at https://community.centminmod.com/threads/improving-cloudflare-connections-to-origin-server-use-ecdsa-ssl-certs.14817/

However, for TTFB the geographic distance between the CF edge and your origin web server is still a factor, as is how your web server implements HTTPS and TLSv1.3. This can vary between web servers, as not all implementations are created equal in their performance for RSA 2048bit and/or ECDSA 256bit ciphers, due to the specific cryptographic library used, i.e. OpenSSL vs BoringSSL vs LibreSSL etc.

2 Likes

Our server is running cPanel and the AutoSSL provider is Sectigo. There are no details about whether it is an ECC 256bit ECDSA SSL or an RSA 2048bit SSL certificate.

Generally most folks and implementations, including cPanel AutoSSL, will default to traditional RSA 2048bit SSL certificates.

Some web servers can support dual SSL certs for RSA 2048bit + ECDSA 256bit, so browser clients that support ECDSA 256bit get those and browsers that don’t support it get the normal RSA 2048bit cert. Cloudflare Pro and higher paid plans support dual RSA + ECDSA SSL certs.

Cloudflare.com’s SSL cert with ECC 256bit ECDSA SSL certificate in Opera/Chrome would show

I develop my own LEMP stack, Centmin Mod Nginx, which has optional dual RSA + ECC SSL cert support too, since Nginx 1.11+ has dual SSL cert support https://community.centminmod.com/threads/nginx-1-11-0-introduces-dual-ecdsa-rsa-ssl-certificate-support.7449/

1 Like
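A way to run the test the thread asks for, added here as an example and not code from the thread or from Centmin Mod. It connects once to the hostname (through the Cloudflare edge) and once straight to the origin IP, and reports for each: the negotiated TLS version and cipher, whether the certificate is ECDSA or RSA, whether the server can present both certificate types (the dual RSA + ECDSA setup discussed in the last two replies, tested with TLS 1.2 cipher suites that pin one key type), the CF-Cache-Status header (DYNAMIC meaning the HTML was not cached, as described earlier in the thread), and TCP / handshake / time-to-first-byte timings. The origin IP, hostname and the file name tlsprobe.py are placeholders you supply; the key-type detection is a byte-pattern heuristic on the DER certificate, not a full parser.

```python
#!/usr/bin/env python3
"""Probe an HTTPS endpoint (origin IP directly, or hostname via the Cloudflare
edge): TLS version/cipher, cert key type, dual-cert support, CF-Cache-Status,
and TCP / TLS-handshake / TTFB timings.  Standard library only."""
import socket
import ssl
import sys
import time

# DER encodings of the two SubjectPublicKeyInfo algorithm OIDs we care about.
EC_PUBLIC_KEY_OID = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey 1.2.840.10045.2.1
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption  1.2.840.113549.1.1.1

# TLS 1.2 suites that require one certificate type; used to test dual-cert setups.
CIPHERS_BY_KEY_TYPE = {
    "ECDSA": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
    "RSA": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
}


def key_type_from_der(der: bytes) -> str:
    """Heuristic, not a full DER parser: rsaEncryption only appears in the SPKI
    (signatures use sha256WithRSAEncryption, 1.2.840.113549.1.1.11, whose last
    OID byte differs), so an RSA-signed ECDSA leaf still reports ECDSA."""
    if EC_PUBLIC_KEY_OID in der:
        return "ECDSA"
    if RSA_ENCRYPTION_OID in der:
        return "RSA"
    return "unknown"


def parse_headers(raw: bytes) -> dict:
    """Status line plus lower-cased header names from an HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def make_context(verify: bool = True, ciphers: str = "", tls12_only: bool = False) -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    if not verify:  # e.g. the origin presents a Cloudflare Origin CA cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if ciphers:
        ctx.set_ciphers(ciphers)
    if tls12_only:  # TLS 1.3 suites do not pin the auth algorithm, so pin TLS 1.2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host: str, server_name: str, port: int = 443, verify: bool = True,
          ciphers: str = "", tls12_only: bool = False, path: str = "/") -> dict:
    """One connection: TCP connect, TLS handshake, GET, wait for the first byte."""
    ctx = make_context(verify, ciphers, tls12_only)
    t0 = time.perf_counter()
    with socket.create_connection((host, port), timeout=10) as raw:
        t_tcp = time.perf_counter()
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            t_tls = time.perf_counter()
            tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {server_name}\r\n"
                        f"Connection: close\r\n\r\n".encode())
            buf, t_first = b"", 0.0
            while b"\r\n\r\n" not in buf:
                chunk = tls.recv(4096)
                t_first = t_first or time.perf_counter()
                if not chunk:
                    break
                buf += chunk
            hdrs = parse_headers(buf)
            return {
                "protocol": tls.version(), "cipher": tls.cipher()[0],
                "key_type": key_type_from_der(tls.getpeercert(binary_form=True)),
                "cf_cache": hdrs.get("cf-cache-status", "-"),  # DYNAMIC = HTML not cached
                "tcp_ms": (t_tcp - t0) * 1000, "tls_ms": (t_tls - t_tcp) * 1000,
                "ttfb_ms": (t_first - t_tls) * 1000,
            }


def dual_cert_support(host: str, server_name: str, verify: bool = True) -> dict:
    """Which cert types the server can present; the handshake fails for a missing one."""
    out = {}
    for key_type, suites in CIPHERS_BY_KEY_TYPE.items():
        try:
            r = probe(host, server_name, verify=verify, ciphers=suites, tls12_only=True)
            out[key_type] = r["key_type"] == key_type
        except OSError:  # ssl.SSLError, timeouts and connection errors
            out[key_type] = False
    return out


if __name__ == "__main__":
    # Usage: tlsprobe.py <origin-ip> <hostname>  (placeholders; supply your own values)
    if len(sys.argv) != 3:
        sys.exit("usage: tlsprobe.py <origin-ip> <hostname>")
    origin_ip, hostname = sys.argv[1], sys.argv[2]
    for label, target in (("via Cloudflare", hostname), ("direct to origin", origin_ip)):
        r = probe(target, hostname)
        print(f"{label:17} {r['protocol']} {r['key_type']:5} {r['cipher']:30} "
              f"cache={r['cf_cache']:8} tcp {r['tcp_ms']:4.0f}ms tls {r['tls_ms']:4.0f}ms "
              f"ttfb {r['ttfb_ms']:4.0f}ms certs={dual_cert_support(target, hostname)}")
```

Run it from a machine near the Cloudflare PoP whose numbers you are comparing. If the direct-to-origin handshake already accounts for most of the extra time seen via Cloudflare, the cost is in the origin's TLS stack (key type, cipher, library), not in the edge; if the origin only answers with a Cloudflare Origin CA certificate, pass verify=False for the direct probe. A cert that reports RSA with certs={'ECDSA': False, 'RSA': True} is the cPanel AutoSSL default described above.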

If all you care about is raw speed and not security, then Flexible (no TLS) will always be faster than a secure connection, Cloudflare or not. But speed alone is a poor thing to optimize for generally, and I’d never recommend one of my customers use Flexible for their Cloudflare Edge <–> Origin communications.

100ms is about 1/4 of the blink of an eye. Sacrificing security to chase that seems like a sub-optimal design decision.

3 Likes

For now we will stick with FLEXIBLE, but as soon as we can we will consider the Cloudflare certificate on the origin for faster and more secure data transfer.