SSL Strangeness

Curtis Spencer thorin at
Thu Nov 29 05:53:04 MSK 2007


I am running 4 mongrels behind nginx with two server blocks (one ssl
enabled).  I have a public facing app that 20-30 users go through each
day (non ssl) and administrative SSL controllers in the app that
people at my office use. I am noticing that by the end of the day, after a
lot of use of the SSL version of the app, some requests are
hanging for certain people in the office (Mac OSX and Windows Firefox).
It very rarely hangs on my machine (Linux), but it
happens every now and then.  I don't think the mongrels are dying
because usually when these people encounter the hangs we can go to
other computers (Linux, Windows, OSX) in the office and hammer on the
SSL portion of the site with no problems.  Also, the non SSL version of
the site never has any hanging AFAIK.

My server settings look like this (which is mainly Ezra's Default conf
for mongrels):

server {
  listen 443;

  ssl on;
  ssl_certificate /var/keys/;
  ssl_certificate_key /var/keys/;

  client_max_body_size 50M;

  # doc root
  root /var/www/;

  # vhost specific access log
  access_log  /var/log/nginx/  main;

  # this rewrites all the requests to the maintenance.html
  # page if it exists in the doc root. This is for capistrano's
  # disable web task
  if (-f $document_root/system/maintenance.html) {
    rewrite  ^(.*)$  /system/maintenance.html last;
  }

  location / {
    # needed to forward user's IP address to rails
    proxy_set_header  X-Real-IP  $remote_addr;

    # needed for HTTPS
    proxy_set_header X-FORWARDED_PROTO https;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_max_temp_file_size 0;
    proxy_redirect false;

    # If the file exists as a static file serve it directly without
    # running all the other rewrite tests on it
    if (-f $request_filename) {
      break;
    }

    # check for index.html for directory index
    # if it's there on the filesystem then rewrite
    # the url to add /index.html to the end of it
    # and then break to send it to the next config rules.
    if (-f $request_filename/index.html) {
      rewrite (.*) $1/index.html break;
    }

    # this is the meat of the rails page caching config
    # it adds .html to the end of the url and then checks
    # the filesystem for that file. If it exists, then we
    # rewrite the url to have explicit .html on the end
    # and then send it on its way to the next config rule.
    # if there is no file on the fs then it sets all the
    # necessary headers and proxies to our upstream mongrels
    if (-f $request_filename.html) {
      rewrite (.*) $1.html break;
    }

    if (!-f $request_filename) {
      proxy_pass http://mongrel;
    }
  }

  error_page   500 502 503 504  /500.html;
  error_page   413 /413.html;
  location = /500.html {
    root /var/www/;
  }
}

One thing I did happen to notice as well, is if I do performance
testing on SSL with httperf, at first it is decently fast, but on many
sequential runs it consistently degrades until httperf can barely do
any requests.  However, even while I do an httperf I can use the SSL
version of the site with different computers.  It just hangs on some,
usually towards the end of the day.

Any ideas?

