Recommendations on using nginx as SSL proxy for everything

Rob Mueller robm at fastmail.fm
Thu Sep 4 16:00:14 MSD 2008


> Is there any recommendation on using Nginx as a SSL accelerator for
> all 4 protocols (http, smtp, imap/pop). Or if anyone is doing this
> already, can you share the experience on hardware / os configuration and
> what kind of loading you are doing today.

We run it for http, imap & pop (not smtp). Partly due to legacy reasons, we 
run separate http and imap/pop instances but this still seems reasonable to 
allow starting/stopping of them separately.

We're using Linux and two oldish (>2 years, netburst xeon) machines as
frontends. We use DNS load balancing between them, and heartbeat to take over
an IP if one machine dies.

Performance is great. Machines also do a bunch of other things, and 
generally only see 10-20% CPU usage. Each machine has about 7000 IMAP SSL + 
3500 regular IMAP connections alive but has no problem taking double that 
when one machine is taken down.

You might want to look into tuning these variables.

net.ipv4.tcp_keepalive_time
net.ipv4.netfilter.ip_conntrack_max
fs.file-max
net.core.rmem_max
net.core.wmem_max
net.ipv4.tcp_rmem
net.ipv4.tcp_wmem

Rob
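
The following is an added example, not part of the original message: a headroom check for the listed sysctls against the failover load quoted above (7000 IMAP SSL + 3500 plain IMAP per machine, doubled when one frontend is down). It assumes each proxied client holds two sockets on the frontend (client to nginx, nginx to backend); the function names are hypothetical.

```bash
#!/bin/sh
# Added example: headroom check for the sysctls listed in the post.
# Assumption: every proxied client costs two file descriptors and two
# conntrack entries (client<->nginx and nginx<->backend).

# Per-machine load quoted in the post.
IMAP_SSL=7000
IMAP_PLAIN=3500

# Slots needed when one frontend dies and the survivor takes double load.
required_slots() {
    local ssl="$1" plain="$2"
    echo $(( (ssl + plain) * 2 * 2 ))
}

# Read a sysctl through /proc/sys; prints nothing if the key is absent
# (ip_conntrack_max exists only while the conntrack module is loaded, and
# newer kernels name it net.netfilter.nf_conntrack_max).
read_sysctl() {
    local path
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
    return 0
}

# Compare one numeric limit against the requirement: ok, low or unknown.
check_limit() {
    local limit="$1" needed="$2"
    case "$limit" in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$limit" -ge "$needed" ]; then echo ok; else echo low; fi ;;
    esac
}

report() {
    local needed key value
    needed=$(required_slots "$IMAP_SSL" "$IMAP_PLAIN")
    echo "failover peak needs $needed fds / conntrack entries"
    for key in fs.file-max net.ipv4.netfilter.ip_conntrack_max; do
        value=$(read_sysctl "$key")
        echo "$key=${value:-absent} -> $(check_limit "$value" "$needed")"
    done
    # Buffer and keepalive settings have no single threshold; just show them.
    for key in net.ipv4.tcp_keepalive_time net.core.rmem_max \
               net.core.wmem_max net.ipv4.tcp_rmem net.ipv4.tcp_wmem; do
        echo "$key=$(read_sysctl "$key")"
    done
}

report
```

A "low" result on the conntrack limit matters most on a frontend: once the table is full the kernel drops new connections, which looks like an outage even though nginx is idle.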





