TLS Multiplexing to the Origin Server

Richard Stanway r1ch+nginx at teamliquid.net
Mon Feb 13 23:21:06 UTC 2017


You'll want to proxy_pass to a named upstream with keepalive enabled.

http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive

On Mon, Feb 13, 2017 at 11:33 PM, brookscunningham <nginx-forum at forum.nginx.org> wrote:

> Hello All,
>
> I am seeing an increase in the number of new TLS connections to my origin
> server when using NGINX as a reverse proxy. I am offloading TLS at NGINX and
> starting a new TLS connection to the origin.
>
> The workflow is as follows:
>
> client --> NGINX --> origin server
>
> I would expect NGINX to either persist a handful of TLS connections or, at a
> minimum, re-use previously established TLS sessions using TLS session
> tickets.
> However, the behavior that we see is that NGINX is apparently opening a new TLS
> connection to the origin for nearly every client request. This means going
> through the full asymmetric TLS handshake for nearly every request. This is
> not desirable, both for the latency added and for the CPU performance hit of going
> through the full TLS handshake.
> I have validated that my origin server supports TLS Session re-use by using
> the following openssl command.
>
> echo | openssl s_client -tls1_2 -reconnect -state -prexit -connect <my origin server IP>:443 | grep -i session-id
>
> Below is the output from "nginx -v"
>
> nginx version: nginx/1.8.1
>
> How can I either persist existing TLS connections or leverage TLS session
> tickets?
>
> I found the following link that may be relevant.
> http://hg.nginx.org/nginx/rev/1356a3b96924
>
> Thanks!
> Brooks
>
> P.S. Below is the relevant proxy configs that I have for my origin server.
>
> # proxy rules in place for the domain
>
>         proxy_redirect off;
>         proxy_connect_timeout 15;
>         proxy_send_timeout 60;
>         proxy_read_timeout 60;
>         proxy_buffers 8 16k;
>         proxy_buffer_size 16k;
>         proxy_busy_buffers_size 64k;
>
>         proxy_cache XNXFILES;
>         proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;
>         proxy_cache_valid 301 302 0m;
>         proxy_cache_valid 200 60m;
>         proxy_cache_key $host$request_uri;
>         proxy_http_version 1.1;
>         proxy_set_header Connection "";
>
>         proxy_set_header Accept-Encoding 'gzip';
>
>         # The variable $host sets the Host request header sent to the origin server.
>         proxy_set_header Host $host;
>
>         # The variables $REQUEST_PROTO and $PROXY_TO are used when determining which
>         # origin to use.
>         proxy_pass $REQUEST_PROTO://$PROXY_TO;
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272389,272389#msg-272389
>
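The configuration below is an added example illustrating the advice in the reply above (a named upstream with a keepalive pool); it is not configuration from either poster. The hostnames, certificate paths and the pool size are assumptions. It also keeps the two directives the original config already had right (proxy_http_version 1.1 and an empty Connection header), since without them nginx closes the upstream connection after each request regardless of the keepalive setting, and it adds origin certificate verification, which is off by default in proxy_ssl_verify.

```nginx
# Added example, not from the original thread. Hostnames and paths are assumed.

upstream origin_tls {
    server origin.example.com:443;          # assumed origin

    # Idle connections to keep open to this group, per worker process.
    # Must come after any non-round-robin balancing directive (hash, ip_hash).
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name www.example.com;            # assumed
    ssl_certificate     /etc/nginx/certs/www.example.com.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;   # assumed path

    location / {
        # Required for upstream keepalive: HTTP/1.1 and no "Connection: close".
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;

        # Authenticate the origin instead of accepting any certificate.
        proxy_ssl_server_name on;           # send SNI so the origin picks the right cert
        proxy_ssl_name origin.example.com;  # name to verify against (assumed)
        proxy_ssl_verify on;                # default is off
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed CA bundle
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_session_reuse on;         # default; caches sessions for new connections

        # Point at the group name, not a host:port, so the keepalive pool is used.
        proxy_pass https://origin_tls;
    }
}
```

With the pool in place, a client request reuses an idle upstream connection when one exists, so the full handshake only happens when the pool is empty or a kept connection has been closed by the origin; proxy_ssl_session_reuse covers those new connections. If proxy_pass must stay variable-driven as in the original config, the variable's value has to evaluate to the upstream group name (here `origin_tls`) for the pool to apply; a value that is a bare hostname is resolved per request through the resolver directive and gets no keepalive pool.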