TLS Multiplexing to the Origin Server
r1ch+nginx at teamliquid.net
Mon Feb 13 23:21:06 UTC 2017
You'll want to proxy_pass to a named upstream with keepalive enabled.
On Mon, Feb 13, 2017 at 11:33 PM, brookscunningham <
nginx-forum at forum.nginx.org> wrote:
> Hello All,
> I am seeing an increase in the number of new TLS connections to my origin
> server when using NGINX as a reverse proxy. I am offloading TLS at NGINX
> starting a new TLS connection to the origin.
> The workflow is as follows:
> client --> NGINX --> origin server
> I would expect NGINX to either persist a handful of TLS connections or at a
> minimum re-use previously established TLS connections using TLS session
> However, the behavior that we see is NGINX is apparently opening a new TLS
> connection to the origin for nearly every client request. This means going
> through the full asymmetric TLS handshake for nearly every request. This is
> not desirable for both the latency added and CPU performance hit for going
> through the full TLS handshake.
> I have validated that my origin server supports TLS Session re-use by using
> the following openssl command.
> echo | openssl s_client -tls1_2 -reconnect -state -prexit -connect <my
> origin server IP>:443 | grep -i session-id
> Below is the output from "nginx -v"
> nginx version: nginx/1.8.1
> How can I either persist existing TLS connections or leverage TLS session
> I found the following link that may be relevant.
> P.S. Below is the relevant proxy configs that I have for my origin server.
> #proxy rules in place for the domain
> proxy_redirect off;
> proxy_connect_timeout 15;
> proxy_send_timeout 60;
> proxy_read_timeout 60;
> proxy_buffers 8 16k;
> proxy_buffer_size 16k;
> proxy_busy_buffers_size 64k;
> proxy_cache XNXFILES;
> proxy_cache_use_stale updating error timeout invalid_header
> http_502 http_503 http_504;
> proxy_cache_valid 301 302 0m;
> proxy_cache_valid 200 60m;
> proxy_cache_key $host$request_uri;
> proxy_http_version 1.1;
> proxy_set_header Connection "";
> proxy_set_header Accept-Encoding 'gzip';
> # The variable $host sets the Host request header sent to the origin server.
> proxy_set_header Host $host;
> # The variables REQUEST_PROTO and PROXY_TO are used when determining which
> # origin to use.
> proxy_pass $REQUEST_PROTO://$PROXY_TO;
> Posted at Nginx Forum: https://forum.nginx.org/read.
> nginx mailing list
> nginx at nginx.org
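
The named upstream with keepalive suggested in the reply, written out as an added example (not part of either message, and not the poster's configuration). The upstream name origin_tls, the address 192.0.2.10, the host name example.com, the listen port and the keepalive count are assumptions; the block belongs inside the http {} context.

```nginx
# Added example. Assumed names and values: origin_tls, 192.0.2.10,
# example.com, port 8080, keepalive 16.
upstream origin_tls {
    server 192.0.2.10:443;

    # Number of idle connections to the origin that each worker process
    # keeps open for re-use. Without this directive every proxied request
    # opens a new TCP connection and performs a new TLS handshake.
    keepalive 16;
}

server {
    listen 8080;
    server_name example.com;

    location / {
        # Both lines are needed for upstream keepalive: the default
        # HTTP/1.0 and a "Connection: close" header would end the
        # connection after each request.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;

        # With a named upstream, $proxy_host is "origin_tls", and that is
        # the default name used for SNI and certificate verification.
        # Send the real host name instead.
        proxy_ssl_server_name on;
        proxy_ssl_name $host;

        # On by default: lets a new connection resume an earlier TLS
        # session instead of doing a full handshake.
        proxy_ssl_session_reuse on;

        proxy_pass https://origin_tls;
    }
}
```

When proxy_pass is built from variables, as in the quoted configuration, nginx looks the resulting name up among the defined upstream groups first, so the variable has to evaluate to the upstream name (here origin_tls) for the keepalive pool to be used.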