Balancing NGINX reverse proxy

Alex Samad alex at
Sun Mar 5 23:00:17 UTC 2017


Firstly, I am fairly new to nginx.

>From what I understand you have a standard sort of setup.

2 nodes (vm's) with haproxy, allowing nginx to be active / passive.

You have SSL requests which once nginx terminates the SSL, it injects a
security header / token and then I presume it passes this on to a back end,
i presume that the nginx to application server is non SSL.

You are having performance issue with the SSL + header inject part, which
seems to be limiting you to approx 60req per sec before you hit 100% cpu..
This seems very very low to me looking at my prod setup - similar to yours
I am seeing 600 connections and req/s ranging from 8-400 / sec.  all whilst
the cpu stay very very low.

We try and use long lived TCP / SSL sessions, but we also use a thick
client as well so have more control.

Not sure about KEMP loadmaster.

What I describe to you was our potential plans for when the load gets too
much on the active/passive setup.

It would allow you to take your 60 session ? and distributed it between 2
or upto 16 (I believe this is the max for pacemaker). an active / active

The 2 node setup would be the same as yours

router -> vlan with the 2 nodes > Node A would only process node a data and
node B would only process node b data.  This in theory would have the
potential to double your req / sec.


On 3 March 2017 at 19:33, polder_trash <nginx-forum at> wrote:

> Alexsamad,
> I might not have been clear, allow me to try again:
> * currently 2 NGINX revproxy nodes, 1 active the other on standby in case
> node 1 fails.
> * Since I am injecting an authentication header into the request, the HTTPS
> request has to be offloaded at the node and introduces additional load
> compared to injecting into non-encrypted requests.
> * Current peak load ~60 concurrent requests, ~100% load on CPU. Concurrent
> requests expected to more than double, so revproxy will be bottleneck.
> The NGINX revproxies run as a VM and I can ramp up the machine specs a
> little bit, but I do not expect this to completely solve the issue here.
> Therefore I am looking for some method of spreading the requests over
> multiple backend revproxies, without the load balancer frontend having to
> deal with SSL offloading.
> From the KEMP LoadMaster documentation I found that this technique is
> called
> SSL Passthrough. I am currently looking if that is also supported by NGINX.
> What do you think? Will this solve my issue? Am I on the wrong track?
> Posted at Nginx Forum:
> php?2,272713,272729#msg-272729
> _______________________________________________
> nginx mailing list
> nginx at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list