<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Jun 20, 2014 at 5:20 AM, Maxim Dounin <span dir="ltr">&lt;<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<div class=""><br>
On Fri, Jun 20, 2014 at 10:51:38AM +0200, Yifeng Wang wrote:<br>
<br>
> Hi, it's my first time using NGINX to proxy other web servers. I set a<br>
> variable in location, this variable may be gotten in cookie or args. If<br>
> I use it directly like "proxy_pass https://$nodeIp2;", it will get the<br>
> response for a long time. But if I hardcode like "proxy_pass<br>
> <a href="https://147.128.22.152:8443" target="_blank">https://147.128.22.152:8443</a>" it works normally. Do I need to set more<br>
> configuration parameters to solve this problem? Below is the segment of my<br>
> windows https configuration.<br>
><br>
> http {<br>
> ...<br>
> server {<br>
> listen 443 ssl;<br>
> server_name localhost;<br>
><br>
> ssl_certificate server.crt;<br>
> ssl_certificate_key server.key;<br>
><br>
> location /pau6000lct/ {<br>
> set $nodeIp <a href="http://147.128.22.152:8443" target="_blank">147.128.22.152:8443</a>;<br>
> proxy_pass https://$nodeIp;<br>
<br>
</div>Use of variables in the proxy_pass, in particular, implies that<br>
SSL sessions will not be reused (as upstream address is not known<br>
in advance, and there is no associated storage for an SSL<br>
session). This means that each connection will have to do full<br>
SSL handshake, and this is likely the reason for the performance<br>
problems you see.<br>
<br>
Solution is to use proxy_pass without variables, or use<br>
preconfigured upstream{} blocks instead of ip addresses if you<br>
have to use variables.<br></blockquote><div><br></div><div>So to prevent the heart attack I almost just had, can you confirm how I interpret that last statement:</div><div><br></div><div>If you define your upstream using "upstream upstream_name etc" and then use a variable indicating the name of the upstream in proxy_pass statement, that will *not* cause SSL sessions to not be reused. I.e. proxy_pass with a variable indicating upstream would not cause a performance issue.</div>
<div><br></div><div>Is that correct?</div></div></div></div>
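The arrangement described in Maxim's reply (preconfigured upstream{} blocks, with the variable in proxy_pass holding an upstream name rather than an address), as an added example that is not part of the thread. The upstream names, the cookie name "node" and the 192.0.2.x addresses are constructed placeholders; the map also limits the client-supplied value to a fixed set of backends, since the original variable comes from a cookie or args.

```nginx
# Added example, not configuration from the thread.
# node_a/node_b, the "node" cookie and the 192.0.2.x addresses are
# constructed placeholders.
events {}

http {
    # Backends are declared ahead of time, so nginx knows each peer
    # when the configuration is loaded.
    upstream node_a { server 192.0.2.10:8443; }
    upstream node_b { server 192.0.2.11:8443; }

    # Translate the client-supplied cookie into one of the known
    # upstream names. Unrecognised values fall back to the default,
    # so a request cannot steer the proxy to an arbitrary host.
    map $cookie_node $backend {
        default node_a;
        a       node_a;
        b       node_b;
    }

    server {
        listen 443 ssl;
        server_name localhost;

        ssl_certificate     server.crt;
        ssl_certificate_key server.key;

        location /pau6000lct/ {
            # The variable expands to an upstream group name, which
            # nginx looks up among the defined upstream{} blocks
            # before falling back to a resolver.
            proxy_pass https://$backend;
        }
    }
}
```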