SSL Strangeness

Curtis Spencer thorin at gmail.com
Thu Nov 29 05:54:16 MSK 2007


Forgot to mention that I am running nginx 0.5.33 with the following
use flags on Gentoo:
USE="pcre perl ssl zlib -debug -fastcgi -flv -imap -status -sub -webdav"


On Nov 28, 2007 6:53 PM, Curtis Spencer <thorin at gmail.com> wrote:
> Hi,
>
> I am running 4 mongrels behind nginx with two server blocks (one SSL
> enabled).  I have a public-facing app that 20-30 users go through each
> day (non-SSL) and administrative SSL controllers in the app that
> people at my office use. I am noticing that by the end of the day, after a
> lot of use of the SSL version of the app, some requests are
> hanging for certain people in the office (Mac OSX and Windows Firefox
> 2.0.0.5-10).  It very rarely hangs on my machine (Linux), but it
> happens every now and then.  I don't think the mongrels are dying
> because usually when these people encounter the hangs we can go to
> other computers (Linux, Windows, OSX) in the office and hammer on the
> SSL portion of the site with no problems.  Also, the non-SSL version of
> the site never has any hanging AFAIK.
>
> My server settings look like this (which is mainly Ezra's Default conf
> for mongrels):
>
> server {
>   server_name www.mydomain.com;
>   listen 443;
>
>   ssl on;
>   ssl_certificate /var/keys/www.mydomain.com.pem;
>   ssl_certificate_key /var/keys/www.mydomain.com.np.pem;
>
>   client_max_body_size 50M;
>
> # doc root
>   root /var/www/www.mydomain.com/current/public;
>
> # vhost specific access log
>   access_log  /var/log/nginx/ssl.www.mydomain.com.access.log  main;
>
> # this rewrites all the requests to the maintenance.html
> # page if it exists in the doc root. This is for capistrano's
> # disable web task
>   if (-f $document_root/system/maintenance.html) {
>     rewrite  ^(.*)$  /system/maintenance.html last;
>     break;
>   }
>
>   location / {
> # needed to forward user's IP address to rails
>     proxy_set_header  X-Real-IP  $remote_addr;
>
> # needed for HTTPS
>     proxy_set_header X-FORWARDED_PROTO https;
>     proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header Host $http_host;
>     proxy_max_temp_file_size 0;
>     proxy_redirect false;
>
> # If the file exists as a static file serve it directly without
> # running all the other rewrite tests on it
>     if (-f $request_filename) {
>       break;
>     }
>
> # check for index.html for directory index
> # if it's there on the filesystem then rewrite
> # the url to add /index.html to the end of it
> # and then break to send it to the next config rules.
>     if (-f $request_filename/index.html) {
>       rewrite (.*) $1/index.html break;
>     }
>
> # this is the meat of the rails page caching config
> # it adds .html to the end of the url and then checks
> # the filesystem for that file. If it exists, then we
> # rewrite the url to have explicit .html on the end
> # and then send it on its way to the next config rule.
> # if there is no file on the fs then it sets all the
> # necessary headers and proxies to our upstream mongrels
>     if (-f $request_filename.html) {
>       rewrite (.*) $1.html break;
>     }
>
>     if (!-f $request_filename) {
>       proxy_pass http://mongrel;
>       break;
>     }
>   }
>
>   error_page   500 502 503 504  /500.html;
>   error_page   413 /413.html;
>   location = /500.html {
>     root /var/www/www.mydomain.com/current/public;
>   }
> }
>
> One thing I did happen to notice as well, is if I do performance
> testing on SSL with httperf, at first it is decently fast, but on many
> sequential runs it consistently degrades until httperf can barely do
> any requests.  However, even while I do an httperf I can use the SSL
> version of the site with different computers.  It just hangs on some,
> usually towards the end of the day.
>
> Any ideas?
>
> Thanks,
> Curtis
>




