SSL proxy slow....

Dave Cheney dave at cheney.net
Tue Sep 9 05:05:56 MSD 2008


The dog slowness you are seeing is probably nginx renegotiating SSL on
every backend request. At the moment nginx will issue a connection close
after each request.

If you are using nginx as an SSL load balancer you might need to use
something else (varnish? squid?) that can maintain persistent connections
to your backend, this might help, a bit.

Cheers

Dave

On Mon, 8 Sep 2008 20:36:04 -0400, James <thenetimp at gmail.com> wrote:
> I do need to pass SSL back to my app from the front nginx server,  
> because we are using EC2 for our servers, so I do need to encrypt them  
> back to the 2 front end servers, as it's on a public network, and the  
> network is public.
> 
> James
> 
> 
> On Sep 8, 2008, at 8:05 PM, Dave Cheney wrote:
> 
>> Hi James,
>>
>> If nginx is acting as your SSL handler then you don't need to pass  
>> SSL back
>> to your app. This should be sufficient.
>>
>> location / {
>>   proxy_set_header X-FORWARDED_PROTO https;
>>   proxy_pass http://givvymain;
>> }
>>
>> Cheers
>>
>> Dave
>>
>> On Mon, 8 Sep 2008 19:50:30 -0400, James <thenetimp at gmail.com> wrote:
>>> Here is my server config.  When I go to http://prod.givvy.com  the
>>> result is normal.  When I go to https://prod.givvy.com it's dog slow.
>>>
>>> Any idea as to how to speed up the SSL side of it?  (right now I am
>>> using a local host change to point to the right IP address as
>>> prod.givvy.com points to a maintenance page.  We want to launch the
>>> site tomorrow, but this is a huge problem for us.  I'd hate to launch
>>> it with one server.
>>>
>>> Thanks
>>> James
>>>
>>> http {
>>>
>>>     upstream givvymain {
>>>         server 75.101.150.160:80        max_fails=1 fail_timeout=30s;
>>>         server 67.202.3.21:80           max_fails=1 fail_timeout=30s;
>>>     }
>>>
>>>     upstream givvymainssl {
>>>         server 75.101.150.160:443       max_fails=1 fail_timeout=30s;
>>>         server 67.202.3.21:443          max_fails=1 fail_timeout=30s;
>>>     }
>>>
>>>     server {
>>>         listen 80;
>>>         server_name prod.givvy.com;
>>>         location / {
>>>             proxy_pass http://givvymain;
>>>             proxy_next_upstream error timeout;
>>>         }
>>>     }
>>>
>>>
>>>     server {
>>>         listen 443;
>>>         server_name prod.givvy.com;
>>>
>>>         ssl on;
>>>         ssl_certificate /####PATH TO CERT###/;
>>>         ssl_certificate_key /####PATH TO KEY###/;
>>>         keepalive_timeout 70;
>>>
>>>         location / {
>>>             proxy_set_header X-FORWARDED_PROTO https;
>>>             proxy_pass https://givvymainssl;
>>>         }
>>>     }
>>> }
>>>
>>
> 
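
The thread's two concerns together (a TLS handshake on every backend request, and encrypting traffic to backends over a public network), shown as an added configuration sketch that is not from any poster in this thread. It relies on upstream keepalive and `proxy_ssl_verify`, directives added to nginx after this thread was written; the certificate paths, the CA bundle and the name expected on the backend certificates are assumptions.

```nginx
# Added example, not from the thread: re-encrypt to the backends while
# reusing upstream connections and authenticating the backend servers.
http {
    upstream givvymainssl {
        server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
        server 67.202.3.21:443    max_fails=1 fail_timeout=30s;

        # Keep up to 16 idle connections per worker open to the backends,
        # so most proxied requests skip the TCP and TLS handshakes.
        keepalive 16;
    }

    server {
        listen 443 ssl;
        server_name prod.givvy.com;

        ssl_certificate     /etc/nginx/tls/frontend.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/tls/frontend.key;  # placeholder path
        keepalive_timeout 70;

        location / {
            proxy_pass https://givvymainssl;

            # Upstream keepalive requires HTTP/1.1 and an empty Connection
            # header; otherwise nginx sends "Connection: close" upstream.
            proxy_http_version 1.1;
            proxy_set_header Connection "";

            # Resume TLS sessions when a fresh upstream connection is needed
            # (this is the default; stated here to make the intent explicit).
            proxy_ssl_session_reuse on;

            # Without verification nginx encrypts to the backend but accepts
            # any certificate, which does not stop an on-path attacker.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.pem;  # placeholder path
            proxy_ssl_name prod.givvy.com;  # assumed name on the backend certificates
            proxy_ssl_server_name on;

            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_next_upstream error timeout;
        }
    }
}
```

`nginx -t` checks the syntax before a reload.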
