SSL proxy slow....
James
thenetimp at gmail.com
Tue Sep 9 05:41:11 MSD 2008
Thanks Dave. I'll look into both of those.
Thanks,
James
On Sep 8, 2008, at 9:05 PM, Dave Cheney wrote:
> The dog slowness you are seeing is probably nginx renegotiating SSL on
> every backend request. At the moment nginx will issue a connection close
> after each request.
>
> If you are using nginx as an SSL load balancer you might need to use
> something else (varnish? squid?) that can maintain persistent connections
> to your backend, this might help, a bit.
>
> Cheers
>
> Dave
>
> On Mon, 8 Sep 2008 20:36:04 -0400, James <thenetimp at gmail.com> wrote:
>> I do need to pass SSL back to my app from the front nginx server,
>> because we are using EC2 for our servers, so I do need to encrypt them
>> back to the 2 front end servers, as it's on a public network, and the
>> network is public.
>>
>> James
>>
>>
>> On Sep 8, 2008, at 8:05 PM, Dave Cheney wrote:
>>
>>> Hi James,
>>>
>>> If nginx is acting as your SSL handler then you don't need to pass SSL
>>> back to your app. This should be sufficient.
>>>
>>> location / {
>>>     proxy_set_header X-FORWARDED_PROTO https;
>>>     proxy_pass https://givvymain;
>>> }
>>>
>>> Cheers
>>>
>>> Dave
>>>
>>> On Mon, 8 Sep 2008 19:50:30 -0400, James <thenetimp at gmail.com>
>>> wrote:
>>>> Here is my server config. When I go to http://prod.givvy.com the
>>>> result is normal. When I go to https://prod.givvy.com it's dog slow.
>>>>
>>>> Any idea as to how to speed up the SSL side of it? (right now I am
>>>> using a local host change to point to the right IP address as
>>>> prod.givvy.com points to a maintenance page.) We want to launch the
>>>> site tomorrow, but this is a huge problem for us. I'd hate to launch
>>>> it with one server.
>>>>
>>>> Thanks
>>>> James
>>>>
>>>> http {
>>>>
>>>>     upstream givvymain {
>>>>         server 75.101.150.160:80 max_fails=1 fail_timeout=30s;
>>>>         server 67.202.3.21:80 max_fails=1 fail_timeout=30s;
>>>>     }
>>>>
>>>>     upstream givvymainssl {
>>>>         server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
>>>>         server 67.202.3.21:443 max_fails=1 fail_timeout=30s;
>>>>     }
>>>>
>>>>     server {
>>>>         listen 80;
>>>>         server_name prod.givvy.com;
>>>>         location / {
>>>>             proxy_pass http://givvymain;
>>>>             proxy_next_upstream error timeout;
>>>>         }
>>>>     }
>>>>
>>>>     server {
>>>>         listen 443;
>>>>         server_name prod.givvy.com;
>>>>
>>>>         ssl on;
>>>>         ssl_certificate /####PATH TO CERT###/;
>>>>         ssl_certificate_key /####PATH TO KEY###/;
>>>>         keepalive_timeout 70;
>>>>
>>>>         location / {
>>>>             proxy_set_header X-FORWARDED_PROTO https;
>>>>             proxy_pass https://givvymainssl;
>>>>         }
>>>>     }
>>>> }
>>>>
>>>
>>
>
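
Added example, not part of the original thread or written by its participants: the HTTPS proxy block from the quoted config, rewritten for a later nginx than the one under discussion, so that TLS connections to the backends are kept open and reused instead of being closed after each request. It assumes upstream `keepalive` (nginx 1.1.4 and later) and `proxy_ssl_verify` (1.7.0 and later); the certificate paths, the pool size of 16 and the backend certificate name are placeholders or assumptions.

```nginx
# Added example (not from the thread). Goes inside the http { } block.
upstream givvymainssl {
    server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
    server 67.202.3.21:443    max_fails=1 fail_timeout=30s;

    # Keep up to 16 idle backend connections open per worker process,
    # so most requests skip the TCP and TLS handshakes (16 is an assumption).
    keepalive 16;
}

server {
    listen 443 ssl;
    server_name prod.givvy.com;

    ssl_certificate     /path/to/frontend-cert.pem;   # placeholder
    ssl_certificate_key /path/to/frontend-key.pem;    # placeholder
    keepalive_timeout   70;

    location / {
        proxy_set_header X-FORWARDED_PROTO https;

        # Upstream keepalive needs HTTP/1.1 and no "Connection: close"
        # header sent to the backend.
        proxy_http_version 1.1;
        proxy_set_header   Connection "";

        # When a new backend connection is opened, resume the previous
        # TLS session rather than doing a full handshake (default: on).
        proxy_ssl_session_reuse on;

        # The backend hop crosses a public network, so authenticate the
        # backend as well as encrypting to it.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /path/to/backend-ca.pem;  # placeholder
        proxy_ssl_name                prod.givvy.com;  # assumed name on the backend cert

        proxy_pass https://givvymainssl;
    }
}
```

Without `proxy_ssl_name`, nginx checks the backend certificate against the host in `proxy_pass`, here the upstream name `givvymainssl`, so verification would fail unless the certificate carries that name.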