SSL proxy slow....
Gabriel Ramuglia
gabe at vtunnel.com
Tue Sep 9 06:41:59 MSD 2008
varnish can't act as an ssl server, not sure about being an ssl client.
On Mon, Sep 8, 2008 at 9:41 PM, James <thenetimp at gmail.com> wrote:
> Thanks Dave. I'll look into both of those.
>
> Thanks,
> James
>
>
> On Sep 8, 2008, at 9:05 PM, Dave Cheney wrote:
>
>> The the dog slowness you are seeing is probably nginx renegitiation SSL on
>> every backend request. At the moment nginx will issue a connection close
>> after each request.
>>
>> If you are using nginx as an SSL load balancer you might need to use
>> something else (varnish? squid?) that can maintain persistant connections
>> to your backend, this might help, a bit.
>>
>> Cheers
>>
>> Dave
>>
>> On Mon, 8 Sep 2008 20:36:04 -0400, James <thenetimp at gmail.com> wrote:
>>>
>>> I do need to pass SSL back to my app from the front nginx server,
>>> because we are using EC2 forour servers, so I do need to encrypt them
>>> back to the 2 front end servers, as it's on a public network, and the
>>> network is public.
>>>
>>> James
>>>
>>>
>>> On Sep 8, 2008, at 8:05 PM, Dave Cheney wrote:
>>>
>>>> Hi James,
>>>>
>>>> If nginx is acting as your SSL handler then you don't need to pass
>>>> SSL back
>>>> to your app. This should be sufficient.
>>>>
>>>> location / {
>>>> proxy_set_header X-FORWARDED_PROTO https;
>>>> proxy_pass https://givvymain;
>>>> }
>>>>
>>>> Cheers
>>>>
>>>> Dave
>>>>
>>>> On Mon, 8 Sep 2008 19:50:30 -0400, James <thenetimp at gmail.com> wrote:
>>>>>
>>>>> Here is my server config. When I go to http://prod.givvy.com the
>>>>> result is normal. When I go to https://prod.givvy.com it's dog slow.
>>>>>
>>>>> Any idea as to how to speed up the SSL side of it? (right now I am
>>>>> using a local host change to point to the right IP address as
>>>>> prod.givvy.com points to a maintenance page. We want to launch the
>>>>> site tomorrow, but this is a huge problem for us. I'd hate to launch
>>>>> it with one server.
>>>>>
>>>>> Thanks
>>>>> James
>>>>>
>>>>> http {
>>>>>
>>>>> upstream givvymain {
>>>>> server 75.101.150.160:80 max_fails=1
>>>>> fail_timeout=30s;
>>>>> server 67.202.3.21:80 max_fails=1
>>>>> fail_timeout=30s;
>>>>> }
>>>>>
>>>>> upstream givvymainssl {
>>>>> server 75.101.150.160:443 max_fails=1
>>>>> fail_timeout=30s;
>>>>> server 67.202.3.21:443 max_fails=1
>>>>> fail_timeout=30s;
>>>>> }
>>>>>
>>>>> server {
>>>>> listen 80;
>>>>> server_name prod.givvy.com;
>>>>> location / {
>>>>> proxy_pass http://givvymain;
>>>>> proxy_next_upstream error timeout;
>>>>> }
>>>>> }
>>>>>
>>>>>
>>>>> server {
>>>>> listen 443;
>>>>> server_name prod.givvy.com;
>>>>>
>>>>> ssl on;
>>>>> ssl_certificate /####PATH TO CERT###/
>>>>> ssl_certificate_key /####PATH TO KEY###/
>>>>> keepalive_timeout 70;
>>>>>
>>>>> location / {
>>>>> proxy_set_header X-FORWARDED_PROTO https;
>>>>> proxy_pass https://givvymainssl;
>>>>> }
>>>>> }
>>>>> }
>>>>>
>>>>
>>>
>>
>
>
>
More information about the nginx
mailing list