SSL proxy slow....
James
thenetimp at gmail.com
Tue Sep 9 07:06:17 MSD 2008
We've decided for the time being to go round robin DNS for now. It's
got its disadvantages, but since the site launches in the morning, I
don't have time to play with it before the launch, too many other
things to do. Kind of sucks, I was really excited about using nginx.
James
On Sep 8, 2008, at 10:41 PM, Gabriel Ramuglia wrote:
> varnish can't act as an ssl server, not sure about being an ssl
> client.
>
> On Mon, Sep 8, 2008 at 9:41 PM, James <thenetimp at gmail.com> wrote:
>> Thanks Dave. I'll look into both of those.
>>
>> Thanks,
>> James
>>
>>
>> On Sep 8, 2008, at 9:05 PM, Dave Cheney wrote:
>>
>>> The dog slowness you are seeing is probably nginx renegotiating SSL on
>>> every backend request. At the moment nginx will issue a connection close
>>> after each request.
>>>
>>> If you are using nginx as an SSL load balancer you might need to use
>>> something else (varnish? squid?) that can maintain persistent connections
>>> to your backend, this might help, a bit.
>>>
>>> Cheers
>>>
>>> Dave
>>>
>>> On Mon, 8 Sep 2008 20:36:04 -0400, James <thenetimp at gmail.com> wrote:
>>>>
>>>> I do need to pass SSL back to my app from the front nginx server,
>>>> because we are using EC2 for our servers, so I do need to encrypt them
>>>> back to the 2 front end servers, as it's on a public network, and the
>>>> network is public.
>>>>
>>>> James
>>>>
>>>>
>>>> On Sep 8, 2008, at 8:05 PM, Dave Cheney wrote:
>>>>
>>>>> Hi James,
>>>>>
>>>>> If nginx is acting as your SSL handler then you don't need to pass
>>>>> SSL back to your app. This should be sufficient.
>>>>>
>>>>> location / {
>>>>>     proxy_set_header X-FORWARDED_PROTO https;
>>>>>     proxy_pass http://givvymain;
>>>>> }
>>>>>
>>>>> Cheers
>>>>>
>>>>> Dave
>>>>>
>>>>> On Mon, 8 Sep 2008 19:50:30 -0400, James <thenetimp at gmail.com> wrote:
>>>>>>
>>>>>> Here is my server config. When I go to http://prod.givvy.com the
>>>>>> result is normal. When I go to https://prod.givvy.com it's dog slow.
>>>>>>
>>>>>> Any idea as to how to speed up the SSL side of it? (Right now I am
>>>>>> using a local host change to point to the right IP address as
>>>>>> prod.givvy.com points to a maintenance page.) We want to launch the
>>>>>> site tomorrow, but this is a huge problem for us. I'd hate to launch
>>>>>> it with one server.
>>>>>>
>>>>>> Thanks
>>>>>> James
>>>>>>
>>>>>> http {
>>>>>>
>>>>>>     upstream givvymain {
>>>>>>         server 75.101.150.160:80 max_fails=1 fail_timeout=30s;
>>>>>>         server 67.202.3.21:80 max_fails=1 fail_timeout=30s;
>>>>>>     }
>>>>>>
>>>>>>     upstream givvymainssl {
>>>>>>         server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
>>>>>>         server 67.202.3.21:443 max_fails=1 fail_timeout=30s;
>>>>>>     }
>>>>>>
>>>>>>     server {
>>>>>>         listen 80;
>>>>>>         server_name prod.givvy.com;
>>>>>>         location / {
>>>>>>             proxy_pass http://givvymain;
>>>>>>             proxy_next_upstream error timeout;
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>>     server {
>>>>>>         listen 443;
>>>>>>         server_name prod.givvy.com;
>>>>>>
>>>>>>         ssl on;
>>>>>>         ssl_certificate /####PATH TO CERT###/;
>>>>>>         ssl_certificate_key /####PATH TO KEY###/;
>>>>>>         keepalive_timeout 70;
>>>>>>
>>>>>>         location / {
>>>>>>             proxy_set_header X-FORWARDED_PROTO https;
>>>>>>             proxy_pass https://givvymainssl;
>>>>>>         }
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>>
>
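
Added example, not part of the thread or any poster's configuration: a sketch of the same HTTPS front end using directives from nginx releases later than the one discussed here, so that backend connections are kept open instead of paying a TLS handshake per request, and so that the backend certificate is verified on the public network hop. The certificate and CA paths and the `proxy_ssl_name` value are placeholders and assumptions; the upstream name and addresses are reused from the quoted config.

```nginx
# Added example; uses upstream keepalive and proxy_ssl_* directives that
# did not exist in the nginx version the thread is about.
events {}

http {
    upstream givvymainssl {
        server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
        server 67.202.3.21:443 max_fails=1 fail_timeout=30s;

        # Keep up to 16 idle backend connections open per worker, so most
        # proxied requests skip both the TCP and the TLS handshake.
        keepalive 16;
    }

    server {
        listen 443 ssl;
        server_name prod.givvy.com;

        ssl_certificate     /path/to/placeholder-cert.pem;  # placeholder path
        ssl_certificate_key /path/to/placeholder-key.pem;   # placeholder path
        keepalive_timeout   70;

        location / {
            proxy_set_header X-FORWARDED_PROTO https;
            proxy_pass https://givvymainssl;

            # Upstream keepalive only works with HTTP/1.1 and without a
            # "Connection: close" header being sent to the backend.
            proxy_http_version 1.1;
            proxy_set_header Connection "";

            # When a new backend connection is needed, resume the TLS
            # session instead of doing a full handshake (default: on).
            proxy_ssl_session_reuse on;

            # Encrypting the hop is not enough on a public network:
            # without verification any host answering on the backend
            # address is accepted as the backend.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /path/to/placeholder-backend-ca.pem;  # placeholder
            proxy_ssl_name backend.example.internal;  # assumed name in the backend certificate
            proxy_ssl_server_name on;
        }
    }
}
```

`nginx -t -c <file>` checks the syntax once the placeholder paths point at real files.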