SSL proxy slow....

Gabriel Ramuglia gabe at vtunnel.com
Tue Sep 9 07:24:39 MSD 2008


If the http version is identical to the https version, what difference
does it make if the connection between the frontend and backend is
encrypted?

On Mon, Sep 8, 2008 at 11:06 PM, James <thenetimp at gmail.com> wrote:
> we've decided for the time being to go round robin DNS for now.  It's got
> it's disadvantages, but since the site launches in the morning, I don't have
> time to play with it before the launch, too many other things to do.  Kind
> of sucks, I was really excited about using nginx.
>
> James
>
>
> On Sep 8, 2008, at 10:41 PM, Gabriel Ramuglia wrote:
>
>> varnish can't act as an ssl server, not sure about being an ssl client.
>>
>> On Mon, Sep 8, 2008 at 9:41 PM, James <thenetimp at gmail.com> wrote:
>>>
>>> Thanks Dave.  I'll look into both of those.
>>>
>>> Thanks,
>>> James
>>>
>>>
>>> On Sep 8, 2008, at 9:05 PM, Dave Cheney wrote:
>>>
>>>> The the dog slowness you are seeing is probably nginx renegitiation SSL
>>>> on
>>>> every backend request. At the moment nginx will issue a connection close
>>>> after each request.
>>>>
>>>> If you are using nginx as an SSL load balancer you might need to use
>>>> something else (varnish? squid?) that can maintain persistant
>>>> connections
>>>> to your backend, this might help, a bit.
>>>>
>>>> Cheers
>>>>
>>>> Dave
>>>>
>>>> On Mon, 8 Sep 2008 20:36:04 -0400, James <thenetimp at gmail.com> wrote:
>>>>>
>>>>> I do need to pass SSL back to my app from the front nginx server,
>>>>> because we are using EC2 forour servers, so I do need to encrypt them
>>>>> back to the 2 front end servers, as it's on a public network, and the
>>>>> network is public.
>>>>>
>>>>> James
>>>>>
>>>>>
>>>>> On Sep 8, 2008, at 8:05 PM, Dave Cheney wrote:
>>>>>
>>>>>> Hi James,
>>>>>>
>>>>>> If nginx is acting as your SSL handler then you don't need to pass
>>>>>> SSL back
>>>>>> to your app. This should be sufficient.
>>>>>>
>>>>>> location / {
>>>>>> proxy_set_header X-FORWARDED_PROTO https;
>>>>>> proxy_pass https://givvymain;
>>>>>> }
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Dave
>>>>>>
>>>>>> On Mon, 8 Sep 2008 19:50:30 -0400, James <thenetimp at gmail.com> wrote:
>>>>>>>
>>>>>>> Here is my server config.  When I go to http://prod.givvy.com  the
>>>>>>> result is normal.  When I go to https://prod.givvy.com it's dog slow.
>>>>>>>
>>>>>>> Any idea as to how to speed up the SSL side of it?  (right now I am
>>>>>>> using a local host change to point to the right IP address as
>>>>>>> prod.givvy.com points to a maintenance page.  We want to launch the
>>>>>>> site tomorrow, but this is a huge problem for us.  I'd hate to launch
>>>>>>> it with one server.
>>>>>>>
>>>>>>> Thanks
>>>>>>> James
>>>>>>>
>>>>>>> http {
>>>>>>>
>>>>>>>  upstream givvymain {
>>>>>>>     server 75.101.150.160:80        max_fails=1
>>>>>>> fail_timeout=30s;
>>>>>>>     server 67.202.3.21:80           max_fails=1
>>>>>>> fail_timeout=30s;
>>>>>>>  }
>>>>>>>
>>>>>>>  upstream givvymainssl {
>>>>>>>     server 75.101.150.160:443       max_fails=1
>>>>>>> fail_timeout=30s;
>>>>>>>     server 67.202.3.21:443          max_fails=1
>>>>>>> fail_timeout=30s;
>>>>>>>  }
>>>>>>>
>>>>>>>  server {
>>>>>>>     listen 80;
>>>>>>>     server_name prod.givvy.com;
>>>>>>>     location / {
>>>>>>>         proxy_pass http://givvymain;
>>>>>>>         proxy_next_upstream error timeout;
>>>>>>>     }
>>>>>>>  }
>>>>>>>
>>>>>>>
>>>>>>>  server {
>>>>>>>     listen 443;
>>>>>>>     server_name prod.givvy.com;
>>>>>>>
>>>>>>>     ssl on;
>>>>>>>     ssl_certificate /####PATH TO CERT###/
>>>>>>>     ssl_certificate_key /####PATH TO KEY###/
>>>>>>>     keepalive_timeout 70;
>>>>>>>
>>>>>>>     location / {
>>>>>>>         proxy_set_header X-FORWARDED_PROTO https;
>>>>>>>         proxy_pass https://givvymainssl;
>>>>>>>     }
>>>>>>>  }
>>>>>>> }
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>





More information about the nginx mailing list