SSL proxy slow....
James
thenetimp at gmail.com
Tue Sep 9 07:43:19 MSD 2008
We're sending credit card data, as the back end of the proxy is still
on a public network interface, and since it's EC2 I can't change that.
James
On Sep 8, 2008, at 11:24 PM, Gabriel Ramuglia wrote:
> If the http version is identical to the https version, what difference
> does it make if the connection between the frontend and backend is
> encrypted?
>
> On Mon, Sep 8, 2008 at 11:06 PM, James <thenetimp at gmail.com> wrote:
>> We've decided for the time being to go round robin DNS for now. It's got
>> its disadvantages, but since the site launches in the morning, I don't have
>> time to play with it before the launch, too many other things to do. Kind
>> of sucks, I was really excited about using nginx.
>>
>> James
>>
>>
>> On Sep 8, 2008, at 10:41 PM, Gabriel Ramuglia wrote:
>>
>>> varnish can't act as an ssl server, not sure about being an ssl client.
>>>
>>> On Mon, Sep 8, 2008 at 9:41 PM, James <thenetimp at gmail.com> wrote:
>>>>
>>>> Thanks Dave. I'll look into both of those.
>>>>
>>>> Thanks,
>>>> James
>>>>
>>>>
>>>> On Sep 8, 2008, at 9:05 PM, Dave Cheney wrote:
>>>>
>>>>> The dog slowness you are seeing is probably nginx renegotiating SSL on
>>>>> every backend request. At the moment nginx will issue a connection close
>>>>> after each request.
>>>>>
>>>>> If you are using nginx as an SSL load balancer you might need to use
>>>>> something else (varnish? squid?) that can maintain persistent connections
>>>>> to your backend, this might help, a bit.
>>>>>
>>>>> Cheers
>>>>>
>>>>> Dave
>>>>>
>>>>> On Mon, 8 Sep 2008 20:36:04 -0400, James <thenetimp at gmail.com> wrote:
>>>>>>
>>>>>> I do need to pass SSL back to my app from the front nginx server,
>>>>>> because we are using EC2 for our servers, so I do need to encrypt them
>>>>>> back to the 2 front end servers, as it's on a public network, and the
>>>>>> network is public.
>>>>>>
>>>>>> James
>>>>>>
>>>>>>
>>>>>> On Sep 8, 2008, at 8:05 PM, Dave Cheney wrote:
>>>>>>
>>>>>>> Hi James,
>>>>>>>
>>>>>>> If nginx is acting as your SSL handler then you don't need to pass
>>>>>>> SSL back to your app. This should be sufficient.
>>>>>>>
>>>>>>> location / {
>>>>>>>     proxy_set_header X-FORWARDED_PROTO https;
>>>>>>>     # TLS ends at nginx; plain HTTP to the port-80 upstream
>>>>>>>     proxy_pass http://givvymain;
>>>>>>> }
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Dave
>>>>>>>
>>>>>>> On Mon, 8 Sep 2008 19:50:30 -0400, James <thenetimp at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Here is my server config. When I go to http://prod.givvy.com the
>>>>>>>> result is normal. When I go to https://prod.givvy.com it's dog slow.
>>>>>>>>
>>>>>>>> Any idea as to how to speed up the SSL side of it? (Right now I am
>>>>>>>> using a local host change to point to the right IP address as
>>>>>>>> prod.givvy.com points to a maintenance page.) We want to launch the
>>>>>>>> site tomorrow, but this is a huge problem for us. I'd hate to launch
>>>>>>>> it with one server.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> James
>>>>>>>>
>>>>>>>> http {
>>>>>>>>
>>>>>>>>     upstream givvymain {
>>>>>>>>         server 75.101.150.160:80 max_fails=1 fail_timeout=30s;
>>>>>>>>         server 67.202.3.21:80 max_fails=1 fail_timeout=30s;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     upstream givvymainssl {
>>>>>>>>         server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
>>>>>>>>         server 67.202.3.21:443 max_fails=1 fail_timeout=30s;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     server {
>>>>>>>>         listen 80;
>>>>>>>>         server_name prod.givvy.com;
>>>>>>>>         location / {
>>>>>>>>             proxy_pass http://givvymain;
>>>>>>>>             proxy_next_upstream error timeout;
>>>>>>>>         }
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     server {
>>>>>>>>         listen 443;
>>>>>>>>         server_name prod.givvy.com;
>>>>>>>>
>>>>>>>>         ssl on;
>>>>>>>>         ssl_certificate /####PATH TO CERT###/;
>>>>>>>>         ssl_certificate_key /####PATH TO KEY###/;
>>>>>>>>         keepalive_timeout 70;
>>>>>>>>
>>>>>>>>         location / {
>>>>>>>>             proxy_set_header X-FORWARDED_PROTO https;
>>>>>>>>             proxy_pass https://givvymainssl;
>>>>>>>>         }
>>>>>>>>     }
>>>>>>>> }
>>>>>>>>
>
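
The per-request TLS handshake Dave describes, and the encrypted backend hop James needs on EC2, can both be handled with directives from nginx releases newer than the one in this 2008 thread (upstream `keepalive` and `proxy_ssl_verify` did not exist yet). The following is an added example, not a config posted by anyone in the thread; it reuses the thread's upstream and server names, while the certificate paths, CA bundle path and `backend.internal.example` are placeholders.

```nginx
http {
    upstream givvymainssl {
        server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
        server 67.202.3.21:443    max_fails=1 fail_timeout=30s;

        # Keep up to 16 idle connections per worker open to the backends,
        # so most requests skip the TCP and TLS handshakes entirely.
        keepalive 16;
    }

    server {
        listen 443 ssl;
        server_name prod.givvy.com;

        ssl_certificate     /path/to/cert.pem;   # placeholder path
        ssl_certificate_key /path/to/key.pem;    # placeholder path
        keepalive_timeout   70;

        location / {
            proxy_pass https://givvymainssl;

            # Upstream keepalive requires HTTP/1.1 and no "Connection: close".
            proxy_http_version 1.1;
            proxy_set_header   Connection "";

            # When a fresh backend connection is needed, resume the previous
            # TLS session instead of running a full handshake.
            proxy_ssl_session_reuse on;

            # Encrypting the hop is not enough on a public network: without
            # verification nginx accepts any certificate the peer presents.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /path/to/backend-ca.pem;   # placeholder
            proxy_ssl_name                backend.internal.example;  # placeholder
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;

            proxy_set_header Host              $host;
            # Conventional hyphenated form of the thread's X-FORWARDED_PROTO.
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Check the file with `nginx -t` before reloading; the backend certificates must carry the name given in `proxy_ssl_name` for verification to succeed.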