SSL proxy slow....

Gabriel Ramuglia gabe at vtunnel.com
Tue Sep 9 07:59:25 MSD 2008


Gotcha. Maybe a VPN connection between the front end and back ends
would be more appropriate than SSL?

On Mon, Sep 8, 2008 at 11:43 PM, James <thenetimp at gmail.com> wrote:
> We're sending credit card data, as the back end of the proxy is still on a
> public network interface, and since it's EC2 I can't change that.
>
> James
>
> On Sep 8, 2008, at 11:24 PM, Gabriel Ramuglia wrote:
>
>> If the HTTP version is identical to the HTTPS version, what difference
>> does it make if the connection between the frontend and backend is
>> encrypted?
>>
>> On Mon, Sep 8, 2008 at 11:06 PM, James <thenetimp at gmail.com> wrote:
>>>
>>> We've decided for the time being to go round-robin DNS. It's got
>>> its disadvantages, but since the site launches in the morning, I don't
>>> have time to play with it before the launch; too many other things to do.
>>> Kind of sucks, I was really excited about using nginx.
>>>
>>> James
>>>
>>>
>>> On Sep 8, 2008, at 10:41 PM, Gabriel Ramuglia wrote:
>>>
>>>> Varnish can't act as an SSL server; not sure about being an SSL client.
>>>>
>>>> On Mon, Sep 8, 2008 at 9:41 PM, James <thenetimp at gmail.com> wrote:
>>>>>
>>>>> Thanks Dave.  I'll look into both of those.
>>>>>
>>>>> Thanks,
>>>>> James
>>>>>
>>>>>
>>>>> On Sep 8, 2008, at 9:05 PM, Dave Cheney wrote:
>>>>>
>>>>>> The dog slowness you are seeing is probably nginx renegotiating SSL
>>>>>> on every backend request. At the moment nginx will issue a connection
>>>>>> close after each request.
>>>>>>
>>>>>> If you are using nginx as an SSL load balancer you might need to use
>>>>>> something else (varnish? squid?) that can maintain persistent
>>>>>> connections to your backend; this might help, a bit.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Dave
>>>>>>
>>>>>> On Mon, 8 Sep 2008 20:36:04 -0400, James <thenetimp at gmail.com> wrote:
>>>>>>>
>>>>>>> I do need to pass SSL back to my app from the front nginx server,
>>>>>>> because we are using EC2 for our servers, so I do need to encrypt them
>>>>>>> back to the 2 front end servers, as it's on a public network, and the
>>>>>>> network is public.
>>>>>>>
>>>>>>> James
>>>>>>>
>>>>>>>
>>>>>>> On Sep 8, 2008, at 8:05 PM, Dave Cheney wrote:
>>>>>>>
>>>>>>>> Hi James,
>>>>>>>>
>>>>>>>> If nginx is acting as your SSL handler then you don't need to pass
>>>>>>>> SSL back to your app. This should be sufficient.
>>>>>>>>
>>>>>>>> location / {
>>>>>>>>     # Tell the app the client connected over HTTPS
>>>>>>>>     proxy_set_header X-FORWARDED_PROTO https;
>>>>>>>>     # Plain HTTP to the port-80 backends; TLS is terminated at nginx
>>>>>>>>     proxy_pass http://givvymain;
>>>>>>>> }
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Dave
>>>>>>>>
>>>>>>>> On Mon, 8 Sep 2008 19:50:30 -0400, James <thenetimp at gmail.com>
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Here is my server config. When I go to http://prod.givvy.com the
>>>>>>>>> result is normal. When I go to https://prod.givvy.com it's dog
>>>>>>>>> slow.
>>>>>>>>>
>>>>>>>>> Any idea as to how to speed up the SSL side of it? (Right now I am
>>>>>>>>> using a local hosts file change to point to the right IP address, as
>>>>>>>>> prod.givvy.com points to a maintenance page.) We want to launch the
>>>>>>>>> site tomorrow, but this is a huge problem for us. I'd hate to
>>>>>>>>> launch it with one server.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> James
>>>>>>>>>
>>>>>>>>> http {
>>>>>>>>>
>>>>>>>>>   # Plain-HTTP backends
>>>>>>>>>   upstream givvymain {
>>>>>>>>>     server 75.101.150.160:80 max_fails=1 fail_timeout=30s;
>>>>>>>>>     server 67.202.3.21:80    max_fails=1 fail_timeout=30s;
>>>>>>>>>   }
>>>>>>>>>
>>>>>>>>>   # Same backends on 443; nginx re-encrypts to them
>>>>>>>>>   upstream givvymainssl {
>>>>>>>>>     server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
>>>>>>>>>     server 67.202.3.21:443    max_fails=1 fail_timeout=30s;
>>>>>>>>>   }
>>>>>>>>>
>>>>>>>>>   server {
>>>>>>>>>     listen 80;
>>>>>>>>>     server_name prod.givvy.com;
>>>>>>>>>     location / {
>>>>>>>>>       proxy_pass http://givvymain;
>>>>>>>>>       proxy_next_upstream error timeout;
>>>>>>>>>     }
>>>>>>>>>   }
>>>>>>>>>
>>>>>>>>>   server {
>>>>>>>>>     listen 443;
>>>>>>>>>     server_name prod.givvy.com;
>>>>>>>>>
>>>>>>>>>     ssl on;
>>>>>>>>>     ssl_certificate     /####PATH TO CERT###/;
>>>>>>>>>     ssl_certificate_key /####PATH TO KEY###/;
>>>>>>>>>     keepalive_timeout 70;
>>>>>>>>>
>>>>>>>>>     location / {
>>>>>>>>>       proxy_set_header X-FORWARDED_PROTO https;
>>>>>>>>>       proxy_pass https://givvymainssl;
>>>>>>>>>     }
>>>>>>>>>   }
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
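The configuration below is an added example, not part of the thread and not written by any of its participants. It shows what the setup James describes (TLS terminated at an nginx front end, traffic re-encrypted to backends that sit on a public network) looks like once nginx can keep upstream connections open, and it adds the check the 2008 configuration lacked: verification of the backend certificate, without which encryption across a public network only defeats passive sniffing. It assumes directives that appeared after this thread: `keepalive` in an upstream block and `proxy_http_version` (nginx 1.1.4), and `proxy_ssl_verify`, `proxy_ssl_trusted_certificate`, `proxy_ssl_name` and `proxy_ssl_server_name` (nginx 1.7.0). The hostnames, addresses, certificate paths and the backend certificate name `app.internal.example` are placeholders.

```nginx
# Added example (not from the thread). TLS-terminating front end that
# re-encrypts to backends on a public network, with connection reuse and
# backend certificate verification. Version assumptions: upstream keepalive
# and proxy_http_version need nginx >= 1.1.4; the proxy_ssl_* verification
# directives need nginx >= 1.7.0. All names, IPs and paths are placeholders.

http {
    # Backends speak TLS on 443. The thread's config pointed at such an
    # upstream too, but nginx then opened a fresh TLS connection, with a
    # full handshake, for every proxied request.
    upstream app_tls {
        server 10.0.0.11:443 max_fails=1 fail_timeout=30s;
        server 10.0.0.12:443 max_fails=1 fail_timeout=30s;
        # Keep up to 32 idle connections per worker open to the backends
        # and reuse them for later requests.
        keepalive 32;
    }

    # Client-facing TLS, terminated once here.
    server {
        listen 443 ssl;
        server_name prod.example.com;
        ssl_certificate     /etc/nginx/tls/frontend.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/frontend.key;   # placeholder path
        # Let returning clients resume sessions instead of doing a full
        # handshake each time.
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        location / {
            proxy_pass https://app_tls;

            # Upstream keepalive only works over HTTP/1.1 and without the
            # "Connection: close" that nginx would otherwise send.
            proxy_http_version 1.1;
            proxy_set_header Connection "";

            # Tell the app what scheme the client used and which host it asked for.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;

            # When a new backend connection is needed, resume the previous
            # TLS session rather than negotiating from scratch.
            proxy_ssl_session_reuse on;

            # Verify the backend against a pinned CA and check its name.
            # Without this, anyone who can answer on the backend's address
            # on the public network gets the card data in the clear.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.crt;  # placeholder
            proxy_ssl_server_name on;
            # Name to check and send via SNI; the default would be the upstream
            # name "app_tls", which no certificate carries (assumed name).
            proxy_ssl_name app.internal.example;

            proxy_next_upstream error timeout;
        }
    }

    # Plain HTTP: send card-handling traffic to HTTPS instead of serving it.
    server {
        listen 80;
        server_name prod.example.com;
        return 301 https://$host$request_uri;
    }
}
```

To confirm the backends accept session resumption before relying on `proxy_ssl_session_reuse`, `openssl s_client -connect 10.0.0.11:443 -reconnect` reconnects several times with the same session and reports whether each was "Reused"; a backend that never reuses sessions will still pay a full handshake whenever nginx needs a new connection. On nginx 1.9.1 or later, logging `$upstream_connect_time` in the access log shows connection reuse directly: reused connections report a zero or near-zero connect time, while a per-request TLS handshake shows up as tens of milliseconds on every line.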





More information about the nginx mailing list