SSL proxy slow....

Igor Clark igor at pokelondon.com
Mon Sep 15 21:11:12 MSD 2008


Only just saw this - vpn might be a neat solution, you might try www.openvpn.net if you're still thinking about it

bests
Igor

On 9 Sep 2008, at 05:08, James wrote:

> I was thinking about that, maybe an ssh tunnel between the 2 servers, but I don't have time to try that theory tonight.  I'll try it again later this week.
>
> James
>
>
> On Sep 8, 2008, at 11:59 PM, Gabriel Ramuglia wrote:
>
>> gotcha. maybe a vpn connection between the front end and back ends would be more appropriate than ssl?
>>
>> On Mon, Sep 8, 2008 at 11:43 PM, James <thenetimp at gmail.com> wrote:
>>> we're sending credit card data, as the back end of the proxy is still on public network interface, and since it's EC2 I can't change that.
>>>
>>> James
>>>
>>> On Sep 8, 2008, at 11:24 PM, Gabriel Ramuglia wrote:
>>>
>>>> If the http version is identical to the https version, what difference does it make if the connection between the frontend and backend is encrypted?
>>>>
>>>> On Mon, Sep 8, 2008 at 11:06 PM, James <thenetimp at gmail.com> wrote:
>>>>>
>>>>> we've decided for the time being to go round robin DNS for now.  It's got its disadvantages, but since the site launches in the morning, I don't have time to play with it before the launch, too many other things to do.  Kind of sucks, I was really excited about using nginx.
>>>>>
>>>>> James
>>>>>
>>>>>
>>>>> On Sep 8, 2008, at 10:41 PM, Gabriel Ramuglia wrote:
>>>>>
>>>>>> varnish can't act as an ssl server, not sure about being an ssl client.
>>>>>>
>>>>>> On Mon, Sep 8, 2008 at 9:41 PM, James <thenetimp at gmail.com> wrote:
>>>>>>>
>>>>>>> Thanks Dave.  I'll look into both of those.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> James
>>>>>>>
>>>>>>>
>>>>>>> On Sep 8, 2008, at 9:05 PM, Dave Cheney wrote:
>>>>>>>
>>>>>>>> The dog slowness you are seeing is probably nginx renegotiating SSL on every backend request. At the moment nginx will issue a connection close after each request.
>>>>>>>>
>>>>>>>> If you are using nginx as an SSL load balancer you might need to use something else (varnish? squid?) that can maintain persistent connections to your backend, this might help, a bit.
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Dave
>>>>>>>>
>>>>>>>> On Mon, 8 Sep 2008 20:36:04 -0400, James <thenetimp at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> I do need to pass SSL back to my app from the front nginx server, because we are using EC2 for our servers, so I do need to encrypt them back to the 2 front end servers, as it's on a public network, and the network is public.
>>>>>>>>>
>>>>>>>>> James
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sep 8, 2008, at 8:05 PM, Dave Cheney wrote:
>>>>>>>>>
>>>>>>>>>> Hi James,
>>>>>>>>>>
>>>>>>>>>> If nginx is acting as your SSL handler then you don't need to pass SSL back to your app. This should be sufficient.
>>>>>>>>>>
>>>>>>>>>> location / {
>>>>>>>>>>     proxy_set_header X-FORWARDED_PROTO https;
>>>>>>>>>>     # plain HTTP to the port-80 upstream; TLS is terminated at this nginx
>>>>>>>>>>     proxy_pass http://givvymain;
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> Cheers
>>>>>>>>>>
>>>>>>>>>> Dave
>>>>>>>>>>
>>>>>>>>>> On Mon, 8 Sep 2008 19:50:30 -0400, James <thenetimp at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Here is my server config.  When I go to http://prod.givvy.com the result is normal.  When I go to https://prod.givvy.com it's dog slow.
>>>>>>>>>>>
>>>>>>>>>>> Any idea as to how to speed up the SSL side of it?  (right now I am using a local host change to point to the right IP address as prod.givvy.com points to a maintenance page.)  We want to launch the site tomorrow, but this is a huge problem for us.  I'd hate to launch it with one server.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> James
>>>>>>>>>>>
>>>>>>>>>>> http {
>>>>>>>>>>>
>>>>>>>>>>>     upstream givvymain {
>>>>>>>>>>>         server 75.101.150.160:80        max_fails=1 fail_timeout=30s;
>>>>>>>>>>>         server 67.202.3.21:80           max_fails=1 fail_timeout=30s;
>>>>>>>>>>>     }
>>>>>>>>>>>
>>>>>>>>>>>     upstream givvymainssl {
>>>>>>>>>>>         server 75.101.150.160:443       max_fails=1 fail_timeout=30s;
>>>>>>>>>>>         server 67.202.3.21:443          max_fails=1 fail_timeout=30s;
>>>>>>>>>>>     }
>>>>>>>>>>>
>>>>>>>>>>>     server {
>>>>>>>>>>>         listen 80;
>>>>>>>>>>>         server_name prod.givvy.com;
>>>>>>>>>>>         location / {
>>>>>>>>>>>             proxy_pass http://givvymain;
>>>>>>>>>>>             proxy_next_upstream error timeout;
>>>>>>>>>>>         }
>>>>>>>>>>>     }
>>>>>>>>>>>
>>>>>>>>>>>     server {
>>>>>>>>>>>         listen 443;
>>>>>>>>>>>         server_name prod.givvy.com;
>>>>>>>>>>>
>>>>>>>>>>>         ssl on;
>>>>>>>>>>>         ssl_certificate /####PATH TO CERT###/
>>>>>>>>>>>         ssl_certificate_key /####PATH TO KEY###/
>>>>>>>>>>>         keepalive_timeout 70;
>>>>>>>>>>>
>>>>>>>>>>>         location / {
>>>>>>>>>>>             proxy_set_header X-FORWARDED_PROTO https;
>>>>>>>>>>>             proxy_pass https://givvymainssl;
>>>>>>>>>>>         }
>>>>>>>>>>>     }
>>>>>>>>>>> }
>>>>>>>>>>>

--
Igor Clark • POKE • 10 Redchurch Street • E2 7DD • +44 (0)20 7749 5355  
• www.pokelondon.com
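The thread ends without a config that keeps James's requirement (re-encrypt to backends over the public EC2 network) while fixing the per-request handshake Dave describes. The following is an added example, not Dave's or James's config: it assumes a newer nginx than the 2008 thread (upstream `keepalive` arrived in 1.1.4 and the `proxy_ssl_*` directives in 1.7.0), reuses the upstream name and addresses from James's config, and uses placeholders for the certificate paths and the backend certificate name.

```nginx
# Added example (not from the thread). Fragment for the http {} context.
# Terminates TLS at the front-end nginx and re-encrypts to the backends,
# but reuses connections and TLS sessions instead of handshaking per request.
# Assumes nginx >= 1.7.0; cert paths and backend name are placeholders.

upstream givvymainssl {
    server 75.101.150.160:443 max_fails=1 fail_timeout=30s;
    server 67.202.3.21:443    max_fails=1 fail_timeout=30s;

    # Keep idle TLS connections to the backends open so later requests reuse
    # them instead of paying a new TCP connection plus a full TLS handshake.
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name prod.givvy.com;

    ssl_certificate     /PATH/TO/CERT.pem;   # placeholder
    ssl_certificate_key /PATH/TO/KEY.pem;    # placeholder

    location / {
        # Required for upstream keepalive: HTTP/1.1 and no "Connection: close"
        # forwarded from the client.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        # When a fresh connection is needed, resume the previous TLS session
        # rather than running a full handshake (this is the default, kept
        # explicit here because it is the point of the thread).
        proxy_ssl_session_reuse on;

        # Card data crosses a public network: verify the backend certificate
        # so the front end only talks to the intended servers.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /PATH/TO/BACKEND-CA.pem;  # placeholder
        proxy_ssl_name backend.givvy.internal;                  # placeholder
        proxy_ssl_server_name on;

        proxy_pass https://givvymainssl;
        proxy_next_upstream error timeout;
    }
}
```

The backend certificates must be issued for the name given to `proxy_ssl_name`, otherwise `proxy_ssl_verify on` will correctly refuse the connection.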