Upstream SSL IIS Performance

d2radio nginx-forum at nginx.us
Tue Aug 21 03:14:20 UTC 2012


Hi Maxim,

Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Sun, Aug 19, 2012 at 11:06:22PM -0400, d2radio wrote:
> 
> > Thanks Francis,
> > 
> > Yes I suspected that it was somehow renegotiating the ssl handshake for each
> > request whereas firefox/firebug was caching the handshake thus showing
> > quicker response times.
> > 
> > Timing curl over https gave me an average of 80ms response time, timing curl
> > over http gave me an average of 10ms similar to what nginx was achieving
> > talking to the backend via http.
> > 
> > I'm happy to announce though that you were bang on the money with the
> > keepalive directive. As soon as I added that into my upstream declaration
> > the response times dropped considerably and I'm now getting performance
> > similar to as if I was requesting the content directly from the upstream
> > server.
> > 
> > Thanks Francis you're a legend :)
> 
> Strange thing is that SSL session reuse doesn't work for you.  It 
> is on by default and should do more or less the same thing unless 
> you've switched it off with proxy_ssl_session_reuse[1] directive or 
> forgot to configure session cache on your backend server.
> 
> (Another question to consider is whether you really need to spend 
> resources on SSL between nginx and your backend.)
> 
> [1] http://nginx.org/r/proxy_ssl_session_reuse 
> 
> Maxim Dounin

Thanks, Yes I thought it was strange that ssl session reuse didn't work
either as I thought that had been enabled by default in a recent release.

I can confirm that we don't have the directive proxy_ssl_session_reuse set
in any of the config files and we have left the upstream server caching
settings at their defaults which I think for IIS 6.0 is 5 minutes if I
remember correctly.

Yes you're correct, I would agree that it's probably not the best approach to
be talking to an upstream server via HTTPS but unfortunately at the moment
that's not an option due to how the upstream applications work which weren't
written by me.

Thanks for your time.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,229909,229936#msg-229936
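
The two settings discussed in this thread, upstream keepalive and proxy_ssl_session_reuse, shown together as an added example; this is not the poster's configuration or code from the nginx project. The upstream name, backend address, listen port and pool size are assumptions.

```nginx
# Added example. Names, address and pool size below are assumed values.
upstream iis_backend {
    server 192.0.2.10:443;   # placeholder address for the HTTPS backend
    keepalive 16;            # idle upstream connections kept open per worker
}

server {
    listen 80;

    location / {
        proxy_pass https://iis_backend;

        # Upstream keepalive only takes effect with HTTP/1.1 and without
        # a "Connection: close" header being sent to the backend.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # On by default; written out here so the setting is visible.
        # It applies when a new connection to the backend is opened.
        proxy_ssl_session_reuse on;
    }
}
```

With keepalive, requests that reuse an open upstream connection need no new SSL handshake. Session reuse only shortens the handshakes of new connections, and only if the backend has a session cache configured.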


