ssl proxys https web server is very slow

Mark Moseley moseleymark at gmail.com
Fri Jun 20 17:14:54 UTC 2014 

On Fri, Jun 20, 2014 at 5:20 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Fri, Jun 20, 2014 at 10:51:38AM +0200, Yifeng Wang wrote:
>
> > Hi, It's my first time using NGINX to proxy other web servers. I set a
> > variable in location, this variable may be gotten in cookie or args. if
> > I use it directly likes "proxy_pass https://$nodeIp2;", it will get the
> > response for a long time. but if I hardcode likes "proxy_pass
> > https://147.128.22.152:8443" it works normally. Do I need to set more
> > cofiguration parameters to solve this problem.Below is the segment of my
> > windows https configuration.
> >
> > http {
> >     ...
> >     server {
> >        listen       443 ssl;
> >        server_name  localhost;
> >
> >        ssl_certificate      server.crt;
> >        ssl_certificate_key  server.key;
> >
> >        location /pau6000lct/ {
> >             set $nodeIp 147.128.22.152:8443;
> >             proxy_pass https://$nodeIp;
>
> Use of variables in the proxy_pass, in particular, implies that
> SSL sessions will not be reused (as upstream address is not known
> in advance, and there is no associated storage for an SSL
> session).  This means that each connection will have to do full
> SSL handshake, and this is likely the reason for the performance
> problems you see.
>
> Solution is to use proxy_pass without variables, or use
> preconfigured upstream{} blocks instead of ip addresses if you
> have to use variables.
>

So to prevent the heart attack I almost just had, can you confirm how I
interpret that last statement:

If you define your upstream using "upstream upstream_name etc" and then use
a variable indicating the name of the upstream in proxy_pass statement,
that will *not* cause SSL sessions to not be reused. I.e. proxy_pass with a
variable indicating upstream would not cause a performance issue.

Is that correct?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20140620/1ec03d19/attachment.html>

More information about the nginx mailing list