ssl proxys https web server is very slow
Maxim Dounin
mdounin at mdounin.ru
Fri Jun 20 19:13:07 UTC 2014
Hello!
On Fri, Jun 20, 2014 at 10:14:54AM -0700, Mark Moseley wrote:
> On Fri, Jun 20, 2014 at 5:20 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> > Hello!
> >
> > On Fri, Jun 20, 2014 at 10:51:38AM +0200, Yifeng Wang wrote:
> >
> > > Hi, it's my first time using NGINX to proxy other web servers. I set a
> > > variable in location; this variable may be taken from a cookie or args. If
> > > I use it directly, like "proxy_pass https://$nodeIp2;", it takes a long
> > > time to get the response. But if I hardcode it, like "proxy_pass
> > > https://147.128.22.152:8443", it works normally. Do I need to set more
> > > configuration parameters to solve this problem? Below is the segment of my
> > > Windows https configuration.
> > >
> > > http {
> > >     ...
> > >     server {
> > >         listen 443 ssl;
> > >         server_name localhost;
> > >
> > >         ssl_certificate server.crt;
> > >         ssl_certificate_key server.key;
> > >
> > >         location /pau6000lct/ {
> > >             set $nodeIp 147.128.22.152:8443;
> > >             proxy_pass https://$nodeIp;
> >
> > Use of variables in the proxy_pass, in particular, implies that
> > SSL sessions will not be reused (as upstream address is not known
> > in advance, and there is no associated storage for an SSL
> > session). This means that each connection will have to do full
> > SSL handshake, and this is likely the reason for the performance
> > problems you see.
> >
> > Solution is to use proxy_pass without variables, or use
> > preconfigured upstream{} blocks instead of ip addresses if you
> > have to use variables.
> >
>
> So to prevent the heart attack I almost just had, can you confirm how I
> interpret that last statement:
>
> If you define your upstream using "upstream upstream_name etc" and then use
> a variable indicating the name of the upstream in proxy_pass statement,
> that will *not* cause SSL sessions to not be reused. I.e. proxy_pass with a
> variable indicating upstream would not cause a performance issue.
>
> Is that correct?
Yes. If there is an upstream{} block, SSL sessions with upstream
servers will be reused regardless of use of variables in the
proxy_pass directive.
--
Maxim Dounin
http://nginx.org/
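
The configuration discussed in this thread, as an added example that is not part of the original messages: the variable in proxy_pass names a preconfigured upstream{} block instead of holding an address. The upstream names node_a and node_b, the "node" cookie, and the 192.0.2.10 backend are assumptions made for illustration.

```nginx
# Added example; these blocks go inside the http {} context.
# Upstream names, the "node" cookie and 192.0.2.10 are constructed.

upstream node_a {
    server 147.128.22.152:8443;   # backend address from the original post
}

upstream node_b {
    server 192.0.2.10:8443;       # constructed second backend
}

# Map the client-supplied value onto a fixed set of upstream names.
# Unknown values fall back to node_a, so the client never selects an
# arbitrary proxy target.
map $cookie_node $node_upstream {
    default node_a;
    node_b  node_b;
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     server.crt;
    ssl_certificate_key server.key;

    location /pau6000lct/ {
        # Slow form from the thread: the variable holds an address, so
        # there is no upstream{} block to store the SSL session and each
        # connection does a full handshake.
        #   set $nodeIp 147.128.22.152:8443;
        #   proxy_pass https://$nodeIp;

        # The variable names an upstream{} block (no port in the URL),
        # so SSL sessions with the backend are reused.
        proxy_ssl_session_reuse on;   # default value, shown for clarity
        proxy_pass https://$node_upstream;
    }
}
```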