Nginx use ssl slow than ELB

huakaibird nginx-forum at nginx.us
Tue Dec 8 14:03:52 UTC 2015


Hi, 

I want to use nginx as an LB to replace AWS ELB, but found that it is much
slower. It affects web users; sometimes users encounter timeouts when
accessing the site.

This is my configuration; please help check whether something is wrong. I use
SSL.

# Main-context settings: worker identity, process count, descriptor limit,
# error log and pid file.
user  nginx;
worker_processes  auto;
# Same value as worker_connections in the events block.
# NOTE(review): a proxied request holds two descriptors (client side and
# upstream side), so a worker can hit this limit before worker_connections.
worker_rlimit_nofile 65535;

# Only "warn" and above are recorded.
# NOTE(review): most client-side TLS handshake failures are logged at "info",
# so they will not appear here while diagnosing timeouts - confirm and lower
# the level temporarily if needed.
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


# Connection-processing settings for each worker.
events {
    use epoll;
    # Per-worker ceiling on open connections; upstream connections count
    # toward it as well as client connections.
    worker_connections  65535;
}


# HTTP context: logging, body limits, a status listener on 8080, and the
# include that pulls in the TLS proxy configuration.
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # NOTE(review): the first quoted string below is split across two lines,
    # which looks like mail line-wrapping; if the real file is wrapped the same
    # way, every access-log entry gets a literal newline after "$request".
    # $http_x_forwarded_for is copied from the client's request header, so it
    # is client-controlled; only $remote_addr is the actual peer address.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request"
'
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Entries are buffered (1 MB) and flushed every 5 s, so the file can lag
    # slightly behind live traffic when a timeout is being investigated.
    access_log  /var/log/nginx/access.log  main buffer=1m flush=5s;

    sendfile        on;
    keepalive_timeout  60;
    # 0 turns off the request-body size check, so any client can stream an
    # arbitrarily large body through to the backends.
    # NOTE(review): set an explicit limit unless unbounded uploads are required.
    client_max_body_size 0;

    # Plain-HTTP listener on port 8080 (all addresses) for the status endpoints.
    server {
    listen 8080;
    root /usr/share/nginx/html;


    # Exposes the stub_status connection counters; requests here are not logged.
    # NOTE(review): there is no allow/deny, so anyone who can reach port 8080
    # can read these counters - restrict to the monitoring hosts or loopback.
    location = /nginx_status {
        stub_status on;
        access_log off;
    }

    # Empty location: /status.html is served as a static file from root.
    # Presumably a health-check target for whatever fronts this host - confirm.
    location = /status.html {
    }
    }

    # Loads test.conf into the http context.
    include /etc/nginx/test.d/test.conf;
}

test.conf: 
# TLS session resumption: a 10 MB cache shared between workers, with sessions
# kept for 30 minutes. Included at http level, so it applies to every server.
# NOTE(review): ssl_session_tickets is not set, so ticket-based resumption
# stays at its default; if forward secrecy matters, decide how ticket keys are
# rotated or disable tickets explicitly.
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 30m;
# Backend pool used by proxy_pass; addresses are redacted in the post.
upstream backend {
      
        server x.x.x.x;
        server x.x.x.x;
        # "check" / "check_http_send" are not stock nginx directives; they look
        # like the third-party upstream health-check module - confirm the build.
        # NOTE(review): with interval=30000 and fall=5 (presumably milliseconds
        # and consecutive failures), a dead backend could keep receiving
        # traffic for roughly 150 s before it is marked down, which would show
        # up to users as timeouts.
        check interval=30000 rise=3 fall=5 timeout=5000 type=http;
        check_http_send "HEAD /healthcheck HTTP/1.0\r\n\r\n";

        # NOTE(review): no "keepalive" is configured here, so each proxied
        # request opens a new TCP connection to a backend.
}


# Public listener: terminates TLS on 443 and proxies everything to "backend".
server {
    # NOTE(review): port 80 is served by the same block with no redirect, so
    # the site is fully usable over cleartext HTTP.
    listen       80;
    listen       443 ssl;

    
     # All requests are forwarded to the upstream group over plain HTTP, so
     # traffic between this host and the backends is unencrypted.
     location / {
        proxy_pass http://backend;
        
    }
    keepalive_timeout   60;
    # Set at server level; "location /" defines no proxy_set_header of its own,
    # so it inherits these.
    proxy_set_header Host $host;
    # X-Real-IP is overwritten with the peer address. X-Forwarded-For is the
    # client-supplied header with $remote_addr appended, so backends should
    # trust only the right-most entry.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Up to 128 x 16k of response buffers and a 2 MB body buffer per request.
    # NOTE(review): combined with 65535 connections per worker and no body
    # size limit, this leaves memory use effectively unbounded under load.
    proxy_buffers 128 16k;
    client_body_buffer_size 2048k;
    # NOTE(review): accepting header names with underscores can let a client
    # send e.g. X_Forwarded_For, which backends that normalise "-" and "_" to
    # the same variable may confuse with the header set above - confirm the
    # backends need this.
    underscores_in_headers on;
    # Relative paths; the private key file should be readable by root only.
    ssl_certificate     ssl/chained.crt;
    ssl_certificate_key ssl/key.key;
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated; limit to TLSv1.2 and
    # newer once legacy clients are accounted for.
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    # NOTE(review): the trailing "!DH:!EDH" removes every DHE suite, so the
    # DHE-* entries in this list are never offered. What remains after the
    # ECDHE suites appears to include static-RSA suites (no forward secrecy)
    # and DES-CBC3-SHA (3DES); drop those unless a legacy client needs them.
    ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DH:!EDH';
    #ssl_ciphers HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    # The server's cipher order wins over the client's.
    ssl_prefer_server_ciphers on;
    }

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263347,263347#msg-263347


