TLS Multiplexing to the Origin Server

brookscunningham nginx-forum at forum.nginx.org
Mon Feb 13 22:33:26 UTC 2017


Hello All,

I am seeing an increase in the number of new TLS connections to my origin
server when using NGINX as a reverse proxy. I am offloading TLS at NGINX and
starting a new TLS connection to the origin.

The workflow is as follows:

client --> NGINX --> origin server

I would expect NGINX to either persist a handful of TLS connections or at a
minimum re-use previously established TLS connections using TLS session
tickets.
However, the behavior that we see is NGINX is apparently opening a new TLS
connection to the origin for nearly every client request. This means going
through the full asymmetric TLS handshake for nearly every request. This is
not desirable for both the latency added and CPU performance hit for going
through the full TLS handshake.
I have validated that my origin server supports TLS Session re-use by using
the following openssl command.

echo | openssl s_client -tls1_2 -reconnect -state -prexit -connect <my origin server IP>:443 | grep -i session-id

Below is the output from "nginx -v"

nginx version: nginx/1.8.1

How can I either persist existing TLS connections or leverage TLS session
tickets?

I found the following link that may be relevant.
http://hg.nginx.org/nginx/rev/1356a3b96924

Thanks!
Brooks

P.S. Below are the relevant proxy configs that I have for my origin server.

#proxy rules in place for the domain

        proxy_redirect off;
        proxy_connect_timeout 15;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffers 8 16k;
        proxy_buffer_size 16k;
        proxy_busy_buffers_size 64k;

        proxy_cache XNXFILES;
        proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_cache_valid 301 302 0m;
        proxy_cache_valid 200 60m;
        proxy_cache_key $host$request_uri;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Accept-Encoding 'gzip';

# The variable $host sets the host request header to the origin server.
        proxy_set_header Host $host;

#The variables REQUEST_PROTO and PROXY_TO are used when determining which origin to use.
        proxy_pass $REQUEST_PROTO://$PROXY_TO;

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272389,272389#msg-272389
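
An added example (not part of the original post): a shell helper that summarises the output of the `openssl s_client -reconnect` check above by counting the "New," and "Reused," lines s_client prints for each handshake, alongside the distinct Session-ID values. The sample output is constructed and abridged, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: summarise session reuse from `openssl s_client -reconnect`.
# Real use (the host is a placeholder):
#   echo | openssl s_client -tls1_2 -reconnect -connect <origin>:443 2>/dev/null | summarize_reuse

# Constructed, abridged s_client output: one full handshake followed by two
# resumed reconnects. The Session-ID value is made up for this example.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 1111AAAA2222BBBB3333CCCC4444DDDD
    Session-ID-ctx:
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 1111AAAA2222BBBB3333CCCC4444DDDD
    Session-ID-ctx:
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 1111AAAA2222BBBB3333CCCC4444DDDD
    Session-ID-ctx:
EOF
}

# Count full vs. resumed handshakes and distinct session IDs on stdin.
summarize_reuse() {
  awk '
    $1 == "New,"    { new++ }      # full handshake
    $1 == "Reused," { reused++ }   # abbreviated (resumed) handshake
    $1 == "Session-ID:" && NF > 1 && !($2 in seen) { seen[$2] = 1; ids++ }
    END { printf "new=%d reused=%d distinct_ids=%d\n", new, reused, ids }
  '
}

# Exit status 0 only if at least one reconnect was resumed.
origin_resumes() { summarize_reuse | grep -Eq 'reused=[1-9]'; }

sample_output | summarize_reuse
```

Matching on the exact `Session-ID:` field keeps the `Session-ID-ctx:` lines, which `grep -i session-id` also prints, out of the count.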


