Balancing NGINX reverse proxy

Peter Booth peter_booth at me.com
Mon Mar 6 01:13:56 UTC 2017 

So I have a few different thoughts:

1. Yes nginx does support SSL pass through .  You can configure nginx to stream your request to your SSL backend. I do this when I don't have control of the backend and it has to be SSL. I don't think that's your situation.

2. I suspect that there's something wrong with your SSL configuration and/or your nginx VMs are underpowered. Can you test the throughput that you are requesting http static resources ? Check with webpagetest.org that the expense is only being paid on the first request.

3. It's generally better to terminate SSL as early as possible and have the bulk of your communication be unencrypted.
What spec are your VMs?

Sent from my iPhone

> On Mar 5, 2017, at 6:00 PM, Alex Samad <alex at samad.com.au> wrote:
> 
> Hi
> 
> Firstly, I am fairly new to nginx.
> 
> 
> From what I understand you have a standard sort of setup.
> 
> 
> 2 nodes (vm's) with haproxy, allowing nginx to be active / passive.
> 
> You have SSL requests which once nginx terminates the SSL, it injects a security header / token and then I presume it passes this on to a back end, i presume that the nginx to application server is non SSL.
> 
> You are having performance issue with the SSL + header inject part, which seems to be limiting you to approx 60req per sec before you hit 100% cpu..  This seems very very low to me looking at my prod setup - similar to yours I am seeing 600 connections and req/s ranging from 8-400 / sec.  all whilst the cpu stay very very low.
> 
> We try and use long lived TCP / SSL sessions, but we also use a thick client as well so have more control.
> 
> Not sure about KEMP loadmaster.
> 
> What I describe to you was our potential plans for when the load gets too much on the active/passive setup.
> 
> It would allow you to take your 60 session ? and distributed it between 2 or upto 16 (I believe this is the max for pacemaker). an active / active setup
> 
> The 2 node setup would be the same as yours
> 
> 
> router -> vlan with the 2 nodes > Node A would only process node a data and node B would only process node b data.  This in theory would have the potential to double your req / sec.
> 
> 
> 
> Alex
> 
> 
>> On 3 March 2017 at 19:33, polder_trash <nginx-forum at forum.nginx.org> wrote:
>> Alexsamad,
>> I might not have been clear, allow me to try again:
>> 
>> * currently 2 NGINX revproxy nodes, 1 active the other on standby in case
>> node 1 fails.
>> * Since I am injecting an authentication header into the request, the HTTPS
>> request has to be offloaded at the node and introduces additional load
>> compared to injecting into non-encrypted requests.
>> * Current peak load ~60 concurrent requests, ~100% load on CPU. Concurrent
>> requests expected to more than double, so revproxy will be bottleneck.
>> 
>> The NGINX revproxies run as a VM and I can ramp up the machine specs a
>> little bit, but I do not expect this to completely solve the issue here.
>> Therefore I am looking for some method of spreading the requests over
>> multiple backend revproxies, without the load balancer frontend having to
>> deal with SSL offloading.
>> 
>> From the KEMP LoadMaster documentation I found that this technique is called
>> SSL Passthrough. I am currently looking if that is also supported by NGINX.
>> 
>> What do you think? Will this solve my issue? Am I on the wrong track?
>> 
>> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272713,272729#msg-272729
>> 
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170305/6d325004/attachment.html>

More information about the nginx mailing list