Tuning client request buffering in ngx_http_proxy_module

Jeffrey Walton noloader at gmail.com
Fri Feb 4 04:00:28 UTC 2022


On Wed, Feb 2, 2022 at 12:45 PM bengalih <nginx-forum at forum.nginx.org> wrote:
>
> > Note that SSL is likely the most important contributor to CPU
> > utilization in this setup.  It might be a good idea to carefully
> > tune ciphers used.
>
> I believe I have set this fairly appropriately.  If you know of a resource
> that would explain this in more detail I would appreciate it.

Key exchange is the expensive part of a TLS connection. Once the key
exchange is complete, the bulk encryption using AES or ChaCha is
relatively fast.

Key exchange will be measured in hundreds of connections per second.
Once the connection is established thousands of clients can be
serviced. But the key exchange is the hard part.

If you use an integer field for key exchange, then DH-2048 and DH-3072
will bog the machine down. You can make key exchange easier by using
elliptic curves.

Also see articles like https://en.wikipedia.org/wiki/TLS_acceleration

Jeff
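
An nginx configuration sketch of the point made in the reply above: keep finite-field DHE out of the TLS 1.2 key exchange and negotiate ECDHE instead. This is an added example, not part of the original message or of the nginx project's documentation. The server name, file paths and upstream address are placeholders, and X25519 assumes nginx is built against OpenSSL 1.1.0 or later.

```nginx
# Added example; example.com, the file paths and the upstream are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;

    # Costly variant (left commented out): finite-field DHE for TLS 1.2.
    # nginx only offers DHE suites when ssl_dhparam is set, so each full
    # handshake then pays for a 2048-bit (or larger) modular exponentiation.
    # ssl_dhparam /etc/nginx/tls/dhparam-2048.pem;
    # ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Cheaper variant: ECDHE-only suites for TLS 1.2 and no ssl_dhparam.
    # Bulk encryption stays AES-GCM or ChaCha20-Poly1305.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Curves offered for the ECDHE exchange, in preference order.
    # ssl_ciphers covers TLS 1.2 and earlier; this list also sets the
    # key-exchange groups used for TLS 1.3.
    ssl_ecdh_curve X25519:prime256v1;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```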


