SSL proxy slow

Here is my server config. When I go to http://prod.givvy.com the
result is normal. When I go to https://prod.givvy.com it’s dog slow.

Any idea as to how to speed up the SSL side of it? (Right now I am
using a local host change to point to the right IP address, as
prod.givvy.com points to a maintenance page.) We want to launch the
site tomorrow, but this is a huge problem for us. I’d hate to launch
it with one server.

Thanks
James

http {

 upstream givvymain {
     server 75.101.150.160:80        max_fails=1  fail_timeout=30s;
     server 67.202.3.21:80           max_fails=1  fail_timeout=30s;
 }

 upstream givvymainssl {
     server 75.101.150.160:443       max_fails=1  fail_timeout=30s;
     server 67.202.3.21:443          max_fails=1  fail_timeout=30s;
 }

 server {
     listen 80;
     server_name prod.givvy.com;
     location / {
         proxy_pass http://givvymain;
         proxy_next_upstream error timeout;
     }
 }


 server {
     listen 443;
     server_name prod.givvy.com;

     ssl on;
     ssl_certificate /####PATH TO CERT###/;
     ssl_certificate_key /####PATH TO KEY###/;
     keepalive_timeout 70;

     location / {
         proxy_set_header X-FORWARDED_PROTO https;
         proxy_pass https://givvymainssl;
     }
 }

}

Hi James,

If nginx is acting as your SSL handler then you don’t need to pass SSL
back to your app. This should be sufficient.

location / {
    proxy_set_header X-FORWARDED_PROTO https;
    # plain HTTP to the port-80 pool; TLS is terminated at this nginx
    proxy_pass http://givvymain;
}

Cheers

Dave

I do need to pass SSL back to my app from the front nginx server,
because we are using EC2 for our servers, so I do need to encrypt them
back to the 2 front end servers, as it’s on a public network, and the
network is public.

James

The dog slowness you are seeing is probably nginx renegotiating SSL on
every backend request. At the moment nginx will issue a connection close
after each request.

If you are using nginx as an SSL load balancer you might need to use
something else (varnish? squid?) that can maintain persistent
connections to your backend; this might help, a bit.

Cheers

Dave
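As an added example (not from this thread), here is James's 443 server block rewritten so that nginx keeps its connections to the TLS backends open and reuses TLS sessions, instead of closing and re-handshaking on every proxied request. It relies on upstream `keepalive`, `proxy_http_version`, and the `proxy_ssl_verify`/`proxy_ssl_name` directives, all added to nginx after 2008, and the certificate paths are placeholders.

```nginx
# Added example: same two-backend topology as James's config, but the
# backend connections are pooled and TLS sessions reused, so the full SSL
# handshake is not paid for on every request.
upstream givvymainssl {
    server 75.101.150.160:443  max_fails=1 fail_timeout=30s;
    server 67.202.3.21:443     max_fails=1 fail_timeout=30s;
    # Keep up to 16 idle backend connections per worker open for reuse.
    keepalive 16;
}

server {
    listen 443 ssl;                  # newer spelling of "ssl on;"
    server_name prod.givvy.com;
    ssl_certificate     /path/to/cert.pem;   # placeholder
    ssl_certificate_key /path/to/key.pem;    # placeholder
    keepalive_timeout 70;

    location / {
        proxy_pass https://givvymainssl;

        # HTTP/1.1 with an empty Connection header is required, otherwise
        # nginx sends "Connection: close" and the keepalive pool is unused.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Reuse the negotiated TLS session with the backend (default on,
        # shown here because it is the point of the example).
        proxy_ssl_session_reuse on;

        # Encryption to the backend over a public network is only worth
        # something if the backend's certificate is actually checked.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/backend-ca.pem;  # placeholder
        proxy_ssl_name backend.givvy.example;   # placeholder: name in backend cert

        # Hyphenated header name; many backends drop underscored names.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;
        proxy_next_upstream error timeout;
    }
}
```

If the backends use a self-signed certificate, point `proxy_ssl_trusted_certificate` at that certificate itself rather than turning verification off.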

Thanks Dave. I’ll look into both of those.

Thanks,
James

varnish can’t act as an ssl server, not sure about being an ssl client.

we’ve decided for the time being to go round robin DNS for now. It’s
got its disadvantages, but since the site launches in the morning, I
don’t have time to play with it before the launch, too many other
things to do. Kind of sucks, I was really excited about using nginx.

James

If the http version is identical to the https version, what difference
does it make if the connection between the frontend and backend is
encrypted?

I think Apache supports persistent connections and SSL to the backend server.

2008/9/9 James [email protected]:

gotcha. maybe a vpn connection between the front end and back ends
would be more appropriate than ssl?

we’re sending credit card data, as the back end of the proxy is still
on public network interface, and since it’s EC2 I can’t change that.

James

I was thinking about that, maybe an ssh tunnel between the 2 servers,
but I don’t have time to try that theory tonight. I’ll try it again
later this week.

James

Only just saw this - vpn might be a neat solution, you might try

if you’re still thinking about it

bests
Igor