SSL proxy to an HTTPS web server is very slow

Hi, it’s my first time using NGINX to proxy other web servers. I set a
variable in a location; this variable may be taken from a cookie or args.
If I use it directly, like “proxy_pass https://$nodeIp2;”, it takes a long
time to get the response, but if I hardcode it, like “proxy_pass
https://147.128.22.152:8443”, it works normally. Do I need to set more
configuration parameters to solve this problem? Below is the segment of my
Windows HTTPS configuration.

http {

    server {
        listen 443 ssl;
        server_name localhost;

        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;

        location /pau6000lct/ {
            set $nodeIp 147.128.22.152:8443;
            proxy_pass https://$nodeIp;

            proxy_set_header   Host               $http_host;
            proxy_set_header   X-Real-IP          $remote_addr;
            proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto  https;
        }
    }

}

Hello!

On Fri, Jun 20, 2014 at 10:51:38AM +0200, Yifeng Wang wrote:

> server {
>    listen       443 ssl;
>    server_name  localhost;
>
>    ssl_certificate      server.crt;
>    ssl_certificate_key  server.key;
>
>    location /pau6000lct/ {
>         set $nodeIp 147.128.22.152:8443;
>         proxy_pass https://$nodeIp;

Use of variables in the proxy_pass, in particular, implies that
SSL sessions will not be reused (as upstream address is not known
in advance, and there is no associated storage for an SSL
session). This means that each connection will have to do full
SSL handshake, and this is likely the reason for the performance
problems you see.

Solution is to use proxy_pass without variables, or use
preconfigured upstream{} blocks instead of ip addresses if you
have to use variables.


Maxim D.
http://nginx.org/

On Fri, Jun 20, 2014 at 5:20 AM, Maxim D. wrote:

> Solution is to use proxy_pass without variables, or use
> preconfigured upstream{} blocks instead of ip addresses if you
> have to use variables.

So to prevent the heart attack I almost just had, can you confirm how I
interpret that last statement:

If you define your upstream using “upstream upstream_name etc” and then
use a variable indicating the name of the upstream in proxy_pass statement,
that will not cause SSL sessions to not be reused. I.e. proxy_pass with a
variable indicating upstream would not cause a performance issue.

Is that correct?

Hello!

On Fri, Jun 20, 2014 at 10:14:54AM -0700, Mark M. wrote:

> a variable indicating the name of the upstream in proxy_pass statement,
> that will not cause SSL sessions to not be reused. I.e. proxy_pass with a
> variable indicating upstream would not cause a performance issue.
>
> Is that correct?

Yes. If there is an upstream{} block, SSL sessions with upstream
servers will be reused regardless of use of variables in the
proxy_pass directive.


Maxim D.
http://nginx.org/
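
Added example (not code from the thread's participants or from the nginx project): the layout described in the replies above, with one upstream{} block per backend and proxy_pass given a variable that holds the upstream's name rather than an address. The upstream names node_a and node_b, the "node" query argument and cookie, and the 192.0.2.10 address are assumptions made for illustration.

```nginx
# Added example. node_a/node_b, "node" arg/cookie and 192.0.2.10 are assumptions.
events {}

http {
    # Each backend is declared ahead of time, so nginx has a place to keep
    # the SSL session for it and can resume it on later connections.
    upstream node_a {
        server 147.128.22.152:8443;
    }
    upstream node_b {
        server 192.0.2.10:8443;        # constructed documentation address
    }

    # Selector comes from ?node=..., falling back to the "node" cookie.
    map $arg_node $node_key {
        ""      $cookie_node;
        default $arg_node;
    }

    # Translate the client-supplied key into an upstream *name*; anything
    # not listed maps to the empty string and is rejected below.
    map $node_key $node_upstream {
        default "";
        a       node_a;
        b       node_b;
    }

    server {
        listen 443 ssl;
        server_name localhost;

        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;

        location /pau6000lct/ {
            if ($node_upstream = "") {
                return 404;
            }
            # The variable names an upstream{} block, not an address.
            proxy_pass https://$node_upstream;
            proxy_ssl_session_reuse on;    # nginx default, shown for clarity

            proxy_set_header   Host               $http_host;
            proxy_set_header   X-Real-IP          $remote_addr;
            proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto  https;
        }
    }
}
```

Adding a backend in this layout means adding an upstream{} block and a map entry, then reloading nginx. Because the cookie or argument only selects among listed names, the proxy can reach configured backends only.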

Hi, I do not use upstream, because the web server is added dynamically.
I must get the address from the cookie or args, then NGINX will proxy
using this address.
I found that if I removed some security configuration in the “web.xml”
file of my project:

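    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>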

Oh, it worked faster than before.
I guess maybe this is the reason why it runs slowly.
Thanks, guys.