SSL support and setup

Hi guys,

From the SSL module documentation page:
http://wiki.codemongers.com/NginxHttpSslModule

it is recommended to run one worker process only and to enable
keep-alive connections.

However, often for serving Rails applications, I see 3 to 5 (probably
more) worker processes in the configuration files. As this must be set
for an nginx process, does this mean that it is better to have 2
running processes? One for normal HTTP listening on port 80 with 5
worker processes, and another one listening on port 443 with 1 worker
process?

How do you set up your single server for SSL and non-SSL requests?

Best regards,

PS: could it be possible to automatically add a [nginx] tag to all
mails sent to the mailing list? That way it is easier to search for
nginx only related mail in my account, as this account is also used
for other mailing-lists.

On Sat, Jan 26, 2008 at 04:53:04PM +0100, Thomas wrote:

running processes? One for normal HTTP listening on port 80 with 5
worker processes, and another one listening on port 443 with 1 worker
process?

How do you set up your single server for SSL and non-SSL requests?

Since introducing shared ssl_session_cache you should use worker_processes
equals to CPU numbers. Also SSL keep-alive connections take about 100K
per idle connection, so you may disable them.

PS: could it be possible to automatically add a [nginx] tag to all
mails sent to the mailing list? That way it is easier to search for
nginx only related mail in my account, as this account is also used
for other mailing-lists.

Majordomo does not correctly unescape MIME-encoded Subjects, so
eventually a Subject line becomes:

[nginx] Re: [nginx] [nginx] …

You may filter messages using the field:
X-BeenThere: [email protected]

Hello,

On Jan 26, 2008 9:30 AM, Igor S. [email protected] wrote:

Since introducing shared ssl_session_cache you should use worker_processes
equals to CPU numbers. Also SSL keep-alive connections take about 100K
per idle connection, so you may disable them.

Given that ssl_session_cache is disabled by default in 0.6.xx, what kind
of negative performance can be expected? Is there any reason (stability or
otherwise) not to make shared the default?

Thanks.

On Sat, Jan 26, 2008 at 12:51:02PM -0800, Adam Z. wrote:

On Jan 26, 2008 9:30 AM, Igor S. [email protected] wrote:

Since introducing shared ssl_session_cache you should use worker_processes
equals to CPU numbers. Also SSL keep-alive connections take about 100K
per idle connection, so you may disable them.

Given that ssl_session_cache is disabled by default in 0.6.xx, what kind
of negative performance can be expected? Is there any reason (stability or
otherwise) not to make shared the default?

The shared ssl_session_cache has no negative performance or stability
problems.

Initially builtin OpenSSL non-shared ssl_session_cache was enabled
only by default. Then it emerged that builtin cache leads to memory
fragmentation, so it should be disabled by default. Then I decided
to choose Apache’s mod_ssl default: off.
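
As an added illustration of the setup discussed in this thread (not a configuration posted by any participant): a single nginx instance serving both HTTP and HTTPS, with worker_processes matched to the CPU count, a shared SSL session cache, and keep-alive disabled on the SSL server. The host name, file paths, backend address, core count, cache size and timeouts are assumptions; `listen 443 ssl` is the syntax of newer nginx releases, where the 0.6.x versions discussed here used `listen 443;` together with `ssl on;`.

```nginx
# Constructed example; names, paths and sizes are placeholders.
worker_processes  4;            # assumed 4-core machine: one worker per CPU

events {
    worker_connections  1024;
}

http {
    # Session cache shared by all workers, so a client that reconnects and
    # lands on a different worker can still resume its SSL session instead
    # of repeating the full handshake. Not enabled by default in the
    # versions discussed in the thread.
    ssl_session_cache    shared:SSL:10m;   # zone name "SSL", 10 MB (assumed)
    ssl_session_timeout  10m;

    upstream rails_app {                   # hypothetical Rails backend
        server 127.0.0.1:3000;
    }

    # Plain HTTP: keep-alive left enabled.
    server {
        listen             80;
        server_name        www.example.com;
        keepalive_timeout  65;

        location / {
            proxy_pass http://rails_app;
        }
    }

    # HTTPS in the same nginx instance, served by the same workers.
    server {
        listen               443 ssl;
        server_name          www.example.com;
        ssl_certificate      /etc/nginx/ssl/example.crt;   # placeholder path
        ssl_certificate_key  /etc/nginx/ssl/example.key;   # placeholder path

        # Idle SSL keep-alive connections cost about 100K each (per the
        # thread); 0 disables keep-alive for this server only.
        keepalive_timeout  0;

        location / {
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass http://rails_app;
        }
    }
}
```

Running `nginx -t` checks the file for syntax errors before the configuration is reloaded.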