Forum: NGINX ssl proxys https web server is very slow

Yifeng Wang (erick812) on 2014-06-20 10:51
Hi, it's my first time using NGINX to proxy other web servers. I set a
variable in location; this variable may be taken from a cookie or from args. If
I use it directly, like "proxy_pass https://$nodeIp2;", it takes a long
time to get the response, but if I hardcode it, like "proxy_pass
https://147.128.22.152:8443", it works normally. Do I need to set more
configuration parameters to solve this problem? Below is the segment of my
Windows https configuration.

http {
    ...
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;

        location /pau6000lct/ {
            set $nodeIp 147.128.22.152:8443;
            proxy_pass https://$nodeIp;

            proxy_set_header   Host               $http_host;
            proxy_set_header   X-Real-IP          $remote_addr;
            proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto  https;
        }
    }
}
Maxim Dounin (Guest) on 2014-06-20 14:20
(Received via mailing list)
Hello!

On Fri, Jun 20, 2014 at 10:51:38AM +0200, Yifeng Wang wrote:

>     server {
>        listen       443 ssl;
>        server_name  localhost;
>
>        ssl_certificate      server.crt;
>        ssl_certificate_key  server.key;
>
>        location /pau6000lct/ {
>             set $nodeIp 147.128.22.152:8443;
>             proxy_pass https://$nodeIp;

Use of variables in the proxy_pass, in particular, implies that
SSL sessions will not be reused (as upstream address is not known
in advance, and there is no associated storage for an SSL
session).  This means that each connection will have to do full
SSL handshake, and this is likely the reason for the performance
problems you see.

The solution is to use proxy_pass without variables, or to use
preconfigured upstream{} blocks instead of IP addresses if you
have to use variables.

--
Maxim Dounin
http://nginx.org/
Mark Moseley (Guest) on 2014-06-20 19:15
(Received via mailing list)
On Fri, Jun 20, 2014 at 5:20 AM, Maxim Dounin <mdounin@mdounin.ru>
wrote:

> > windows https configuration.
> >        location /pau6000lct/ {
> Solution is to use proxy_pass without variables, or use
> preconfigured upstream{} blocks instead of ip addresses if you
> have to use variables.
>

So to prevent the heart attack I almost just had, can you confirm how I
interpret that last statement:

If you define your upstream using "upstream upstream_name etc" and then
use a variable indicating the name of the upstream in the proxy_pass
statement, that will *not* cause SSL sessions to not be reused. I.e.
proxy_pass with a variable indicating an upstream would not cause a
performance issue.

Is that correct?
Maxim Dounin (Guest) on 2014-06-20 21:13
(Received via mailing list)
Hello!

On Fri, Jun 20, 2014 at 10:14:54AM -0700, Mark Moseley wrote:

> > > https://147.128.22.152:8443" it works normally. Do I need to set more
> > >        ssl_certificate_key  server.key;
> > problems you see.
> a variable indicating the name of the upstream in proxy_pass statement,
> that will *not* cause SSL sessions to not be reused. I.e. proxy_pass with a
> variable indicating upstream would not cause a performance issue.
>
> Is that correct?

Yes.  If there is an upstream{} block, SSL sessions with upstream
servers will be reused regardless of use of variables in the
proxy_pass directive.

--
Maxim Dounin
http://nginx.org/
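The two answers above, as an added configuration example (not the poster's config or anything from nginx.org): the slow variant from the thread, where the variable holds a raw address and no SSL session can be cached, next to the recommended variant, where the variable names a preconfigured upstream{} block. The second backend address (192.0.2.10, a documentation-range placeholder), the cookie name "node" and the upstream names are assumptions; the map keeps the client-chosen value confined to a fixed set of backends rather than letting a cookie point the proxy at an arbitrary host.

```nginx
# Added example, not the original poster's configuration.
# One upstream{} block per backend: with a named group, SSL sessions to the
# backend are reused even when proxy_pass takes its target from a variable.
upstream node_a { server 147.128.22.152:8443; }
upstream node_b { server 192.0.2.10:8443; }   # placeholder address (assumption)

# Map the client-supplied cookie onto upstream names. Anything not listed
# falls back to node_a, so the client cannot choose an arbitrary destination.
map $cookie_node $node_upstream {
    default node_a;
    a       node_a;
    b       node_b;
}

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      server.crt;
    ssl_certificate_key  server.key;

    location /pau6000lct/ {
        # Slow variant from the thread: a raw address in a variable means
        # nginx has nowhere to store the SSL session, so every proxied
        # request performs a full handshake.
        # set $nodeIp 147.128.22.152:8443;
        # proxy_pass https://$nodeIp;

        # Fast variant: the variable resolves to an upstream{} block name,
        # so the per-server SSL session cache applies.
        proxy_pass https://$node_upstream;
        proxy_ssl_session_reuse on;   # nginx default, stated explicitly

        proxy_set_header   Host               $http_host;
        proxy_set_header   X-Real-IP          $remote_addr;
        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto  https;
    }
}
```

Adding a backend therefore means adding an upstream{} block and a map entry and reloading nginx, rather than letting the request carry the address itself.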
Yifeng Wang (erick812) on 2014-06-23 03:55
Hi, I do not use upstream, because the web servers are added dynamically.
I must get the address from the cookie or args, and then NGINX will proxy using
this address.
I found that if I remove this security configuration from the "web.xml" file
of my project:

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Oh, it works faster than before.
I guess this is the reason why it ran slowly.
Thanks, guys.