Hi Maxim,
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Sun, Aug 19, 2012 at 11:06:22PM -0400, d2radio wrote:
>
> > Thanks Francis,
> >
> > Yes I suspected that it was somehow renegotiating the ssl handshake
> > for each request whereas firefox/firebug was caching the handshake
> > thus showing quicker response times.
> >
> > Timing curl over https gave me an average of 80ms response time,
> > timing curl over http gave me an average of 10ms similar to what
> > nginx was achieving talking to the backend via http.
> >
> > I'm happy to announce though that you were bang on the money with
> > the keepalive directive. As soon as I added that into my upstream
> > declaration the response times dropped considerably and I'm now
> > getting performance similar to as if I was requesting the content
> > directly from the upstream server.
> >
> > Thanks Francis you're a legend :)
>
> Strange thing is that SSL session reuse doesn't work for you. It
> is on by default and should do more or less the same thing unless
> you've switched it off with proxy_ssl_session_reuse[1] directive or
> forgot to configure session cache on your backend server.
>
> (Another question to consider is whether you really need to spend
> resources on SSL between nginx and your backend.)
>
> [1] http://nginx.org/r/proxy_ssl_session_reuse
>
> Maxim Dounin
Thanks, yes I thought it was strange that ssl session reuse didn't work either as I thought that had been enabled by default in a recent release.
I can confirm that we don't have the directive proxy_ssl_session_reuse set in any of the config files and we have left the upstream server caching settings at their defaults which I think for IIS 6.0 is 5 minutes if I remember correctly.
Yes, you're correct, I would agree that it's probably not the best approach to be talking to an upstream server via HTTPS but unfortunately at the moment that's not an option due to how the upstream applications work which weren't written by me.
Thanks for your time.
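
The setup discussed in this thread, sketched as an added example that is not taken from the poster's configuration: an HTTPS upstream with a keepalive pool, plus the `proxy_ssl_session_reuse` directive written out explicitly. The upstream name, backend address, listen port and pool size are assumptions.

```nginx
# Added example; goes inside the http { } context.
# Upstream name, address and pool size below are placeholders.
upstream backend_https {
    server backend.example.internal:443;

    # Keep up to 16 idle connections per worker process open to the
    # backend, so proxied requests reuse an established TLS connection
    # instead of paying for a new handshake each time.
    keepalive 16;
}

server {
    listen 80;

    location / {
        proxy_pass https://backend_https;

        # Upstream keepalive only takes effect with HTTP/1.1 and a
        # cleared Connection header; by default nginx proxies with
        # HTTP/1.0 and sends "Connection: close" to the backend.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # On by default; written out here for clarity. When a new
        # connection does have to be opened, nginx offers the previous
        # TLS session so the backend can do an abbreviated handshake,
        # provided the backend still has that session in its cache.
        proxy_ssl_session_reuse on;
    }
}
```

The two mechanisms are complementary: keepalive avoids new connections altogether, while session reuse only shortens the handshake on connections that still have to be opened.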