Slow SSL Handshake

Posted by MacPrawn 
June 18, 2010 07:39AM
Good morning all,

I'm a new nginx user - so far very pleased with it, overall... We use nginx as a load-balancer in front of 2 Apache web servers, works very, very well.

However, something is puzzling me: it looks like the SSL negotiation is pretty slow. We use http://www.webpagetest.org to test our performance and notice that the SSL negotiation typically takes over 450ms... Which seems to be about twice the time SSL negotiation of other files on other domains...

So I went to my nginx logs, and I see that most of the request time is on nginx (comparing upstream time with request time) so I assume it's the SSL part that does this. I have hunted the web for solutions, found a few and tried them out, but to no avail... Any help or ideas on what to check next would be very much appreciated.

Thanks!


user nginx nginx;
worker_processes 4;
worker_rlimit_nofile 16384;

error_log /var/log/nginx/error.log error;

pid /var/run/nginx.pid;

events {
    worker_connections 16384;
    use epoll;
}

http {
    server_names_hash_bucket_size 64;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    client_body_temp_path /var/spool/nginx-client-body 1 2;
    client_max_body_size 32m;
    client_body_buffer_size 128k;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay off;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:DHE-RSA-AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA;

    keepalive_timeout 1;
    keepalive_requests 10;

    gzip on;
    gzip_comp_level 1;
    gzip_disable msie6;
    gzip_proxied any;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;

    upstream farm {
        server <...>:80 fail_timeout=60s;
        server <...>:80 fail_timeout=60s;
    }

    proxy_cache_path /var/www/nginx_cache levels=1:2 keys_zone=cache:8m max_size=1000m inactive=600m;
    proxy_temp_path /tmp/nginx;
    proxy_cache_key "$scheme://$host$request_uri";

    server {
        listen <...>:443;
        server_name <...>;
        keepalive_timeout 5;
        keepalive_requests 20;

        ssl on;
        ssl_certificate <...>.crt;
        ssl_certificate_key <...>.key;

        access_log <...>.access.log main;
        error_log <...>error.log;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X_FORWARDED_PROTO https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_max_temp_file_size 0;
            proxy_pass http://farm;
            proxy_connect_timeout 120;
            proxy_send_timeout 120;
            proxy_read_timeout 120;

            proxy_buffer_size 4k;
            proxy_buffers 8 4k;
            proxy_busy_buffers_size 8k;
            proxy_temp_file_write_size 8k;
        }
        location ~* "images|scripts" {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X_FORWARDED_PROTO https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_max_temp_file_size 0;
            proxy_pass http://farm;
            proxy_connect_timeout 120;
            proxy_send_timeout 120;
            proxy_read_timeout 120;

            proxy_buffer_size 4k;
            proxy_buffers 8 4k;
            proxy_busy_buffers_size 8k;
            proxy_temp_file_write_size 8k;
            proxy_cache_key "$scheme://$host$request_uri";
            proxy_cache cache;
            proxy_cache_valid 200 302 60m;
            proxy_cache_valid 404 1m;
        }
    }
}
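
The request-time versus upstream-time comparison described in the post can be scripted; the following is an added example, not part of the original post. It assumes a hypothetical log_format whose lines end in `rt=$request_time urt="$upstream_response_time"` (the poster's `main` format is not shown), and the sample log lines are constructed.

```python
import re
from statistics import median

# Assumed (hypothetical) log_format tail: rt=$request_time urt="$upstream_response_time"
LINE_RE = re.compile(r'rt=(?P<rt>\d+\.\d+) urt="(?P<urt>[^"]*)"')

# Constructed sample lines, not taken from the poster's logs.
SAMPLE_LOG = '''\
203.0.113.5 - - [18/Jun/2010:07:30:01 -0400] "GET / HTTP/1.1" 200 5120 rt=0.480 urt="0.030"
203.0.113.5 - - [18/Jun/2010:07:30:02 -0400] "GET /images/a.png HTTP/1.1" 200 900 rt=0.002 urt="-"
203.0.113.9 - - [18/Jun/2010:07:30:03 -0400] "GET /cart HTTP/1.1" 200 700 rt=0.650 urt="0.120, 0.080"
203.0.113.9 - - [18/Jun/2010:07:30:04 -0400] "GET /scripts/x.js HTTP/1.1" 304 0 rt=0.051 urt="0.049"
'''

def upstream_total(field):
    """Sum every upstream attempt; return None when no upstream was contacted."""
    # nginx separates multiple attempts with commas (and colons after redirects).
    parts = [p for p in re.split(r'[,:]\s*', field.strip()) if p and p != '-']
    return sum(float(p) for p in parts) if parts else None

def nginx_overhead(log_text):
    """Per-request (request_time - upstream_time) in seconds, proxied requests only."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not use the assumed format
        up = upstream_total(m.group('urt'))
        if up is None:
            continue  # "-" means no upstream was used, e.g. a proxy_cache hit
        out.append(round(float(m.group('rt')) - up, 3))
    return out

def summarize(log_text):
    """Count, median and maximum of the non-upstream time per request."""
    overhead = nginx_overhead(log_text)
    return {"requests": len(overhead), "median": median(overhead), "max": max(overhead)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

nginx documents `$request_time` as running from the first bytes read from the client until the log write after the last bytes are sent, so the gap computed here also includes the time spent delivering the response to the client.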