February 13, 2017 05:33PM
Hello All,

I am seeing an increase in the number of new TLS connections to my origin server when using NGINX as a reverse proxy. I am offloading TLS at NGINX and starting a new TLS connection to the origin.

The workflow is as follows:

client --> NGINX --> origin server

I would expect NGINX to either persist a handful of TLS connections or, at a minimum, re-use previously established TLS sessions using TLS session tickets.
However, the behavior that we see is that NGINX is apparently opening a new TLS connection to the origin for nearly every client request. This means going through the full asymmetric TLS handshake for nearly every request. This is not desirable, both for the latency added and for the CPU performance hit of going through the full TLS handshake.
I have validated that my origin server supports TLS session re-use by using the following openssl command.

echo | openssl s_client -tls1_2 -reconnect -state -prexit -connect <my origin server IP>:443 | grep -i session-id

Below is the output from "nginx -v"

nginx version: nginx/1.8.1

How can I either persist existing TLS connections or leverage TLS session tickets?

I found the following link that may be relevant.
http://hg.nginx.org/nginx/rev/1356a3b96924

Thanks!
Brooks

P.S. Below are the relevant proxy configs that I have for my origin server.

#proxy rules in place for the domain

proxy_redirect off;
proxy_connect_timeout 15;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffers 8 16k;
proxy_buffer_size 16k;
proxy_busy_buffers_size 64k;

proxy_cache XNXFILES;
proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_cache_valid 301 302 0m;
proxy_cache_valid 200 60m;
proxy_cache_key $host$request_uri;
proxy_http_version 1.1;
proxy_set_header Connection "";

proxy_set_header Accept-Encoding 'gzip';

# The variable $host sets the Host request header sent to the origin server.
proxy_set_header Host $host;

#The variables REQUEST_PROTO and PROXY_TO are used when determining which origin to use.
proxy_pass $REQUEST_PROTO://$PROXY_TO;
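The configuration below is an added example, not part of the original post and not the nginx project's own documentation. It shows the two mechanisms that keep the per-request handshake cost down: an upstream group with a keepalive pool, so an already-established TLS connection is reused for later requests, and TLS session reuse for the cases where a fresh connection is still needed, together with certificate verification so that a pooled connection is only ever kept open to the intended origin. The group name origin_backend, the hostnames and the certificate paths are placeholders; the post's own $PROXY_TO variable would have to evaluate to the group name for the pool to apply.

```nginx
# Added example (not from the original post): upstream keepalive pool plus
# TLS session reuse and verification for proxied connections to the origin.
# Group name, hostnames and file paths are placeholders.

upstream origin_backend {
    server origin.example.com:443;
    # Keep up to 32 idle connections to the origin open per worker process
    # (keepalive appeared in nginx 1.1.4). Without a pool, every proxied
    # request opens and tears down its own upstream connection.
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/certs/www.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;   # placeholder

    location / {
        # Upstream keepalive requires HTTP/1.1 and a cleared Connection header.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;

        # Reuse TLS sessions with the origin when a new connection is needed
        # anyway. The default is on; it is set explicitly here for clarity.
        proxy_ssl_session_reuse on;

        # Send SNI so the origin presents the right certificate, and verify
        # that certificate against a trusted CA bundle (placeholder path) so
        # the connection pool is never built to an unintended endpoint.
        proxy_ssl_server_name on;
        proxy_ssl_name origin.example.com;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/origin-ca.pem;
        proxy_ssl_protocols TLSv1.2;

        # Proxying to the group name (rather than a literal host:port) is what
        # makes the keepalive pool apply. A variable works too, as in the
        # post's $PROXY_TO, provided its value is the group name.
        proxy_pass https://origin_backend;
    }
}
```

Validate with "nginx -t" before reloading. For the pool to help, the origin must itself allow persistent connections rather than closing after each response, and for session reuse the origin needs an enabled SSL session cache or ticket support, which is what the post's openssl s_client -reconnect check confirms.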
Thread index (Subject, Author, Posted):

TLS Multiplexing to the Origin Server, brookscunningham, February 13, 2017 05:33PM
Re: TLS Multiplexing to the Origin Server, Richard Stanway, February 13, 2017 06:22PM