October 01, 2023 11:10AM
On 2023-09-30 15:09, Vijay Kumar Kamannavar wrote:
> I am using nginx reverse proxy for s3 presigned urls.

[Disclaimer: very limited experience with amazonaws, so will assume that
you comply fully with,
if not, maybe ask them?]


>     # HTTPS server block with SSL certificate and S3 reverse proxy
>     server {
>         listen 443 ssl;
>         ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;

nginx strongly suggested removing SSLv3 nine years
ago. SSL Labs will also give you a rock bottom rating when you allow
TLSv1 and TLSv1.1 (although they might still be vaguely acceptable) and
the latest security standard TLSv1.3 (rfc8446, 2018) works extremely
well in nginx with e.g. CertBot certificates.

*Perhaps* if you updated your config. to basic industry standards
(probably required for compatibility with amazonaws?), then some of your
handshake caching timeouts and errors would be vastly attenuated or


> If I run 4K clients using a simulator, I will see 100% CPU in the nginx
> container. I believe if we cache SSL sessions then SSL handshake for
> every request will be avoided hence we may not have high CPU at nginx
> container.

"run 4k clients"? Over what period of time? Simultaneous, identical
connection requests? Even if your connectivity, router and firewall can
handle that, your "16 Core and 32GB" with potential security problems
could well be brought to its knees. As a rule of thumb for servers
(nginx and apache), I have always used 8 GiB memory per core. YMMV.
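
The protocol point raised in this reply can be checked mechanically. The following is an added example, not part of the original post or of nginx itself: a small Python audit that flags deprecated values in `ssl_protocols` and `proxy_ssl_protocols` directives. The function name `audit_ssl_protocols` and the sample config are constructed for illustration; only the first `ssl_protocols` line is taken from the thread.

```python
import re

# Deprecated protocol versions: SSLv3 (RFC 7568), TLSv1 and TLSv1.1 (RFC 8996).
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Matches ssl_protocols and proxy_ssl_protocols written on a single line.
DIRECTIVE = re.compile(r"(?<!\w)((?:proxy_)?ssl_protocols)\s+([^;]+);")

def audit_ssl_protocols(config_text):
    """Return one finding per directive: line, name, deprecated values, TLSv1.3 enabled."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments (naive: ignores '#' inside quotes)
        for m in DIRECTIVE.finditer(line):
            enabled = m.group(2).split()
            findings.append({
                "line": lineno,
                "directive": m.group(1),
                "deprecated": [p for p in enabled if p in DEPRECATED],
                "tls13": "TLSv1.3" in enabled,
            })
    return findings

# Constructed sample: the first server block uses the ssl_protocols line quoted
# in the thread; the second is a hypothetical corrected block.
SAMPLE = """\
server {
    listen 443 ssl;
    ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE):
        status = "FAIL" if f["deprecated"] else "ok"
        print(f"line {f['line']}: {f['directive']} {status} "
              f"deprecated={f['deprecated']} tls13={f['tls13']}")
```
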

nginx mailing list
Subject Author Posted

SSL Reuse not happening in s3 presigned urls

Vijay Kumar Kamannavar September 30, 2023 03:10PM

Re: SSL Reuse not happening in s3 presigned urls

Paul October 01, 2023 11:10AM

Re: SSL Reuse not happening in s3 presigned urls

Maxim Dounin October 01, 2023 05:14PM
