snit (SNI Termination Library) to replace Nginx

Frank Muller frank.muller.erl@REDACTED
Sat Nov 9 00:14:24 CET 2019


Hi guys

Anyone familiar with snit?
https://github.com/heroku/snit

We’re facing a performance issue with Nginx used as TLS Termination.
Nginx is in front of our two Erlang webapps. Both running on the same
machine, and both based on Cowboy 2.7.0.

The problem:
[1] directly accessing the two webapps (plain HTTP) is fast enough for us,
and Cowboy is doing just great.
[2] accessing any of the two apps with Nginx (HTTPS) is 3x-5x slower than
in [1]

We selected Nginx for its ability to hide our apps, and be able to access
them both on port 443 (default HTTPS).

Our Nginx config is pretty simple, tuned for SSL/TLS.
______________________________________________
server {
        listen  443 ssl;

        server_name  app1.acme.com; # the 2nd webapp is running on: app2.acme.com

        ssl on;
        ssl_certificate         /etc/nginx/certs/app1/crt.pem;
        ssl_certificate_key /etc/nginx/certs/app1/key.pem;
        ssl_dhparam         /etc/nginx/certs/app1/dh.pem;

        ssl_protocols       TLSv1.2;

        ssl_prefer_server_ciphers on;

        ssl_ecdh_curve secp384r1;

        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout  1d;
        ssl_session_tickets off;

        ssl_stapling on;
        ssl_stapling_verify on;

        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        ssl_buffer_size 8k;

        keepalive_timeout 0;


        client_max_body_size 0;
        client_body_buffer_size 4m;
        client_header_timeout  300;
        client_body_timeout    300;
        client_header_buffer_size    1k;
        large_client_header_buffers  4 4k;

        location = /favicon.ico {
           access_log off;
           return 204;
        }

        location / {
           send_timeout           5;

           proxy_http_version 1.1;
           proxy_buffering off;
           proxy_request_buffering off;
           proxy_ignore_headers "Cache-Control" "Expires";
           proxy_max_temp_file_size 30m;
           proxy_connect_timeout 300;
           proxy_read_timeout 300;
           proxy_send_timeout 300;
           proxy_intercept_errors off;

           proxy_set_header        X-Real-IP       $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

           proxy_pass http://127.0.0.1:2222; # the 2nd webapp has: proxy_pass http://127.0.0.1:3333;
        }
}
______________________________________________

Can snit be used to replace Nginx?
Help and suggestions appreciated.

Best
/Frank
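An added example (not Frank's config and not snit code): the same two apps behind one :443 listener selected by SNI, with the two settings in the posted config that make every request pay a fresh TCP+TLS handshake replaced, and the curve changed to a cheaper one. It assumes nginx built against OpenSSL 1.1.0 or newer, that the snippet is included from the http context, and the app2 certificate paths; stapling, resolver and timeout directives are left as in the post.

```nginx
# Shared TLS settings (http context, inherited by both server blocks).
ssl_protocols             TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve            X25519:prime256v1;  # P-384 ECDHE is markedly slower than P-256/X25519
ssl_session_cache         shared:SSL:50m;      # resumption: one full handshake per client, not per request
ssl_session_timeout       1d;
ssl_session_tickets       off;

# Client side: keepalive_timeout 0 disables HTTP keep-alive, so every
# request reopened TCP and renegotiated TLS. Let browsers reuse connections.
keepalive_timeout 65;

# Upstream side: reuse connections to Cowboy instead of opening one per request.
proxy_http_version 1.1;
proxy_set_header   Connection "";          # required for upstream keepalive to work
proxy_set_header   Host            $host;  # otherwise Cowboy sees the upstream name as Host
proxy_set_header   X-Real-IP       $remote_addr;
proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering    off;

upstream app1_backend { server 127.0.0.1:2222; keepalive 32; }
upstream app2_backend { server 127.0.0.1:3333; keepalive 32; }

server {
    listen 443 ssl;                      # "ssl on;" is redundant with this and deprecated
    server_name app1.acme.com;
    ssl_certificate     /etc/nginx/certs/app1/crt.pem;
    ssl_certificate_key /etc/nginx/certs/app1/key.pem;
    location / { proxy_pass http://app1_backend; }
}

server {
    listen 443 ssl;
    server_name app2.acme.com;           # nginx picks this block from the SNI name
    ssl_certificate     /etc/nginx/certs/app2/crt.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/app2/key.pem;   # assumed path
    location / { proxy_pass http://app2_backend; }
}
```

Running `openssl s_time -connect app1.acme.com:443 -new` and then with `-reuse` before and after the change shows whether session resumption is actually taking effect and how much of the gap is handshake cost.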