snit (SNI Termination Library) to replace Nginx

Fred Hebert mononcqc@REDACTED
Sun Nov 10 03:47:48 CET 2019

On 11/09, Frank Muller wrote:
>Anyone familiar with snit?

I'm one of the people who wrote it.

>We’re facing a performance issue with Nginx used as TLS Termination.
>Nginx is in front of our two Erlang webapps. Both running on the same
>machine, and both based on Cowboy 2.7.0.
>The problem:
>[1] directly accessing the two webapps (plain HTTP) is fast enough for us,
>and Cowboy is doing just great.
>[2] accessing any of the two apps with Nginx (HTTPS) is 3x-5x slower than
>in [1]

Chances are you might have some tuning issues regarding TLS,

If you nevertheless decide to benchmark snit and have it replace nginx, 
be aware that snit only handles TLS termination with SNI, and is not a 
general proxy; it was in fact a component that was used along with a 
router that was built on top of vegur ( 
at Heroku.

As such, it wouldn't replace what nginx does for you. If you decide to 
use snit, I would recommend using it to front the nginx instances you 
would have anyway, to see if it can terminate TLS faster. But nginx does 
other stuff, such as request buffering and offering forms of overload 
protection your app would no longer have without it (or another actual 
proxy server) offering protection.

Another thing you can do if you find that snit gives you good 
performance is look with tcpdump or wireshark and see what TLS options, 
extensions, ciphersuites, and elliptic curves are being chosen. Most of 
the heavy cryptographic lifting is done by underlying C libraries, and 
until you get similar priorities chosen by both servers, the comparison 
will not be equitable.

If the settings are the same, then you are starting to compare apples 
with apples and the higher-level code may be making a difference.


More information about the erlang-questions mailing list