snit (SNI Termination Library) to replace Nginx
Sun Nov 10 03:47:48 CET 2019
On 11/09, Frank Muller wrote:
>Anyone familiar with snit?
I'm one of the people who wrote it.
>We’re facing a performance issue with Nginx used as TLS Termination.
>Nginx is in front of our two Erlang webapps. Both running on the same
>machine, and both based on Cowboy 2.7.0.
> directly accessing the two webapps (plain HTTP) is fast enough for us,
>and Cowboy is doing just great.
> accessing any of the two apps with Nginx (HTTPS) is 3x-5x slower than
Chances are you might have some tuning issues regarding TLS,
If you nevertheless decide to benchmark snit and have it replace nginx,
be aware that snit only handles TLS termination with SNI, and is not a
general proxy; it was in fact a component that was used along with a
router that was built on top of vegur (https://github.com/heroku/vegur).
As such, it wouldn't replace what nginx does for you. If you decide to
use snit, I would recommend using it to front the nginx instances you
would have anyway, to see if it can terminate TLS faster. But nginx does
other stuff, such as request buffering and offering forms of overload
protection your app would no longer have without it (or another actual
proxy server) offering protection.
Another thing you can do if you find that snit gives you good
performance is look with tcpdump or wireshark and see what TLS options,
extensions, ciphersuites, and elliptic curves are being chosen. Most of
the heavy cryptographic lifting is done by underlying C libraries, and
until you get similar priorities chosen by both servers, the comparison
will not be equitable.
If the settings are the same, then you are starting to compare apples
with apples and the higher-level code may be making a difference.
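
The comparison suggested in the message above, as an added example that is not part of the original post or of snit: a Python parser that pulls the protocol version, cipher suite, key-share group and extension list out of a captured ServerHello record and reports where two servers differ. `SERVER_A`, `SERVER_B` and `build_server_hello` are hypothetical names, and the sample records are constructed rather than taken from real captures.

```python
import struct
# A few IANA TLS registry values; codes not listed here are reported as hex.
CIPHERS = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
           0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_server_hello(record: bytes) -> dict:
    """Negotiated parameters from one TLS record holding a ServerHello. The group is
    seen only for TLS 1.3 (key_share); TLS 1.2 sends it in ServerKeyExchange."""
    ctype, _, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rlen or record[5:6] != b"\x02":
        raise ValueError("not a complete ServerHello record")
    body = record[5:5 + rlen]
    version = struct.unpack_from("!H", body, 4)[0]  # legacy_version
    pos = 4 + 2 + 32                  # handshake header, version, random
    pos += 1 + body[pos]              # session_id
    cipher = struct.unpack_from("!H", body, pos)[0]
    pos += 3                          # cipher suite + compression method
    group, exts = None, []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            exts.append(etype)
            if etype == 43:           # supported_versions: real version in TLS 1.3
                version = struct.unpack_from("!H", body, pos + 4)[0]
            elif etype == 51:         # key_share: selected (EC)DHE group
                group = struct.unpack_from("!H", body, pos + 4)[0]
            pos += 4 + elen
    return {"version": VERSIONS.get(version, hex(version)),
            "cipher": CIPHERS.get(cipher, hex(cipher)),
            "group": None if group is None else GROUPS.get(group, hex(group)),
            "extensions": sorted(exts)}

def diff_params(a: dict, b: dict) -> dict:
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}  # fields that disagree

# Constructed sample input (not real captures) for two hypothetical terminators.
def build_server_hello(cipher, exts, sid=b""):
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    msg = (b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid
           + struct.pack("!HBH", cipher, 0, len(ext)) + ext)
    hs = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
SERVER_A = build_server_hello(0x1302, [(43, b"\x03\x04"),
    (51, struct.pack("!HH", 0x001D, 32) + bytes(32))], sid=bytes(32))
SERVER_B = build_server_hello(0xC02F, [(0xFF01, b"\x00"), (11, b"\x01\x00")])
```

An empty result from `diff_params` means both front ends negotiated the same version, cipher suite and group with the test client, which is the precondition the message gives for a fair benchmark.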