snit (SNI Termination Library) to replace Nginx
Mikael Karlsson
karlsson.rm@REDACTED
Sat Nov 9 03:58:48 CET 2019
Hi,
Did you try with proxy_buffering set to on, and/or changing the
proxy_buffer_size?
Regards Mikael
On Sat, 9 Nov 2019 at 00:14, Frank Muller <frank.muller.erl@REDACTED> wrote:
> Hi guys
>
> Anyone familiar with snit?
> https://github.com/heroku/snit
>
> We’re facing a performance issue with Nginx used as TLS Termination.
> Nginx is in front of our two Erlang webapps. Both running on the same
> machine, and both based on Cowboy 2.7.0.
>
> The problem:
> [1] directly accessing the two webapps (plain HTTP) is fast enough for us,
> and Cowboy is doing just great.
> [2] accessing any of the two apps with Nginx (HTTPS) is 3x-5x slower than
> in [1]
>
> We selected Nginx for its ability to hide our apps, and be able to access
> them both on port 443 (default HTTPS).
>
> Our Nginx config is pretty simple, tuned for SSL/TLS.
> ______________________________________________
> server {
>     listen 443 ssl;
>
>     server_name app1.acme.com; # the 2nd webapp is running on: app2.acme.com
>
>     ssl on;
>     ssl_certificate /etc/nginx/certs/app1/crt.pem;
>     ssl_certificate_key /etc/nginx/certs/app1/key.pem;
>     ssl_dhparam /etc/nginx/certs/app1/dh.pem;
>
>     ssl_protocols TLSv1.2;
>
>     ssl_prefer_server_ciphers on;
>
>     ssl_ecdh_curve secp384r1;
>
>     ssl_session_cache shared:SSL:50m;
>     ssl_session_timeout 1d;
>     ssl_session_tickets off;
>
>     ssl_stapling on;
>     ssl_stapling_verify on;
>
>     resolver 8.8.8.8 8.8.4.4 valid=300s;
>     resolver_timeout 5s;
>
>     ssl_buffer_size 8k;
>
>     keepalive_timeout 0;
>
>
>     client_max_body_size 0;
>     client_body_buffer_size 4m;
>     client_header_timeout 300;
>     client_body_timeout 300;
>     client_header_buffer_size 1k;
>     large_client_header_buffers 4 4k;
>
>     location = /favicon.ico {
>         access_log off;
>         return 204;
>     }
>
>     location / {
>         send_timeout 5;
>
>         proxy_http_version 1.1;
>         proxy_buffering off;
>         proxy_request_buffering off;
>         proxy_ignore_headers "Cache-Control" "Expires";
>         proxy_max_temp_file_size 30m;
>         proxy_connect_timeout 300;
>         proxy_read_timeout 300;
>         proxy_send_timeout 300;
>         proxy_intercept_errors off;
>
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
>         proxy_pass http://127.0.0.1:2222; # the 2nd webapp has: proxy_pass http://127.0.0.1:3333;
>     }
> }
> ______________________________________________
>
> Can snit be used to replace Nginx?
> Help and suggestions appreciated.
>
> Best
> /Frank
>