You'll want to proxy_pass to a named upstream with keepalive enabled. http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
On Mon, Feb 13, 2017 at 11:33 PM, brookscunningham <[email protected]> wrote:

> Hello All,
>
> I am seeing an increase in the number of new TLS connections to my origin
> server when using NGINX as a reverse proxy. I am offloading TLS at NGINX
> and starting a new TLS connection to the origin.
>
> The workflow is as follows:
>
> client --> NGINX --> origin server
>
> I would expect NGINX to either persist a handful of TLS connections or at a
> minimum re-use previously established TLS connections using TLS session
> tickets.
> However, the behavior that we see is NGINX is apparently opening a new TLS
> connection to the origin for nearly every client request. This means going
> through the full asymmetric TLS handshake for nearly every request. This is
> not desirable for both the latency added and CPU performance hit for going
> through the full TLS handshake.
> I have validated that my origin server supports TLS Session re-use by using
> the following openssl command.
>
> echo | openssl s_client -tls1_2 -reconnect -state -prexit -connect <my origin server IP>:443 | grep -i session-id
>
> Below is the output from "nginx -v"
>
> nginx version: nginx/1.8.1
>
> How can I either persist existing TLS connections or leverage TLS session
> tickets?
>
> I found the following link that may be relevant.
> http://hg.nginx.org/nginx/rev/1356a3b96924
>
> Thanks!
> Brooks
>
> P.S. Below are the relevant proxy configs that I have for my origin server.
>
> #proxy rules in place for the domain
>
> proxy_redirect off;
> proxy_connect_timeout 15;
> proxy_send_timeout 60;
> proxy_read_timeout 60;
> proxy_buffers 8 16k;
> proxy_buffer_size 16k;
> proxy_busy_buffers_size 64k;
>
> proxy_cache XNXFILES;
> proxy_cache_use_stale updating error timeout invalid_header http_500 http_502 http_503 http_504;
> proxy_cache_valid 301 302 0m;
> proxy_cache_valid 200 60m;
> proxy_cache_key $host$request_uri;
> proxy_http_version 1.1;
> proxy_set_header Connection "";
>
> proxy_set_header Accept-Encoding 'gzip';
>
> # The variable $host sets the host request header to the origin server.
> proxy_set_header Host $host;
>
> # The variables REQUEST_PROTO and PROXY_TO are used when determining which origin to use.
> proxy_pass $REQUEST_PROTO://$PROXY_TO;
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272389,272389#msg-272389
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
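The setup the reply points to, as an added example that is not part of the original thread or the nginx project's own configuration. The group name `origin_tls`, the address `192.0.2.10`, the name `origin.example.com` and the two `set` lines are constructed assumptions, since the thread does not show how `$REQUEST_PROTO` and `$PROXY_TO` are assigned.

```nginx
# Added example. Placeholders: origin_tls, 192.0.2.10, origin.example.com.

# In the http{} context:
upstream origin_tls {
    server 192.0.2.10:443;

    # Idle connections each worker process keeps open to this group.
    # A request served over a cached connection needs no new TCP
    # connection and no new TLS handshake.
    keepalive 16;
}

# In the existing server{} block that terminates client TLS:
location / {
    # Assumption: how these variables are set is not shown in the thread.
    # The value of $PROXY_TO must equal the upstream group name. Any
    # other value is resolved as a hostname through the resolver and
    # the connection does not go through the keepalive pool.
    set $REQUEST_PROTO https;
    set $PROXY_TO origin_tls;
    proxy_pass $REQUEST_PROTO://$PROXY_TO;

    # Both are required for upstream keepalive; the posted
    # configuration already has them.
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;

    # proxy_pass now names the group instead of the origin host, and
    # proxy_ssl_name defaults to the host part of proxy_pass, so set
    # the name sent in SNI explicitly.
    proxy_ssl_server_name on;
    proxy_ssl_name origin.example.com;

    # Default is on: when a new upstream connection is needed, resume
    # the saved TLS session instead of doing a full handshake.
    proxy_ssl_session_reuse on;
}
```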
