
So the setup for our website is 4 nodes running rails 3 and nginx 1 that all use the same GoDaddy certificate. Because we are a paid site, we have to maintain PCI-DSS compliance and thus have to use the more expensive SSL ciphers -- also we force SSL using Rack. I've recently switched over to Linode's NodeBalancer (which I've read is an HACluster), and we're not getting the performance we'd ideally like.

From what I've read, it looks like terminating the SSL on the nodes using the high cipher is what is causing the poor performance, but I'd like to be thorough. Is there anything I can do? I've read about other ways to terminate the SSL before the NodeBalancer (like using stud), but I don't know enough about these solutions. We certainly don't want to do anything experimental or anything that has a single point of failure.

If there really isn't anything I can do to speed up the SSL handshake, my alternative would be to support certain pages on Rails using a secure and an insecure subdomain. I've found a few guides that walk through that, but my resulting question is: in this situation, would it be better to have nginx handle forcing SSL on the secure subdomain instead of Rails?

Thanks!

  • Are HTTP connections kept alive properly? How have you determined that the SSL is the issue - and is the issue slow responses to clients, or an actual resource bottleneck in the load balancer? – Shane Madden Apr 06 '12 at 02:29
  • I have the following two settings in my nginx.conf: `keepalive_timeout 65;` `ssl_session_timeout 5m;`. Is this correct? – paulnsorensen Apr 06 '12 at 21:40

1 Answer


My tips for making SSL fast, having worked on sites that handle tens of thousands of SSL connections per second:

  1. Terminate SSL on the web machines, not in the load balancer. Putting it on the load balancer is a choke point.
  2. Tune your ciphers -- yes, there are high-security ciphers that don't suck the life out of you.
  3. Enable all the various forms of SSL session caching; this benefits both your CPU and your response times to clients. Ignore idiots who tell you to turn on session affinity; use a centralised SSL session store to allow all your frontend webservers the benefit of the cache.
womble
  • I've changed my ciphers to these: `ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;` but I haven't pushed it live yet. Per point #3, if I set up a couple servers as a memcached cluster and used [this](http://wiki.nginx.org/HttpMemcachedModule) on nginx, I would be able to turn off session stickiness? Is there something I'd need to configure in rails as well? – paulnsorensen Apr 06 '12 at 21:44
  • You *might* be able to turn off session affinity, if you don't need it for anything else (centrally stored sessions). – womble Apr 06 '12 at 23:41
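A way to check that point 3 in the answer (session caching) is actually taking effect, as an added example that is not part of the original question or answer: a POSIX shell script that counts how many of the connections made by `openssl s_client -reconnect` resumed the cached session instead of doing a full handshake. It assumes `openssl` is installed; the host and port are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example: measure TLS session resumption against a server.
# `openssl s_client -reconnect` does one full handshake and then reconnects
# five more times offering the same session; each connection prints a line
# starting with "New," (full handshake) or "Reused," (resumed from cache).

# Summarise s_client output read from stdin.
# Prints "reused=<n> new=<m>" and returns 0 only when exactly one
# connection was a fresh handshake and every other one was resumed.
resumption_summary() {
    awk '
        /^New,/    { new++ }
        /^Reused,/ { reused++ }
        END {
            printf "reused=%d new=%d\n", reused, new
            exit (new == 1 && reused > 0) ? 0 : 1
        }'
}

# Run the probe against a real host. nginx's `ssl_session_cache shared:`
# is shared between the worker processes of one nginx instance, not
# between machines, so probe each backend node directly as well as the
# balancer's public address: if successive connections through the
# balancer land on different nodes, the "New," count goes up unless the
# nodes share a session store (the point womble's answer is making).
probe_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -reconnect </dev/null 2>/dev/null \
        | resumption_summary
}

# Usage: ./tls-resume-check.sh www.example.com [443]
if [ $# -ge 1 ]; then
    probe_host "$@"
fi
```

Run it once per backend and once against the balancer; a healthy setup reports `new=1` everywhere, and a balancer result with several `New,` lines points at the cache not being shared across nodes rather than at the cipher choice.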