Slow downloads over SSL

Hi,

I’m trying to find answers to a problem that I’m currently experiencing in all my servers. Downloads offered over HTTPS are at least 4 times slower than those delivered over HTTP. All these servers are running nginx/1.6.2. Here is my nginx.conf in case someone has experienced something similar and could give me a hint. By the way, when I say 4 x slower I’m being optimistic… I can download 4-5MB/s over HTTP while HTTPS downloads are 600-700kb/s the fastest I’ve seen.

user www-data;
worker_processes 2;
pid /run/nginx.pid;
worker_rlimit_nofile 4096;

events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}

http {

    # SSL Configuration
    ###################
    ssl_buffer_size 8k;
    ssl_session_cache shared:SSL_CACHE:20m;
    ssl_session_timeout 4h;
    ssl_session_tickets on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on;

    # Custom Settings
    #################

    open_file_cache max=10000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    charset UTF-8;

    client_body_buffer_size 128K;
    client_header_buffer_size 1k;
    client_max_body_size 25m;
    large_client_header_buffers 4 8k;

    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    fastcgi_read_timeout 120s;

    client_body_timeout 20;
    client_header_timeout 20;
    keepalive_timeout 25;
    send_timeout 20;
    reset_timedout_connection on;

    # Basic Settings
    ################

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    server_tokens off;

    server_names_hash_bucket_size 64;
    server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logging Settings
    ##################

    access_log off;
    error_log /var/log/nginx/error.log;

    # Gzip Settings
    ###############

    gzip on;
    #gzip_disable "msie6";
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json
               application/x-javascript
               text/xml application/xml application/xml+rss text/javascript
               application/javascript;

    # Virtual Host Configs
    ######################

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Posted at Nginx Forum:

Your config snippet does not say a thing about how your server(s) handle HTTP and HTTPS.
Do they serve the same content the same way?
Where are performance details (including network trace)?

B. R.

Which algorithm do you use?

jtan,

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.

B.R.

They are serving exactly the same resources at the same time… My vhost points to the same folders for each domain. Files are accessible over HTTP and HTTPS. The slowdown comes when downloading (the same resource) from HTTPS. For example:

http://webmail.domain.tld/test.zip (30MB file can be downloaded at 4-5MB/s)
https://webmail.domain.tld/test.zip (30MB file can be downloaded at 300-700kb/s)

I enabled SPDY to see if that would’ve made a difference but it didn’t. I do have SPDY currently enabled.

Nothing in the configuration part you provided rings any bell to me on why this is going on.
I suggest you take a deeper look at the server level, see if there is not something that might have an impact there.

Also, the usual recommended process to seek the source of the trouble is to find what triggers it, either by:

  • Starting from the minimal configuration serving your files over both
    protocols and, provided the problem disappeared, progressively adding
    directives again until it triggers
  • Starting from your current configuration, progressively removing
    tweaking directives until you reach the minimal configuration or the
    problem disappears

If you got a minimal working example still affected with that problem, I suggest you provide us with it (after having anonymized what appears sensitive to you). If it can be reproduced, then it might be something we missed or a bug.

Happy digging! :o)

B. R.
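
A baseline for the bisection described in the post above, as an added example that is not part of the original thread or any participant's configuration. The certificate paths, document root and the log format name `xfer` are placeholders and assumptions; the hostname is the one used earlier in the thread.

```nginx
# Added example: minimal configuration serving the same file over HTTP and
# HTTPS from one server block, with per-request transfer logging enabled.
user www-data;
worker_processes 2;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Record scheme, bytes sent, request duration and the negotiated TLS
    # protocol and cipher, so both transfers of test.zip can be compared
    # from the server side (the posted config has access_log off).
    log_format xfer '$remote_addr $scheme "$request" $status '
                    '$body_bytes_sent $request_time '
                    '$ssl_protocol $ssl_cipher';
    access_log /var/log/nginx/xfer.log xfer;   # placeholder log path
    error_log  /var/log/nginx/error.log;

    sendfile on;

    server {
        listen 80;
        listen 443 ssl;
        server_name webmail.domain.tld;        # hostname from the thread

        ssl_certificate     /etc/nginx/ssl/PLACEHOLDER.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER.key;   # placeholder

        # Deliberately no ssl_*, gzip, open_file_cache or timeout tuning.
        # If HTTPS is fast here, re-add the posted directives one group per
        # reload (ssl_buffer_size, ssl_ciphers, session cache, SPDY, gzip,
        # tcp_nopush/tcp_nodelay) until the slowdown returns.

        root /var/www/PLACEHOLDER;             # directory holding test.zip
    }
}
```

Validate each step with `nginx -t` before reloading, and compare the `$request_time` values logged for the two schemes after each change.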

Make a pcap, check packet loss/mtu/window size.