Massive slowdown adding ssl to my nginx configuration (running Ubuntu 12.04)

May 1, 2014 3.2k views
rb
By:
rb
As the title says, I recently added ssl to my website and have noticed a massive slow down in response time. I used to average about 250-400ms response time, now it is about 1000ms. Most of this is due to the ssl handshake and an unknown amount of waiting period. The website in question is asianessentials.co.uk. I am currently on the $5 package from digital ocean, does this problem require a hardware upgrade to rectify? Or is it something I can fix from my configuration? Any help would be much appreciated.
Log In to Comment
6 Answers
sianios May 1, 2014
You are fine with the package but if you get more traffic in your website definitely you will need a bigger DO package. Here the website loads in a second, try clearing your browser history, cache etc.
Reply
rb May 1, 2014
Hi Marinos,

I am actually benchmarking using pingdom's tools. They ping my server every minute, so my average values are over a few days and there is definitely an increase in time.

Do you have any tips for how I could reduce the response time without going for a bigger DO package?
Reply
UKn0Me May 1, 2014
Give something like this a try (customizing to suit your setup)

server {
listen 80;
listen 443 ssl spdy;
server_name example.com;
root /path/to/files;
index index.html index.htm index.php;

location / {
try_files $uri $uri/ /index.php?$args;
expires max;
}

if ($https != "on") {
return 301 https://$host$uri;
}

ssl on;
spdy_headers_comp 9;
ssl_stapling on;
resolver 8.8.8.8
8.8.4.4 valid=3600s;
resolver_timeout 4s;
ssl_stapling_verify on;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:60m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000";
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA;

ssl_certificate /path/to/certificate.crt;
ssl_trusted_certificate /path/to/ca.crt;
ssl_certificate_key /path/to/key.key;
}
Reply
asb MOD May 1, 2014
I think Aidhan is pointing you in the right direction. Using spdy is probably your best bet.
Reply
rb May 12, 2014
Hi Aidhan,

Do you mind going through what about that config is customised to suit my setup?

Currently I can see two immediate problems: the default build of nginx on ubuntu 12.04 doesn't support spdy or ssl_stapling.
Reply
jonathan May 17, 2014
@rb: sudo apt-get install nginx-extras
Reply
Have another answer? Share your knowledge.