So, we use an nginx proxy internally as the front end for our production sites. This nginx proxy automatically provisions LetsEncrypt certificates for our sites.
However, when we access our site from the office, or from any location where two or more computers access our site, the second computer gets a very slow response from the HTTPS (443) site (it takes > 30 seconds for the port to open).
The HTTP (port 80) site works fine, with no performance degradation at all.
By slow I mean that if I run telnet nubela.co 443 from the second computer, the TCP connection takes more than 30 seconds to be accepted.
But if I run telnet nubela.co 80, it returns immediately (with a 302 status code redirecting to HTTPS).
The Nth computer (where N >= 2) means any computer that is active while computer 1 is also active. Computer 1 does not need to be actively browsing our production site for the problem to occur.
To reproduce this, you can visit https://nubela.co on one computer, then visit the site from another computer on the same network. The first computer will load quickly and the second will hit the performance problem.
I have no idea why this is happening. Can you help me?
Here is my nginx.conf
# See: https://github.com/h5bp/server-configs-nginx/ for reference
worker_processes auto;
# worker_rlimit_nofile 100000;

events {
    worker_connections 10240;
    multi_accept on;
}

http {
    # Send TCP fast
    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    tcp_nodelay on;

    # Timeouts
    client_body_timeout 30s;
    client_header_timeout 15s;
    keepalive_timeout 20; # overwrite this to be higher if over HTTPS
    keepalive_requests 5;
    reset_timedout_connection on;

    # Extra security
    server_tokens off; # disable exposing server details in headers
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";
    # NOTE: add_header is inherited from this level only when the server/location
    # level defines no add_header of its own; the HTTPS vhost below sets HSTS,
    # so this header is not emitted on those responses.
    add_header "X-UA-Compatible" "IE=Edge"; # force latest IE

    # Content Types
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;

    # Client request buffer sizes
    client_header_buffer_size 2k;
    client_body_buffer_size 2m;
    client_body_in_single_buffer on;
    client_max_body_size 1g;
    large_client_header_buffers 8 128k; # Will return 414/400 if request line or field is too large

    # For other backends
    proxy_buffers 64 32k; # 2mb total
    proxy_buffer_size 32k; # initial
    proxy_busy_buffers_size 512k; # allow 1/4 busy

    # File descriptor metadata cache
    open_file_cache off; # max=10000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;

    # For websockets support
    map $http_upgrade $connection_upgrade {
        default Upgrade;
        '' keep-alive;
    }

    # Gzip compression config
    gzip on;
    gzip_http_version 1.1;
    gzip_disable "msie6";
    gzip_proxied no_etag no_last_modified;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_vary on;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
    # text/html is always compressed by HttpGzipModule

    # SSL config
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the usual minimum today.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:100m;
    ssl_session_tickets off;
    ssl_buffer_size 1400;
    ssl_dhparam /opt/autossl/data/dhparam.pem;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    # (nginx needs a "resolver" directive to look up the OCSP responder host;
    # without one the stapled response is never fetched and a warning is logged.)
    ssl_stapling on;
    ssl_stapling_verify on;

    include /opt/autossl/sites/*.conf;
}
Here is our vhost file
server {
    server_name {{ SERVER_NAMES }};
    listen 443 ssl;
    ssl_certificate /opt/autossl/data/certs/{{ DOMAIN_NAME }}.crt;
    ssl_certificate_key /opt/autossl/data/certs/{{ DOMAIN_NAME }}.key;
    # "preload" is only accepted by the browser preload list together with
    # max-age >= 31536000 and includeSubDomains; 2592000 is 30 days.
    add_header Strict-Transport-Security "max-age=2592000; preload";

    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /opt/autossl/challenges/;
        try_files $uri =404;
    }

    location / {
        proxy_pass http://{{ UPSTREAM_ADDRESS }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        port_in_redirect off;
        proxy_connect_timeout 300;
    }
}

server {
    listen 80;
    server_name {{ SERVER_NAMES }};
    return 302 https://$host$request_uri;
}
I should add that this nginx deployment is rolled out via Ansible as a Docker instance
- name: run autossl server
  docker:
    name: autossl
    image: "nubelacorp/nubela-autossl"
    state: reloaded
    pull: always
    restart_policy: always
    ports:
      - 0.0.0.0:80:80
      - 0.0.0.0:443:443
    volumes:
      - '/opt/autossl/data:/opt/autossl/data'
    log_driver: 'json-file'
    log_opt:
      max-size: '50m'
      max-file: '2'
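As an added example (not part of the question or the answer), this script does what the telnet comparison above does by hand, but separates the TCP connect time from the TLS handshake time for ports 80 and 443 so the slow phase can be named; it assumes the hostname from the question and the Linux SYN retransmit schedule.

```python
"""Time TCP connect and TLS handshake separately (added diagnostic, not from the post).
Linux retransmits an unanswered SYN after 1, 2, 4, 8, 16 s, so a connect that completes
only at about 3, 7, 15 or 31 s had its first SYNs dropped between client and listener
(firewall/NAT, full conntrack table, full listen backlog). No TLS byte has been sent by
then, so nginx's ssl_* settings cannot explain a slow TCP phase.
"""
import socket
import ssl
import sys
import time

SYN_BACKOFF_TOTALS = (1.0, 3.0, 7.0, 15.0, 31.0)  # cumulative Linux SYN retransmit times


def classify(tcp_s, tls_s, slow=1.0):
    """Map phase timings (seconds; tls_s is None for plain HTTP) to (verdict, reason).

    verdict is "ok", "tcp-syn-retransmit", "tcp-slow" or "tls-slow".
    """
    if tcp_s >= slow:
        for total in SYN_BACKOFF_TOTALS:
            if abs(tcp_s - total) < 0.75:
                return ("tcp-syn-retransmit", f"connect took {tcp_s:.1f}s, the {total:.0f}s "
                        "point of the SYN retransmit schedule: earlier SYNs never got a reply")
        return ("tcp-slow", f"connect took {tcp_s:.1f}s with no clear retransmit pattern")
    if tls_s is not None and tls_s >= slow:
        return ("tls-slow", f"TCP was fast but the TLS handshake took {tls_s:.1f}s")
    tls_txt = "n/a" if tls_s is None else f"{tls_s:.2f}s"
    return ("ok", f"tcp {tcp_s:.2f}s, tls {tls_txt}")


def probe(host, port, use_tls, timeout=40.0):
    """Return (tcp_seconds, tls_seconds_or_None) for one fresh connection to host:port."""
    t0 = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    tcp_s = time.monotonic() - t0
    tls_s = None
    if use_tls:
        t1 = time.monotonic()
        # wrap_socket on an already-connected socket performs the handshake immediately
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        tls_s = time.monotonic() - t1
    sock.close()
    return tcp_s, tls_s


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "nubela.co"  # host named in the question
    for port, tls in ((80, False), (443, True)):  # the two ports compared with telnet
        verdict, why = classify(*probe(host, port, tls))
        print(f"{host}:{port} -> {verdict}: {why}")
```

Run it from the "second" computer while the first one is active; a 443 result of tcp-syn-retransmit with port 80 reporting ok points at something in the network path or the kernel's listen queue rather than at the TLS configuration.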
Answer 1
@Nubela I tested with two different systems (MacBook Pros) on the same network, and your site loads just as fast on the second system as on the first.
Your nginx config also looks fine. Checking your ISP or your local caching settings may help you resolve this.