> after applying tcp_nopush off, the test that we have in place is working as
> expected. The problem is that this improvement is not happening on production.
Our production environment is mainly a CDN -> NGinx -> Origin. We want to use
Nginx in order to control the eviction time of the content (
Hello!
On Tue, Feb 12, 2019 at 11:03:08AM -0600, Dusty Campbell wrote:
> Is there a way to force HTTP 1.0 for a location?
>
> I need to proxy a feature that depends on HTTP 1.0, not just between Nginx
> and the backend server, but also between the client and Nginx.
There is no way to force HTTP
Hi,
after applying tcp_nopush off, the test that we have in place is working as
expected. The problem is that this improvement is not happening on
production.
Our production environment is mainly a CDN -> NGinx -> Origin. We want to
use Nginx in order to control the eviction time of the content (o
Hello,
Is there a way to force HTTP 1.0 for a location?
I need to proxy a feature that depends on HTTP 1.0, not just between Nginx
and the backend server, but also between the client and Nginx.
Thanks,
Dusty Campbell
___
nginx mailing list
nginx@nginx.
Hi Richard. HAProxy defaults to reading all certs in a directory and
matching host names via SNI. Here is the top of my haproxy config, you
can see how I redirect LE requests to another server, which solely services
up responses to acme-challenges:
frontend http
    mode http
    bind 0.0.0.0:80
> X-MShield-Cache-Status: STALE
> 0.004329:0.00:0.004364:0.00:0.212526:0.212644
I see according to the timings you hit the 200ms tcp_nopush delay.
Try setting tcp_nopush off;
For more explanation you can read up
https://forum.nginx.org/read.php?2,280434,280462#msg-280462
rr
_
Hi Peter and Reinis,
I do have a lot of cache, currently I have ~45 million keys and it's
the beginning of our tests which I believe will get close to the 80 million
you say.
I will add some tests I have done, I set up flash (a python framework) that
delays a response for 5 second then I
And having looked at this further we would have to append the key to the end of
the certificate bundle after it was issued from LE as an extra step in the
processing so that this could work.
This still seems to be the best way forward, even if it requires an extra step
in this case.
Kind regar
Hi Lucas,
Well that looks great. I've not looked at HAproxy too much, as I've not used it
before other than during a switch over just prior to Christmas last year where
rinetd couldn't cope with the incoming traffic load and we had to cobble
together a quick HAProxy layer 4 configuration to red
Hi Anoop,
This is great and really valuable information, thank you.
I'd heard that CloudFlare use a variant of Nginx for providing SSL termination
which was why I was hopeful that it would be able to manage our use case.
Kind regards,
Richard
On Tue, 2019-02-12 at 07:31 +0530, Anoop Alias
Hi Peter,
I'm sure that it's great and all, but I've just been to look at the
https://openresty.org/en/installation.html page for the installation again and
it's very much not friendly for configuration management unless you're on a
supported platform with packages available to you. I'm sure th
In haproxy, you simply specify a path where you have all your certificates.
frontend https_frontend
    bind *:443 ssl crt /etc/haproxy/certs/default-cert.pem crt /etc/haproxy/certs alpn h2,http/1.1
This way, haproxy will read all certs, and when stuff comes in, it uses the
host header to deter
On 2019-02-12 09:44, Richard Paul wrote:
Hi Robert,
I've not looked in a while but I think that there were some large
assumptions in openresty that you are running on Linux. I'll have a
look again but it might not quite be a good fit for us.
Another problem with SAN certificates is that i
Hi Andreas,
Good to hear that this is scaling well for you at this level.
With regards to reload, you mean a reload rather than a restart I take it?
We'll be load balanced and building these from config and deployment management
systems so a long reload/restart is not the end of the world as we
Hi Jeff
That's interesting, how do you manage the programming to load the right
certificate for the right domain coming in as the server name? We need to load
the right certificate for the incoming domain and the 12000 figure is the
number of unique vanity domains without the www. subdomains.
W
Hi Rainer,
We don't control all the DNS, some of our customers prefer to keep control in
house for that stuff. Also, wildcards don't work for us in this case, they have
individual vanity domains, sometimes more than one which are not wildcardable
unless I could get something like *.*.co.uk 😄.
Ki
Hi Robert,
I've not looked in a while but I think that there were some large assumptions
in openresty that you are running on Linux. I'll have a look again but it might
not quite be a good fit for us.
Kind regards,
Richard
On Mon, 2019-02-11 at 10:34 -0800, Robert Paprocki wrote:
FWIW, this k