We like serving web pages, and now more than ever, we like serving them securely. We’ve been doing SSL with Apache and HAProxy for a while and it’s worked fine. There’s nothing really wrong with it other than the fact that it goes Apache to HAProxy to Apache to Passenger, which feels like way too many steps. We’ve tried using the dev branch of HAProxy and setting up SSL that way, and always ran into fatal bugs.
Enter nginx, which not only does SSL, but also implements the latest version of SPDY, which is awesome. We also need a way to deploy nginx that allows us to manage settings, customize back and front ends and do that consistently and repeatedly. Here comes moonshine_nginx_proxy!
We rolled it out on srch.io last week and other than missing a couple of the X-Forwarded headers, it’s been great (those bugs are now fixed in moonshine_nginx_haproxy). With SPDY, we get to the ready and onload events almost twice as fast as we did with vanilla SSL, which means happier users and happier me (because I love it when things are fast).
It also means one fewer step in the chain of things that can go wrong. Since nginx handles ports 80 and 443, there’s no need for Apache to be there just for SSL. That means less request queueing in our NewRelic graphs, which also means I’m happier.
We’re still using HAProxy to balance our MariaDB Galera Cluster and Elasticsearch servers, since it does a really good job of that, and has much better statistics than nginx on up/down servers and availability.
If you’re not running a load balancer (i.e., you’re on a single server), moonshine_spdy works really well.