As the ingress-nginx docs state, enabling SSL passthrough (--enable-ssl-passthrough) "bypasses NGINX completely and introduces a non-negligible performance penalty."
Does this mean that all backends are affected by this performance penalty, or only those whose ingress has the annotation nginx.ingress.kubernetes.io/ssl-passthrough?
In my case, I'd like to proxy a Kafka cluster behind an nginx ingress, and Kafka demands ssl passthrough to be enabled. So would it be advisable to install two ingresses, one without ssl passthrough/performance penalty for the usual http traffic to the web application, and a second one with ssl passthrough solely for Kafka?
CodePudding user response:
Does this mean that all backends are affected by this performance penalty, or only those whose ingress has the annotation "nginx.ingress.kubernetes.io/ssl-passthrough"?
To answer this question, I will quote the entire warning:
This feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and handing it over to a local TCP proxy. This bypasses NGINX completely and introduces a non-negligible performance penalty.
It follows that all traffic that is directed to your HTTPS port (all pods with HTTPS traffic) will have a slight performance penalty as this bypasses NGINX itself. It shouldn't affect your HTTP traffic. So you shouldn't need to run a second ingress, but you can always do so to separate rules in two separate ingresses.
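The two-controller layout the question asks about, sketched as an added example (not part of the original question or answer). The class name nginx-passthrough, the controller string, hostnames, service names, ports and the secret name are all placeholders. It assumes two ingress-nginx deployments, only one of which is started with --enable-ssl-passthrough.

```yaml
# Constructed example; every name, host and port below is a placeholder.
# Controller A (class "nginx"): started WITHOUT --enable-ssl-passthrough.
# Controller B (class "nginx-passthrough"): started with
#   --enable-ssl-passthrough --ingress-class=nginx-passthrough
#   --controller-class=k8s.io/ingress-nginx-passthrough
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx-passthrough
spec:
  controller: k8s.io/ingress-nginx-passthrough
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kafka
  annotations:
    # TLS is not terminated at the ingress; the broker presents its own
    # certificate and the connection is routed by SNI hostname only.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx-passthrough
  rules:
    - host: kafka.example.com
      http:
        paths:
          - path: /            # layer 4 passthrough: the path is not inspected
            pathType: Prefix
            backend:
              service: {name: kafka-bootstrap, port: {number: 9093}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp
spec:
  ingressClassName: nginx        # handled by the controller without passthrough
  tls:
    - hosts: [app.example.com]
      secretName: webapp-tls     # TLS terminated by NGINX for this host
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: webapp, port: {number: 80}}
```

Because passthrough operates at the TCP layer, other layer 7 annotations on the kafka Ingress (rewrites, auth, rate limits) have no effect, so any access control for that traffic has to be enforced by the broker itself.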