Are all backends affected by performance penalty when ingress-nginx has ssl passthrough enabled? Shou

Time:12-09

As the ingress-nginx docs state, enabling ssl passthrough (--enable-ssl-passthrough) "bypasses NGINX completely and introduces a non-negligible performance penalty."

Does this mean that all backends are affected by this performance penalty, or only those whose ingress has the annotation nginx.ingress.kubernetes.io/ssl-passthrough?

In my case, I'd like to proxy a Kafka cluster behind an nginx ingress, and Kafka demands ssl passthrough to be enabled. So would it be advisable to install two ingresses, one without ssl passthrough/performance penalty for the usual http traffic to the web application, and a second one with ssl passthrough solely for Kafka?

CodePudding user response:

Does this mean that all backends are affected by this performance penalty, or only those whose ingress has the annotation "nginx.ingress.kubernetes.io/ssl-passthrough"?

To answer this question, I will quote the entire warning:

This feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and handing it over to a local TCP proxy. This bypasses NGINX completely and introduces a non-negligible performance penalty.

It follows that all traffic that is directed to your HTTPS port (all pods with HTTPS traffic) will have a slight performance penalty as this bypasses NGINX itself. It shouldn't affect your HTTP traffic. So you shouldn't need to run a second ingress, but you can always do so to separate rules in two separate ingresses.
