Today I switched from nginx 1.19 to traefik 2.4.7 as a reverse proxy in front of our applications running as Docker containers. I'm using Let's Encrypt for both setups to handle the SSL certificates.
After the switch I checked my monitoring dashboards and saw the TLS connection duration increase from 10 ms to around 65 ms.
Is this a known issue, or is it related to my configuration? The same increase in duration occurs with a single Host() rule.
In the configuration below host1.nl and host2.net are not the actual hostnames.
Container labels
# Labels on the application container: a plain-HTTP router that only redirects
# to HTTPS, an HTTPS router using the ACME resolver, and the backend port.
labels:
# Explicit opt-in; needed because the static config sets exposedByDefault = false.
- "traefik.enable=true"
# Middleware that answers with a permanent redirect to the https scheme.
- "traefik.http.middlewares.app-prd-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.app-prd-redirect.redirectscheme.permanent=true"
# HTTP router: no tls label, and its only middleware is the redirect above.
# NOTE(review): neither router sets an entrypoints label, so neither is pinned
# to a specific entry point. Pinning this one to "web" and the secure one to
# "websecure" makes the exposure explicit.
- "traefik.http.routers.app-prd.rule=Host(`host1.nl`) || Host(`host2.net`)"
- "traefik.http.routers.app-prd.middlewares=app-prd-redirect"
# HTTPS router: same host rule, TLS enabled, certificate from "myresolver".
# No middleware is attached here, so no security headers (e.g. HSTS) are added
# by Traefik on this router.
- "traefik.http.routers.app-prd-secure.rule=Host(`host1.nl`) || Host(`host2.net`)"
- "traefik.http.routers.app-prd-secure.tls=true"
- "traefik.http.routers.app-prd-secure.tls.certresolver=myresolver"
# Port inside the container that Traefik forwards requests to.
- "traefik.http.services.app-prd.loadbalancer.server.port=8080"
tls.options (dynamic.toml)
# TLS option set named "default"; it applies to TLS routers that do not select
# another option set.
[tls.options]
[tls.options.default]
# TLS 1.0 and 1.1 handshakes are refused.
minVersion = "VersionTLS12"
# The TLS 1.2 entries are all ECDHE_RSA with an AEAD cipher. There is no
# ECDHE_ECDSA suite, so a TLS 1.2 client cannot negotiate against an ECDSA
# certificate with this list.
# NOTE(review): Go's TLS stack does not make TLS 1.3 suites configurable, so
# the three TLS_* entries at the end presumably have no effect - confirm.
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256"
]
# Only P-521 and P-384 are offered for key exchange; X25519 and P-256 are not.
# NOTE(review): a likely contributor to the slower handshakes described above.
# In the Go releases of this period X25519 and P-256 had optimized
# constant-time implementations, while P-384 and P-521 presumably used the
# slower generic code path. Compare handshake times with this key removed.
# Clients that support only X25519 or P-256 cannot complete a handshake.
curvePreferences = ["CurveP521", "CurveP384"]
# Handshakes without an SNI name matching a configured certificate are
# rejected instead of being served the default certificate.
sniStrict = true
Main configuration
# Static configuration: API, metrics, providers, logging, entry points and the
# ACME certificate resolver.
[api]
# insecure = true serves the API and dashboard without authentication on the
# internal "traefik" entry point (port 8080 by default). Keep that port off any
# reachable interface, or set this to false and publish api@internal through a
# router with TLS and an authentication middleware.
insecure = true
[metrics]
# Prometheus exporter with default settings.
# NOTE(review): no entryPoint is set, so the metrics are presumably served on
# the same unauthenticated "traefik" entry point - confirm.
[metrics.prometheus]
[providers.docker]
# Containers are routed only when they carry traefik.enable=true.
# NOTE(review): no endpoint is set, so the provider presumably talks to the
# local Docker socket. Access to that socket is equivalent to root on the host;
# consider a filtering socket proxy.
exposedByDefault = false
network = "shared_default"
[providers.file]
# Dynamic configuration file; the tls.options section of this post lives there.
filename = "/etc/traefik/dynamic.toml"
[log]
[accessLog]
filePath = "/var/log/traefik/access.log"
# Number of log lines held in memory before they are written out; buffered
# lines can be lost if the process stops abruptly.
bufferingSize = 100
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers.myresolver.acme]
# NOTE(review): keyType is not set. Traefik's documented default is RSA4096,
# and RSA-4096 signatures make every full handshake more expensive than a
# 2048-bit RSA or P-256 key would. This is a second candidate for the latency
# increase - compare with the key type the nginx setup used. If this is changed
# to an EC key type, the TLS 1.2 cipherSuites list in dynamic.toml needs
# ECDHE_ECDSA suites as well.
email = "hosting@host1.nl"
# acme.json holds the ACME account key and the certificates' private keys.
# Keep it on a persistent volume with mode 600; the path here is relative.
storage = "acme.json"
[certificatesResolvers.myresolver.acme.httpChallenge]
# HTTP-01 challenge: port 80 must be reachable from the Let's Encrypt servers.
entryPoint = "web"