intuitem / ciso-assistant-community

CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management and supporting +70 frameworks worldwide with auto-mapping: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber, NCSC, ECC, SCF and so much more
https://intuitem.com

App behind reverse proxy very slow #803

Open EvoXCX opened 2 months ago

EvoXCX commented 2 months ago

Describe the bug

Hello, I still have a problem with the reverse proxy. I opened a ticket a while ago about Nginx (#432), but it was closed without resolution.

I changed the reverse proxy to Traefik and the problem is still there, so I can say that the problem comes from the application and not the reverse proxy.

Directly I have an almost instantaneous response time, but via the reverse proxy (Nginx or Traefik) it takes a considerable time to use it ergonomically.

To Reproduce

Steps to reproduce the behavior:

  1. Bring up a reverse proxy other than Caddy
  2. Access the application
  3. Slow response time

Expected behavior

Response time to be acceptable

Environment (please complete the following information):

ab-smith commented 2 months ago

Sorry to hear that, @EvoXCX. The previous ticket was closed after a first batch of backend optimisations. I'm guessing that there are some default settings on these proxies interfering with the setup. Are you running the reverse proxy in Docker mode as well? Any specific config worth mentioning? Let me get back to you once we are able to create an equivalent lab to yours :)

EvoXCX commented 2 months ago

Hello @ab-smith,

I used NGINX as a bare-bones install and also tested it in Docker, but I had the same problem. I recently tested Traefik (Docker) and the same problem occurs, so I don't know where it can come from.

No specific config: I took a base config from https://ssl-config.mozilla.org/ for NGINX, and for Traefik it's a standard configuration pointing to the correct container, pretty much the same as Caddy but with personal TLS certs.

I no longer work at the enterprise that I set up the infra for, but I can try to reproduce the problem on my side, under KVM only because I do not use VMware personally.

Sorry for the late response.

stijnpieters commented 2 months ago

Not having that many issues here; below is my reverse proxy snippet:

The most notable/impactful difference to me seems to be the proxy buffer sizes; these were required for some requests to even be able to respond.

server {
        listen 80;
        server_name ciso-assistant.my.domain;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl;
        server_name ciso-assistant.my.domain;
        ssl_certificate /opt/ssl/certs/ciso-assistant.my.domain.crt;
        ssl_certificate_key /opt/ssl/keys/ciso-assistant.my.domain.key;

        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_busy_buffers_size 512k;
        proxy_buffers   4       512k;
        proxy_buffer_size       256k;

        location /api/iam/sso/redirect/ {
                proxy_pass http://127.0.0.1:8001;
        }

        location /api/accounts/saml/0/acs/ {
                proxy_pass http://127.0.0.1:8001;
        }

        location /api/accounts/saml/0/acs/finish/ {
                proxy_pass http://127.0.0.1:8001;
        }

        location / {
                proxy_pass http://127.0.0.1:3001;
        }
}
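The buffer directives in the snippet above are interdependent: nginx refuses to start if `proxy_busy_buffers_size` falls outside the range set by the other two, and the upstream response header has to fit in `proxy_buffer_size`. The following check is an added example, not code from this thread or from the CISO Assistant project; the function names are hypothetical and the defaults assume a 4k memory page.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
PAGE = 4096  # assumption: 4k memory page, which sets nginx's built-in defaults

def to_bytes(text):
    """Convert an nginx size such as '512k' or '1m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text)
    if not m:
        raise ValueError(f"not an nginx size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def parse_buffers(conf):
    """Read the three proxy buffer directives, applying nginx defaults if absent."""
    def find(pattern):
        m = re.search(pattern, conf)
        return m.groups() if m else None
    head = find(r"proxy_buffer_size\s+(\w+)\s*;")
    bufs = find(r"proxy_buffers\s+(\d+)\s+(\w+)\s*;")
    busy = find(r"proxy_busy_buffers_size\s+(\w+)\s*;")
    head_size = to_bytes(head[0]) if head else PAGE
    count, size = (int(bufs[0]), to_bytes(bufs[1])) if bufs else (8, PAGE)
    # An unset busy size defaults to twice the larger of the two buffer sizes.
    busy_size = to_bytes(busy[0]) if busy else 2 * max(head_size, size)
    return head_size, count, size, busy_size

def check(conf):
    """Return the startup-time constraint violations nginx would report."""
    head_size, count, size, busy_size = parse_buffers(conf)
    problems = []
    if count < 2:
        problems.append("there must be at least 2 proxy_buffers")
    if busy_size < max(head_size, size):
        problems.append("proxy_busy_buffers_size is below max(proxy_buffer_size, one proxy_buffers)")
    if busy_size > (count - 1) * size:
        problems.append("proxy_busy_buffers_size exceeds all proxy_buffers minus one buffer")
    return problems

def header_fits(conf, header_bytes):
    """The upstream response header must fit in proxy_buffer_size."""
    return header_bytes <= parse_buffers(conf)[0]

# The three directives from the comment above.
POSTED = "proxy_busy_buffers_size 512k; proxy_buffers 4 512k; proxy_buffer_size 256k;"
# Constructed: raising only the header buffer, a common partial fix.
PARTIAL = "proxy_buffer_size 256k;"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("partial", PARTIAL)):
        print(name, check(conf) or "ok", "6000-byte header fits:", header_fits(conf, 6000))
```

The posted values pass all three checks, while the constructed partial configuration fails the upper bound because the default `proxy_buffers` (8 buffers of 4k) is too small for the implied busy size.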