App behind reverse proxy very slow

[EvoXCX]

Describe the bug
Hello,
I still have a problem with reverse proxy, I opened a ticket a while ago about Nginx #432 but it was closed without resolution.

I changed Reverse Proxy using Traefik and the problem is still there, so I can say that the problem comes from the application and not the reverse proxy.

Directly I have an almost instantaneous response time, but via the reverse proxy (Nginx or Traefik) it takes a considerable time to use it ergonomically.

To Reproduce
Steps to reproduce the behavior:

1. Up a reverse proxy other than Caddy
2. Access to the application
3. Slow response time

Expected behavior
Response time to be acceptable

Environment (please complete the following information):

• Device: VM (VMWare ESXi)
• OS: Debian 12
• Browser: Firefox, Edge
• Version: Latest for both

[ab-smith]

sorry to hear that @EvoXCX , the previous ticket was closed after a first batch of backend optimisations.
I'm guessing that there are some default settings on these proxies interfering with the setup. Are you running the reverse proxy in Docker mode as well? any specific config worth mentioning?
Let me get back to you once we are able to create an equivalent lab to yours :)

[EvoXCX]

Hello @ab-smith,

I used NGINX as barebone install and also tested in docker but I had the same problem, recently tested Traefik (docker) and same problem occur so I don't know where it can come from.

No specific config getting a base config from here https://ssl-config.mozilla.org/ for NGINX and for Traefik it's standard configuration to point on the correct container, pretty same as caddy but with personal TLS certs.

I do not work anymore in the enterprise that I setup infra for, but I can try to reproduce the problem on my side under KVM only because not using VMWare personally.

Sorry for late response.

[stijnpieters]

not having that many issues here, below my reverse proxy snippet:

Most notable/impactful difference to me seem proxy buffer sizes, these were required for some requests to even be able to respond.

server {
        listen 80;
        server_name ciso-assistant.my.domain;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl;
        server_name ciso-assistant.my.domain;
        ssl_certificate /opt/ssl/certs/ciso-assistant.my.domain.crt;
        ssl_certificate_key /opt/ssl/keys/ciso-assistant.my.domain.key;

        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_busy_buffers_size 512k;
        proxy_buffers   4       512k;
        proxy_buffer_size       256k;

        location /api/iam/sso/redirect/ {
                proxy_pass http://127.0.0.1:8001;
        }

        location /api/accounts/saml/0/acs/ {
                proxy_pass http://127.0.0.1:8001;
        }

        location /api/accounts/saml/0/acs/finish/ {
                proxy_pass http://127.0.0.1:8001;
        }

        location / {
                proxy_pass http://127.0.0.1:3001;
        }
}