We have a setup where a Tomcat server is running on a DMZ host. When I access the host directly from that VLAN, the software runs as expected.
To publish that application, I used the NGINX reverse proxy, which actually is working, but the performance is awful. The login, for example, takes about 3 minutes.
After that, I tried to access the application directly from another VLAN or from a connected OpenVPN road warrior; the performance is also extremely slow.
In the past, we used a Sophos SG230 in the same way and had no issue.
I did a Wireshark capture on the DMZ VLAN of all traffic going to that Tomcat and saw that, while the website is loading, there are a lot of "TCP PDU reassembly" packets and a few "TCP retransmissions".
Other services on that machine work without problems. For example, I can access the machine through RDP from my OpenVPN client.
The Tomcat provides a SOAP service. Is there maybe an issue with this type of data stream?
Best regards and thanks in advance for helping.
Maybe websocket? Try Caddy instead of Nginx. It automatically supports websocket.
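For reference, this is what explicit WebSocket support looks like in nginx, the thing Caddy handles automatically. It is an added illustration, not configuration from the thread, from Patrick or from the original poster; the upstream address, server name, certificate paths and location prefix are assumed. Plain HTTP/SOAP requests do not need the Upgrade/Connection headers, so this only helps if the application actually opens WebSockets, which the thread does not establish.

```nginx
# Added example (not from the thread): nginx reverse proxy for a Tomcat backend
# with WebSocket upgrade passthrough. All addresses, names and paths are assumed.

# Translate the client's Upgrade header into the right Connection header for the
# backend: "upgrade" for a WebSocket handshake, "close" for ordinary requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream tomcat_backend {
    server 10.0.10.20:8080;   # assumed DMZ address of the Tomcat host
}

server {
    listen 443 ssl;
    server_name app.example.org;                      # assumed
    ssl_certificate     /etc/nginx/certs/app.crt;     # assumed paths
    ssl_certificate_key /etc/nginx/certs/app.key;

    location /app/ {                                  # assumed context path
        proxy_pass http://tomcat_backend;
        proxy_http_version 1.1;                       # required for Upgrade

        # These two headers let a WebSocket handshake reach Tomcat intact;
        # for plain HTTP/SOAP requests they are harmless.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSockets are long-lived; without this nginx drops idle ones after 60s.
        proxy_read_timeout 3600s;
    }
}
```

A quick way to tell whether this applies at all is to look in the capture for a request with `Upgrade: websocket` and a `101 Switching Protocols` reply; if none appears, the slowness has another cause and this block changes nothing.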
@Patrick: Thanks for the reply!
I found the reason why the access from the VPN was so bad. During the migration I needed to use outbound NAT on the LAN interface for the VPN clients, because at that time the default gateway on the servers still pointed to the old firewall. After removing the outbound NAT rule, direct access to the Tomcat is working.
I tried Caddy, too ... but the behavior is the same as with nginx. Awfully slow ... and there are only a few options to play with ...
It is a bit frustrating! I had a look at the old Sophos firewall, which uses Apache as reverse proxy ... but that was not very helpful ...