
I have a server with some subdomains publicly accessible, while on one subdomain a client-side certificate is required. Not only that, paths on that subdomain point to different applications, i.e. that subdomain protects a load of different web apps from public accessibility. Each of these domains has its own nginx configuration. Here is my nginx configuration file for the client-cert-protected applications.

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 80;
    server_name private.domain.com;

    ### Plain HTTP is only used to bounce clients to HTTPS ###
    location / {
        rewrite ^(.*) https://private.domain.com$1 permanent;
    }
}
server {
    listen 443 ssl;                  # "ssl on;" is the deprecated spelling of this
    server_name private.domain.com;  # directive must end with a semicolon

    ### Disable ssl v.3 (TLSv1 and TLSv1.1 are themselves deprecated today; TLSv1.2 is the usual minimum) ###
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;

    ### SSL cert files ###
    ssl_certificate         /srv/ssl/wildcard.domain.com.crt.combined;
    ssl_certificate_key     /srv/ssl/wildcard.domain.com.key;

    ### Client certificate auth: every request to this vhost must present a cert issued by this CA ###
    ssl_client_certificate  /etc/nginx/certs/domain.pem;
    ssl_verify_client       on;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_prefer_server_ciphers on;
    ssl_dhparam  /srv/ssl/dhparams.pem;

    ### Add a trailing slash to extension-less paths, then pull in one location block per app ###
    rewrite ^([^.]*[^/])$ $1/ permanent;
    include /home/user/labs/current/config/private/*.conf;
}

That then loads the correct nginx files from the path mentioned in the last line of that configuration. There are about 20 or so of those, and they look like this:

location /some/app {
  # strip the /some/app prefix before handing the request to the upstream
  rewrite ^/some/app/?(.*)$ /$1 break;
  proxy_pass https://subdomain.anotherDomain.com;
}

So by the time nginx compiles and runs, there are multiple location blocks, depending on the path that was specified.

The user then has to provide a client certificate, and once that is authenticated the correct location is passed back to the user.

This process is extremely slow: firstly how long it takes for the nginx server to ask for the certificate, and then how long it takes to return the page.

Any help would be loved! Below is an image of the times for the page to load. This is consistent across devices and across networks. Sometimes it has taken over 3 seconds. Please see:

[image: chrome timings]

amlwwalker
  • Your whole connection time is 2.48s; if you remove everything before nginx is even involved you are left with 0.34s. That isn't very slow – Drifter104 Apr 05 '16 at 15:40
  • So, when Chrome says stalling that is happening in the browser only? For some reason this massive delay only occurs on the subdomain urls that I control with the above nginx? – amlwwalker Apr 05 '16 at 17:25
  • Well if you think about it this way - Chrome doesn't know what server to connect to until the DNS lookup has completed – Drifter104 Apr 05 '16 at 19:31
  • Btw, you've missed the semicolon after server_name – Alexey Ten Apr 06 '16 at 04:17
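The comments hinge on which part of the 2.48 s is actually spent in nginx. The script below is an added example, not code from the question or the commenters: it uses curl's --write-out timers to split one request into DNS, TCP, TLS (the phase in which nginx asks for and verifies the client certificate) and backend time, and names the dominant phase. The SAMPLE line is constructed to resemble the numbers in the thread; the URL, certificate and key paths passed to `timed_request` are placeholders, and that function is the only part that touches the network.

```shell
#!/bin/sh
# Added example (not from the question or its comments): attribute a slow
# client-certificate request to DNS, TCP, the TLS handshake or the backend.

# Every curl timer is seconds since the start of the transfer, so each phase
# is the difference between two consecutive timers.
CURL_FMT='namelookup=%{time_namelookup} connect=%{time_connect} appconnect=%{time_appconnect} starttransfer=%{time_starttransfer} total=%{time_total}'

# Live measurement (not executed here). $1 = URL, $2 = client cert, $3 = key;
# all three are placeholders you supply. --cert/--key answer the server's
# CertificateRequest, which is what ssl_verify_client on triggers.
timed_request() {
    curl --silent --output /dev/null \
         --cert "$2" --key "$3" \
         --write-out "$CURL_FMT\n" "$1"
}

# Constructed sample timer line, shaped like the ~2.48 s total in the comments.
SAMPLE='namelookup=0.123 connect=0.245 appconnect=1.890 starttransfer=2.140 total=2.480'

# One timer line -> per-phase durations in milliseconds.
#   dns     = namelookup
#   tcp     = connect - namelookup
#   tls     = appconnect - connect      (handshake incl. client-cert exchange)
#   backend = starttransfer - appconnect (nginx + the proxied application)
phase_breakdown() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) { split($i, kv, "="); t[kv[1]] = kv[2] }
        ms = 1000
        printf "dns=%d tcp=%d tls=%d backend=%d total=%d\n",
            int(t["namelookup"] * ms + 0.5),
            int((t["connect"] - t["namelookup"]) * ms + 0.5),
            int((t["appconnect"] - t["connect"]) * ms + 0.5),
            int((t["starttransfer"] - t["appconnect"]) * ms + 0.5),
            int(t["total"] * ms + 0.5)
    }'
}

# Name the longest phase: "tls" points at the handshake and certificate
# verification, "backend" at nginx and the upstream behind proxy_pass,
# "dns"/"tcp" at things that happen before nginx sees the request at all.
dominant_phase() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) { split($i, kv, "="); t[kv[1]] = kv[2] }
        p["dns"]     = t["namelookup"]
        p["tcp"]     = t["connect"] - t["namelookup"]
        p["tls"]     = t["appconnect"] - t["connect"]
        p["backend"] = t["starttransfer"] - t["appconnect"]
        n = split("dns tcp tls backend", order, " ")
        best = order[1]
        for (j = 2; j <= n; j++) if (p[order[j]] > p[best]) best = order[j]
        print best
    }'
}

phase_breakdown "$SAMPLE"
dominant_phase "$SAMPLE"
```

For a real run, feed the output of `timed_request` into `phase_breakdown` a few times in a row: if the tls phase only drops on the second and later requests, the session cache is working and the cost is the full handshake; if it stays high, look at the certificate chain and verification path before touching the location blocks, which only come into play in the backend phase.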

0 Answers