Basic auth is slow
Maxim Dounin
mdounin at mdounin.ru
Mon Nov 30 13:12:10 UTC 2015
Hello!
On Sat, Nov 28, 2015 at 06:18:54PM +0100, Joó Ádám wrote:
> Hi,
>
> I just noticed that enabling basic authentication adds between 100 and
> 150 ms to my otherwise 30-40 ms page load time. Is this known
> behaviour? Is this somehow inherent or a design / implementation
> mistake?
Basic authentication checks user password on each request.
Depending on a password hash used for a particular user in the
user file, it may take significant time - as password hashes
are designed to be CPU-intensive to prevent password recovery
attacks. Some additional information can be found here:
https://en.wikipedia.org/wiki/Crypt_(C)
Depending on your particular setup and possible risks, you may
consider using something less CPU-intensive as your password hash
function if a hash calculation takes 100ms. All crypt(3) schemes
as supported by your system are understood by nginx, as well as
some additional schemes for portability and debugging. See here
for more details:
http://nginx.org/r/auth_basic_user_file
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list