Request time of 60s when denying SSL requests?
JB Hobbs
hobbsjb at yahoo.com
Fri Jan 11 15:37:04 UTC 2013
Thank you Maxim. I have a few follow-up points and questions please:
1. I should have mentioned that I was doing this on Nginx 0.6.x. I just tried the same test on Nginx 1.2.6. With 1.2.6 it does return the 403 to the browser as expected.
The following applies to my testing on Nginx 1.2.6:
2. I understand (and verified by closing the browser sooner) from your response that the browser (Chrome in this case) is keeping the connection open with Nginx for 60 seconds when it is HTTPS (and about 10 seconds with http). However, if a browser makes a request to the root, I want to tell Nginx to force the connection closed immediately after returning the 403. This is a high volume web service and I do not want browsers keeping requests open.
Is there some sort of directive or option I can set within my location=/ block to tell nginx to drop the connection immediately upon returning the 403? This is highly desirable so I hope there is a way to do it.
3. On a related note - as I mentioned nginx is serving as a front-end to Jetty. The way our web service makes, a browser should only make a single request for one html page and never make another request until 24 hours later, when the cache period expires. With this in mind, even for the legitimate requests, I am wondering if it would be more efficient for the server if I turned off keep-alive because there will just be this single request. What do you think? Are there any other optimizations I can make to this or other settings to use considering nginx will be serving just one single request per 24 hours per unique browser?
4. I have an access_log directive that points to main.log outside of the "location" blocks so it serves as the default location for where Nginx should log requests to. Inside my "location=/" block I have another access_log directive that points to forbidden.log. When the above http and https requests are made to "/", I do get a log entry in the forbidden.log as desired. However I also get this log entry in my main.log file as well. What do I need to do so that nginx only logs this to the forbidden.log, without (hopefully) removing the main.log entry defined outside of the location blocks (since I use this as a default from many other location blocks)?
Thank you so much for the excellent support!! :)
============================================
I would suggest that what you see in logs is actually empty
connection (without any request sent) opened by your browser in
addition to one which actually did a request. These are expected
to show up as 400 if client closes connection, but 408 if it's
closed by nginx, and the exact code might depend on browser
behaviour.
The odd thing is that 408 page is displayed in the browser. Could
you please double check and provide full sample configuration to
reproduce?
I've just checked with the following config:
    daemon off;
    error_log /dev/stderr notice;

    events {
    }

    http {
        server {
            listen 8443 ssl;
            ssl_certificate test-ssl.crt;
            ssl_certificate_key test-ssl-nopasswd.key;
            access_log /dev/stderr combined;

            location / {
                deny all;
            }
        }
    }
and it returns 403 Forbidden as expected.
--
Maxim Dounin
http://nginx.com/support.html
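
Added example, not part of the original messages: a small Python classifier for access-log lines in the "combined" format used in the test config above. It separates the empty connections Maxim describes (no request sent, logged as 400 or 408) from requests actually denied with 403. The sample lines are constructed, and the assumption that an empty connection appears with "-" in the request field is this example's, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in nginx "combined" format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2013:15:30:01 +0000] "GET / HTTP/1.1" 403 168 "-" "Mozilla/5.0 Chrome/24.0"
203.0.113.7 - - [11/Jan/2013:15:31:01 +0000] "-" 408 0 "-" "-"
198.51.100.9 - - [11/Jan/2013:15:31:05 +0000] "-" 400 0 "-" "-"
198.51.100.9 - - [11/Jan/2013:15:31:06 +0000] "GET /page.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/18.0"
192.0.2.44 - - [11/Jan/2013:15:32:10 +0000] "GET /%zz HTTP/1.1" 400 172 "-" "curl/7.28.0"
"""

# One combined-format entry: addr, ident, user, [time], "request", status, bytes, "referer", "agent".
COMBINED = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify(line):
    """Label one log line according to the 400/408/403 distinction in the thread."""
    m = COMBINED.match(line)
    if m is None:
        return "unparsed"
    request, status = m["request"], int(m["status"])
    empty = request in ("", "-")  # assumption: no request line was received
    if empty and status == 400:
        return "empty_closed_by_client"   # client closed the idle connection
    if empty and status == 408:
        return "empty_closed_by_nginx"    # nginx closed the idle connection
    if status == 403:
        return "denied_request"           # a real request hit "deny all"
    return "other"                        # includes 400s that carry a request line

def summarize(text):
    """Count each label over a block of log text, skipping blank lines."""
    return Counter(classify(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for kind, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind}: {n}")
```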