SSL_STAPLING when network is unreachable

Maxim Dounin mdounin at
Wed Feb 26 17:26:34 UTC 2014


On Wed, Feb 26, 2014 at 11:39:31AM -0500, mastercan wrote:

> Hello,
> I've encountered a problem with nginx 1.5.10.
> I'm running nginx on a highly available system (2 cluster node).
> When node1 fails, node2 is automatically coming into play. A few days ago
> the internet connection was bad - on both nodes. They could ping the gateway
> only sporadically.
> Node2 became the active one and tried to start nginx. Nginx did not even
> come up.
> I replayed the whole scenario (switchover) with a working internet
> connection. Everything is running perfect then.
> But with a broken internet connection nginx does not start up. It's
> hanging.
> The reason is ssl_stapling I found out. Even when I set resolver_timeout to
> 5 seconds, nginx won't come up within 5 seconds with an internet connection
> with high packet loss.

On startup, nginx does name resolution of various names in a 
configuration files, using system resolver.  This includes initial 
resolution of OCSP responders if stapling is used.  If your system 
resolver doesn't have internet access and blocks trying to resolve 
names - so nginx will do.

Traditional approach to the problem is to use local caching DNS 
server (which is less likely to fail than external services), and 
to use IP addresses or /etc/hosts for critical things.

It's also a good idea to have nginx _running_ instead of trying to 
start it in an emergency conditions.  While nginx usually starts 
just fine, it is designed to keep things running by all means, not 
to start by all means.  Startup may fail, e.g., due to failed DNS 
resolution or a listen socket grabbed by some other process.  In 
contrast, if nginx was already started - it will keep running by 
all means.

Maxim Dounin

More information about the nginx mailing list