SSL_STAPLING when network is unreachable

Maxim Dounin mdounin at mdounin.ru
Wed Feb 26 17:26:34 UTC 2014


Hello!

On Wed, Feb 26, 2014 at 11:39:31AM -0500, mastercan wrote:

> Hello,
> 
> I've encountered a problem with nginx 1.5.10.
> I'm running nginx on a highly available system (2 cluster node).
> 
> When node1 fails, node2 is automatically coming into play. A few days ago
> the internet connection was bad - on both nodes. They could ping the gateway
> only sporadically.
> Node2 became the active one and tried to start nginx. Nginx did not even
> come up.
> 
> I replayed the whole scenario (switchover) with a working internet
> connection. Everything is running perfectly then.
> But with a broken internet connection nginx does not start up. It's
> hanging.
> 
> The reason is ssl_stapling I found out. Even when I set resolver_timeout to
> 5 seconds, nginx won't come up within 5 seconds with an internet connection
> with high packet loss.

On startup, nginx does name resolution of various names in the 
configuration files, using the system resolver.  This includes initial 
resolution of OCSP responders if stapling is used.  If your system 
resolver doesn't have internet access and blocks while trying to 
resolve names, so will nginx.

The traditional approach to the problem is to use a local caching DNS 
server (which is less likely to fail than external services), and 
to use IP addresses or /etc/hosts for critical things.

It's also a good idea to have nginx _running_ instead of trying to 
start it under emergency conditions.  While nginx usually starts 
just fine, it is designed to keep things running by all means, not 
to start by all means.  Startup may fail, e.g., due to failed DNS 
resolution or a listen socket grabbed by some other process.  In 
contrast, if nginx was already started, it will keep running by 
all means.

-- 
Maxim Dounin
http://nginx.org/
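A pre-flight check for the failure mode described in this thread, added here as an example and not part of the thread or of nginx itself: it pulls the OCSP responder host names out of a certificate (using `openssl x509 -ocsp_uri`, assumed to be installed) and resolves each one under a hard deadline, so a failover script can refuse to start nginx, or fall back to an /etc/hosts entry, instead of letting startup hang on a blocked resolver. The host names in the sample run are constructed.

```python
"""Check that OCSP responder names resolve before (re)starting nginx with ssl_stapling."""
import subprocess
import sys
from urllib.parse import urlparse


def ocsp_hosts_from_cert(cert_path: str) -> list:
    """Return the OCSP responder host names from a PEM certificate's AIA extension.

    Relies on `openssl x509 -noout -ocsp_uri`, which prints one responder URL per
    line (assumption: an openssl binary is on PATH).
    """
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_path],
        capture_output=True, text=True, check=True,
    ).stdout
    return [urlparse(u).hostname for u in out.split() if urlparse(u).hostname]


def resolve_with_deadline(host: str, timeout: float = 5.0) -> str:
    """Resolve `host` the same way nginx does at startup (system resolver via
    getaddrinfo), but in a child process that is killed at the deadline.

    Returns 'ok', 'failed' (NXDOMAIN or similar, fails fast) or 'timeout' (the
    case from the thread: a resolver that blocks instead of answering).
    A plain in-process getaddrinfo call cannot be interrupted, hence the child.
    """
    probe = "import socket, sys; socket.getaddrinfo(sys.argv[1], 80)"
    try:
        proc = subprocess.run([sys.executable, "-c", probe, host],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return "ok" if proc.returncode == 0 else "failed"


def check_resolution(hosts, timeout: float = 5.0) -> dict:
    """Map each responder host to its resolution status."""
    return {h: resolve_with_deadline(h, timeout) for h in hosts}


def safe_to_start(results: dict) -> bool:
    """True only if every responder name resolved within the deadline."""
    return bool(results) and all(v == "ok" for v in results.values())


if __name__ == "__main__":
    # Constructed sample: "localhost" resolves without any network; the
    # .invalid name never resolves and stands in for an unreachable responder.
    hosts = sys.argv[1:] or ["localhost", "ocsp.example.invalid"]
    r = check_resolution(hosts, timeout=5.0)
    print(r)
    print("OK to start nginx" if safe_to_start(r) else "do NOT start: fix DNS or add /etc/hosts entries")
```

With a real certificate, run it as `check_resolution(ocsp_hosts_from_cert("/path/to/cert.pem"))` from the failover script and gate the nginx start on `safe_to_start`.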
