SSL_STAPLING when network is unreachable

Maxim Dounin mdounin at
Thu Feb 27 11:57:31 UTC 2014


On Wed, Feb 26, 2014 at 02:32:48PM -0500, mastercan wrote:

> Hello Maxim,
> > On startup, nginx does name resolution of various names in a 
> > configuration files, using system resolver.  This includes initial 
> > resolution of OCSP responders if stapling is used.  If your system 
> > resolver doesn't have internet access and blocks trying to resolve 
> > names - so nginx will do.
> I see. But what is the parameter "resolver_timeout" for? I had 2 ssl_staple
> directives in my config, and I set a resolver_timeout of 5 secs. I thought
> the blocking should not exceed 10 seconds then, assuming the resolving is
> done sequentially? It took more than 40 seconds to start though.

It's to configure timeout used by nginx's own nonblocking resolver 
( - that is, for name resolution done 
by running nginx.  To configure system resolver you should 
use your system's settings, usually /etc/resolv.conf.

(Actually, sole purpose of nginx's own resolver is to be able to 
resolve names when nginx is running, without blocking.  It's not 
something possible when using system resolver, as it has only 
blocking interface.)

Maxim Dounin

More information about the nginx mailing list