SSL_STAPLING when network is unreachable
Maxim Dounin
mdounin at mdounin.ru
Thu Feb 27 11:57:31 UTC 2014
Hello!

On Wed, Feb 26, 2014 at 02:32:48PM -0500, mastercan wrote:
> Hello Maxim,
>
> > On startup, nginx does name resolution of various names in the
> > configuration files, using the system resolver. This includes initial
> > resolution of OCSP responders if stapling is used. If your system
> > resolver doesn't have internet access and blocks trying to resolve
> > names, so will nginx.
>
> I see. But what is the parameter "resolver_timeout" for? I had 2 ssl_staple
> directives in my config, and I set a resolver_timeout of 5 secs. I thought
> the blocking should not exceed 10 seconds then, assuming the resolving is
> done sequentially? It took more than 40 seconds to start though.

It's to configure the timeout used by nginx's own nonblocking resolver
(http://nginx.org/r/resolver) - that is, for name resolution done
by a running nginx. To configure the system resolver you should
use your system's settings, usually /etc/resolv.conf.

(Actually, the sole purpose of nginx's own resolver is to be able to
resolve names when nginx is running, without blocking. It's not
something possible when using the system resolver, as it has only
a blocking interface.)
--
Maxim Dounin
http://nginx.org/
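
A pre-flight check for the startup behaviour described in this message, as an added example that is not part of the original post or of nginx: it times the blocking system resolver (reached here through Python's `socket.getaddrinfo`) for each OCSP responder host name before nginx is started. The host name, the 2-second deadline and the function names are assumptions made for illustration.

```python
import socket
import threading
import time


def timed_lookup(host, deadline, resolve=socket.getaddrinfo):
    """Run one blocking lookup in a daemon thread; return (status, seconds).

    status is "ok", "failed" (resolver returned an error) or "timeout"
    (the resolver was still blocked when the deadline expired).
    """
    result = {}

    def worker():
        try:
            resolve(host, 80)
            result["status"] = "ok"
        except OSError:  # socket.gaierror is a subclass of OSError
            result["status"] = "failed"

    start = time.monotonic()
    thread = threading.Thread(target=worker, daemon=True)
    thread.start()
    thread.join(deadline)  # the lookup cannot be cancelled, only abandoned
    return result.get("status", "timeout"), time.monotonic() - start


def preflight(hosts, deadline=2.0, resolve=socket.getaddrinfo):
    """Return (host, status, seconds) for every lookup that did not succeed."""
    problems = []
    for host in hosts:
        status, elapsed = timed_lookup(host, deadline, resolve)
        if status != "ok":
            problems.append((host, status, round(elapsed, 1)))
    return problems


if __name__ == "__main__":
    # Constructed placeholder; list the OCSP responder hosts of your certificates.
    for host, status, seconds in preflight(["ocsp.example.test"]):
        print(f"{host}: {status} after {seconds}s")
```

A "timeout" result means the system resolver itself is blocking, which `resolver_timeout` does not affect; that behaviour is tuned in /etc/resolv.conf.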