Running Nexus 3 behind nginx with basic (LDAP) authentication


Dave H

Jun 21, 2017, 4:34:58 PM
to Nexus Users
We have a setup that works like this:

Internet -->  nginx configured with SSL and ldap basic authentication --> nexus (configured with ldap authentication)

We have noticed that download speeds are 6x slower when running this way than when hitting Nexus directly without SSL and without LDAP basic auth.

Is it wrong to have Nexus behind a reverse proxy that also requires authentication, or is there some nginx configuration I am missing? Here is the existing config:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    server_name foo.mycorp.com;
    
    include /etc/nginx/common-ssl.conf;

    # Needed for large Vagrant boxes
    client_max_body_size 25g;
    proxy_request_buffering off;
    proxy_send_timeout 1200;
    proxy_read_timeout 1200;

    location / {
        # Basic authentication via LDAP (see nginx.conf for definition of LDAP server)
        auth_ldap "Please enter your credentials";
        auth_ldap_servers auth-srv;

        proxy_pass http://OPS_NEXUS_SERVICE_HOST:OPS_NEXUS_SERVICE_PORT_WEB;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto "https";

        # NOTE: Do not enable caching because it interferes with manifest retrieval
    }
}


Any help is appreciated!


Brian Fox

Jun 21, 2017, 4:45:20 PM
to Dave H, Nexus Users
My instinct is that it could be something with SSL that is slowing things down. Unless you're talking a ton of really small files, the auth shouldn't have a meaningful impact on throughput, but some weirdness and inefficiency in the SSL implementation absolutely could. Nothing in the config jumps out at me as wrong or missing. What is the client?

--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users+unsubscribe@glists.sonatype.com.
To post to this group, send email to nexus...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/917c5875-c18f-44bd-a4e5-65c2c74636d4%40glists.sonatype.com.
For more options, visit https://groups.google.com/a/glists.sonatype.com/d/optout.

Rich Seddon

Jun 21, 2017, 4:48:11 PM
to Nexus Users
So I just want to make sure I understand... it's 6x slower when nginx is doing the LDAP authentication? 

If that is the case it is likely because Nexus does LDAP result caching by default, while nginx doesn't.  It looks like there may be a way to have nginx cache LDAP query results though...
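
The nginx-side LDAP result caching mentioned above, as an added example that is not part of the original thread. It assumes the `auth_ldap` directives in the posted config come from the kvspb/nginx-auth-ldap module; the LDAP URL, bind DN and password are placeholders, and only the server name `auth-srv` is taken from the posted config.

```nginx
# Added example (not from the thread). Goes in nginx.conf, where the thread
# says the LDAP server is defined. Assumes the kvspb/nginx-auth-ldap module.
http {
    # Cache LDAP authentication results inside nginx so that every proxied
    # request does not trigger a fresh bind/search against the directory.
    auth_ldap_cache_enabled on;
    # Value taken from the module's README example; check the module docs
    # for the unit, and keep the lifetime short.
    auth_ldap_cache_expiration_time 10000;
    # Maximum number of cached entries.
    auth_ldap_cache_size 1000;

    # Same server name that the location block references with
    # "auth_ldap_servers auth-srv;".
    ldap_server auth-srv {
        # Placeholder directory URL and search filter.
        url ldaps://ldap.example.invalid/DC=example,DC=invalid?sAMAccountName?sub?(objectClass=person);
        # Placeholder service account used for the search bind.
        binddn "CN=nginx-bind,DC=example,DC=invalid";
        binddn_passwd "REPLACE_ME";
        require valid_user;
    }
}
```

Cached results are reused until they expire, so a disabled account or a changed password can keep authenticating at the proxy for up to the cache lifetime. Nexus still performs its own LDAP check behind the proxy, as in the setup described in the first post.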


Brian Fox

Jun 21, 2017, 4:51:43 PM
to Rich Seddon, Nexus Users
Good catch, I overlooked that nginx was also configured to do ldap. I think Rich is spot on.

Dave H

Jun 21, 2017, 5:05:50 PM
to Nexus Users, rse...@sonatype.com
Thank you -- looking into that right now.

Dave H

Jun 22, 2017, 4:19:24 PM
to Nexus Users, rse...@sonatype.com
As it turns out, I've completely disabled LDAP within nginx and the 6X speed slowdown is still there.  

I believe this proves that my problem is an nginx problem, not a Nexus problem.  I'll take it up with them unless anyone here has any more ideas.

Dave

