Hi - we're assessing Traefik v2 in Docker to see whether we can use it as a front end for various web services in different Compose stacks (using a shared external Docker network).
We've got a very simple setup, 1 https backend and 1 http backend with different host regex labels. Host regex labels work fine, but every first request is met with a ~2-3s delay while Traefik tries to serve the default certificate.
I enabled debug logging and you can see the delay between the request and response for HTTPS and HTTP:
HTTPS
```
revproxy | time="2022-01-14T14:37:34Z" level=debug msg="http: TLS handshake error from 11.22.33.44:22830: remote error: tls: bad certificate"
revproxy | time="2022-01-14T14:37:37Z" level=debug msg="Serving default certificate for request: \"test.test.local\""
revproxy | time="2022-01-14T14:37:38Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"
```
HTTP
```
revproxy | time="2022-01-14T14:58:38Z" level=debug msg="http: TLS handshake error from 11.22.33.44:33014: remote error: tls: bad certificate"
revproxy | time="2022-01-14T14:58:40Z" level=debug msg="Serving default certificate for request: \"test2.test.local\""
```
Longer term intention is to use our own SSL certificate for Traefik via dynamic config, but that would complicate the Traefik config and presumably slow things down (?).
Is there anything we can do to improve performance with this base config?
```yaml
version: '3'
services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.5
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - "--api.insecure=true"
      - "--providers.docker"
      - "--entrypoints.web-secure.address=:443"
      - "--serverstransport.insecureskipverify=true"
      - "--log.level=DEBUG"
    ports:
      # The HTTP port
      - "80:80"
      # HTTPS
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - revproxy
    labels:
      - "traefik.docker.network=revproxy"
    container_name: revproxy
    restart: unless-stopped
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "100m"
networks:
  revproxy:
    external: true
```
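
The dynamic-config approach the post mentions, sketched as an added example (not the original poster's configuration): a file-provider fragment that gives Traefik v2 its own certificate and replaces the generated default one. The file name `dynamic.yml`, the `/certs/...` paths and the certificate file names are assumptions.

```yaml
# dynamic.yml (hypothetical file name), loaded by Traefik's file provider.
# Assumed additions to the revproxy service in the Compose file above:
#   command:
#     - "--providers.file.filename=/etc/traefik/dynamic.yml"
#     - "--providers.file.watch=true"
#   volumes:
#     - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
#     - ./certs:/certs:ro
tls:
  # Certificates Traefik picks by matching the requested server name (SNI)
  # against the names in each certificate.
  certificates:
    - certFile: /certs/test.local.crt   # assumed path, e.g. a wildcard for *.test.local
      keyFile: /certs/test.local.key    # assumed path
  stores:
    default:
      # Served when no certificate matches the request, instead of the
      # self-signed "TRAEFIK DEFAULT CERT" that Traefik generates at startup
      # (the "Serving default certificate" debug line refers to this fallback).
      defaultCertificate:
        certFile: /certs/test.local.crt
        keyFile: /certs/test.local.key
  options:
    default:
      # Refuse protocol versions older than TLS 1.2 on all routers
      # that do not name another TLS options set.
      minVersion: VersionTLS12
```

Clients still have to trust the issuing CA of this certificate; a certificate they do not trust produces the same `bad certificate` alert seen in the debug log.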