Slow Default SSL

Hi - we're assessing Traefik v2 in Docker to see whether we can use it as a front end for various web services in different Compose stacks (using a shared external Docker network).

We've got a very simple setup, 1 https backend and 1 http backend with different host regex labels. Host regex labels work fine, but every first request is met with a ~2-3s delay while Traefik tries to serve the default certificate.

I enabled debug logging and you can see the delay between the request and response for HTTPS and HTTP:

HTTPS

revproxy | time="2022-01-14T14:37:34Z" level=debug msg="http: TLS handshake error from 11.22.33.44:22830: remote error: tls: bad certificate"
revproxy | time="2022-01-14T14:37:37Z" level=debug msg="Serving default certificate for request: \"test.test.local\""
revproxy | time="2022-01-14T14:37:38Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"

HTTP

revproxy         | time="2022-01-14T14:58:38Z" level=debug msg="http: TLS handshake error from 11.22.33.44:33014: remote error: tls: bad certificate"
revproxy         | time="2022-01-14T14:58:40Z" level=debug msg="Serving default certificate for request: \"test2.test.local\""

Longer term intention is to use our own SSL certificate for Traefik via dynamic config, but that would complicate the Traefik config and presumably slow things down (?).

Is there anything we can do to improve performance with this base config?

version: '3'

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.5
    # Enables the web UI and tells Traefik to listen to docker
    command:
      - "--api.insecure=true"
      - "--providers.docker"
      - "--entrypoints.web-secure.address=:443"
      - "--serverstransport.insecureskipverify=true"
      - "--log.level=DEBUG"
    ports:
      # The HTTP port
      - "80:80"
      # HTTPS
      - "443:443"
      # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - revproxy
    labels:
      - "traefik.docker.network=revproxy"
    container_name: revproxy
    restart: unless-stopped
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "100m"

networks:
  revproxy:
    external: true
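
Added example, not part of the original post: a small Python script that measures the delay described above by pairing each "Serving default certificate" debug line with the TLS handshake error that precedes it. The sample lines are the ones quoted in the post; the function name `default_cert_gaps`, the 10-second pairing window and the regular expressions are assumptions made for this example.

```python
import re
from datetime import datetime

# Sample input: the debug lines quoted in the post (truncated request line left out).
SAMPLE = r'''
revproxy | time="2022-01-14T14:37:34Z" level=debug msg="http: TLS handshake error from 11.22.33.44:22830: remote error: tls: bad certificate"
revproxy | time="2022-01-14T14:37:37Z" level=debug msg="Serving default certificate for request: \"test.test.local\""
revproxy         | time="2022-01-14T14:58:38Z" level=debug msg="http: TLS handshake error from 11.22.33.44:33014: remote error: tls: bad certificate"
revproxy         | time="2022-01-14T14:58:40Z" level=debug msg="Serving default certificate for request: \"test2.test.local\""
'''

# time="..." level=... msg="..." where msg may contain backslash-escaped quotes.
LINE = re.compile(r'time="(?P<ts>[^"]+)"\s+level=\w+\s+msg="(?P<msg>(?:[^"\\]|\\.)*)"')
HANDSHAKE = re.compile(r'TLS handshake error from (?P<peer>[\d.]+):\d+: (?P<reason>.*)')
DEFAULT_CERT = re.compile(r'Serving default certificate for request: \\"(?P<host>[^"\\]+)\\"')


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def default_cert_gaps(text, window=10):
    """Pair each default-certificate line with the latest handshake error
    at most `window` seconds older and return the gap for each pair."""
    pending = None  # (timestamp, peer, reason) of the last unpaired handshake error
    results = []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a Traefik log line in the expected shape
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (h := HANDSHAKE.search(msg)):
            pending = (ts, h["peer"], h["reason"])
        elif (d := DEFAULT_CERT.search(msg)) and pending:
            gap = (ts - pending[0]).total_seconds()
            if 0 <= gap <= window:
                results.append({"host": d["host"], "peer": pending[1],
                                "reason": pending[2], "gap_s": gap})
            pending = None  # each handshake error is paired at most once
    return results


if __name__ == "__main__":
    for row in default_cert_gaps(SAMPLE):
        print(f'{row["host"]}: {row["gap_s"]:.0f}s after "{row["reason"]}" from {row["peer"]}')
```

The timestamps in these lines have one-second resolution, so each gap is accurate to about a second. In Go's TLS stack the `remote error:` prefix marks an alert sent by the client, so the measured interval includes whatever the client did between rejecting the certificate and connecting again.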