SSO kerberos + nginx + tomcat xwiki

Hi. I've set up authorization with a Kerberos ticket through nginx. When I did some measurements I found out that connections through nginx are very slow. For example:

~$ curl -I --negotiate -w "@/home/slava/curl-format.txt" 'http://xwiki.domain.ru/xwiki/bin/skin/resources/js/xwiki/xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU'
HTTP/1.1 401 Unauthorized
Server: nginx/1.16.1
Date: Thu, 14 Jan 2021 10:04:04 GMT
Content-Type: text/html
Content-Length: 179
WWW-Authenticate: Negotiate
Proxy-support: Session-Based-Authentication
Connection: Proxy-support
X-Cache: MISS from squid.domain.ru
X-Cache-Lookup: MISS from squid.domain.ru:3128
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 14 Jan 2021 10:04:04 GMT
Content-Type: text/javascript;charset=UTF-8
Content-Length: 72636
Vary: Accept-Encoding
WWW-Authenticate: Negotiate la-la-la
Content-Script-Type: text/javascript
Set-Cookie: JSESSIONID=847B14F94A8EB6B6E27848D0BEEE1ADF; Path=/xwiki; HttpOnly
Last-Modified: Thu, 14 Jan 2021 10:04:04 GMT
Cache-Control: public
Expires: Sat, 13 Feb 2021 10:04:04 GMT
Content-Language: ru-RU
Proxy-support: Session-Based-Authentication
Connection: Proxy-support
X-Cache: MISS from squid.domain.ru
X-Cache-Lookup: MISS from squid.domain.ru:3128
Connection: keep-alive

time_namelookup: 0,000s
time_connect: 0,000s
time_appconnect: 0,000s
time_pretransfer: 0,001s
time_redirect: 0,021s
time_starttransfer: 0,280s

time_total: 0,303s

~$ curl -I --negotiate -w "@/home/slava/curl-format.txt" 'http://xwiki.domain.ru:8080/xwiki/bin/skin/resources/js/xwiki/xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU'
HTTP/1.1 200 OK
Content-Script-Type: text/javascript
Set-Cookie: JSESSIONID=240CF2DB36ED9D5CCF029EC76CF5270E; Path=/xwiki; HttpOnly
Last-Modified: Thu, 14 Jan 2021 10:04:14 GMT
Cache-Control: public
Expires: Sat, 13 Feb 2021 10:04:14 GMT
Content-Type: text/javascript;charset=UTF-8
Content-Language: ru-RU
Content-Length: 72636
Date: Thu, 14 Jan 2021 10:04:14 GMT
X-Cache: MISS from squid.domain.ru
X-Cache-Lookup: MISS from squid.domain.ru:3128
Connection: keep-alive

time_namelookup: 0,004s
time_connect: 0,005s
time_appconnect: 0,000s
time_pretransfer: 0,005s
time_redirect: 0,000s
time_starttransfer: 0,035s

time_total: 0,035s

The difference is 0,035s (straight to Tomcat) vs 0,280s (over nginx with spnego-http-auth-nginx-module).
My nginx config:

user root;   # worker processes run as root here (nginx's default is an unprivileged user)
worker_processes 4;
worker_rlimit_nofile 20000;
error_log /var/log/nginx/error.log;
pid /run/nginx/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # no space between "$http_x_forwarded_for" and rt=, which is why the log
    # lines further down read ..."unknown"rt=0.000
    log_format upstream '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"'
                        'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';

    keepalive_timeout 65;

    gzip on;
    gzip_comp_level 4;          # increase for better compression (values 1 to 9, 1 = fastest, 9 = slowest/best compression)
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; # compress multiple mime types
    gzip_disable "msie6";       # disable gzip for IE<=6
    gzip_vary on;               # send Vary: Accept-Encoding header
    gzip_proxied any;           # enable compression for proxied requests

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    server {
        listen 80;
        server_name xwiki.domain.ru;
        client_max_body_size 250M;
        access_log /var/log/nginx/xwiki.access.log;

        location /schema {
            root /opt/htdocs/;
            index index.html index.htm;
        }

        location / {
            access_log /var/log/nginx/xwiki.access.log upstream;
            proxy_pass http://xwiki.domain.ru:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            # the SPNEGO-authenticated principal is passed to XWiki in this header
            proxy_set_header X-Xwiki-User $remote_user;
            proxy_connect_timeout 300;
            proxy_send_timeout 300;
            proxy_read_timeout 300;
            send_timeout 300;
            keepalive_requests 1000;

            auth_gss on;
            auth_gss_realm DOMAIN.RU;
            auth_gss_keytab /opt/tomcat/conf/xwiki.keytab;
            auth_gss_service_name HTTP/xwiki.domain.ru;
            auth_gss_allow_basic_fallback off;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}

I've added timers to the nginx log: $request_time, $upstream_connect_time, $upstream_header_time, $upstream_response_time.

192.168.0.51 - - [14/Jan/2021:13:24:39 +0300] "HEAD /xwiki/bin/skin/resources/js/xwiki/xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU HTTP/1.1" 401 0 "-" "curl/7.47.0" "unknown"rt=0.000 uct="-" uht="-" urt="-"
192.168.0.51 - SuperUser [14/Jan/2021:13:24:40 +0300] "HEAD /xwiki/bin/skin/resources/js/xwiki/xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU HTTP/1.1" 200 0 "-" "curl/7.47.0" "unknown"rt=0.268 uct="0.005" uht="0.269" urt="0.269"

0.268 is a very slow upstream connection. But when I switch off auth_gss it works fine:

192.168.0.51 - - [14/Jan/2021:13:38:08 +0300] "HEAD /xwiki/bin/skin/resources/js/xwiki/xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU HTTP/1.1" 200 0 "-" "curl/7.47.0" "unknown"rt=0.034 uct="0.000" uht="0.034" urt="0.034"

~$ curl -I --negotiate -w "@/home/slava/curl-format.txt" 'http://xwiki.domain.ru/xwiki/bin/skin/resources/js/xwiki/xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU'
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 14 Jan 2021 10:38:08 GMT
Content-Type: text/javascript;charset=UTF-8
Content-Length: 72636
Vary: Accept-Encoding
Content-Script-Type: text/javascript
Set-Cookie: JSESSIONID=24C9744C9CD04DAB73A34685E03ADE18; Path=/xwiki; HttpOnly
Last-Modified: Thu, 14 Jan 2021 10:38:08 GMT
Cache-Control: public
Expires: Sat, 13 Feb 2021 10:38:08 GMT
Content-Language: ru-RU
X-Cache: MISS from squid.domain.ru
X-Cache-Lookup: MISS from squid.domain.ru:3128
Connection: keep-alive

time_namelookup: 0,004s
time_connect: 0,005s
time_appconnect: 0,000s
time_pretransfer: 0,005s
time_redirect: 0,000s
time_starttransfer: 0,047s

time_total: 0,047s

Is there any idea what happens? Thanks.
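Added example (editor's code, not part of the post and not XWiki's or nginx's own tooling): a Python script that parses the "upstream" log_format from the config above and splits $request_time into the part nginx spent on its own (the SPNEGO exchange, buffering, client I/O) and the part spent waiting for Tomcat's first header byte. The three log lines are the ones quoted in this post, assembled into one sample; the 100 ms threshold and the "backend-bound" classification are assumptions of this example, as is the handling of nginx's ", " / " : " separators when several upstream attempts are logged for one request.

```python
"""Attribute per-request latency using nginx's upstream timing variables.

Parses lines written by the custom 'upstream' log_format from the post
($request_time, $upstream_connect_time, $upstream_header_time,
$upstream_response_time) and splits each request into the time nginx
spent by itself and the time spent waiting for the backend.
"""
import re
from typing import Dict, List, Optional

# Sample input: the three log lines quoted in the post, joined into one text.
# The log_format has no space before "rt=", so "unknown"rt=... is literal.
SAMPLE_LOG = (
    '192.168.0.51 - - [14/Jan/2021:13:24:39 +0300] "HEAD /xwiki/bin/skin/resources/js/xwiki/'
    'xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU HTTP/1.1" 401 0 "-" '
    '"curl/7.47.0" "unknown"rt=0.000 uct="-" uht="-" urt="-"\n'
    '192.168.0.51 - SuperUser [14/Jan/2021:13:24:40 +0300] "HEAD /xwiki/bin/skin/resources/js/xwiki/'
    'xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU HTTP/1.1" 200 0 "-" '
    '"curl/7.47.0" "unknown"rt=0.268 uct="0.005" uht="0.269" urt="0.269"\n'
    '192.168.0.51 - - [14/Jan/2021:13:38:08 +0300] "HEAD /xwiki/bin/skin/resources/js/xwiki/'
    'xwiki-min.js?cache-version=1577704018000&defer=false&language=ru_RU HTTP/1.1" 200 0 "-" '
    '"curl/7.47.0" "unknown"rt=0.034 uct="0.000" uht="0.034" urt="0.034"\n'
)

# One regex for the whole log_format; "\s*" before rt= tolerates both the
# posted format (no space) and a corrected one (with a space).
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)"\s*rt=(?P<rt>[0-9.]+) uct="(?P<uct>[^"]*)" '
    r'uht="(?P<uht>[^"]*)" urt="(?P<urt>[^"]*)"\s*$'
)


def upstream_seconds(field: str) -> Optional[float]:
    """Parse an $upstream_*_time field. nginx writes '-' when no upstream was
    contacted (the 401 that auth_gss answers itself) and joins several
    attempts with ', ' or ' : '; those attempts are summed here (assumption)."""
    parts = [p for p in re.split(r'\s*[,:]\s*', field.strip()) if p and p != '-']
    if not parts:
        return None
    return sum(float(p) for p in parts)


def parse_log(text: str) -> List[Dict]:
    """Turn log text into dicts with numeric rt/uct/uht/urt fields."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f'unrecognised log line: {raw[:60]}...')
        d = m.groupdict()
        d['status'] = int(d['status'])
        d['bytes'] = int(d['bytes'])
        d['rt'] = float(d['rt'])
        for k in ('uct', 'uht', 'urt'):
            d[k] = upstream_seconds(d[k])
        entries.append(d)
    return entries


def breakdown(entry: Dict) -> Dict[str, float]:
    """Split $request_time into backend time and nginx's own overhead.

    upstream_wait  = from the upstream connect completing to the first header
                     byte: backend processing (an LDAP round trip lands here).
    proxy_overhead = $request_time minus $upstream_response_time: everything
                     nginx added on top (auth_gss, buffering, client I/O).
    Both are clamped at 0 because nginx rounds each variable to 1 ms on its
    own, so rt can come out a millisecond below urt (0.268 vs 0.269 above).
    """
    rt = entry['rt']
    if entry['urt'] is None:  # nginx answered without contacting the backend
        return {'upstream_connect': 0.0, 'upstream_wait': 0.0, 'proxy_overhead': rt}
    uct = entry['uct'] or 0.0
    uht = entry['uht'] if entry['uht'] is not None else entry['urt']
    return {
        'upstream_connect': uct,
        'upstream_wait': max(uht - uct, 0.0),
        'proxy_overhead': max(rt - entry['urt'], 0.0),
    }


def slow_upstream(entry: Dict, threshold: float = 0.1) -> bool:
    """True when the backend, not nginx, dominates a request slower than
    `threshold` seconds (100 ms is an arbitrary cut-off for this example)."""
    b = breakdown(entry)
    return b['upstream_wait'] > threshold and b['upstream_wait'] >= b['proxy_overhead']


def report(text: str) -> List[str]:
    """One summary line per request, ending in the classification."""
    lines = []
    for e in parse_log(text):
        b = breakdown(e)
        verdict = 'backend-bound' if slow_upstream(e) else 'ok'
        lines.append(
            f"{e['status']} user={e['user']:<9} rt={e['rt']:.3f} "
            f"connect={b['upstream_connect']:.3f} backend={b['upstream_wait']:.3f} "
            f"nginx={b['proxy_overhead']:.3f} {verdict}"
        )
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG)))
```

Run against the three lines from the post, the 401 is answered by nginx in 0.000 s and never reaches Tomcat, and for the authenticated 200 the whole 0.268 s sits between the upstream connect completing (0.005 s) and the first header byte, with nothing left over for nginx itself; so the cost is in how XWiki handles the authenticated request, not in the auth_gss handshake, and the unauthenticated 200 at 0.034 s is the baseline for the same URL. One caveat the config invites: Tomcat on :8080 answers the same URL directly from the client machine, and nginx forwards whatever principal it authenticated as X-Xwiki-User; if XWiki is configured to trust that header, :8080 must only be reachable from the proxy host, otherwise a client could set the header itself and bypass the SPNEGO check.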

It sends queries to LDAP for each request because X-Xwiki-User is set.