Hi,
I just noticed that enabling basic authentication adds between 100 and
150 ms to my otherwise 30-40 ms page load time. Is this known
behaviour? Is this somehow inherent or a design / implementation
mistake?
Á
Hello!
On Sat, Nov 28, 2015 at 06:18:54PM +0100, Joó Ádám wrote:
Hi,
I just noticed that enabling basic authentication adds between 100 and
150 ms to my otherwise 30-40 ms page load time. Is this known
behaviour? Is this somehow inherent or a design / implementation
mistake?
Basic authentication checks user password on each request.
Depending on a password hash used for a particular user in the
user file, it may take significant time - as password hashes
are designed to be CPU-intensive to prevent password recovery
attacks. Some additional information can be found here:
Depending on your particular setup and possible risks, you may
consider using something less CPU-intensive as your password hash
function if a hash calculation takes 100ms. All crypt(3) schemes
as supported by your system are understood by nginx, as well as
some additional schemes for portability and debugging. See here
for more details:
http://nginx.org/r/auth_basic_user_file
–
Maxim D.
http://nginx.org/
Wow, I just realized how stupid my question was. I wasn’t considering
the high iteration count I myself selected for hashing… Thanks, Maxim!
Á