On Fri, Oct 15, 2010 at 1:31 PM, Atkins, Dwane P <[email protected]> wrote:
> We are experiencing some extremely slow captive portal pages. Are there any
> tweaks we might make that will speed this up? If we take the same test
> machine and put it on another network, all web pages come up quickly. This
> is just the initial redirect page.
>
In this case, that's caused by using HTTPS with a trusted cert: the browser is doing an OCSP request to validate the cert, which is also getting redirected to the captive portal. It then waits about 10 seconds for that to time out, then loads the page. (Dwane is a support customer and sent me a pcap offlist.) Common problem with all CP systems if you search on it.

The workaround is to add a bypass entry for the IP(s) of the OCSP server(s) used by the certificate provider. In this case, it's going to ocsp.godaddy.com, which goes to Akamai. That could get redirected to any number of IPs, which is somewhat problematic. It seems to always resolve to the same IP right now at least, from numerous different locations I tried it, and from the capture as well.

The easiest workaround is to hard code ocsp.godaddy.com as an override in the DNS forwarder or further upstream on your network to point to 72.167.239.239 and add an IP passthrough entry for 72.167.239.239. Then it'll be able to make that request to OCSP, which will eliminate the delay.

The only risk in that is if the IP changes and that IP stops answering OCSP requests. That probably doesn't happen much or at all though, so that's an adequate workaround (and seems to be what everyone else does including on many commercial CP systems). May just have to be updated to a new IP once every few years if the delay returns.
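
The caveat in the reply above (the pinned OCSP address changing) can be watched for with a small check; this is an added example, not part of the original message. It assumes it runs on a host whose resolver does not go through the DNS forwarder override (otherwise the lookup only echoes the pinned address), and `resolve_ipv4` and `check_pin` are names made up for this sketch.

```python
import socket
import sys

# Values taken from the message above.
OCSP_HOST = "ocsp.godaddy.com"
PINNED_IP = "72.167.239.239"


def resolve_ipv4(host):
    """Return the set of IPv4 addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def check_pin(host, pinned_ip, resolver=resolve_ipv4):
    """Compare the pinned passthrough IP with what DNS returns now.

    Returns (status, addresses), status being one of:
      "ok"          the pinned IP is still among the answers
      "drift"       the host resolves, but not to the pinned IP
      "unresolved"  the lookup failed, so nothing can be concluded
    Drift is a hint to re-test the portal, not proof that the pinned
    address has stopped answering OCSP requests.
    """
    try:
        current = set(resolver(host))
    except OSError:  # socket.gaierror is a subclass of OSError
        return "unresolved", set()
    if not current:
        return "unresolved", set()
    if pinned_ip in current:
        return "ok", current
    return "drift", current


if __name__ == "__main__":
    status, addrs = check_pin(OCSP_HOST, PINNED_IP)
    if status == "ok":
        print(f"{OCSP_HOST}: pinned {PINNED_IP} still in DNS answers")
    elif status == "drift":
        print(f"{OCSP_HOST}: now resolves to {sorted(addrs)}, not {PINNED_IP}; "
              "review the DNS override and the passthrough entry")
    else:
        print(f"{OCSP_HOST}: lookup failed, pin not verified")
    sys.exit(0 if status == "ok" else 1)
```

Run from cron, the non-zero exit status on drift or lookup failure gives a warning before users start reporting the 10-second delay again.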
