Re: Transforming SSL server cert and private key in variables.

Maxim Dounin
February 01, 2013 10:26AM
Hello!

On Fri, Feb 01, 2013 at 02:52:46PM +0100, António P. P. Almeida wrote:

> On 22 Jan 2013 14h34 CET, mdounin@mdounin.ru wrote:
>
> Hello Maxim,
>
> I made some tests and definitely we cannot use in our product, it
> takes too much time and resources.
>
> Tested on an EC m1.medium instance.
>
> HOSTS,DATE,COMMAND,CPU_PERCENTAGE,CPU_SYSTEM,CPU_USER,ELAPSED_TIME,IO_PG_FAULTS,ICONTEXT_SWITCHING,VCONTEXT_SWITCHING,MAX_MEMORY
> 5001,01.Feb.2013 00:18:33,/usr/sbin/nginx -s reload,92%,0.60,1.84,0:02.62,0,3296,1,138528
> 10001,01.Feb.2013 00:19:32,/usr/sbin/nginx -s reload,93%,1.67,5.80,0:08.00,0,11627,1,406804
> 20001,01.Feb.2013 00:20:23,/usr/sbin/nginx -s reload,93%,4.17,13.68,0:19.16,0,25221,1,945164
> 50001,01.Feb.2013 00:22:02,/usr/sbin/nginx -s reload,60%,13.24,36.37,1:22.46,14,68338,87121,2288668
>
> As you can see 50k hosts take more than one minute. That would be
> acceptable if it weren't for the fact that it uses up a lot of CPU and
> memory.

50k ssl hosts is a lot, actually, and loading 50k certificates
in 1 minute on a cheap virtual server looks reasonable to me.
Especially if you consider total cost of 50k ssl certs.

Please also make sure you are testing recent enough nginx. In
particular, the following commit speeds up ssl loading
about 2x here (available in nginx 1.3.11):

http://trac.nginx.org/nginx/changeset/5004/nginx

The real limiting factor with many server blocks seems to be
memory used for each server{}. This probably needs some
optimization.

> Parsing the config seems to be the culprit here.
>
> These were simple server blocks with self-signed certs just for
> testing.
>
> It would be awesome if there was some sort of compilation process for
> the config parsing. It's too costly. Let's say you have a machine with
> 50k hosts, now you add another one and the machine gets a beating just
> for adding this one.

I don't think that parsing of the config is a culprit. More
likely it's SSL certificate reading/checking/various random
initialization/generation. (And maybe server names hash
generation if there are many collisions on server names.)

Some profiling would be helpful.

--
Maxim Dounin
http://nginx.com/support.html
