Transforming SSL server cert and private key in variables.

Maxim Dounin mdounin at
Fri Feb 1 15:25:19 UTC 2013


On Fri, Feb 01, 2013 at 02:52:46PM +0100, António P. P. Almeida wrote:

> On 22 Jan 2013 14h34 CET, mdounin at wrote:
> Hello Maxim,
> I made some tests and definitely we cannot use in our product, it
> takes too much time and resources. 
> Tested on an EC m1.medium instance.
> 5001,01.Feb.2013 00:18:33,/usr/sbin/nginx -s reload,92%,0.60,1.84,0:02.62,0,3296,1,138528
> 10001,01.Feb.2013 00:19:32,/usr/sbin/nginx -s reload,93%,1.67,5.80,0:08.00,0,11627,1,406804
> 20001,01.Feb.2013 00:20:23,/usr/sbin/nginx -s reload,93%,4.17,13.68,0:19.16,0,25221,1,945164
> 50001,01.Feb.2013 00:22:02,/usr/sbin/nginx -s reload,60%,13.24,36.37,1:22.46,14,68338,87121,2288668
> As you can see 50k hosts take more than one minute. That would be
> acceptable if it weren't for the fact that it uses up a lot of CPU and
> memory.

50k ssl hosts is a lot, actually, and loading 50k certificates 
in 1 minute on a cheap virtual server looks reasonable for me. 
Especially if you consider total cost of 50k ssl certs.

Please also make sure you are testing recent enough nginx.  In 
paticular, the following commit speeds up ssl loading 
about 2x here (available in nginx 1.3.11):

The real limiting factor with many server blocks seems to be 
memory used for each server{}.  This probably needs some 

> Parsing the config seems to be the culprit here.
> These where simple server blocks with self-signed certs just for
> testing.
> It would be awesome if there was some sort of compilation process for
> the config parsing. It's too costly. Let's say you have a machine with
> 50k hosts, now you add another one and the machine gets a beating just
> for adding this one.

I don't think that parsing of the config is a culprit.  More 
likely it's SSL certificate reading/checking/various random 
initialization/generation.  (And may be server names hash 
generation if there are many collisions on server names.)

Some profiling would be helpful.

Maxim Dounin

More information about the nginx-devel mailing list