stream module on 100% cpu load

A. Schulze sca at
Tue Jan 3 13:20:38 UTC 2017


last days I setup a server to encapsulate DNS over TLS.

    - DNS-Server @localhost, Port 53 TCP
    - NGINX Stream module on public IP, Port 853 TCP, SSL enabled.

That work so far.
Now I thought to scan this setup using

I shutdown my HTTPS webserver an let nginx stream module listen on port 443.
To make it easier I switched also the stream proxy target to ::1, Port 80
Now I could again access my website but not via nginx ssl but nginx  
stream module.
Work also so far...

Now I pointed SSLlasbs to the server and ... surprise!

The scan terminate with "Assessment failed: Unexpected failure"
last loglines nginx wrote was:

2017/01/03 13:26:49 [info] 19253#0: *25 client  
[2600:c02:1020:4202::ac10:8267]:50918 connected to [2001:db8::53]:443
2017/01/03 13:26:49 [info] 19253#0: *25 proxy [2001:db8::53]:42534  
connected to [::1]:80
2017/01/03 13:26:50 [notice] 19253#0: *25 SSL renegotiation disabled  
while proxying connection, client: 2600:c02:1020:4202::ac10:8267,  
server: [2001:db8::53]:443, upstream: "[::1]:80", bytes from/to  
client:138/0, bytes from/to upstream:0/138

The nginx process stop responding and eat up 100% cpu time.

After reading again
I added "worker_processes auto;" to nginx.conf.

That changed the picture a little bit.
The ssllabs scan do no longer terminate but finish with a usual result.
Still one nginx process consume 100% cpu time.

I guess there is something broken with my setup or nginx. What further  
information are needed to nail down the problem?


nginx-1.11.8 with this (simplified) /etc/nginx/nginx.conf:

error_log                    /path/to/nginx-error.log info;
daemon                       off;

events {
      worker_connections      1024;

http {
      server {
          listen              [::1]:80;
          location / {
              root            /path/to/htdocs/;

worker_processes             auto;
stream {
      upstream dns {
          server              [::1]:80;
      server {
          listen              [2001:db8::53]:443 ssl;
          proxy_pass          dns;
          ssl_certificate     /path/to/cert+intermediate.pem;
          ssl_certificate_key /path/to/key.pem;

More information about the nginx mailing list