<div dir="ltr">Hello.<div><br></div><div>I am using an nginx reverse proxy for S3 presigned URLs. </div><div>I am running nginx as a container using the nginx:1.25.2 Debian image. My host has 16 cores and 32 GB.</div><div><br></div><div>Below is the nginx configuration.<br></div><div><br></div><div>user nginx;<br>
worker_processes 14;<br>
pid /run/nginx.pid;<br>
worker_rlimit_nofile 40000;<br>
events {<br>
    worker_connections 1024;<br>
}<br>
http {<br>
    upstream s3_backend {<br>
        server &lt;mybucket&gt;.s3.amazonaws.com:443;<br>
        keepalive 10;<br>
    }<br>
<br>
    log_format combined_ssl '$remote_addr - $remote_user [$time_local] '<br>
                            '"$request" $status $body_bytes_sent '<br>
                            '"$http_referer" "$http_user_agent" '<br>
                            '$ssl_protocol/$ssl_cipher '<br>
                            '$ssl_session_reused';<br>
    proxy_ssl_session_reuse on;<br>
    proxy_ssl_server_name on;</div><div><br>
    # HTTPS server block with SSL certificate and S3 reverse proxy<br>
    server {<br>
        listen 443 ssl;<br>
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;<br>
        ssl_ciphers           HIGH:!aNULL:!MD5;<br>
        ssl_session_cache     shared:SSL:10m;<br>
        ssl_session_timeout   10m;</div><div>
        ssl_session_tickets   off;<br>
        server_name &lt;mydomain&gt;.company.com;<br>
<br>
        # Path to your SSL certificate and private key<br>
        ssl_certificate     /etc/nginx/domain.crt;<br>
        ssl_certificate_key /etc/nginx/domain.key;</div><div><br>
        location /s3proxy/&lt;mybucket&gt; {<br>
            rewrite /s3proxy/&lt;mybucket&gt;/(.*) /$1 break;<br>
            proxy_pass https://s3_backend;<br>
            proxy_redirect     off;<br>
            proxy_http_version 1.1;<br>
            proxy_set_header   "Connection" '';<br>
            proxy_set_header   Host &lt;mybucket&gt;.s3.amazonaws.com;<br>
            proxy_set_header   X-Real-IP $remote_addr;<br>
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;<br>
            proxy_set_header   X-Forwarded-Proto $scheme;<br>
            error_log /var/log/nginx/ssl_debug.log debug;<br>
        }<br>
    }<br>
}<br>
<br>
<br>
But in the log /var/log/nginx/ssl_debug.log, I see an SSL handshake every time I request an S3 object via the proxy using S3 presigned URLs.<br><br></div><div>Below is the log I see every time, for every request.</div><div><br></div><div>2023/09/30 18:07:19 [debug] 36#36: *9 event timer add: 22: 60000:721858477<br>
2023/09/30 18:07:19 [debug] 36#36: *9 http finalize request: -4, "/blob/zte3odk1ymnl@CIBC-2mb/singleurl0?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIASQOYQRM4CTRY6I54%2F20230930><br>
2023/09/30 18:07:19 [debug] 36#36: *9 http request count:2 blk:0<br>
2023/09/30 18:07:19 [debug] 36#36: *9 http run request: "/blob/zte3odk1ymnl@CIBC-2mb/singleurl0?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIASQOYQRM4CTRY6I54%2F20230930%2Fus-eas><br>
2023/09/30 18:07:19 [debug] 36#36: *9 http upstream check client, write event:1, "/blob/zte3odk1ymnl@CIBC-2mb/singleurl0"<br>
2023/09/30 18:07:19 [debug] 36#36: *9 http upstream request: "/blob/zte3odk1ymnl@CIBC-2mb/singleurl0?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIASQOYQRM4CTRY6I54%2F20230930%2Fu><br>
2023/09/30 18:07:19 [debug] 36#36: *9 http upstream send request handler<br>
2023/09/30 18:07:19 [debug] 36#36: *9 malloc: 000055ED330A1DD0:96<br>
2023/09/30 18:07:19 [debug] 36#36: *9 upstream SSL server name: "s3_backend"<br>
2023/09/30 18:07:19 [debug] 36#36: *9 set session: 0000000000000000<br>
2023/09/30 18:07:19 [debug] 36#36: *9 tcp_nodelay<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: -1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_get_error: 2<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL handshake handler: 0<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: -1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_get_error: 2<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL handshake handler: 1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: -1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_get_error: 2<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL handshake handler: 0<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: -1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_get_error: 2<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL handshake handler: 1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: -1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_get_error: 2<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL handshake handler: 1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: -1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_get_error: 2<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL handshake handler: 0<br>
2023/09/30 18:07:19 [debug] 36#36: *9 save session: 000055ED330FBAC0<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: 1<br>
2023/09/30 18:07:19 [debug] 36#36: *9 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"<br>
2023/09/30 18:07:19 [debug] 36#36: *9 <b>http upstream ssl handshake</b>: "/blob/zte3odk1ymnl@CIBC-2mb/singleurl0?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIASQOYQRM4CTRY6I54%2F202309><br>
2023/09/30 18:07:19 [debug] 36#36: *9 http upstream send request<br>
2023/09/30 18:07:19 [debug] 36#36: *9 http upstream send request body<br></div><div><br></div><div>If I run 4K clients using a simulator, I see 100% CPU in the nginx container. I believe that if we cache SSL sessions, the SSL handshake for every request will be avoided, and hence we may not have high CPU in the nginx container.</div><div><br></div><div>Can you please help with how to achieve the SSL cache? How can I make sure the CPU is not high? Is there any reason other than the SSL handshake why the CPU is high?</div><div>Thanks,</div><div>Vijay<br> </div></div>
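Added example, not part of Vijay's message: a small Python script that scans nginx upstream debug log lines like the ones quoted above and reports, per upstream connection, whether nginx offered a previously saved session ("set session:" with a non-zero pointer), whether it saved a new one, and which SNI name it sent. The sample log is constructed from the message's lines plus one invented connection (*12) showing what a connection with a cached session looks like; the "s3_backend" SNI in the log is the upstream group name, and nginx's proxy_ssl_name directive is what sets that name explicitly.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the debug lines quoted in the message. Connection *9 is
# the full handshake from the page; connection *12 is a constructed example of nginx
# offering a previously saved session (non-zero pointer) on a later upstream connection.
SAMPLE_LOG = """\
2023/09/30 18:07:19 [debug] 36#36: *9 upstream SSL server name: "s3_backend"
2023/09/30 18:07:19 [debug] 36#36: *9 set session: 0000000000000000
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: -1
2023/09/30 18:07:19 [debug] 36#36: *9 save session: 000055ED330FBAC0
2023/09/30 18:07:19 [debug] 36#36: *9 SSL_do_handshake: 1
2023/09/30 18:07:19 [debug] 36#36: *9 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
2023/09/30 18:07:20 [debug] 36#36: *12 upstream SSL server name: "s3_backend"
2023/09/30 18:07:20 [debug] 36#36: *12 set session: 000055ED330FBAC0
2023/09/30 18:07:20 [debug] 36#36: *12 SSL_do_handshake: 1
"""

CONN_RE = re.compile(r"\*(\d+) (.*)$")            # "*9 rest of line"
SNI_RE = re.compile(r'upstream SSL server name: "([^"]+)"')
SET_RE = re.compile(r"set session: ([0-9A-Fa-f]+)")
SAVE_RE = re.compile(r"save session: ([0-9A-Fa-f]+)")


def analyze(log_text):
    """Return per-upstream-connection facts pulled from nginx debug log lines."""
    conns = defaultdict(lambda: {"sni": None, "offered_cached": False,
                                 "saved_new": False, "handshake_ok": False})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = m.group(1), m.group(2)
        c = conns[cid]
        if (s := SNI_RE.search(rest)):
            c["sni"] = s.group(1)
        elif (s := SET_RE.search(rest)):
            # A NULL pointer means no saved session existed for this upstream,
            # so a full handshake is unavoidable on this connection.
            c["offered_cached"] = int(s.group(1), 16) != 0
        elif SAVE_RE.search(rest):
            c["saved_new"] = True
        elif rest.strip() == "SSL_do_handshake: 1":
            c["handshake_ok"] = True
    return dict(conns)


def summarize(conns):
    """Count connections that started with no saved session vs. with one offered."""
    full = sum(1 for c in conns.values() if not c["offered_cached"])
    return {"connections": len(conns), "no_cached_session": full,
            "cached_session_offered": len(conns) - full,
            "sni_names": sorted({c["sni"] for c in conns.values() if c["sni"]})}


if __name__ == "__main__":
    print(summarize(analyze(SAMPLE_LOG)))
```

Run it against the real ssl_debug.log to see whether later upstream connections ever get a non-zero "set session:" pointer; if every connection shows the NULL pointer, the upstream session cache is not being hit regardless of the proxy_ssl_session_reuse setting.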