Transforming SSL server cert and private key in variables.
Maxim Dounin
mdounin at mdounin.ru
Fri Feb 1 15:25:19 UTC 2013
Hello!
On Fri, Feb 01, 2013 at 02:52:46PM +0100, António P. P. Almeida wrote:
> On 22 Jan 2013 14h34 CET, mdounin at mdounin.ru wrote:
>
> Hello Maxim,
>
> I made some tests and we definitely cannot use it in our product; it
> takes too much time and resources.
>
> Tested on an EC m1.medium instance.
>
> HOSTS,DATE,COMMAND,CPU_PERCENTAGE,CPU_SYSTEM,CPU_USER,ELAPSED_TIME,IO_PG_FAULTS,ICONTEXT_SWITCHING,VCONTEXT_SWITCHING,MAX_MEMORY
> 5001,01.Feb.2013 00:18:33,/usr/sbin/nginx -s reload,92%,0.60,1.84,0:02.62,0,3296,1,138528
> 10001,01.Feb.2013 00:19:32,/usr/sbin/nginx -s reload,93%,1.67,5.80,0:08.00,0,11627,1,406804
> 20001,01.Feb.2013 00:20:23,/usr/sbin/nginx -s reload,93%,4.17,13.68,0:19.16,0,25221,1,945164
> 50001,01.Feb.2013 00:22:02,/usr/sbin/nginx -s reload,60%,13.24,36.37,1:22.46,14,68338,87121,2288668
>
> As you can see, 50k hosts take more than one minute. That would be
> acceptable if it weren't for the fact that it uses up a lot of CPU and
> memory.
50k ssl hosts is a lot, actually, and loading 50k certificates
in 1 minute on a cheap virtual server looks reasonable to me.
Especially if you consider the total cost of 50k ssl certs.
Please also make sure you are testing a recent enough nginx. In
particular, the following commit speeds up ssl loading
about 2x here (available in nginx 1.3.11):
http://trac.nginx.org/nginx/changeset/5004/nginx
The real limiting factor with many server blocks seems to be
memory used for each server{}. This probably needs some
optimization.
> Parsing the config seems to be the culprit here.
>
> These were simple server blocks with self-signed certs just for
> testing.
>
> It would be awesome if there was some sort of compilation process for
> the config parsing. It's too costly. Let's say you have a machine with
> 50k hosts, now you add another one and the machine gets a beating just
> for adding this one.
I don't think that parsing of the config is the culprit. More
likely it's SSL certificate reading/checking/various random
initialization/generation. (And maybe server names hash
generation if there are many collisions on server names.)
Some profiling would be helpful.
--
Maxim Dounin
http://nginx.com/support.html
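As an added example (not code from either correspondent), the script below reads the measurement rows quoted above and derives what the two messages argue over: the per-server{} cost of the reload, how wall time scales with the number of hosts, and how much of the 50k run was spent waiting rather than computing. Mapping the columns to GNU time(1) output (elapsed as "m:ss.ss", MAX_MEMORY as max RSS in KB) is an assumption.

```python
import csv
import math
from io import StringIO

# Rows copied from the quoted message. MAX_MEMORY is treated as max RSS in
# KB and ELAPSED_TIME as GNU time's %E ("m:ss.ss"); both are assumptions
# about how the numbers were collected.
MEASUREMENTS = """\
HOSTS,DATE,COMMAND,CPU_PERCENTAGE,CPU_SYSTEM,CPU_USER,ELAPSED_TIME,IO_PG_FAULTS,ICONTEXT_SWITCHING,VCONTEXT_SWITCHING,MAX_MEMORY
5001,01.Feb.2013 00:18:33,/usr/sbin/nginx -s reload,92%,0.60,1.84,0:02.62,0,3296,1,138528
10001,01.Feb.2013 00:19:32,/usr/sbin/nginx -s reload,93%,1.67,5.80,0:08.00,0,11627,1,406804
20001,01.Feb.2013 00:20:23,/usr/sbin/nginx -s reload,93%,4.17,13.68,0:19.16,0,25221,1,945164
50001,01.Feb.2013 00:22:02,/usr/sbin/nginx -s reload,60%,13.24,36.37,1:22.46,14,68338,87121,2288668
"""


def parse_elapsed(text):
    """Convert '[h:]m:ss.ss' as printed by GNU time into seconds."""
    seconds = 0.0
    for part in text.split(":"):
        seconds = seconds * 60 + float(part)
    return seconds


def per_host_costs(csv_text=MEASUREMENTS):
    """One dict per row: reload cost divided by the number of server{}
    blocks, plus the share of wall time the process was not on the CPU."""
    out = []
    for row in csv.DictReader(StringIO(csv_text)):
        hosts = int(row["HOSTS"])
        elapsed = parse_elapsed(row["ELAPSED_TIME"])
        cpu_seconds = float(row["CPU_USER"]) + float(row["CPU_SYSTEM"])
        out.append({
            "hosts": hosts,
            "ms_per_host": 1000.0 * elapsed / hosts,
            "kb_per_host": int(row["MAX_MEMORY"]) / hosts,
            # 0.0 means fully CPU-bound; higher means the reload spent part
            # of the wall time waiting (page faults, swapping, I/O).
            "wait_fraction": 1.0 - cpu_seconds / elapsed,
        })
    return out


def scaling_exponent(costs):
    """Fit elapsed ~ hosts**k between the first and last rows;
    k == 1 is linear, larger means super-linear growth."""
    first, last = costs[0], costs[-1]
    t_first = first["ms_per_host"] * first["hosts"]
    t_last = last["ms_per_host"] * last["hosts"]
    return math.log(t_last / t_first) / math.log(last["hosts"] / first["hosts"])


if __name__ == "__main__":
    costs = per_host_costs()
    for c in costs:
        print(c)
    print("scaling exponent:", round(scaling_exponent(costs), 2))
```

Memory per server{} settles around 45 KB while wall time grows roughly as hosts^1.5, and at 50k hosts about 40% of the wall time was spent off-CPU, which is the kind of breakdown the profiling Maxim asks for would pin down.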