Multiple SSL enabled hosts causes nginx to reload slowly
Maxim Dounin
mdounin at mdounin.ru
Thu May 19 14:42:39 MSD 2011
Hello!
On Wed, May 18, 2011 at 08:40:15PM -0400, runesoerensen wrote:
> Hi,
>
> I've set up the ssl_certificate and ssl_certificate_key directives on the
> http level of my nginx configuration. The problem I'm facing is that
> starting/reloading nginx is getting slower and slower as more hosts
> (server directives) are added. The server has roughly 1000 SSL-enabled
> hosts that inherit the ssl certificate directives.
>
> I know nginx verifies the certificate when loading it, so I'm wondering
> if nginx checks the certificate each time an SSL enabled host inherits
> the shared certificate? If so, shouldn't it only check the certificate
> once? According to
> http://nginx.org/en/docs/http/configuring_https_servers.html it should
> cause all hosts to inherit a single memory footprint, but this doesn't
> seem to be the case.
>
> If this is a bug in nginx it may be an idea to completely disable
> certificate verification if possible?
>
> Any advice is highly appreciated.
Quick look suggests that time is taken mostly here in
ngx_http_ssl_module.c:

    /* a temporary 512-bit RSA key is required for export versions of MSIE */
    if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

As export versions of MSIE are rare and hardly supported nowadays
anyway, you may want to just nuke this code as a workaround.

I'll take a look at this further as time permits.

Maxim Dounin