Normal memory usage for SSL terminating, reverse proxy nginx?

onecrazymonkey nginx-forum at forum.nginx.org
Fri May 27 07:15:25 UTC 2016


It has been a difficult topic to research. The nginx instance is doing
nothing more than what the subject stated. It reverse proxies to a backend,
load balanced set of web app instances and terminates SSL for a large number
of unique domains each with their own SSL cert. Here's a `ps aux` of nginx
running after a clean start and zero (out of rotation) traffic.

root      20   0  676052 598224   1848 S   0.0 16.5   0:00.06 nginx
nginx     20   0  675552 597204   1228 S   0.0 16.5   0:00.44 nginx
nginx     20   0  675552 596612    636 S   0.0 16.5   0:00.36 nginx

Looking at that process list, nginx is using about 676mb of RAM for ~400
vhosts each with their own unique SSL cert for a unique domain. Here's an
example of a vhost server config. They're all generated based on the same
base template:

server {
  listen              443 ssl proxy_protocol;
  server_name         <uniquehostname> www.<uniquehostname>;
  access_log          /var/log/nginx/access_vhost_443.log accesslog;
  error_log           /var/log/nginx/error_vhost_443.log warn;
  real_ip_header      proxy_protocol;

  ssl                 on;
  ssl_certificate     /etc/nginx/ssl/<uniquehostname>/<uniquehostname>.crt;
  ssl_certificate_key /etc/nginx/ssl/<uniquehostname>/<uniquehostname>.key;

  ssl_stapling        on;
  ssl_stapling_verify on;

  resolver        internal-dns.vpc  valid=60s;

  set             $internal "upstream-load-balancer.vpc";
  location / {
    if ($denied) {
      return 444;
    }
    proxy_pass          http://$internal;
  }
}

Now, this wouldn't be all that bad. 1.69mb of memory per vhost isn't
horrible, high, but not unsustainable. However, if I do `nginx -s reload` or
restart via systemd service... 

root      20   0 1370188 1.176g   3240 S   0.0 33.4   0:14.98 nginx
nginx     20   0 1370192 1.175g   2584 S   0.3 33.4   2:39.95 nginx
nginx     20   0 1370192 1.175g   2584 S   1.7 33.4   2:28.42 nginx

It doubles the memory consumption! It never goes up or down drastically
again. It's as if it duplicates and never frees or releases unless you do a
restart.

This was tested on a handful of AWS EC2 instance types using vanilla CentOS 7
and both nginx 1.6.3 (stable in CentOS repos) and nginx 1.10.0 (nginx.org
repo).

In summary, my questions are thus:
- Is it normal for nginx to use ~1.7mb per SSL vhost?
- Is there a way to reduce that memory usage?
- Am I the only one that experiences the doubling of nginx memory usage
after an nginx reload?
- Is that a bug?

Thanks!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,267189,267189#msg-267189


