Normal memory usage for SSL terminating, reverse proxy nginx?
Maxim Dounin
mdounin at mdounin.ru
Fri May 27 13:58:18 UTC 2016
Hello!
On Fri, May 27, 2016 at 03:15:25AM -0400, onecrazymonkey wrote:
> It has been a difficult topic to research. The nginx instance is doing
> nothing more than what the subject stated. It reverse proxies to a backend,
> load balanced set of web app instances and terminates SSL for a large number
> of unique domains each with their own SSL cert. Here's a `ps aux` of nginx
> running after a clean start and zero (out of rotation) traffic.
>
> root 20 0 676052 598224 1848 S 0.0 16.5 0:00.06 nginx
>
> nginx 20 0 675552 597204 1228 S 0.0 16.5 0:00.44 nginx
>
> nginx 20 0 675552 596612 636 S 0.0 16.5 0:00.36 nginx
>
> Looking at that process list, nginx is using about 676mb of RAM for ~400
> vhosts each with their own unique SSL cert for a unique domain. Here's an
> example of a vhost server config. They're all generated based on the same
> base template:
>
> server {
> listen 443 ssl proxy_protocol;
> server_name <uniquehostname> www.<uniquehostname>;
> access_log /var/log/nginx/access_vhost_443.log accesslog;
> error_log /var/log/nginx/error_vhost_443.log warn;
> real_ip_header proxy_protocol;
>
> ssl on;
> ssl_certificate /etc/nginx/ssl/<uniquehostname>/<uniquehostname>.crt;
> ssl_certificate_key /etc/nginx/ssl/<uniquehostname>/<uniquehostname>.key;
>
> ssl_stapling on;
> ssl_stapling_verify on;
>
> resolver internal-dns.vpc valid=60s;
Note: by using using own resolver in each server{} you add more
flexibility, but waste memory and other resources. Consider using
single resolver defined at http{} level instead.
> set $internal "upstream-load-balancer.vpc";
> location / {
> if ($denied) {
> return 444;
> }
> proxy_pass http://$internal;
> }
> }
>
> Now, this wouldn't be all that bad. 1.69mb of memory per vhost isn't
> horrible, high, but not unsustainable. However, if I do `nginx -s reload` or
> restart via systemd service...
>
> root 20 0 1370188 1.176g 3240 S 0.0 33.4 0:14.98 nginx
>
> nginx 20 0 1370192 1.175g 2584 S 0.3 33.4 2:39.95 nginx
>
> nginx 20 0 1370192 1.175g 2584 S 1.7 33.4 2:28.42 nginx
>
> It doubles the memory consumption! It never goes up or down drastically
> again. It's as if it duplicates and never frees or releases unless you do a
> restart.
As nginx allocates a new configuration before releasing the old
one, and this doubles memory consumption of the master process for a
while. The old configuration is then freed, but in many cases
this memory isn't really returned to kernel by the allocator, and
hence seen in various stats.
> This was tested on a handful of AWS EC2 instance types using vanilla Centos7
> and both nginx 1.6.3 (stable in centos repos) and nginx 1.10.0 (nginx.org
> repo).
>
> In summary, my questions are thus:
> - Is it normal for nginx to use ~1.7mb per SSL vhost?
Not really. This is likely due to a particular configuration you
are using: own resolver in each vhost, own logs, etc. Consider
moving common settings to the http{} level, it should somewhat reduce
memory consumption.
Just for the reference: a simple test with 10k SSL vhosts like:
server { listen 8443; ssl on; server_name 1.foo; ssl_certificate test.crt; ssl_certificate_key test.key; }
server { listen 8443; ssl on; server_name 2.foo; ssl_certificate test.crt; ssl_certificate_key test.key; }
...
server { listen 8443; ssl on; server_name 10000.foo; ssl_certificate test.crt; ssl_certificate_key test.key; }
takes about 200mb of memory (on a 32-bit host). That is, about
20k of memory per vhost.
With more options it will take more memory, but 1.7mb is a bit too
many - you are doing something wrong.
Just a guess: if you use ssl_trusted_certificate at http{} level,
make sure you are loading only needed certificates, not a full
OS-provided bundle.
> - Is there a way to reduce that memory usage?
Yes, see various hints above. In summary: configure things at
http{} level where possible, avoid memory-hungry things you don't
need.
> - Am I the only one that experiences the doubling of nginx memory usage
> after a nginx reload?
> - Is that a bug?
No and no, see above.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list