@Jb-boin wrote:
On 2.0.12 servers with around 18000 RSA SSL certificates (mainly LetsEncrypt certs) loaded with crt-list, each HAProxy worker thread uses around 10Gb of RAM (only 200Mb if the crt-list file is empty), and the reload time of HAProxy is about 4 to 5 minutes on a server with a Xeon E3-1241 v3 with 32Gb of RAM and the certificates on a tmpfs partition.
Is there any way to optimize the memory usage and/or reload time?
The relevant configuration parts are (there are about 35 identical “bind” entries with different IPs):

    global
        tune.ssl.default-dh-param 2048
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
        ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
        tune.ssl.ssl-ctx-cache-size 4000
        nbproc 1
        nbthread 7
        cpu-map auto:1/all 0-

    frontend frontend-ssl
        bind $IP:443 ssl crt /path/wildcard.defaultdomain.com.pem crt /path/wildcard.otherdomain.com.pem crt-list /path/ssl-tmpfs/crt.list alpn http/1.1