Moin,
> So you didn't mention http_sub_module before, which precludes
> directly using packages from 7.4, but can you try building from the
> port so that the only change compared to what anyone else is running
> is enabling the additional module? (You can use 'FLAVOR="no_passenger
> no_lua no_njs" make package' to reduce the number of build
> dependencies).
> 
> [...]
> 
> AFAIK a couple of people have tried to reproduce this and not been
> able to.
> 
> I really think you are going to need to isolate _what_ triggers the
> issue and provide some config so that others can replicate it...
Ah, thanks; I have been an idiot/missed the forest for all the trees.
Your mail actually helped me get a clearer idea how I can provide
something more useful (and determine _what_ actually leaks; see below).

> 
> AFAIK you can disable 1.3 on the proxy side with proxy_ssl_protocols
> so that is probably worth a try.
Yes; This makes a lot of sense. Again, forest, trees.


> There was never an answer to my last email there, 
Missed that one; Found it just now. Sorry for that.

> [...] though it doesn't really increase until a while after the
> process started. Is there any more context to those graphs? Config
> changes? Different access patterns?
Again me being stupid; the change in rate between 03-11-2023 and
04-11-2023 actually corresponds to a higher query rate (see the
accompanying nginx graph). Same for the steeper curve between 08-11-2023
and 09-11-2023. The 'lows' on 08-11-2023 and 09-11-2023 correspond to
the traces; I created ktraces with MALLOC_OPTS=D/2/3 by running nginx
for 2h with each setting and then restarting it; did it twice because I
forgot -i on 08-11-2023.

I should not write emails while on conferences. -.-'

What I will do now:

Set up some test boxes:
- 7.4 + 1.24.0 pkg with a reverse proxy
- 7.4 + 1.24.0 pkg with a reverse proxy (-TLS1.3 for proxy)
- 7.4 + 1.24.0 pkg with a reverse proxy (-TLS1.3 for inbd.)
- 7.4 + 1.24.0 ports+http_sub with a reverse proxy
- 7.4 + 1.24.0 ports+http_sub with a reverse proxy (-TLS1.3 for proxy)
- 7.4 + 1.24.0 ports+http_sub with a reverse proxy (-TLS1.3 for inbd.)
- 7.4 + 1.24.0 manual+http_sub with a reverse proxy
- 7.4 + 1.24.0 manual+http_sub with a reverse proxy (-TLS1.3 for proxy)
- 7.4 + 1.24.0 manual+http_sub with a reverse proxy (-TLS1.3 for inbd.)

Push the following traffic over the boxes:
- 2h 10 connections avg.
- 2h 50 connections avg.
- 2h 100 connections avg.

This should then allow me to provide:
- A clear pointer as to where the leak is (inbound/outbound, nginx or 
  libressl, my self-build stuff vs. ports/pkg)
- Indication whether this is related to requests/s
- A clearly reproducible case (or next steps if this wasn't
  reproducible)

Will come back as soon as that has some results.

With best regards,
Tobias
