On Sun, Mar 1, 2015 at 4:45 PM, Felipe Scarel <fbsca...@gmail.com> wrote:
> Hello all,
>
> I'm implementing a simple SSL forward proxy using relayd.
> Configuration has been fine, as was testing. There seems to be one
> issue with memory consumption, however.
>
> To better illustrate my issue, here follows an excerpt of /etc/relayd.conf :
>
> http protocol httpsfilter {
>   tcp { nodelay, sack, socket buffer 65536, backlog 1024 }
>   return error
>
>   match header set "Keep-Alive" value "$TIMEOUT"
>   match header set "Connection" value "close"
>
>   pass quick url file "/etc/relayd.d/custom_whitelist"
>   block url file "/etc/relayd.d/custom_blacklist"
>   include "/etc/relayd.d/auto_blacklist"
>
>   ssl ca key  "/etc/ssl/private/ca.key" password "password"
>   ssl ca cert "/etc/ssl/ca.crt"
> }
>
> So basically it checks against a custom whitelist, then a custom
> blacklist, and finally an "auto" blacklist (which is the main source
> of the problem). Using a few URLs with both custom black/white lists
> poses no issue, but when attempting to load a somewhat bigger URL list
> downloaded from the internet (I'm using
> ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz)
> I run into memory problems.
>
> For example, here is relayd's memory usage when only the custom
> white/black lists are loaded (2 URLs total, no big deal):
>
> # ps aux | grep relayd
> USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED       TIME COMMAND
> _relayd  17238  0.0  0.1  1528  3208 ??  I      3:27PM    0:00.01 relayd: relay (relayd)
> _relayd  14280  0.0  0.1  1524  3176 ??  I      3:27PM    0:00.02 relayd: relay (relayd)
> _relayd  30448  0.0  0.1  1396  2812 ??  I      3:27PM    0:00.01 relayd: ca (relayd)
> _relayd  10020  0.0  0.1  1376  2768 ??  I      3:27PM    0:00.01 relayd: ca (relayd)
> _relayd  25775  0.0  0.1  1400  2852 ??  I      3:27PM    0:00.01 relayd: ca (relayd)
> root       346  0.0  0.1  1912  3672 ??  Is     3:27PM    0:00.02 relayd: parent (relayd)
> _relayd  15883  0.0  0.1  1440  2828 ??  I      3:27PM    0:00.01 relayd: pfe (relayd)
> _relayd  32000  0.0  0.1  1220  2560 ??  I      3:27PM    0:00.01 relayd: hce (relayd)
> _relayd   2677  0.0  0.1  1516  3188 ??  I      3:27PM    0:00.01 relayd: relay (relayd)
>
> Now loading the "phishing/domains" URL list, which has about ~63k
> entries. relayd's "parent" process balloons to over 2GB memory usage
> (I'm assuming it's reading the URL lists and building a data structure
> for the relays), and after that the relays stabilize with the
> following memory usage:
>
> # ps aux | grep relayd
> USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED       TIME COMMAND
> _relayd  12982  0.0 12.9 516728 526288 ??  S      3:31PM    0:03.44 relayd: relay (relayd)
> _relayd   1206  0.0  0.1  1368  2836 ??  I      3:31PM    0:00.01 relayd: ca (relayd)
> root     25673  0.0  2.7 155616 111228 ??  Is     3:31PM    0:16.35 relayd: parent (relayd)
> _relayd  15513  0.0  0.1  1416  2832 ??  S      3:31PM    0:00.01 relayd: pfe (relayd)
> _relayd  15643  0.0  0.1  1200  2560 ??  I      3:31PM    0:00.01 relayd: hce (relayd)
> _relayd  25822  0.0 12.9 516716 526296 ??  S      3:31PM    0:03.37 relayd: relay (relayd)
> _relayd  17950  0.0  0.1  1380  2824 ??  I      3:31PM    0:00.01 relayd: ca (relayd)
> _relayd   9068  0.0  0.1  1360  2784 ??  I      3:31PM    0:00.01 relayd: ca (relayd)
> _relayd  19666  0.0 12.9 516712 526292 ??  S      3:31PM    0:03.46 relayd: relay (relayd)
>
> So that's about ~520 MB of memory per relay process, out of 3 total.
> Next I load another URL list alongside the previous one, the
> "adult/urls" list, which contains roughly ~55k entries. Adding up
> with the previous list, we have more or less ~118k URLs for relayd to
> process. The "parent" process takes a couple minutes to process
> everything, going over 4GB VSZ and 2.2GB RSS. After all's said and
> done, here's what's shown by ps:
>
> # ps aux | grep relayd
> USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED       TIME COMMAND
> _relayd   6332  0.0  0.1  1428  2228 ??  I      3:35PM    0:00.01 relayd: ca (relayd)
> _relayd   8736  0.0 23.9 967808 976768 ??  I      3:35PM    0:06.81 relayd: relay (relayd)
> _relayd  22890  0.0 23.9 967812 976768 ??  I      3:35PM    0:06.77 relayd: relay (relayd)
> _relayd   5871  0.0 23.9 967804 976760 ??  I      3:35PM    0:06.33 relayd: relay (relayd)
> _relayd   8199  0.0  0.1  1440  2256 ??  I      3:35PM    0:00.01 relayd: ca (relayd)
> root      5571  0.0  5.3 315032 214796 ??  Is     3:35PM    1:28.45 relayd: parent (relayd)
> _relayd  30781  0.0  0.1  1488  2136 ??  S      3:35PM    0:00.01 relayd: pfe (relayd)
> _relayd   1502  0.0  0.0  1272  2040 ??  I      3:35PM    0:00.01 relayd: hce (relayd)
> _relayd  29135  0.0  0.1  1432  2236 ??  I      3:35PM    0:00.01 relayd: ca (relayd)
>
> Nearly 1GB of RAM per relay process, and ~214 MB to the parent
> process. This server I'm working with has 4GB of RAM, so it can't go
> much further. If I attempt to load the biggest URL list from the set,
> "adult/domains" (slightly above 1 million entries), the server hangs
> up after a while and demands a hard reset.
>
> Is there any configuration parameter I'm missing here? I've reviewed
> the manpage a few times, and aside from lowering the number of relays
> with "prefork", I can't think of much else. I can, of course, provide
> additional information if necessary.
>
> Thanks for your input,
> fbscarel


I forgot to add that I'm running OpenBSD 5.6-release over here. If
needed, I can test with 5.6-stable or -current.

Regards,
fbscarel
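
Added example, not part of the original message and not relayd code: a Python sketch that parses the relayd rows of the quoted `ps aux` listings (quoted and mail-wrapped rows included) and estimates relay RSS growth per list entry. The entry counts (63k, 118k, 1M) are the approximate figures given in the message, and the linear projection to the largest list is an assumption.

```python
import re

# Rows copied from the three ps listings in the message above (a subset of
# each), kept in quoted, mail-wrapped form. RSS is in kilobytes.
BASELINE = """\
> _relayd  17238  0.0  0.1  1528  3208 ??  I      3:27PM    0:00.01
> relayd: relay (relayd)
"""
LOADED_63K = """\
> _relayd  12982  0.0 12.9 516728 526288 ??  S      3:31PM    0:03.44
> relayd: relay (relayd)
> root     25673  0.0  2.7 155616 111228 ??  Is     3:31PM    0:16.35
> relayd: parent (relayd)
"""
LOADED_118K = """\
> _relayd   8736  0.0 23.9 967808 976768 ??  I      3:35PM    0:06.81
> relayd: relay (relayd)
"""

# USER PID %CPU %MEM VSZ RSS ... "relayd: <role> (relayd)"; captures RSS and role.
ROW = re.compile(
    r"^\S+\s+\d+\s+[\d.]+\s+[\d.]+\s+\d+\s+(\d+)\s.*relayd: (\w+) \(relayd\)$")

def rss_by_role(ps_text):
    """Return {role: largest RSS in KB} for the relayd rows in ps_text."""
    text = re.sub(r"^> ?", "", ps_text, flags=re.M)  # drop reply quoting
    text = re.sub(r"\s*\n(?=relayd:)", " ", text)    # rejoin wrapped COMMAND
    peak = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            peak[m.group(2)] = max(peak.get(m.group(2), 0), int(m.group(1)))
    return peak

def kb_per_entry(baseline_kb, loaded_kb, entries):
    """Average relay RSS growth per list entry, in KB."""
    return (loaded_kb - baseline_kb) / entries

def summarize(relays=3, big_list=1_000_000):
    """Per-entry cost at 63k and 118k entries, plus projected total KB."""
    base = rss_by_role(BASELINE)["relay"]
    c63 = kb_per_entry(base, rss_by_role(LOADED_63K)["relay"], 63_000)
    c118 = kb_per_entry(base, rss_by_role(LOADED_118K)["relay"], 118_000)
    total_kb = relays * (base + c118 * big_list)  # assumes linear growth
    return c63, c118, total_kb

if __name__ == "__main__":
    c63, c118, total_kb = summarize()
    print(f"{c63:.2f} / {c118:.2f} KB per entry; "
          f"1M entries on 3 relays: ~{total_kb / 1024**2:.1f} GiB RSS")
```

Both measurements come out at a little over 8 KB of RSS per list entry per relay, so under the linear assumption the million-entry list would need far more than the 4 GB available across three relay processes.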
