ZoeyVid / NPMplus

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://hub.docker.com/r/zoeyvid/npmplus
MIT License
491 stars, 22 forks

high RAM and CPU usage #738

Open captainabloc opened 6 months ago

captainabloc commented 6 months ago

Hello, all works fine, but RAM consumption is constantly growing and is now up to 2 Gb alone, which seems high on a Linux system. Also, any edit of advanced settings brings CPU consumption to 100% for a minute or more.

Docker runs on a dedicated debian 12 VM on Proxmox, with

Would anyone know how to limit that?

Many thanks

Zoey2936 commented 6 months ago

Is it the index.js process or nginx?

Zoey2936 commented 6 months ago

Also do you use crowdsec or have you enabled modsec on any host?

captainabloc commented 6 months ago

Hi, it's the nginx process - up to 100% CPU when editing advanced settings. I use crowdsec.

Zoey2936 commented 6 months ago

Can you disable crowdsec and try again?

captainabloc commented 6 months ago

Got some modsecurity enabled in other proxies, all removed and now much faster...

Zoey2936 commented 6 months ago

Yes, modsecurity often leaks memory or uses a lot of CPU when reloading; the same goes for crowdsec sometimes. There is nothing I can do to prevent this. Either you accept this high usage or don't use modsec... I know it's not a good solution, but there is nothing I can do.

Zoey2936 commented 6 months ago

I've pinned this

LePresidente commented 5 months ago

Hi,

So this was probably caused by crowdsec. Lua has a bad memory leak if you use lua_ssl_trusted_certificate, since this gets included into each and every location block.

https://github.com/crowdsecurity/cs-openresty-bouncer/blob/3ae4af0f0a672138a905f1d256501e18d0b2c563/openresty/crowdsec_openresty.conf#L3C1-L3C28

I fixed this in my npm fork by forcing just Google's cert instead of the system keyring.

lua_ssl_trusted_certificate /etc/ssl/certs/GTS_Root_R1.pem

https://github.com/NginxProxyManager/docker-nginx-full

Zoey2936 commented 5 months ago

it should only be loaded once: https://github.com/ZoeyVid/NPMplus/blob/e789ccfa722ca35e60264b724a394c10252ca6b9/rootfs/usr/local/bin/start.sh#L867 and: https://github.com/ZoeyVid/NPMplus/blob/e789ccfa722ca35e60264b724a394c10252ca6b9/rootfs/usr/local/nginx/conf/nginx.conf#L130
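Whether lua_ssl_trusted_certificate is declared once or repeated in every location block, the point the two comments above disagree on, can be checked against the rendered configuration. The following is an added example, not code from NPMplus or from any commenter: a small Python audit that reports the block context of each occurrence of a directive. The function names and both sample configurations are constructed for illustration; real input would be a full configuration dump such as the output of `nginx -T`.

```python
import re
from collections import Counter

# Tokens: comment, quoted string, structural character, bare word.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#][^\s{};]*''')

def find_directive(conf_text, name):
    """Return [(block_path, args)] for each occurrence of directive `name`.
    Includes are not followed, and Lua inside *_by_lua_block is tokenized
    like nginx syntax, so feed it a full dump and treat paths as a guide."""
    stack, stmt, hits = [], [], []
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):
            continue                      # comment, ignore
        if tok == "{":
            stack.append(stmt[0] if stmt else "?")   # block opened by stmt
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            if stmt and stmt[0] == name:
                hits.append(("/".join(stack) or "main", " ".join(stmt[1:])))
            stmt = []
        else:
            stmt.append(tok)
    return hits

def summarize(conf_text, name):
    """Count occurrences of `name` by innermost enclosing block type."""
    return Counter(p.rsplit("/", 1)[-1] for p, _ in find_directive(conf_text, name))

# Constructed sample: directive repeated inside every location block.
PER_LOCATION = """
http { server {
  location /    { lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_pass http://app; }
  location /api { lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_pass http://api; }
} }
"""
# Constructed sample: declared once at http level, ModSecurity on one location.
HTTP_LEVEL = """
http {
  lua_ssl_trusted_certificate /etc/ssl/certs/GTS_Root_R1.pem;
  server { location / { modsecurity on; proxy_pass http://app; }
           # lua_ssl_trusted_certificate /commented/out;
  }
}
"""
if __name__ == "__main__":
    for label, conf in (("per-location", PER_LOCATION), ("http-level", HTTP_LEVEL)):
        print(label, dict(summarize(conf, "lua_ssl_trusted_certificate")))
```

A count under `location` that grows with the number of proxy hosts indicates the per-location pattern; the same call with `modsecurity` shows how many blocks enable ModSecurity.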

parasiteoflife commented 3 weeks ago

I've been having this problem too, but is the problem ModSecurity or CoreRuleSet? I think I'm not using crowdsec (I don't even know how to enable or disable it).

Asking because I remember that when I went on to disable ModSecurity and CoreRuleSet for all the proxy hosts, when the only ones that were left were the ones that only had ModSecurity enabled, the high CPU consumption stopped. I still disabled ModSecurity in everything just in case, because the problem made the entire system halt, but I think ModSecurity is not triggering this issue.

Zoey2936 commented 3 weeks ago

coreruleset has a lot of rules; this can cause huge memory usage if enabled on many hosts. Sorry, but that is "normal" behavior.

p0se commented 2 weeks ago

> Hi,
>
> So this was probably caused by crowdsec. Lua has a bad memory leak if you use lua_ssl_trusted_certificate, since this gets included into each and every location block.
>
> https://github.com/crowdsecurity/cs-openresty-bouncer/blob/3ae4af0f0a672138a905f1d256501e18d0b2c563/openresty/crowdsec_openresty.conf#L3C1-L3C28
>
> I fixed this in my npm fork by forcing just Google's cert instead of the system keyring.
>
> lua_ssl_trusted_certificate /etc/ssl/certs/GTS_Root_R1.pem
>
> https://github.com/NginxProxyManager/docker-nginx-full

I have the same problem. I only use crowdsec; modsecurity is not used.

Docker with NPMplus runs on a Proxmox container. Even with 8 GB RAM, the workload is 100% after a few days. The proxy then no longer works.

I would like to try your solution, can you tell me where I have to make the adjustment?