On 2.0.12 servers with around 18000 RSA SSL certificates (mainly LetsEncrypt certs) loaded with crt-list, each HAProxy worker thread uses around 10Gb of RAM (only 200Mb if the crt-list file is empty), and the reload time of HAProxy is about 4 to 5 minutes on a server with a Xeon E3-1241 v3 with 32Gb of RAM and the certificates on a tmpfs partition.
Is there any way to optimize the memory usage and/or reload time?
The relevant configuration parts are (there are about 35 identical “bind” entries with different IPs):
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
cpu-map auto:1/all 0-
bind $IP:443 ssl crt /path/wildcard.defaultdomain.com.pem crt /path/wildcard.otherdomain.com.pem crt-list /path/ssl-tmpfs/crt.list alpn http/1.1