Posted to users@httpd.apache.org by Ishita Kapadiya <is...@gmail.com> on 2011/04/01 06:16:35 UTC
Re: [users@httpd] Apache is too slow with SSL
Thanks Mark. It really helps. Once I have used keep alive in
benchmark response time reduced from 1900ms to 5 ms!
It should have come to my mind before. But thanks for your valuable
hints.. I can now breathe :)
Next thing I am targeting is to use this server for stress test and
will let you know in case of any concern.
Once again thanks for your help
On Thu, Mar 31, 2011 at 7:56 AM, Mark Montague <ma...@catseye.org> wrote:
> On March 30, 2011 19:44 , Ishita Kapadiya <is...@gmail.com> wrote:
>>
>> Hi Mark,
>>
>> Thanks for your suggestion. I tried below settings in httpd.conf -
>>
>> <IfModule ssl_module>
>> #SSLRandomSeed startup builtin
>> #SSLRandomSeed connect builtin
>> SSLRandomSeed startup file:/dev/urandom 1024
>> SSLRandomSeed connect file:/dev/urandom 1024
>> </IfModule>
>>
>> the commented line was there when I initially posted my query and now
>> I changed it with mentioned lines. But still got the same result.
>> Even I tried with /dev/random option but that option didn't work at
>> all (maybe not supported with my OS config)
>> Could you or anyone please help me to resolve this problem. I want to
>> resolve it. I tried to google it but couldn't find any solution.
>> Any help will be great.
>
> I had to scale things back a bit in the VM guest that I use for development,
> but here is what I'm seeing:
>
> ab -n 10000 -c 10 http://f14dev1.catseye.org/index.html
> Time taken for tests: 2.579 seconds
>
> ab -n 10000 -c 10 https://f14dev1.catseye.org/index.html
> Time taken for tests: 197.999 seconds
>
> This is a ratio ( time for HTTPS / time for HTTP ) of 76.77. In your
> original message, you had a ratio of 62.74.
>
>
> The following Q&A observes the same thing, and it includes a number of
> explanations:
>
> http://serverfault.com/questions/43692/how-much-of-a-performance-hit-for-https-vs-http-for-apache
>
>
> In other words, there is likely not anything wrong with your configuration.
>
>
> A final note: the performance difference does seem to center around the TLS
> session negotiation rather than encryption. If I enable keepalive for my
> benchmark, the time for HTTP decreases from 2.575 seconds to 1.437 seconds;
> but the time for HTTPS drops from 197.999 seconds to 4.237 seconds (yes, 193
> seconds quicker simply by reusing connections!)
>
> I hope this helps.
>
> --
> Mark Montague
> mark@catseye.org
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
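Added example (not part of the original thread, and not Mark's or the project's own configuration): a server-side httpd.conf fragment that lets real clients get what the keepalive benchmark above shows, by reusing connections and TLS sessions so the handshake is paid less often. The cache path and all numeric values are assumptions to adapt to the installation.

```apache
# Added example; values and paths below are assumptions, not from the thread.

# Let clients send several requests over one TCP/TLS connection, which is
# what "ab -k" exercises on the client side.
KeepAlive On
MaxKeepAliveRequests 100
# Seconds an idle connection is held open; longer values tie up workers.
KeepAliveTimeout 5

<IfModule ssl_module>
    # Seeding from the thread. /dev/urandom does not block; on some
    # platforms /dev/random blocks until enough entropy is available.
    SSLRandomSeed startup file:/dev/urandom 1024
    SSLRandomSeed connect file:/dev/urandom 1024

    # Server-wide TLS session cache, so a client that reconnects can resume
    # its session instead of performing a full handshake. This directive
    # belongs in the global server context, not inside a <VirtualHost>.
    # Placeholder path: point it at a directory writable only by the server.
    SSLSessionCache shmcb:/path/to/httpd/logs/ssl_scache(512000)
    # Lifetime in seconds of a cached session before a full handshake is
    # required again.
    SSLSessionCacheTimeout 300
</IfModule>
```

Running `openssl s_client -connect host:443 -reconnect` against the server (host is a placeholder) reports `Reused` on the reconnects when the session cache is working.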
Re: [users@httpd] Apache is too slow with SSL
Posted by Ishita Kapadiya <is...@gmail.com>.
Thanks Mark
> - Put an SSL-terminating appliance in front of your web server. This could
> help, especially if the appliance does much of its work in specialized
> hardware.
this is the only solution I can see as of now. I am really surprised
that Apache is not handling SSL requests efficiently!
On Wed, Apr 6, 2011 at 10:22 AM, Mark Montague <ma...@catseye.org> wrote:
> On April 6, 2011 0:12 , Ishita Kapadiya <is...@gmail.com> wrote:
>>
>> I tried to test apache with stress test using JMETER and
>> results are not really good compared to sun one web server 6.1 running
>> on the same machine.
>>
>> I guess worker mpm should work better than prefork..right? I didn't
>> try prefork yet but do you think it's worth to check with that mpm
>> once? I have tried so many things to tune config but all the time no
>> better result than shown above for apache. You can see sun one web
>> server had better numbers in each field.
>
> Hopefully someone else will have better ideas than me. But my guess is that
> there is nothing wrong with your configuration: I get results similar to
> yours in terms of the time required for an HTTPS benchmark divided by the
> time for an HTTP benchmark (both using a fairly recent build of httpd
> 2.3.12-dev). Performance measurements that have been published on
> stackoverflow.com and other sites also show a similar ratio. So you may
> have found a situation where the code for Sun ONE Web Server is better than
> Apache HTTP Server.
>
> My suggestions include:
>
> - Is this a problem that is actually negatively affecting you in the real
> world, or is it just something that you feel "should be" faster? If it is
> not actually causing real-world problems, I recommend ignoring the
> performance difference. My situation is different from yours, but I have
> run many large, active sites that only use HTTPS (no HTTP) and this
> performance difference has never caused me actual problems.
>
> - Put an SSL-terminating appliance in front of your web server. This could
> help, especially if the appliance does much of its work in specialized
> hardware.
>
> - Investigate the mod_ssl and openssl code plus TLS protocol dumps and see
> if you can determine where the performance bottleneck is, then re-write the
> code to fix the problem. Or see if someone else (perhaps on the developers'
> list) has the time and interest to take this on as a project instead.
>
> Sorry I can't give you better answers.
>
> --
> Mark Montague
> mark@catseye.org
>
>
Re: [users@httpd] Apache is too slow with SSL
Posted by Mark Montague <ma...@catseye.org>.
On April 6, 2011 0:12 , Ishita Kapadiya <is...@gmail.com> wrote:
> I tried to test apache with stress test using JMETER and
> results are not really good compared to sun one web server 6.1 running
> on the same machine.
>
> I guess worker mpm should work better than prefork..right? I didn't
> try prefork yet but do you think it's worth to check with that mpm
> once? I have tried so many things to tune config but all the time no
> better result than shown above for apache. You can see sun one web
> server had better numbers in each field.
Hopefully someone else will have better ideas than me. But my guess is
that there is nothing wrong with your configuration: I get results
similar to yours in terms of the time required for an HTTPS benchmark
divided by the time for an HTTP benchmark (both using a fairly recent
build of httpd 2.3.12-dev). Performance measurements that have been
published on stackoverflow.com and other sites also show a similar
ratio. So you may have found a situation where the code for Sun ONE Web
Server is better than Apache HTTP Server.
My suggestions include:
- Is this a problem that is actually negatively affecting you in the
real world, or is it just something that you feel "should be" faster?
If it is not actually causing real-world problems, I recommend ignoring
the performance difference. My situation is different from yours, but I
have run many large, active sites that only use HTTPS (no HTTP) and this
performance difference has never caused me actual problems.
- Put an SSL-terminating appliance in front of your web server. This
could help, especially if the appliance does much of its work in
specialized hardware.
- Investigate the mod_ssl and openssl code plus TLS protocol dumps and
see if you can determine where the performance bottleneck is, then
re-write the code to fix the problem. Or see if someone else (perhaps
on the developers' list) has the time and interest to take this on as a
project instead.
Sorry I can't give you better answers.
--
Mark Montague
mark@catseye.org
Re: [users@httpd] Apache is too slow with SSL
Posted by Ishita Kapadiya <is...@gmail.com>.
Hi Mark - I tried to test apache with stress test using JMETER and
results are not really good compared to sun one web server 6.1 running
on the same machine. ab results are good now (after I have used -k
option as suggested by you)
Apache jmeter test output -
count  average  min  max   stddev  error%  rate         bandwidth    average_bytes
10000  253      32   2507  235.54  0       262.295082   4982.32582   19451
sun one jmeter test output -
count  average  min  max   stddev  error%  rate         bandwidth    average_bytes
10000  111      31   1897  106.08  0       383.5532372  6779.228555  18099
I guess worker mpm should work better than prefork..right? I didn't
try prefork yet but do you think it's worth to check with that mpm
once? I have tried so many things to tune config but all the time no
better result than shown above for apache. You can see sun one web
server had better numbers in each field.
Could you or anyone else please help me further?
On Fri, Apr 1, 2011 at 12:16 AM, Ishita Kapadiya <is...@gmail.com> wrote:
> Thanks Mark. It really helps. Once I have used keep alive in
> benchmark response time reduced from 1900ms to 5 ms!
> It should have come to my mind before. But thanks for your valuable
> hints.. I can now breathe :)
> Next thing I am targeting is to use this server for stress test and
> will let you know in case of any concern.
>
> Once again thanks for your help
>
> On Thu, Mar 31, 2011 at 7:56 AM, Mark Montague <ma...@catseye.org> wrote:
>> On March 30, 2011 19:44 , Ishita Kapadiya <is...@gmail.com> wrote:
>>>
>>> Hi Mark,
>>>
>>> Thanks for your suggestion. I tried below settings in httpd.conf -
>>>
>>> <IfModule ssl_module>
>>> #SSLRandomSeed startup builtin
>>> #SSLRandomSeed connect builtin
>>> SSLRandomSeed startup file:/dev/urandom 1024
>>> SSLRandomSeed connect file:/dev/urandom 1024
>>> </IfModule>
>>>
>>> the commented line was there when I initially posted my query and now
>>> I changed it with mentioned lines. But still got the same result.
>>> Even I tried with /dev/random option but that option didn't work at
>>> all (maybe not supported with my OS config)
>>> Could you or anyone please help me to resolve this problem. I want to
>>> resolve it. I tried to google it but couldn't find any solution.
>>> Any help will be great.
>>
>> I had to scale things back a bit in the VM guest that I use for development,
>> but here is what I'm seeing:
>>
>> ab -n 10000 -c 10 http://f14dev1.catseye.org/index.html
>> Time taken for tests: 2.579 seconds
>>
>> ab -n 10000 -c 10 https://f14dev1.catseye.org/index.html
>> Time taken for tests: 197.999 seconds
>>
>> This is a ratio ( time for HTTPS / time for HTTP ) of 76.77. In your
>> original message, you had a ratio of 62.74.
>>
>>
>> The following Q&A observes the same thing, and it includes a number of
>> explanations:
>>
>> http://serverfault.com/questions/43692/how-much-of-a-performance-hit-for-https-vs-http-for-apache
>>
>>
>> In other words, there is likely not anything wrong with your configuration.
>>
>>
>> A final note: the performance difference does seem to center around the TLS
>> session negotiation rather than encryption. If I enable keepalive for my
>> benchmark, the time for HTTP decreases from 2.575 seconds to 1.437 seconds;
>> but the time for HTTPS drops from 197.999 seconds to 4.237 seconds (yes, 193
>> seconds quicker simply by reusing connections!)
>>
>> I hope this helps.
>>
>> --
>> Mark Montague
>> mark@catseye.org
>>
>>
>>
>>
>