nginx ssl slow

Maxim Dounin mdounin at mdounin.ru
Tue Jul 12 13:10:38 MSD 2011 

Hello!

On Tue, Jul 12, 2011 at 01:39:33AM -0400, davidkazuhiro wrote:

> Wait I'm confused... how do you know these tests were done with EDCHE
> ciphers?

This is just a guess based on ciphers OpenSSL 1.0.0d prefers by 
default when working with nginx and stunell.

> And if they were, how did he do them if nginx doesn't support
> EDCHE?

Forcing cipher to be what equally supported by all programs 
tested.  Good testing programs even have switches to specify that. 
:)

E.g. numbers are from virtual machine on my poor old P4 laptop, 
stunnel passing connections to nginx, using cipher as selected by 
my browser during real work:

$ http_load -cipher CAMELLIA256-SHA -parallel 10 -seconds 10 stunnel
540 fetches, 10 max parallel, 23220 bytes, in 10.008 seconds
43 mean bytes/connection
53.9568 fetches/sec, 2320.14 bytes/sec
msecs/connect: 2.12899 mean, 24.401 max, 0.196 min
msecs/first-response: 105.195 mean, 414.064 max, 23.386 min
HTTP response codes:
  code 200 -- 540

And here is nginx proxy_pass'ing to itself, same cipher:

$ http_load -cipher CAMELLIA256-SHA -parallel 10 -seconds 10 nginx
766 fetches, 10 max parallel, 32938 bytes, in 10.0081 seconds
43 mean bytes/connection
76.538 fetches/sec, 3291.13 bytes/sec
msecs/connect: 1.62532 mean, 22.692 max, 0.262 min
msecs/first-response: 79.0284 mean, 239.204 max, 21.643 min
HTTP response codes:
  code 200 -- 766

And as a reference point, direct requests to non-ssl nginx (used 
as backend in both tests above):

$ http_load -parallel 10 -seconds 10 nossl
7536 fetches, 10 max parallel, 324048 bytes, in 10.0008 seconds
43 mean bytes/connection
753.542 fetches/sec, 32402.3 bytes/sec
msecs/connect: 0.70163 mean, 30.059 max, 0.02 min
msecs/first-response: 6.044 mean, 48.126 max, 0.281 min
HTTP response codes:
  code 200 -- 7536

So you may see nginx is a bit faster than stunnel when 
CAMELLIA256-SHA cipher used.  On the other hand, using default 
ciphers would produce something like this:

$ http_load -parallel 10 -seconds 10 stunnel
243 fetches, 10 max parallel, 10449 bytes, in 10.0243 seconds
43 mean bytes/connection
24.2411 fetches/sec, 1042.37 bytes/sec
msecs/connect: 2.03381 mean, 18.384 max, 0.188 min
msecs/first-response: 239.767 mean, 628.098 max, 68.431 min
HTTP response codes:
  code 200 -- 243

(actually used cipher: ECDHE-RSA-AES256-SHA)

$ http_load -parallel 10 -seconds 10 nginx
144 fetches, 10 max parallel, 6192 bytes, in 10.0126 seconds
43 mean bytes/connection
14.3818 fetches/sec, 618.418 bytes/sec
msecs/connect: 1.44656 mean, 12.673 max, 0.427 min
msecs/first-response: 395.734 mean, 836.928 max, 124.105 min
HTTP response codes:
  code 200 -- 144

(actually used cipher: DHE-RSA-AES256-SHA)

Here you can see that ECDHE cipher is about 2x times faster 
compared to DHE.  I believe this is what actually was observed by 
author of test you've referenced.  Both are 3x times slower than 
CAMELLIA256-SHA as shown above though.

And again, disclaimer: all of the above tests ssl handshaking 
speeds, not real https workload.  Real workloads are expected 
to be much different.

Maxim Dounin

More information about the nginx mailing list