nginx ssl slow
Maxim Dounin
mdounin at mdounin.ru
Tue Jul 12 17:11:06 MSD 2011
Hello!
On Tue, Jul 12, 2011 at 01:10:38PM +0400, Maxim Dounin wrote:
> Hello!
>
> On Tue, Jul 12, 2011 at 01:39:33AM -0400, davidkazuhiro wrote:
>
> > Wait I'm confused... how do you know these tests were done with ECDHE
> > ciphers?
>
> This is just a guess based on ciphers OpenSSL 1.0.0d prefers by
> default when working with nginx and stunnel.
>
> > And if they were, how did he do them if nginx doesn't support
> > ECDHE?
>
> Forcing the cipher to be one equally supported by all programs
> tested. Good testing programs even have switches to specify that.
> :)
>
> E.g. here are numbers from a virtual machine on my poor old P4 laptop,
> with stunnel passing connections to nginx, using the cipher selected by
> my browser during real work:
>
> $ http_load -cipher CAMELLIA256-SHA -parallel 10 -seconds 10 stunnel
> 540 fetches, 10 max parallel, 23220 bytes, in 10.008 seconds
> 43 mean bytes/connection
> 53.9568 fetches/sec, 2320.14 bytes/sec
> msecs/connect: 2.12899 mean, 24.401 max, 0.196 min
> msecs/first-response: 105.195 mean, 414.064 max, 23.386 min
> HTTP response codes:
> code 200 -- 540
>
> And here is nginx proxy_pass'ing to itself, same cipher:
>
> $ http_load -cipher CAMELLIA256-SHA -parallel 10 -seconds 10 nginx
> 766 fetches, 10 max parallel, 32938 bytes, in 10.0081 seconds
> 43 mean bytes/connection
> 76.538 fetches/sec, 3291.13 bytes/sec
> msecs/connect: 1.62532 mean, 22.692 max, 0.262 min
> msecs/first-response: 79.0284 mean, 239.204 max, 21.643 min
> HTTP response codes:
> code 200 -- 766
>
> And as a reference point, direct requests to non-ssl nginx (used
> as backend in both tests above):
>
> $ http_load -parallel 10 -seconds 10 nossl
> 7536 fetches, 10 max parallel, 324048 bytes, in 10.0008 seconds
> 43 mean bytes/connection
> 753.542 fetches/sec, 32402.3 bytes/sec
> msecs/connect: 0.70163 mean, 30.059 max, 0.02 min
> msecs/first-response: 6.044 mean, 48.126 max, 0.281 min
> HTTP response codes:
> code 200 -- 7536
>
> So you may see nginx is a bit faster than stunnel when the
> CAMELLIA256-SHA cipher is used. On the other hand, using default
> ciphers would produce something like this:
>
> $ http_load -parallel 10 -seconds 10 stunnel
> 243 fetches, 10 max parallel, 10449 bytes, in 10.0243 seconds
> 43 mean bytes/connection
> 24.2411 fetches/sec, 1042.37 bytes/sec
> msecs/connect: 2.03381 mean, 18.384 max, 0.188 min
> msecs/first-response: 239.767 mean, 628.098 max, 68.431 min
> HTTP response codes:
> code 200 -- 243
>
> (actually used cipher: ECDHE-RSA-AES256-SHA)
>
> $ http_load -parallel 10 -seconds 10 nginx
> 144 fetches, 10 max parallel, 6192 bytes, in 10.0126 seconds
> 43 mean bytes/connection
> 14.3818 fetches/sec, 618.418 bytes/sec
> msecs/connect: 1.44656 mean, 12.673 max, 0.427 min
> msecs/first-response: 395.734 mean, 836.928 max, 124.105 min
> HTTP response codes:
> code 200 -- 144
>
> (actually used cipher: DHE-RSA-AES256-SHA)
>
> Here you can see that the ECDHE cipher is about 2x faster
> compared to DHE. I believe this is what was actually observed by
> the author of the test you've referenced. Both are 3x slower than
> CAMELLIA256-SHA as shown above, though.
>
> And again, disclaimer: all of the above tests ssl handshaking
> speeds, not real https workload. Real workloads are expected
> to be much different.

Just for completeness, results with the ECDH patch[1] using the
same ECDHE-RSA-AES256-SHA cipher as in the stunnel case above:

$ http_load -parallel 10 -seconds 10 nginx
279 fetches, 10 max parallel, 11997 bytes, in 10.018 seconds
43 mean bytes/connection
27.8498 fetches/sec, 1197.54 bytes/sec
msecs/connect: 1.63012 mean, 37.961 max, 0.272 min
msecs/first-response: 206.536 mean, 604.134 max, 62.889 min
HTTP response codes:
code 200 -- 279

(the above disclaimer still applies)

[1] http://nginx.org/pipermail/nginx-devel/2011-January/000645.html

Maxim Dounin
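
Added example (not part of the original message and not nginx or http_load code): a small Python parser for the http_load summaries quoted above. It turns the nginx runs into a slowdown factor against the non-SSL baseline and the extra time per completed fetch. The figures are copied from the post; the function names are hypothetical.

```python
import re

# http_load summaries for the nginx runs, copied from the message above and
# trimmed to the lines the parser reads. Keys are the ciphers the post reports;
# the ECDHE run is the one made with the ECDH patch applied.
RUNS = {
    "no TLS": """7536 fetches, 10 max parallel, 324048 bytes, in 10.0008 seconds
753.542 fetches/sec, 32402.3 bytes/sec
msecs/first-response: 6.044 mean, 48.126 max, 0.281 min""",
    "CAMELLIA256-SHA": """766 fetches, 10 max parallel, 32938 bytes, in 10.0081 seconds
76.538 fetches/sec, 3291.13 bytes/sec
msecs/first-response: 79.0284 mean, 239.204 max, 21.643 min""",
    "DHE-RSA-AES256-SHA": """144 fetches, 10 max parallel, 6192 bytes, in 10.0126 seconds
14.3818 fetches/sec, 618.418 bytes/sec
msecs/first-response: 395.734 mean, 836.928 max, 124.105 min""",
    "ECDHE-RSA-AES256-SHA": """279 fetches, 10 max parallel, 11997 bytes, in 10.018 seconds
27.8498 fetches/sec, 1197.54 bytes/sec
msecs/first-response: 206.536 mean, 604.134 max, 62.889 min""",
}

FIELDS = {
    "fetches": re.compile(r"^(\d+) fetches,", re.M),
    "rate": re.compile(r"^([\d.]+) fetches/sec", re.M),
    "first_ms": re.compile(r"^msecs/first-response: ([\d.]+) mean", re.M),
}

def parse_http_load(text):
    """Extract the numeric summary fields from one http_load report."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"http_load output lacks the {name} line")
        out[name] = float(m.group(1))
    return out

def compare(runs, baseline="no TLS"):
    """Per cipher: slowdown vs. baseline and extra ms per fetch (inverse rate)."""
    parsed = {name: parse_http_load(text) for name, text in runs.items()}
    base = parsed[baseline]["rate"]
    return {name: {"slowdown": round(base / r["rate"], 1),
                   "added_ms": round(1000 / r["rate"] - 1000 / base, 1)}
            for name, r in parsed.items()}

if __name__ == "__main__":
    for name, row in compare(RUNS).items():
        print(f"{name:22} {row['slowdown']:5.1f}x slower, +{row['added_ms']:.1f} ms/fetch")
```

Because every fetch in these runs opens a new connection, the added milliseconds track the handshake (key exchange) cost rather than bulk encryption, which matches the disclaimer in the message.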