Opened 9 years ago
Closed 9 years ago
#837 closed defect (invalid)
SSL has poor/inconsistent performance
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | blocker | Milestone: | |
Component: | nginx-module | Version: | 1.8.x |
Keywords: | Cc: | ||
uname -a: | Linux dynaccount-intel-i7-2600-16gb 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u6 (2015-11-09) x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.8.0
built by gcc 4.9.2 (Debian 4.9.2-10) built with OpenSSL 1.0.1k 8 Jan 2015 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6 |
Description
I have just done some benchmarking of Apache vs Nginx, and of course Nginx outperformed Apache both with static content and with php-fpm.
But then I tried to benchmark HTTPS requests and I got a bit surprised. Apache outperformed Nginx.
The benchmark tests were made with ApacheBench.
And when Nginx hit 200 concurrent requests, 50% of all requests fail.
```nginx
user www-data;
worker_processes 8;
pid /run/nginx.pid;
events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    server_tokens off;
    autoindex off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;
    index index.php index.html index.htm;
    gzip on;
    gzip_vary on;
    gzip_min_length 10240;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json text/xml text/javascript application/javascript application/xml;
    fastcgi_buffers 256 16k;
    fastcgi_buffer_size 128k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    server {
        listen 80;
        listen 443 ssl;
        server_name api.dyndev.dk;
        access_log /var/log/nginx/access_api.dyndev.dk.log;
        ssl_certificate /var/ini/ssl/dyndev.dk/public.crt;
        ssl_certificate_key /var/ini/ssl/dyndev.dk/private.key;
        # Add trailing slash
        rewrite ([.\?]*[/])$ $1/ permanent;
        location / {
            include /var/ini/nginx/fastcgi.conf;
            fastcgi_pass php;
            fastcgi_param SCRIPT_FILENAME /var/www/dyndev.dk/public/api/index.php;
        }
    }
}
```
Attachments (1)
Change History (3)
by , 9 years ago
Attachment: | nginx-ssl.png added |
---|
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Proper microbenchmarking requires a bit of tuning. In particular, using multi_accept (as explicitly switched on in your config) is known to cause uneven request distribution between workers, resulting in sub-optimal performance on multi-CPU servers in SSL benchmarks. The same applies to accept_mutex (which is on by default, as it usually results in better performance in real life, but not with SSL microbenchmarks). In contrast, something like listen ... reuseport may help a lot, as connections will be distributed evenly between worker processes.
Note well that saying "nginx outperforms Apache" is a wrong approach. It's not expected to outperform Apache, and in many cases it will behave worse. The main difference is how nginx scales - in contrast to Apache, it's event-based, and can handle thousands of connections in a single process. In the particular case of SSL handshakes microbenchmarking, nginx and Apache are expected to perform equally if properly configured, as both will be limited by SSL handshakes performance and available CPU resources.
I forgot to say I use the same SSL ciphers on both Apache and Nginx.
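One way to check the uneven distribution between workers that comment:2 describes, as an added example that is not part of the ticket or of nginx: the script counts requests per worker process in access log lines from a benchmark run. It assumes a log_format that ends with `pid=$pid` (nginx's built-in `$pid` variable); the function names, sample lines and PIDs are constructed for illustration.

```python
import re
from collections import Counter

# Assumption (not in the ticket): access_log uses a log_format ending in
# "pid=$pid", so every line records which worker process served it.
PID_FIELD = re.compile(r"\bpid=(\d+)\s*$")


def worker_counts(lines):
    """Count requests per worker PID; lines without a pid field are skipped."""
    counts = Counter()
    for line in lines:
        match = PID_FIELD.search(line)
        if match:
            counts[int(match.group(1))] += 1
    return counts


def imbalance(counts, configured_workers):
    """Return (busiest worker's share of requests,
    that share relative to a perfectly even split,
    number of configured workers that served nothing)."""
    total = sum(counts.values())
    if total == 0 or configured_workers <= 0:
        raise ValueError("need at least one request and one worker")
    top_share = max(counts.values()) / total
    even_share = 1 / configured_workers
    idle = max(configured_workers - len(counts), 0)
    return top_share, top_share / even_share, idle


# Constructed sample: 20 requests, with worker_processes 8 as in the ticket.
SAMPLE = (
    ['203.0.113.10 "GET / HTTP/1.0" 200 pid=1201'] * 14
    + ['203.0.113.10 "GET / HTTP/1.0" 200 pid=1202'] * 4
    + ['203.0.113.10 "GET / HTTP/1.0" 200 pid=1203'] * 2
)

if __name__ == "__main__":
    counts = worker_counts(SAMPLE)
    top, ratio, idle = imbalance(counts, configured_workers=8)
    for pid, n in counts.most_common():
        print(f"worker {pid}: {n} requests")
    print(f"busiest worker: {top:.0%} of requests, "
          f"{ratio:.1f}x an even split, {idle} workers idle")
```

Running it over the logs of two benchmark runs, one with multi_accept on and one with it off, shows whether the distribution changes; a ratio near 1.0 with no idle workers means the load was spread evenly.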