Opened 3 years ago

Closed 3 years ago

#837 closed defect (invalid)

SSL has poor/inconsistent performance

Reported by: clarkk@… Owned by:
Priority: blocker Milestone:
Component: nginx-module Version: 1.8.x
Keywords: Cc:
uname -a: Linux dynaccount-intel-i7-2600-16gb 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u6 (2015-11-09) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.0 built by gcc 4.9.2 (Debian 4.9.2-10) built with OpenSSL 1.0.1k 8 Jan 2015 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description

I have just done some benchmarking of Apache vs Nginx, and of course Nginx outperformed Apache both in static content and with php-fpm.

But then I tried to benchmark HTTPS requests and I got a bit surprised. Apache outperformed Nginx.

The benchmark tests were made with ApacheBench.

And when Nginx hit 200 concurrent requests, 50% of all requests fail.

user www-data;
worker_processes 8;
pid /run/nginx.pid;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;

    server_tokens off;
    autoindex off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    index index.php index.html index.htm;

    gzip on;
    gzip_vary on;
    gzip_min_length 10240;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json text/xml text/javascript application/javascript application/xml;

    fastcgi_buffers 256 16k;
    fastcgi_buffer_size 128k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;

    server {
        listen 80;
        listen 443 ssl;
        server_name api.dyndev.dk;

        access_log /var/log/nginx/access_api.dyndev.dk.log;

        ssl_certificate /var/ini/ssl/dyndev.dk/public.crt;
        ssl_certificate_key /var/ini/ssl/dyndev.dk/private.key;

        # Add trailing slash
        rewrite ([.\?]*[/])$ $1/ permanent;

        location / {
            include /var/ini/nginx/fastcgi.conf;
            fastcgi_pass php;
            fastcgi_param SCRIPT_FILENAME /var/www/dyndev.dk/public/api/index.php;
        }
    }
}

Attachments (1)

nginx-ssl.png (9.3 KB) - added by clarkk@… 3 years ago.


Change History (3)

Changed 3 years ago by clarkk@…

comment:1 Changed 3 years ago by clarkk@…

I forgot to say I use the same SSL ciphers on both Apache and Nginx.

comment:2 Changed 3 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

Proper microbenchmarking requires a bit of tuning. In particular, using multi_accept (as explicitly switched on in your config) is known to cause uneven request distribution between workers, resulting in sub-optimal performance on multi-CPU servers in SSL benchmarks. The same applies to accept_mutex (which is on by default, as it usually results in better performance in real life, but not with SSL microbenchmarks). In contrast, something like listen ... reuseport may help a lot, as connections will be distributed evenly between worker processes.

Note well that saying "nginx outperforms Apache" is a wrong approach. It's not expected to outperform Apache, and in many cases it will behave worse. The main difference is how nginx scales - in contrast to Apache, it's event-based, and can handle thousands of connections in a single process. In the particular case of SSL handshake microbenchmarking, nginx and Apache are expected to perform equally if properly configured, as both will be limited by SSL handshake performance and available CPU resources.
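Added example, not part of the ticket and not nginx's own tooling: a small Python check that flags the three settings named in comment:2 (multi_accept, accept_mutex, a TLS listen without reuseport) before a handshake benchmark is run. The function names and the trimmed sample config are constructed for illustration, and the tokenizer assumes no `;`, `{` or `}` inside quoted strings. The reuseport parameter requires nginx 1.9.1 or later, so it is not available on the 1.8.0 build reported here.

```python
import re

# Constructed sample: only the directives from the ticket's config that matter here.
SAMPLE_CONF = """
worker_processes 8;
events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}
http {
    server {
        listen 80;
        listen 443 ssl;
        server_name api.dyndev.dk;
    }
}
"""

def directives(conf):
    """Yield (block_path, name, args) for each simple directive (minimal tokenizer)."""
    conf = re.sub(r"#[^\n]*", "", conf)              # drop comments
    path = []
    for text, delim in re.findall(r"([^;{}]*)([;{}])", conf):
        words = text.split()
        if delim == "{":
            path.append(words[0] if words else "")   # enter block, e.g. "events"
        elif delim == "}":
            if path:
                path.pop()                           # leave block
        elif words:
            yield tuple(path), words[0], words[1:]

def audit_for_tls_benchmark(conf):
    """Return findings for the settings comment:2 says skew SSL microbenchmarks."""
    findings, mutex_off = [], False
    for path, name, args in directives(conf):
        in_events = path == ("events",)
        if in_events and name == "multi_accept" and args == ["on"]:
            findings.append("multi_accept on: uneven distribution between workers")
        if in_events and name == "accept_mutex" and args == ["off"]:
            mutex_off = True
        if (path[-1:] == ("server",) and name == "listen"
                and "ssl" in args and "reuseport" not in args):
            findings.append("listen %s: no reuseport" % " ".join(args))
    if not mutex_off:                                # absent counts as on, per the ticket
        findings.append("accept_mutex not off (on by default, per the ticket)")
    return findings
```

Calling `audit_for_tls_benchmark(SAMPLE_CONF)` returns three findings for the reporter's settings; a config with `multi_accept off`, `accept_mutex off` and `listen 443 ssl reuseport` returns an empty list.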
