Hello,<br><br><div class="gmail_quote">On Thu, Jul 14, 2011 at 8:19 AM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hello!<br>
<div class="im"><br>
On Tue, Jul 12, 2011 at 01:58:38AM -0600, Mark Maunder wrote:<br>
<br>
> Igor I did SSL benchmarks with 10 worker processes on a very fast<br>
> multicore machine with multiple ssl_session_cache configs to try and<br>
> disprove this post. My results were also slow:<br>
><br></div></blockquote><div>Update from the author:<br> <a href="http://matt.io/technobabble/hivemind_devops_alert:_nginx_does_not_suck_at_ssl/ur">http://matt.io/technobabble/hivemind_devops_alert:_nginx_does_not_suck_at_ssl/ur</a>.<br>
<br>Also of interest:<br> <a href="http://news.ycombinator.com/item?id=2759781">http://news.ycombinator.com/item?id=2759781</a>.<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">
> On a 4 core Xeon E5410 using:<br>
><br>
> ab -c 50 -n 5000<br>
><br>
> with 64 bit ubuntu 10.10 and kernel 2.6.35 I get:<br>
><br>
> For a 43 byte transparent gif image on regular HTTP:<br>
><br>
> Requests per second: 11703.19 [#/sec] (mean)<br>
><br>
> Same file via HTTPS with various ssl_session_cache params set:<br>
><br>
> ssl_session_cache shared:SSL:10m;<br>
> Requests per second: 180.13 [#/sec] (mean)<br>
><br>
> ssl_session_cache builtin:1000 shared:SSL:10m;<br>
> Requests per second: 183.53 [#/sec] (mean)<br>
><br>
> ssl_session_cache builtin:1000;<br>
> Requests per second: 182.63 [#/sec] (mean)<br>
><br>
> No ssl_session_cache:<br>
> Requests per second: 184.67 [#/sec] (mean)<br>
><br>
><br>
> I'm assuming the session cache has no effect since each 'ab' request<br>
> is a new session. But I thought I'd try it anyway.<br>
<br>
</div>Yes, ab won't reuse sessions.<br>
<div class="im"><br>
> 180 per second for a machine this fast compared to 11,703 per second<br>
> on regular HTTP seems like a big difference. 'ab' was run on the<br>
> local machine (it takes very little CPU) so there was zero network<br>
> latency.<br>
<br>
</div>I did some tests on a 2 x X5355 (4 cores each, 8 cores total)<br>
server; it should be comparable to your E5410. I used<br>
empty_gif to test as well.<br>
<br>
First of all, ab wasn't even able to saturate *regular* http while<br>
eating 100% cpu (i.e. the whole cpu core, it just can't eat more<br>
as it's single thread/single process). That is, it only shows<br>
something about 13k r/s, while with 5 ab processes nginx is<br>
actually able to handle 50k r/s over loopback.<br>
<br>
So about "ab takes very little CPU": no it doesn't, it's awfully<br>
CPU bound. If you see low numbers in top - make sure top shows<br>
%CPU for a core, not for all cores in the system, or you'll see a small<br>
number like 12.5% (100%/8) for a "whole core loaded, can't eat<br>
more" case. Under Linux it should be switchable by pressing 'I'<br>
(Irix mode vs. Solaris mode).<br>
<div class="im"><br>
> Let me know if there's anything I should try to speed it up.<br>
<br>
</div>The same as the above applies to https as well. Using a 1024<br>
bit RSA key and the DHE-RSA-AES256-SHA cipher, with 8 ab processes<br>
from another host, I see 1800 r/s with the system 100% busy.<br>
<br>
Other results include:<br>
<br>
1024 bit key, DHE-RSA-AES256-SHA - 1800 r/s<br>
2048 bit key, DHE-RSA-AES256-SHA - 1050 r/s<br>
4096 bit key, DHE-RSA-AES256-SHA - 270 r/s<br>
<br>
With ECDHE ciphers (and patch already mentioned in this thread):<br>
<br>
1024 bit key, ECDHE-RSA-AES256-SHA - 2740 r/s<br>
2048 bit key, ECDHE-RSA-AES256-SHA - 1340 r/s<br>
4096 bit key, ECDHE-RSA-AES256-SHA - 285 r/s<br>
<br>
This is with a fairly trivial nginx config:<br>
<br>
worker_processes 8;<br>
<br>
error_log /path/to/error_log;<br>
<br>
events {<br>
worker_connections 10240;<br>
}<br>
<br>
http {<br>
include mime.types;<br>
default_type application/octet-stream;<br>
<br>
access_log /path/to/access_log;<br>
<br>
server {<br>
listen 8443;<br>
server_name localhost;<br>
<br>
ssl on;<br>
ssl_certificate cert.pem;<br>
ssl_certificate_key cert.key;<br>
<br>
location / {<br>
empty_gif;<br>
}<br>
}<br>
}<br>
<br>
Obviously using other cipher suites will produce much different<br>
results.<br>
<br>
Just to compare, here are results from stunnel on the same<br>
machine:<br>
<br>
1024 bit key, DHE-RSA-AES256-SHA - 1990 r/s<br>
2048 bit key, DHE-RSA-AES256-SHA - 1220 r/s<br>
4096 bit key, DHE-RSA-AES256-SHA - 280 r/s<br>
<br>
1024 bit key, ECDHE-RSA-AES256-SHA - 2285 r/s<br>
2048 bit key, ECDHE-RSA-AES256-SHA - 1223 r/s<br>
4096 bit key, ECDHE-RSA-AES256-SHA - 285 r/s<br>
<br>
It looks a bit faster with DHE ciphers, and the reason is that it does not<br>
use the SSL_OP_SINGLE_DH_USE option by default. Setting "options<br>
SINGLE_DH_USE" in the config results in the following DHE performance<br>
of stunnel:<br>
<br>
1024 bit key, DHE-RSA-AES256-SHA - 1480 r/s<br>
2048 bit key, DHE-RSA-AES256-SHA - 953 r/s<br>
4096 bit key, DHE-RSA-AES256-SHA - 260 r/s<br>
<font color="#888888"><br>
Maxim Dounin<br>
</font><div><div></div><div class="h5"><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Adam<br><a href="mailto:zellster@gmail.com">zellster@gmail.com</a><br>
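Added example, not part of any message in this thread: a short Python script that turns the nginx figures quoted above into CPU time per full handshake, so the cost of DHE over ECDHE can be compared across RSA key sizes. It assumes all 8 cores were saturated in every run (the message states this only for the 1024-bit DHE case); the function names are made up for this illustration.

```python
import re

# Figures copied from the nginx results in the quoted message above.
NGINX_RESULTS = """\
1024 bit key, DHE-RSA-AES256-SHA - 1800 r/s
2048 bit key, DHE-RSA-AES256-SHA - 1050 r/s
4096 bit key, DHE-RSA-AES256-SHA - 270 r/s
1024 bit key, ECDHE-RSA-AES256-SHA - 2740 r/s
2048 bit key, ECDHE-RSA-AES256-SHA - 1340 r/s
4096 bit key, ECDHE-RSA-AES256-SHA - 285 r/s
"""

CORES = 8  # assumption: all 8 cores were saturated in every run

LINE = re.compile(r"(\d+) bit key, (\w+)-RSA-AES256-SHA - (\d+) r/s")


def parse(text):
    """Return {(key_exchange, rsa_bits): full handshakes per second}."""
    return {(kex, int(bits)): int(rps)
            for bits, kex, rps in LINE.findall(text)}


def cpu_ms(rps, cores=CORES):
    """CPU milliseconds spent per handshake when `cores` cores are busy."""
    return cores * 1000.0 / rps


def dhe_overhead(results):
    """Per RSA size: (extra ms of DHE over ECDHE, share of the DHE handshake)."""
    out = {}
    for bits in sorted({b for _, b in results}):
        dhe = cpu_ms(results[("DHE", bits)])
        ecdhe = cpu_ms(results[("ECDHE", bits)])
        out[bits] = (dhe - ecdhe, (dhe - ecdhe) / dhe)
    return out


if __name__ == "__main__":
    results = parse(NGINX_RESULTS)
    for bits, (extra, share) in dhe_overhead(results).items():
        print(f"RSA {bits}: DHE {cpu_ms(results[('DHE', bits)]):6.2f} ms, "
              f"ECDHE {cpu_ms(results[('ECDHE', bits)]):6.2f} ms, "
              f"DHE extra {extra:.2f} ms ({share:.0%} of handshake)")
```

Under that assumption the DHE surcharge stays at roughly 1.5 to 1.65 ms of CPU per handshake at every key size: about a third of a 1024-bit handshake, but only about 5% at 4096 bits, where the cost that grows with the RSA key size dominates.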