My server, running Ubuntu 14/Apache2.4.7, has an htaccess redirect to force all requests to use HTTPS:

    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Generally, it responds quickly. However, I recently altered my ssl config to restrict the ciphers used to more modern settings to prevent heartbleed, beast, and other exploits and ensure the use of modern encryption methods.

I've gotten some complaints since these changes -- which I am not sure are even related to the changes -- that my machine can be sluggish at times. These complaints suggest it might be related to handshaking or making a connection:

I've been getting intermittent slow loading of pages with various browser status messages depending on the browser used; all to the effect of waiting to establish a secure connection.

I wrote a PHP script that uses cURL to connect a thousand times. I ran it late last night and the slowness didn't seem to be an issue. I tried connecting to https and also to http and following the redirect above. All requests completed in 3.5 seconds or less, with the vast majority (96-98%) completing in less than 1.5 seconds.

I ran the same script at 10:30 this morning cali time and about 10% of the requests took longer than 1.5 seconds with many taking much more. The longest times were around 17 seconds.

My research and intuition tell me that, while https handshaking is more complex than http connections, this problem can probably be remedied by tweaking my apache configuration (e.g., MaxRequestWorker) settings. The server almost never exceeds a load average of 1.5 or so and it looks like there's plenty of memory available.

Can anyone suggest how I might narrow down the bottleneck here and what steps I might take to fix it? Any help would be much appreciated.

    sneakyimp;11065675 wrote:

    My server, running Ubuntu 14/Apache2.4.7, has an htaccess redirect to force all requests to use HTTPS:

        RewriteCond %{HTTPS} !=on
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    

    Generally, it responds quickly. However, I recently altered my ssl config to restrict the ciphers used to more modern settings to prevent heartbleed, beast, and other exploits and ensure the use of modern encryption methods.

    I've gotten some complaints since these changes -- which I am not sure are even related to the changes -- that my machine can be sluggish at times. These complaints suggest it might be related to handshaking or making a connection:

    I wrote a PHP script that uses cURL to connect a thousand times. I ran it late last night and the slowness didn't seem to be an issue. I tried connecting to https and also to http and following the redirect above. All requests completed in 3.5 seconds or less, with the vast majority (96-98%) completing in less than 1.5 seconds.

    I ran the same script at 10:30 this morning cali time and about 10% of the requests took longer than 1.5 seconds with many taking much more. The longest times were around 17 seconds.

    My research and intuition tell me that, while https handshaking is more complex than http connections, this problem can probably be remedied by tweaking my apache configuration (e.g., MaxRequestWorker) settings. The server almost never exceeds a load average of 1.5 or so and it looks like there's plenty of memory available.

    Can anyone suggest how I might narrow down the bottleneck here and what steps I might take to fix it? Any help would be much appreciated.

    FreeBSD.

    I'm only kidding a little ... I'm sure you're aware of my penchant for advocating their systems.

    We have CentOS and FreeBSD for various sites. I've never seen FreeBSD load avg > 4. I've seen CentOS > 200.

    All that said, I don't have any practical advice. The chief bottleneck on our CentOS site has ALWAYS been MySQL.

      Write a Reply...