HTTPS is over 50 times slower than HTTP


8

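I have a website that uses https to transfer a JavaScript file to the client. The website is getsimpleapps.com

It turns out that this file loads 52 times slower with https (20.08s-29.08s) than with http (380ms).

The front page of the website shares the same slowness as the JavaScript file.

I recently switched from Dreamhost to linode, and hacked away at getting SSL to run on the new server until it did. I did not do any crazy configuration.

The linode runs Ubuntu 12.04, and the site sits on top of a (LAMP) stack.

My question to the Stack Overflow community is: how can I fix SSL and HTTPS on my server? I know Stack Overflow is littered with questions about HTTPS being slow, but no real solutions are given. An Ubuntu tutorial or configuration guide would be ideal.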


File: /etc/apache2/sites-enabled/getsimpleapps.com

<VirtualHost *:80>
     ServerAdmin admin@getsimpleapps.com
     ServerName getsimpleapps.com
     ServerAlias www.getsimpleapps.com
     DocumentRoot /srv/sites/getsimpleapps.com/public/
     ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
     CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined
</VirtualHost>

<VirtualHost 50.116.58.18:443>
     SSLEngine On
     #SSLCertificateFile /etc/apache2/ssl/www.getsimpleapps.com.crt
     #SSLCertificateKeyFile /etc/apache2/ssl/www.getsimpleapps.com.key
     #SSLCACertificateFile /etc/apache2/ssl/comodo.crt
     SSLCertificateFile /etc/apache2/ssl/dreamhost/dh.crt
     SSLCertificateKeyFile /etc/apache2/ssl/dreamhost/dh.key
     SSLCACertificateFile /etc/apache2/ssl/dreamhost/dh.cer

     ServerAdmin admin@getsimpleapps.com
     ServerName getsimpleapps.com
     ServerAlias www.getsimpleapps.com
     DocumentRoot /srv/sites/getsimpleapps.com/public/
     ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
     CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined
</VirtualHost>

Curl from the local workstation

thomas@workstation:~$ time curl -Iv https://getsimpleapps.com/
* About to connect() to getsimpleapps.com port 443 (#0)
*   Trying 50.116.58.18... connected
* Connected to getsimpleapps.com (50.116.58.18) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
*    start date: 2012-02-23 00:00:00 GMT
*    expire date: 2013-02-22 23:59:59 GMT
*    subjectAltName: getsimpleapps.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
*    SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: getsimpleapps.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 02 Aug 2012 20:31:39 GMT
Date: Thu, 02 Aug 2012 20:31:39 GMT
< Server: Apache/2.2.22 (Ubuntu)
Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.2
X-Powered-By: PHP/5.3.10-1ubuntu3.2
< Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html

< 
* Connection #0 to host getsimpleapps.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

real    0m29.078s
user    0m0.018s
sys 0m0.005s

Curl from the linode server (via ssh)

thomas@vannevar:~$ time curl -Iv https://getsimpleapps.com/happy-ending/api/script.js?shop=holstee.myshopify.com
* About to connect() to getsimpleapps.com port 443 (#0)
*   Trying 50.116.58.18... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
*    start date: 2012-02-23 00:00:00 GMT
*    expire date: 2013-02-22 23:59:59 GMT
*    subjectAltName: getsimpleapps.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
*    SSL certificate verify ok.
> HEAD /happy-ending/api/script.js?shop=holstee.myshopify.com HTTP/1.1
> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: getsimpleapps.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 02 Aug 2012 20:43:30 GMT
Date: Thu, 02 Aug 2012 20:43:30 GMT
< Server: Apache/2.2.22 (Ubuntu)
Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.2
X-Powered-By: PHP/5.3.10-1ubuntu3.2
< Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
< Content-Type: text/javascript
Content-Type: text/javascript
* no chunk, no close, no size. Assume close to signal end

< 
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

real    0m25.991s
user    0m0.015s
sys 0m0.022s

1
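"It turns out that this file is loading 52% slower with https (20.08s - 29.08s) that with http (380ms)." - Huh? Could you check your units and grammar there again? That doesn't make much sense.
MDMarra 2012

1
I think the OP means 53 times slower. HTTPS is loading very slowly.

Maybe you could just put virtualmin on it and let it configure everything for you.
Andrew Smith

1
Uh, something is wrong. Is there anything in the Apache logs that would indicate where the slowdown is? On my server, I see HTTPS taking 263 ms and HTTP taking 84 ms. The big difference you are seeing is due to something else.
cjc 2012

1
Please paste your Apache configuration.
Michael Hampton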

Answers:


3

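I had the same problem, with almost the same HTTP versus HTTPS response times. It turned out the problem was the one in @htmltiger's answer: Apache2 was simply running out of worker processes.

This causes new requests to queue up until a worker becomes free and can handle the next one. I guess the reason this affects only HTTPS and not HTTP is that nearly all traffic goes over HTTP, and Apache gives HTTP and HTTPS requests the same priority, taking one request from each queue in turn. So when the HTTPS queue is longer, requests wait there longer. There really are two queues, because the queue is just the Linux TCP connection queue mechanism, and Linux provides one queue per port.

Diagnosis

If this is your problem, you will see the following symptoms:

  • Best indicator: on your server, apachectl status shows all allowed worker processes as running. This is the case when no "." dots appear in the process scoreboard line, meaning there are no "open slots with no current process". The line might look like this: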

    KKKKKKRKKKRRCWKKKCCKWKKKKCRCKKKKKKKCKCKKKKWRKKKKWRWKKKKKKCWKKWKKK
    
  • You will see the following message in the main Apache2 error log (/var/log/apache2/error.log, not the domain-specific error logs):

    [mpm_prefork:error] [pid 4715] AH00161: server reached MaxRequestWorkers 
        setting, consider raising the MaxRequestWorkers setting
    
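  • You have many processes in your Apache backlog. According to this in-depth article, you can see this from the unacked: value in the output of ss -lti '( sport = :https )'. However, depending on the version or configuration of ss, that value may be missing.

  • Most of the delay (for example 17 of 20 seconds) shows up as "Blocked" in the "Timings" tab for the initial URL of the request in the Firefox network console.

This assumes you use the prefork MPM server module in Apache. It is similar for the "event" and "worker" MPM modules, though (details).

  1. Edit /etc/apache2/mods-enabled/mpm_prefork.conf and increase the MaxRequestWorkers setting.

  2. If you increase it above the default of 256, you must also set ServerLimit to the same value for the change to take effect.

  3. Apply the changes: service apache2 reload

  4. Make sure, in the scoreboard output of apachectl status, that the MaxRequestWorkers setting is in effect. It must equal the length of the scoreboard line (in characters).

  5. If the setting has not taken effect, search /etc/apache2 for old configuration directives (and their older, deprecated synonyms) that may override your change: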

    grep -R MaxRequestWorkers /etc/apache2/*
    grep -R MaxClients /etc/apache2/*
    

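Differential diagnosis

If you find that HTTPS is much slower than HTTP, but not on every load in a series of page reloads (only on average), then you may have this strange problem where two Apache2 servers are running on SSL port 443.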
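
The checks from this answer as a script, added here as an example and not part of the original answer. HEALTHY and SAMPLE_LOG are constructed samples, and counting "_" (Apache's idle-worker state) as free capacity goes slightly beyond the dot check described above.

```shell
#!/bin/sh
# Added example: worker-exhaustion checks run on sample data.

# Scoreboard line quoted in the answer; on a live server take it from `apachectl status`.
SATURATED='KKKKKKRKKKRRCWKKKCCKWKKKKCRCKKKKKKKCKCKKKKWRKKKKWRWKKKKKKCWKKWKKK'
# Constructed sample of a healthy scoreboard: "_" = idle worker, "." = open slot.
HEALTHY='K_W__R_K........'
# Constructed error-log excerpt (the first line is made up).
SAMPLE_LOG='[core:notice] [pid 4715] constructed unrelated line
[mpm_prefork:error] [pid 4715] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting'

# Number of scoreboard slots ($1) that are in state $2 (a single character).
count_state() {
  n=$(printf '%s' "$1" | tr -cd "$2" | wc -c)
  echo $((n))
}

# "saturated" when there is neither an open slot (".") nor an idle worker ("_").
worker_state() {
  if [ "$(count_state "$1" .)" -eq 0 ] && [ "$(count_state "$1" _)" -eq 0 ]; then
    echo saturated
  else
    echo ok
  fi
}

# How many lines of the log text in $1 report the MaxRequestWorkers limit (AH00161).
limit_hits() {
  printf '%s\n' "$1" | grep -c 'AH00161' || true
}

# Step 4 of the fix: the scoreboard length must equal the configured MaxRequestWorkers ($2).
limit_in_effect() {
  [ "${#1}" -eq "$2" ]
}

# One-line summary for a scoreboard string.
report() {
  echo "state=$(worker_state "$1") open=$(count_state "$1" .) idle=$(count_state "$1" _) slots=${#1}"
}

report "$SATURATED"
report "$HEALTHY"
echo "AH00161 hits: $(limit_hits "$SAMPLE_LOG")"
```
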


0

Try changing your cipher to RC4-MD5 (a good balance between performance and security), i.e.:

SSLCipherSuite RC4-MD5

Cheers


2
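The reported difference between HTTP and HTTPS is not caused by the choice of cipher. It is some other misconfiguration.
cjc 2012

@cjc I'd like to see if it makes a difference... it won't hurt to try.
HTTP500 2012

@HTTP500 Put it in httpd.conf? What about SSLProtocol all
ThomasReggi 2012

@ThomasReggi, just put it under your SSLEngine. I'd suggest: SSLProtocol all -SSLv2
HTTP500

What?! It's faster now. I didn't restart apache2, is that OK?
ThomasReggi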

0

I had a similar problem with a busy server, but increased MaxRequestWorkers to 400 in mpm_prefork.conf.


-1

It turned out my problem was that my key came from another server. I needed to get a new certificate and set it up with a new key.

Licensed under cc by-sa 3.0 with attribution required.