HTTPS is more than 50 times slower than HTTP

I have a website that serves a JavaScript file to clients over https. The site is getsimpleapps.com.

As it turns out, the file loads 52 times slower over https (20.08s – 29.08s) than over http (380ms).

The site's home page suffers from the same slowness as the javascript file.

  • http://getsimpleapps.com
  • https://getsimpleapps.com

I recently switched from dreamhost to linode and hacked at getting SSL to work on the new server until it did. I didn't do any crazy configuration.

The linode runs Ubuntu 12.04 and the site sits on top of a (LAMP) stack.

My question for the Stack Overflow community is: how do I fix the SSL and HTTPS problems on my server? I know Stack Overflow is littered with questions about HTTPS slowness, but no real solution is given. An Ubuntu tutorial or configuration guide would be ideal.


File: /etc/apache2/sites-enabled/getsimpleapps.com

    <VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName getsimpleapps.com
        ServerAlias www.getsimpleapps.com
        DocumentRoot /srv/sites/getsimpleapps.com/public/
        ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
        CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined
    </VirtualHost>

    <VirtualHost 50.116.58.18:443>
        SSLEngine On
        #SSLCertificateFile /etc/apache2/ssl/www.getsimpleapps.com.crt
        #SSLCertificateKeyFile /etc/apache2/ssl/www.getsimpleapps.com.key
        #SSLCACertificateFile /etc/apache2/ssl/comodo.crt
        SSLCertificateFile /etc/apache2/ssl/dreamhost/dh.crt
        SSLCertificateKeyFile /etc/apache2/ssl/dreamhost/dh.key
        SSLCACertificateFile /etc/apache2/ssl/dreamhost/dh.cer
        ServerAdmin [email protected]
        ServerName getsimpleapps.com
        ServerAlias www.getsimpleapps.com
        DocumentRoot /srv/sites/getsimpleapps.com/public/
        ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
        CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined
    </VirtualHost>

curl from my local workstation

    thomas@workstation:~$ time curl -Iv https://getsimpleapps.com/
    * About to connect() to getsimpleapps.com port 443 (#0)
    *   Trying 50.116.58.18... connected
    * Connected to getsimpleapps.com (50.116.58.18) port 443 (#0)
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using DHE-RSA-AES256-SHA
    * Server certificate:
    *        subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
    *        start date: 2012-02-23 00:00:00 GMT
    *        expire date: 2013-02-22 23:59:59 GMT
    *        subjectAltName: getsimpleapps.com matched
    *        issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
    *        SSL certificate verify ok.
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
    > Host: getsimpleapps.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Thu, 02 Aug 2012 20:31:39 GMT
    Date: Thu, 02 Aug 2012 20:31:39 GMT
    < Server: Apache/2.2.22 (Ubuntu)
    Server: Apache/2.2.22 (Ubuntu)
    < X-Powered-By: PHP/5.3.10-1ubuntu3.2
    X-Powered-By: PHP/5.3.10-1ubuntu3.2
    < Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
    Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
    < Vary: Accept-Encoding
    Vary: Accept-Encoding
    < Content-Type: text/html
    Content-Type: text/html
    <
    * Connection #0 to host getsimpleapps.com left intact
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):

    real    0m29.078s
    user    0m0.018s
    sys     0m0.005s

curl from the linode server (over ssh)

    thomas@vannevar:~$ time curl -Iv https://getsimpleapps.com/happy-ending/api/script.js?shop=holstee.myshopify.com
    * About to connect() to getsimpleapps.com port 443 (#0)
    *   Trying 50.116.58.18... connected
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using DHE-RSA-AES256-SHA
    * Server certificate:
    *        subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
    *        start date: 2012-02-23 00:00:00 GMT
    *        expire date: 2013-02-22 23:59:59 GMT
    *        subjectAltName: getsimpleapps.com matched
    *        issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
    *        SSL certificate verify ok.
    > HEAD /happy-ending/api/script.js?shop=holstee.myshopify.com HTTP/1.1
    > User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
    > Host: getsimpleapps.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Thu, 02 Aug 2012 20:43:30 GMT
    Date: Thu, 02 Aug 2012 20:43:30 GMT
    < Server: Apache/2.2.22 (Ubuntu)
    Server: Apache/2.2.22 (Ubuntu)
    < X-Powered-By: PHP/5.3.10-1ubuntu3.2
    X-Powered-By: PHP/5.3.10-1ubuntu3.2
    < Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
    Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
    < Content-Type: text/javascript
    Content-Type: text/javascript
    * no chunk, no close, no size. Assume close to signal end
    <
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):

    real    0m25.991s
    user    0m0.015s
    sys     0m0.022s

Try changing the cipher to RC4-MD5 (a good balance of performance and security), i.e.:

 SSLCipherSuite RC4-MD5 

Cheers

Turns out my problem was that my key came from another server. I needed to get a new certificate and set it up with a new key.
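The answer above came down to a key that did not belong to the certificate Apache was serving. The following is an added example, not code from the thread: it reads the SSLCertificateFile and SSLCertificateKeyFile paths out of a vhost fragment (skipping commented-out directives, as in the question's config) and checks that the two files share the same RSA modulus. mod_ssl normally refuses to start on a mismatch, but the check is cheap and catches a key copied from the wrong host before a reload. It assumes openssl is on PATH and that the key is RSA; the fixtures (a self-signed pair plus an unrelated key standing in for the old server's key) are generated on the fly.

```shell
#!/bin/sh
# Added example (not from the original thread): confirm that an Apache vhost's
# certificate and private key belong together by comparing their RSA moduli.
# Assumes: openssl on PATH, RSA keys. Fixtures below are constructed for the demo.

# Print "cert key" for the SSLCertificateFile / SSLCertificateKeyFile directives
# of a vhost config read from stdin; commented-out directives are ignored.
vhost_cert_key() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "SSLCertificateFile"    { cert = $2 }
        $1 == "SSLCertificateKeyFile" { key  = $2 }
        END { print cert, key }'
}

# Compare the modulus of certificate $1 with that of private key $2.
# Prints "match" (exit 0), "MISMATCH" (exit 1) or "error" (exit 2) if a file
# cannot be parsed. Both openssl commands print "Modulus=<hex>".
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null || true)
    if [ -z "$c" ] || [ -z "$k" ]; then
        echo error
        return 2
    fi
    if [ "$c" = "$k" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

# Constructed fixtures: a self-signed cert with its key (a.crt/a.key) and an
# unrelated key (b.key) playing the part of the key copied from the old server.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=getsimpleapps.com \
        -keyout "$1/a.key" -out "$1/a.crt" >/dev/null 2>&1
    openssl genrsa -out "$1/b.key" 2048 >/dev/null 2>&1
}

dir=$(mktemp -d)
make_fixtures "$dir"

# A vhost fragment shaped like the one in the question, old paths commented out,
# but pointing at a key that does not belong to the certificate.
conf="#SSLCertificateFile $dir/old.crt
#SSLCertificateKeyFile $dir/old.key
SSLCertificateFile $dir/a.crt
SSLCertificateKeyFile $dir/b.key"

set -- $(printf '%s\n' "$conf" | vhost_cert_key)
echo "vhost uses cert=$1 key=$2"
cert_key_match "$1" "$2" || echo "-> fix the vhost before reloading Apache"
echo "correct pair:"
cert_key_match "$dir/a.crt" "$dir/a.key"
rm -rf "$dir"
```

On a real host, feed the function the live files instead of the fixtures: `cert_key_match /etc/apache2/ssl/dreamhost/dh.crt /etc/apache2/ssl/dreamhost/dh.key`. A "match" only proves the key fits the certificate; whether that certificate is the one you want to serve (issuer, expiry, hostname) is a separate check, e.g. `openssl x509 -noout -subject -issuer -dates -in dh.crt`.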

I ran into a similar problem on a busy server, but raising MaxRequestWorkers to 400 in mpm_prefork.conf fixed it.

I ran into the same problem, with almost the same response-time difference between HTTP and HTTPS. It turned out the problem was the one in @htmltiger's answer: Apache2 was simply running out of worker processes.

This causes new requests to be queued until a worker is freed and can handle the next one [source]. I guess the reason this only affected HTTPS and not HTTP is that nearly all of the traffic came in over HTTP, while Apache gives HTTP and HTTPS requests the same priority, taking one request from each queue in turn. So when the HTTPS queue is much longer, its requests wait longer. There really are two queues, because the queue is Linux's TCP connection queue mechanism, and Linux keeps one queue per port.

Diagnosis

If this is your problem, you will see the following symptoms:

  • Best indicator: on your server, apachectl status shows that all allowed worker processes are running. This is the case when no "." is shown in the process scoreboard line, which would mean "open slot with no current process". The line may look like this:

     KKKKKKRKKKRRCWKKKCCKWKKKKCRCKKKKKKKCKCKKKKWRKKKKWRWKKKKKKCWKKWKKK 
  • You see messages like the following in the main Apache2 error log (/var/log/apache2/error.log, not the domain-specific one):

     [mpm_prefork:error] [pid 4715] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting 
  • There are many connections in your Apache backlog. According to this in-depth article, you can see this from the unacked: value in the output of ss -lti '( sport = :https )'. Depending on the version or configuration of ss, that value may be missing.

  • Most of the delay (say 17 of 20 seconds) shows up in the Firefox network console as "Blocked" in the "Timings" tab of the initially requested URL.

This assumes you use Apache's prefork MPM server module. The details are similar for the "event" and "worker" MPM modules, though.

  1. Edit /etc/apache2/mods-enabled/mpm_prefork.conf and increase the MaxRequestWorkers setting.

  2. If you raise it above the default of 256, you must also set ServerLimit to the same value for the change to take effect.

  3. Apply the change: service apache2 reload

  4. Make sure the new MaxRequestWorkers setting is in effect in the scoreboard output of apachectl status. It must equal the length of the scoreboard's character string.

  5. If the setting is still not in effect, search /etc/apache2 for old configuration directives (and their old, deprecated synonyms) that may override your change:

     grep -R MaxRequestWorkers /etc/apache2/*
     grep -R MaxClients /etc/apache2/*
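The diagnosis and the five steps above can be turned into a small script. What follows is an added example, not code from the answer: it computes the worker ceiling Apache will actually apply from a prefork config (MaxRequestWorkers silently capped at ServerLimit, default 256, with the deprecated MaxClients honoured as a synonym, which is the trap in step 2), counts busy versus open slots on a scoreboard line (step 4 and the first symptom), counts AH00161 events in an error log (second symptom), and lists every file that sets a worker limit (step 5). All inputs are constructed so it runs offline; on a real host they come from mpm_prefork.conf, apachectl status and /var/log/apache2/error.log. Directive names are those of Apache 2.4, which the answer assumes.

```shell
#!/bin/sh
# Added example (not from the original answer): spot a prefork Apache that has
# run out of workers, and check that a raised limit is really in effect.
# All inputs below are constructed; on a real host use mpm_prefork.conf,
# `apachectl status` and /var/log/apache2/error.log instead.

# Effective worker ceiling for a prefork config read from stdin. Apache caps
# MaxRequestWorkers at ServerLimit (default 256), so raising MaxRequestWorkers
# alone past 256 changes nothing. MaxClients is the deprecated synonym.
effective_limit() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "MaxRequestWorkers" || $1 == "MaxClients" { mrw = $2 + 0 }
        $1 == "ServerLimit"                              { sl  = $2 + 0 }
        END {
            if (!sl)  sl  = 256
            if (!mrw) mrw = 256
            lim = (mrw > sl) ? sl : mrw
            print lim
        }'
}

# Occupied scoreboard slots: every character except "." (open slot).
busy_slots() {
    printf '%s' "$1" | tr -d '.\n' | wc -c | tr -d ' '
}

# Total scoreboard slots; this must equal the effective limit once a new
# setting is live (step 4).
total_slots() {
    printf '%s' "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# "saturated" when every slot on the scoreboard is busy, otherwise "ok".
pool_state() {
    busy=$(busy_slots "$1")
    total=$(total_slots "$1")
    if [ "$total" -gt 0 ] && [ "$busy" -ge "$total" ]; then
        echo saturated
    else
        echo ok
    fi
}

# Count "server reached MaxRequestWorkers" events (AH00161) in a log on stdin.
count_ah00161() {
    grep -c 'AH00161' || true
}

# Step 5: every active directive under $1 that sets a worker limit, including
# the deprecated name, so a stray old file cannot silently override the change.
find_limit_directives() {
    grep -REn '^[[:space:]]*(MaxRequestWorkers|MaxClients|ServerLimit)[[:space:]]' "$1" || true
}

# --- constructed inputs ---
CONF='<IfModule mpm_prefork_module>
    StartServers        5
    MinSpareServers     5
    MaxSpareServers    10
    MaxRequestWorkers 400
    # ServerLimit was not raised, so the 400 above is capped at 256
</IfModule>'

# The scoreboard line quoted in the answer: no "." anywhere.
SCOREBOARD='KKKKKKRKKKRRCWKKKCCKWKKKKCRCKKKKKKKCKCKKKKWRKKKKWRWKKKKKKCWKKWKKK'

# Constructed error.log excerpt (timestamps invented) with one AH00161 event.
ERRLOG='[Thu Aug 02 20:31:39.000000 2012] [mpm_prefork:error] [pid 4715] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Thu Aug 02 20:31:40.000000 2012] [core:notice] [pid 4715] AH00094: Command line: /usr/sbin/apache2'

echo "effective worker limit: $(printf '%s\n' "$CONF" | effective_limit)"
echo "scoreboard: $(busy_slots "$SCOREBOARD")/$(total_slots "$SCOREBOARD") busy -> $(pool_state "$SCOREBOARD")"
echo "AH00161 events in error log: $(printf '%s\n' "$ERRLOG" | count_ah00161)"

# Step 5 on a constructed config tree: a leftover file still using MaxClients.
cfg=$(mktemp -d)
printf '%s\n' "$CONF" > "$cfg/mpm_prefork.conf"
printf 'MaxClients 150\n' > "$cfg/old-tuning.conf"
echo "files setting a worker limit:"
find_limit_directives "$cfg"
rm -rf "$cfg"
```

With the constructed config the script reports an effective limit of 256 despite MaxRequestWorkers 400, which is exactly the state step 2 warns about; adding ServerLimit 400 to the same file raises the reported limit to 400. After `service apache2 reload`, a scoreboard whose total length still differs from that number means the change has not taken effect and step 5 applies.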