1
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 5 years have passed since last update.

nginx : SSLのセッション確立パフォーマンス測定

Posted at

nginxでSSLを終端する際に、クライアントの新規SSLセッションの確立スループットを知りたかった。

参考資料

NGINX SSL Performanceに、pdfの資料がありますが、
これを参照すると

Intel Xeon E5-2699 v3 CPUs @ 2.3 GHz の2コアマシンで、

1,500/4,700 RSA/ECC SSL TPS (OpenSSL 1.0.2)
850/2,400 RSA/ECC SSL TPS (OpenSSL 1.0.1)

のパフォーマンスが出るようです。
今回はRSAなcipher suiteでテストをしてみます。
RSAだと 1coreあたり、 OpenSSL1.0.2で750req/sec程度出るようですね。
ホントかな?

測定結果

先に測定結果を記載します。

nginx OpenSSL gcc req/sec 備考
1.10.2 1.0.1e 4.4.7 232.22 yumでいれたもの
1.10.3 1.0.2l 4.4.7 466.47
1.10.3 1.1.0f 4.4.7 467.06
1.12.0 1.1.0f 4.4.7 476.18
1.10.3 1.1.0f 6.2.1 485.24 gccが新しい場合を試したかった

大体誤差程度に見えますが、

  • OpenSSL
    • 1.0.1e < 1.0.2l = 1.1.0f
  • nginx
    • 1.10.3 < 1.12.0
  • gcc
    • 4.4.7 < 6.2.1

となりました。

新しいもののほうが早くなっている・・・といえるのかな?

とりあえず nginx の資料の750req/sec は達成できませんでした。
・・・CPUが違うのと、VPSだからかな。

試験環境

  • Server

    • CPU : Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz
  • Client

    • ab -n 10000 -c 100 -Z ECDHE-RSA-AES256-GCM-SHA384 -f TLS1.2 https://domain/
    • を、クライントのほうがサーバより弱かったために、サーバのCPUを100%使いきれなかったので、2プロセス実行
  • config

user nginx;
#worker_processes auto;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
    multi_accept on;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    server {
      ssl_certificate 証明書;
      ssl_certificate_key 鍵ファイル;

      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      ssl_session_tickets off;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
      ssl_prefer_server_ciphers on;

      server_name _;
      listen 443 ssl http2 backlog=100000;

      root /var/www;

    }
}

結果一覧

■1

nginx version: nginx/1.10.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013

115.91 + 116.31 = 232.22 req/sec

■2

nginx version: nginx/1.10.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.2l  25 May 2017

234.06 + 232.41 = 466.47 req/sec

■3

nginx version: nginx/1.10.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0f  25 May 2017

233.44 + 233.62 = 467.06 req/sec

■4

nginx version: nginx/1.12.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0f  25 May 2017

238.66 + 237.52 = 476.18 req/sec

■5

nginx version: nginx/1.10.3
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.0f  25 May 2017

243.64 + 241.60 = 485.24 req/sec
1
1
2

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
1
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?