@r-ytakada

nginx: Measuring SSL session establishment performance

More than 3 years have passed since last update.

When terminating SSL with nginx, I wanted to know the throughput for establishing new SSL sessions from clients.

References

NGINX SSL Performance has a PDF document.
According to it,

on a 2-core machine with Intel Xeon E5-2699 v3 CPUs @ 2.3 GHz,

1,500/4,700 RSA/ECC SSL TPS (OpenSSL 1.0.2)
850/2,400 RSA/ECC SSL TPS (OpenSSL 1.0.1)

this level of performance is apparently achievable.
This time I will test with an RSA cipher suite.
With RSA, it looks like you get around 750 req/sec per core with OpenSSL 1.0.2.
Is that really true?

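Measurement results

I'll give the measurement results first.

| nginx | OpenSSL | gcc | req/sec | Notes |
|---|---|---|---|---|
| 1.10.2 | 1.0.1e | 4.4.7 | 232.22 | Installed with yum |
| 1.10.3 | 1.0.2l | 4.4.7 | 466.47 | |
| 1.10.3 | 1.1.0f | 4.4.7 | 467.06 | |
| 1.12.0 | 1.1.0f | 4.4.7 | 476.18 | |
| 1.10.3 | 1.1.0f | 6.2.1 | 485.24 | Wanted to try a newer gcc |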

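The differences look roughly within the margin of error, but the ordering came out as follows:

  • OpenSSL
    • 1.0.1e < 1.0.2l = 1.1.0f
  • nginx
    • 1.10.3 < 1.12.0
  • gcc
    • 4.4.7 < 6.2.1

Newer versions are faster... or can we really say that?

In any case, I could not reach the 750 req/sec from the nginx document.
... Maybe because the CPU is different, and because this is a VPS.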

Test environment

  • Server
    • CPU : Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz
  • Client
    • ab -n 10000 -c 100 -Z ECDHE-RSA-AES256-GCM-SHA384 -f TLS1.2 https://domain/
    • The client was weaker than the server and could not drive the server's CPU to 100%, so I ran two of these processes
  • config

user nginx;
#worker_processes auto;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
    multi_accept on;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    server {
      ssl_certificate 証明書;        # placeholder: path to the certificate file
      ssl_certificate_key 鍵ファイル;  # placeholder: path to the private key file

      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:50m;
      ssl_session_tickets off;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
      ssl_prefer_server_ciphers on;

      server_name _;
      listen 443 ssl http2 backlog=100000;

      root /var/www;

    }
}
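
The client-side procedure above (several ab processes run at once, with their req/sec figures added together) as a script. This is an added example, not the author's own tooling: the function names are hypothetical, `https://domain/` is the article's placeholder URL, and the two figures in `demo_constructed` are constructed sample input taken from result 1.

```shell
#!/bin/sh
# Added example: run several ab clients in parallel against one TLS endpoint
# and add up their throughput, as the article did by hand with two processes.

# Sum the "Requests per second" lines found in the given ab output files.
# Fails (exit 1) if no such line is present, e.g. when ab aborted early.
sum_rps() {
    awk '/^Requests per second:/ { total += $4; n++ }
         END { if (n == 0) exit 1; printf "%.2f\n", total }' "$@"
}

# Run $1 parallel ab clients against URL $2 and print the combined req/sec.
# -k is not passed, so every request opens a new connection.
run_parallel_ab() {
    procs=$1
    url=$2
    tmpdir=$(mktemp -d) || return 1
    i=1
    while [ "$i" -le "$procs" ]; do
        ab -n 10000 -c 100 -Z ECDHE-RSA-AES256-GCM-SHA384 -f TLS1.2 "$url" \
            > "$tmpdir/ab.$i.out" 2> "$tmpdir/ab.$i.err" &
        i=$((i + 1))
    done
    wait                      # block until every background ab has finished
    sum_rps "$tmpdir"/ab.*.out
    rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# Constructed sample: trimmed ab output carrying the two figures from result 1.
demo_constructed() {
    d=$(mktemp -d) || return 1
    printf 'Requests per second:    115.91 [#/sec] (mean)\n' > "$d/ab.1.out"
    printf 'Requests per second:    116.31 [#/sec] (mean)\n' > "$d/ab.2.out"
    sum_rps "$d"/ab.*.out
    rm -rf "$d"
}

# Usage against a real server (requires ab on the client machine):
#   run_parallel_ab 2 https://domain/
```

Raise the process count until the server's worker sits at 100% CPU; below that point the result measures the client rather than the server.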

Detailed results

■1

nginx version: nginx/1.10.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013

115.91 + 116.31 = 232.22 req/sec

■2

nginx version: nginx/1.10.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.2l  25 May 2017

234.06 + 232.41 = 466.47 req/sec

■3

nginx version: nginx/1.10.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0f  25 May 2017

233.44 + 233.62 = 467.06 req/sec

■4

nginx version: nginx/1.12.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0f  25 May 2017

238.66 + 237.52 = 476.18 req/sec

■5

nginx version: nginx/1.10.3
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.0f  25 May 2017

243.64 + 241.60 = 485.24 req/sec