Apache-2.2

HTTPS is more than 50 times slower than HTTP

  • January 7, 2019

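I have a website that uses https to deliver a javascript file to clients. The site is getsimpleapps.com

It turns out that loading the file over https (20.08s - 29.08s) is 52 times slower than over http (380ms).

The site's home page is just as slow as the javascript file.

I recently switched from Dreamhost to linode and kept trying to get SSL working on the new server until it did. I didn't do any crazy configuration.

The linode is running Ubuntu 12.04, and the site sits on top of a (LAMP) stack.

My question for the Stack Overflow community is: how do I fix SSL and HTTPS on my server? I know Stack Overflow is full of questions about slow HTTPS, but no real solution is given. An ubuntu tutorial or configuration guide would be ideal.


File: /etc/apache2/sites-enabled/getsimpleapps.com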

<VirtualHost *:80>
    ServerAdmin admin@getsimpleapps.com
    ServerName getsimpleapps.com
    ServerAlias www.getsimpleapps.com
    DocumentRoot /srv/sites/getsimpleapps.com/public/
    ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
    CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined
</VirtualHost>

<VirtualHost 50.116.58.18:443>
    SSLEngine On
    #SSLCertificateFile /etc/apache2/ssl/www.getsimpleapps.com.crt
    #SSLCertificateKeyFile /etc/apache2/ssl/www.getsimpleapps.com.key
    #SSLCACertificateFile /etc/apache2/ssl/comodo.crt
    SSLCertificateFile /etc/apache2/ssl/dreamhost/dh.crt
    SSLCertificateKeyFile /etc/apache2/ssl/dreamhost/dh.key
    SSLCACertificateFile /etc/apache2/ssl/dreamhost/dh.cer

    ServerAdmin admin@getsimpleapps.com
    ServerName getsimpleapps.com
    ServerAlias www.getsimpleapps.com
    DocumentRoot /srv/sites/getsimpleapps.com/public/
    ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
    CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined
</VirtualHost>

Curl from the local workstation

thomas@workstation:~$ time curl -Iv https://getsimpleapps.com/
* About to connect() to getsimpleapps.com port 443 (#0)
*   Trying 50.116.58.18... connected
* Connected to getsimpleapps.com (50.116.58.18) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
*    start date: 2012-02-23 00:00:00 GMT
*    expire date: 2013-02-22 23:59:59 GMT
*    subjectAltName: getsimpleapps.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
*    SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: getsimpleapps.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 02 Aug 2012 20:31:39 GMT
Date: Thu, 02 Aug 2012 20:31:39 GMT
< Server: Apache/2.2.22 (Ubuntu)
Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.2
X-Powered-By: PHP/5.3.10-1ubuntu3.2
< Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html

< 
* Connection #0 to host getsimpleapps.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

real    0m29.078s
user    0m0.018s
sys 0m0.005s

Curl from the linode server (over ssh)

thomas@vannevar:~$ time curl -Iv https://getsimpleapps.com/happy-ending/api/script.js?shop=holstee.myshopify.com
* About to connect() to getsimpleapps.com port 443 (#0)
*   Trying 50.116.58.18... connected
* successfully set certificate verify locations:
*   CAfile: none
 CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
*    start date: 2012-02-23 00:00:00 GMT
*    expire date: 2013-02-22 23:59:59 GMT
*    subjectAltName: getsimpleapps.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
*    SSL certificate verify ok.
> HEAD /happy-ending/api/script.js?shop=holstee.myshopify.com HTTP/1.1
> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: getsimpleapps.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 02 Aug 2012 20:43:30 GMT
Date: Thu, 02 Aug 2012 20:43:30 GMT
< Server: Apache/2.2.22 (Ubuntu)
Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.2
X-Powered-By: PHP/5.3.10-1ubuntu3.2
< Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
< Content-Type: text/javascript
Content-Type: text/javascript
* no chunk, no close, no size. Assume close to signal end

< 
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

real    0m25.991s
user    0m0.015s
sys 0m0.022s

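It turned out my problem was that my key came from another server. I needed to get a new certificate and set it up with a new key.

I had the same problem, with almost the same difference in response time between HTTP and HTTPS. It turned out the problem was the same as in @htmltiger's answer: Apache2 had simply run out of worker processes.

This causes new requests to be queued until a worker is free and can handle the next one [source]. I guess the reason this only affects HTTPS and not HTTP is that almost all traffic goes over HTTP and Apache gives HTTP and HTTPS requests the same priority, taking one request from each queue in turn. So when the HTTPS queue is longer, requests wait longer. There really are two queues, because the queue is simply the Linux TCP connection queue mechanism, and Linux provides one queue per port.

Diagnosis

If this is your problem, you will see the following symptoms:

  • Best indicator: on your server, apachectl status shows that all allowed workers are in use. This is the case when no dot (.) appears in the process scoreboard line, meaning that no "Open slot with no current process" is left. For example, the line might look like this: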
KKKKKKRKKKRRCWKKKCCKWKKKKCRCKKKKKKKCKCKKKKWRKKKKWRWKKKKKKCWKKWKKK
  • You will see a message like this in the main Apache2 error log (/var/log/apache2/error.log, not the domain-specific one):
[mpm_prefork:error] [pid 4715] AH00161: server reached MaxRequestWorkers 
   setting, consider raising the MaxRequestWorkers setting
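  • There are many processes in your Apache backlog. According to this in-depth article, you can see this from the unacked: value in the output of ss -lti '( sport = :https )'. Depending on the version or configuration of ss, this value may be missing.
  • Most of the delay (for example, 17 of 20 seconds) shows up in the Firefox network console, in the "Timings" tab of the initially requested URL, as "Blocked".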

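Solution

This assumes you are using the prefork MPM server module in Apache. It is similar for the "event" and "worker" MPM modules, though (details).

  1. Edit /etc/apache2/mods-enabled/mpm_prefork.conf and increase the MaxRequestWorkers setting.
  2. If you increase it beyond the default of 256, you must also set ServerLimit to the same value for your change to take effect.
  3. Apply the change: service apache2 reload
  4. Make sure the MaxRequestWorkers setting is in effect in the scoreboard output of apachectl status. It must equal the length of the scoreboard line, in characters.
  5. If the setting has not taken effect, search /etc/apache2 for old configuration directives that may override your change (and their older, deprecated synonym):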
grep -R MaxRequestWorkers /etc/apache2/*
grep -R MaxClients /etc/apache2/*

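Differential diagnosis

If you find that HTTPS is much slower than HTTP, but not on every one of a series of page reloads (only on average), then you may be hitting a variant of this exotic problem, with two Apache2 servers running on SSL port 443.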
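
The scoreboard checks from the answer above (no open slots left, and scoreboard length equal to MaxRequestWorkers) can be scripted. This is an added example, not part of the original answer; the function names and the sample status text are constructed for illustration, and it assumes the text layout printed by `apachectl status`.

```shell
#!/bin/sh
# Added example: evaluate the mod_status scoreboard as described in the answer.
# Usage on a server (assumes mod_status is enabled):
#   apachectl status | check_workers 256

# Print the scoreboard as one string. It may wrap over several lines, so keep
# every line made up only of scoreboard key characters and join them.
scoreboard_of() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -E '^[_SRWKDCLGI.]+$' | tr -d '\n'
}

# count_char STRING CHAR: number of occurrences of CHAR in STRING.
count_char() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_workers MAX_REQUEST_WORKERS   (status text on stdin)
# "." is an open slot; "_" is a worker waiting for a connection (idle).
check_workers() {
    max=$1
    board=$(scoreboard_of)
    slots=${#board}
    open=$(count_char "$board" '.')
    idle=$(count_char "$board" '_')
    if [ "$slots" -eq 0 ]; then verdict=no-scoreboard
    elif [ "$slots" -ne "$max" ]; then verdict=length-mismatch  # step 4 fails
    elif [ $((open + idle)) -eq 0 ]; then verdict=saturated     # nothing free
    else verdict=ok
    fi
    echo "slots=$slots open=$open idle=$idle verdict=$verdict"
}

# Constructed sample: 16 slots wrapped over two lines, every one busy.
sample_status() {
    cat <<'EOF'
Server uptime: 3 hours 12 minutes
16 requests currently being processed, 0 idle workers

   KKKKWWWW
   RRRRCCCC

Scoreboard Key:
"_" Waiting for Connection, "K" Keepalive (read), "." Open slot
EOF
}

sample_status | check_workers 16
```

A `length-mismatch` verdict corresponds to step 5 of the answer: look for another directive overriding the value you set.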

Quoted from: https://serverfault.com/questions/413743