Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Problems wih SSL performance?

3 views
Skip to first unread message

Stan McFarland

unread,
Dec 24, 2009, 9:03:01 AM12/24/09
to
Hi,

I have a Plone CMS instance accessible directly over http and also
accessible via Apache (2.2.8 on RedHat Enterprise Linux 5.2) reverse
proxy with SSL enabled. If I try to download a page with lots of
images, JS, CSS, etc (approximately 50 requests) everything works
fine over http, but over https, I'll always have 3 or 4 JS or CSS
files that take almost exactly 30 seconds or 60 seconds to download.
Firebug reports that nearly all of the time is spent waiting on a
connection. I've tweaked as many SSL settings as I can find
(including using /dev/urandom as the SSLRandomSeed) based on various
posts, but nothing so far has seemed to work.

The fact that the "slow" objects always take a multiple of 30 seconds
to connect/download must be a hint as to what's wrong, but I can't
figure it out.

I can "fix" the problem my reducing the number of requests per page,
but I'd like to know what's causing this behavior.


Any suggestions would be greatly appreciated.


Thanks very much,


Stan McFarland


HansH

unread,
Dec 24, 2009, 1:23:22 PM12/24/09
to

"Stan McFarland" <sfm...@gmail.com> schreef in bericht
news:3310fefc-d654-4f1d...@g26g2000yqe.googlegroups.com...

> Hi,
>
> I have a Plone CMS instance accessible directly over http and also
> accessible via Apache (2.2.8 on RedHat Enterprise Linux 5.2) reverse
> proxy with SSL enabled. If I try to download a page with lots of
> images, JS, CSS, etc (approximately 50 requests) everything works
> fine over http, but over https, I'll always have 3 or 4 JS or CSS
> files that take almost exactly 30 seconds or 60 seconds to download.
> Firebug reports that nearly all of the time is spent waiting on a
> connection. I've tweaked as many SSL settings as I can find
> (including using /dev/urandom as the SSLRandomSeed) based on various
> posts, but nothing so far has seemed to work.
Asuming proxy is offloading SSL.
Problem might not be SSL related.
Try reverse proxied http too.

> The fact that the "slow" objects always take a multiple of 30 seconds
> to connect/download must be a hint as to what's wrong, but I can't
> figure it out.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
retry defaults to 60
>
Check both servers -not vhost- error log for
server reached MaxClients setting, consider raising the MaxClients setting

HansH


Stan McFarland

unread,
Dec 24, 2009, 2:33:25 PM12/24/09
to
Hi,

I turned SSL off (SSLEngine off), kept everything else the same
(including the proxy), and the problem went away,. which makes me
think the problem is SSL related, but I certainly could be wrong -
maybe it's some combination of proxy and SSL that causes the
behavior. I don't remember seeing any MaxClients error messages in
the log, but I'll look when I return to the office after the
holidays. In the meantime, if you have any other suggestions, that
would be great.

Thanks very much,

Stan


On Dec 24, 1:23 pm, "HansH" <ha...@invalid.invalid> wrote:
> "Stan McFarland" <sfmc...@gmail.com> schreef in berichtnews:3310fefc-d654-4f1d...@g26g2000yqe.googlegroups.com...> Hi,

Stan McFarland

unread,
Dec 24, 2009, 2:55:59 PM12/24/09
to
Hans, one more question - I have

SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600

in my httpd.conf file, but the file /usr/local/apache2/logs/
ssl_cache_shm ever gets created. Any ideas?

Thanks,

Stan


On Dec 24, 1:23 pm, "HansH" <ha...@invalid.invalid> wrote:

> "Stan McFarland" <sfmc...@gmail.com> schreef in berichtnews:3310fefc-d654-4f1d...@g26g2000yqe.googlegroups.com...> Hi,

HansH

unread,
Dec 24, 2009, 5:53:16 PM12/24/09
to
"Stan McFarland" <sfm...@gmail.com> schreef in bericht
news:7d8ad1af-d668-44e9...@b2g2000yqi.googlegroups.com...

>SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm
>SSLSessionCacheTimeout 600
>
>in my httpd.conf file, but the file /usr/local/apache2/logs/
>ssl_cache_shm ever gets created. Any ideas?

It ain't a file ...

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslsessioncache
* shm:/path/to/datafile[(size)]
This makes use of a high-performance cyclic buffer (approx. size bytes in
size) inside a shared memory segment in RAM (established via
/path/to/datafile) to synchronize the local OpenSSL memory caches of the
server processes. This is the recommended session cache.

Cann't find a default for size documented, you might try 512000


HansH
--
Richt Text Formatted manual not found


0 new messages