why ssl reverse proxy performance is so bad?

[luo...@gmail.com]

Hi 

    i wrote a tls program which acts like a https reverse proxy, receiving  https requests  and transfer them to  http backend.

    but it's performance is so bad, benchmark is as follows:

Transactions:                     95 hits
Availability:                 100.00 %
Elapsed time:                   9.09 secs
Data transferred:               0.06 MB
Response time:                  6.60 secs
Transaction rate:              10.45 trans/sec   

    i configured nginx as a reverse proxy, and the benchmark is:

Transaction rate:              340.48 trans/sec

    both test ares under the same environment, length of public rsa key is 2048 bits, so the ssl handshake is very cpu intensive. but i can't believe go's  performance is so bad. what's the problem?

the code is as follows:

package main

import (

        "flag"

        "net/http"

        "net/http/httputil"

        "net/url"

        "time"

        "log"

)

func main() {

        var src, dst string

        flag.Parse()

        args := flag.Args()

        if len(args) >= 1 { 

                dst = args[0]

        } else {

                dst = "127.0.0.1:8080"

        }   

        if len(args) == 2 { 

                src = args[1]

        } else {

                src = ":80"

        }   

        u, e := url.Parse(dst)

        if e != nil {

                log.Fatal("Bad destination.")

        }   

        h := httputil.NewSingleHostReverseProxy(u)

        s := &http.Server{

                Addr:           src,

                Handler:        h,  

                ReadTimeout:    10 * time.Second,

                WriteTimeout:   10 * time.Second,

                MaxHeaderBytes: 1 << 20, 

        }   

        log.Fatal(s.ListenAndServeTLS("/home/work/nginx/conf/server.crt", "/home/work/nginx/conf/server.key.unsecure"))

}

[James Wendel]

Not sure it matters, but were both using the same cipher suite and SSL version when connecting?

[Cheng Luo]

YES ,same key and cipher suite as follows:

Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA

在 2014年3月27日星期四UTC+8下午1时08分11秒，James Wendel写道：

[James Wendel]

Unless someone else has a suggestion

1) Rerun your test without TLS to see how Go compares to Nginx without TLS in the picture.

2) Try using profiling (pprof) on your app to see where it's spending most of its time.

Another thing.. how many child processes do you have Nginx running?  That would allow Nginx to scale across multiple Cores.  For Go, try setting GOMAXPROCS to use more CPUs.

[Shane Hansen]

Without code I can only shoot in the dark, which is my favorite kind of shooting.

I'd pull up wireshark and look for things like session resumption, also 10 ssl terminations per second

even on a single core seems really wrong.

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Kyle Lemons]

both 10tx/s and 350tx/s seem awfully low, but my wild, wild guess would be that it's because Go's crypto library doesn't support TLS renegotiation.

--