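I have a website that uses https to deliver a JavaScript file to clients. The site is getsimpleapps.com.
It turns out that the file loads 52 times slower over https (20.08s - 29.08s) than over http (380ms).
The site's home page is just as slow as the JavaScript file.
I recently switched from dreamhost to linode, and tinkered with SSL on the new server until it worked. I didn't do any crazy configuration.
The linode is running Ubuntu 12.04, and the site sits on top of a (LAMP) stack.
My question to the Stack Overflow community is: how do I fix SSL and HTTPS on my server? I know Stack Overflow is littered with questions about HTTPS being slow, but none gives a real solution. An Ubuntu tutorial or configuration guide would be ideal.
File: /etc/apache2/sites-enabled/getsimpleapps.com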
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName getsimpleapps.com
ServerAlias www.getsimpleapps.com
DocumentRoot /srv/sites/getsimpleapps.com/public/
ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined
</VirtualHost>
<VirtualHost 50.116.58.18:443>
SSLEngine On
#SSLCertificateFile /etc/apache2/ssl/www.getsimpleapps.com.crt
#SSLCertificateKeyFile /etc/apache2/ssl/www.getsimpleapps.com.key
#SSLCACertificateFile /etc/apache2/ssl/comodo.crt
SSLCertificateFile /etc/apache2/ssl/dreamhost/dh.crt
SSLCertificateKeyFile /etc/apache2/ssl/dreamhost/dh.key
SSLCACertificateFile /etc/apache2/ssl/dreamhost/dh.cer
ServerAdmin [email protected]
ServerName getsimpleapps.com
ServerAlias www.getsimpleapps.com
DocumentRoot /srv/sites/getsimpleapps.com/public/
ErrorLog /srv/sites/getsimpleapps.com/logs/error.log
CustomLog /srv/sites/getsimpleapps.com/logs/access.log combined
</VirtualHost>
Curl from my local workstation
thomas@workstation:~$ time curl -Iv https://getsimpleapps.com/
* About to connect() to getsimpleapps.com port 443 (#0)
* Trying 50.116.58.18... connected
* Connected to getsimpleapps.com (50.116.58.18) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
* start date: 2012-02-23 00:00:00 GMT
* expire date: 2013-02-22 23:59:59 GMT
* subjectAltName: getsimpleapps.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: getsimpleapps.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 02 Aug 2012 20:31:39 GMT
Date: Thu, 02 Aug 2012 20:31:39 GMT
< Server: Apache/2.2.22 (Ubuntu)
Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.2
X-Powered-By: PHP/5.3.10-1ubuntu3.2
< Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2298c7e45da25e4aaf80f7a1e36ed4a006%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2250.75.209.154%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A81%3A%22curl%2F7.21.4+%28universal-apple-darwin11.0%29+libcurl%2F7.21.4+OpenSSL%2F0.9.8r+zlib%2F1.2.5%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343939499%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D80bf8ae5040fc47780ccd59f1fb8b267; expires=Thu, 02-Aug-2012 22:31:39 GMT; path=/
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html
<
* Connection #0 to host getsimpleapps.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
real 0m29.078s
user 0m0.018s
sys 0m0.005s
Curl from the linode server (via ssh)
thomas@vannevar:~$ time curl -Iv https://getsimpleapps.com/happy-ending/api/script.js?shop=holstee.myshopify.com
* About to connect() to getsimpleapps.com port 443 (#0)
* Trying 50.116.58.18... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: OU=Domain Control Validated; OU=Provided by New Dream Network, LLC; OU=DreamHost Basic SSL; CN=getsimpleapps.com
* start date: 2012-02-23 00:00:00 GMT
* expire date: 2013-02-22 23:59:59 GMT
* subjectAltName: getsimpleapps.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Comodo CA Limited; CN=PositiveSSL CA
* SSL certificate verify ok.
> HEAD /happy-ending/api/script.js?shop=holstee.myshopify.com HTTP/1.1
> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: getsimpleapps.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 02 Aug 2012 20:43:30 GMT
Date: Thu, 02 Aug 2012 20:43:30 GMT
< Server: Apache/2.2.22 (Ubuntu)
Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.2
X-Powered-By: PHP/5.3.10-1ubuntu3.2
< Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2204a54136cab08f9fdc5f082ebb8e739a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2250.116.58.18%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A97%3A%22curl%2F7.22.0+%28i686-pc-linux-gnu%29+libcurl%2F7.22.0+OpenSSL%2F1.0.1+zlib%2F1.2.3.4+libidn%2F1.23+librtmp%2F2.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1343940210%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De7d7b8e2ca69b34c531ba7472b4b21b7; expires=Thu, 02-Aug-2012 22:43:30 GMT; path=/
< Content-Type: text/javascript
Content-Type: text/javascript
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
real 0m25.991s
user 0m0.015s
sys 0m0.022s
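Answer 1
I had the same problem, with almost the same response time difference between HTTP and HTTPS. The problem turned out to be as in @htmltiger's answer: Apache2 had run out of worker processes.
That way, new requests are queued until there is an idle worker to process the next one [source]. I think the reason this only affects HTTPS and not HTTP is that nearly all traffic goes over HTTP, and Apache gives the same priority to HTTP and HTTPS requests, taking one request from each queue in turn. So when the HTTPS queue is longer, requests wait longer. There are indeed two queues, because the queue is simply the Linux TCP connection queuing mechanism, and Linux provides one queue per port.
Diagnosis
If this is your problem, you will see the following symptoms:
Best indicator: on your server, apachectl status shows all allowed worker processes as running. If no . dots are shown in the process scoreboard line, there is no "Open slot with no current process" left. For example, the line may look like this:
KKKKKKRKKKRRCWKKKCCKWKKKKCRCKKKKKKKCKCKKKKWRKKKKWRWKKKKKKCWKKWKKK
You will see messages like the following in the main Apache2 error log (/var/log/apache2/error.log, not the domain-specific one):
[mpm_prefork:error] [pid 4715] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
You have many processes in your Apache backlog. According to this in-depth article, you can see this from the unacked: value in the output of ss -lti '( sport = :https )'. However, depending on the version or configuration of ss, this value may be missing.
Most of the delay (for example, 17 of 20 seconds) is shown as "Blocked" in the Firefox network console, in the "Timings" tab of the initially requested URL.
Solution
This assumes you are using the prefork MPM server module in Apache. It is similar for the "event" and "worker" MPM modules, though (details).
Edit /etc/apache2/mods-enabled/mpm_prefork.conf and increase the MaxRequestWorkers setting. If you increase it beyond the default value of 256, you must also set ServerLimit to the same value for your change to take effect.
Apply the change:
service apache2 reload
Make sure, in the scoreboard output of apachectl status, that the new MaxRequestWorkers setting is in effect. It must equal the character length of the scoreboard line. If the setting has not taken effect, search /etc/apache2 for old configuration directives (and their older, deprecated synonyms) that may be overriding your change:
grep -R MaxRequestWorkers /etc/apache2/*
grep -R MaxClients /etc/apache2/*
Differential diagnosis
If you find that HTTPS is much slower than HTTP, but not on every reload in a series of page reloads (only on average), you may be having this strange issue of two Apache2 servers running on SSL port 443.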
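The scoreboard and error-log checks from the diagnosis above, as an added example that is not part of the original answer or of Apache's own tooling. The function names are hypothetical, and it assumes that scoreboard lines in the status text contain only scoreboard key characters.

```shell
#!/bin/sh
# Added example. Scoreboard key used by mod_status:
#   "." open slot with no current process, "_" idle worker waiting for a
#   connection; every other letter (K, R, W, C, ...) is a busy worker.

# Scoreboard string quoted in the answer above.
PAGE_SCOREBOARD='KKKKKKRKKKRRCWKKKCCKWKKKKCRCKKKKKKKCKCKKKKWRKKKKWRWKKKKKKCWKKWKKK'

# count_chars STRING CHARS: how many characters of STRING are in CHARS.
count_chars() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# extract_scoreboard: read status text on stdin, print the joined scoreboard.
# Assumption: scoreboard lines consist only of scoreboard key characters.
extract_scoreboard() {
    grep -E '^[[:space:]]*[_SRWKDCLGI.]+[[:space:]]*$' | tr -d ' \t\r\n'
}

# scoreboard_state SCOREBOARD: print slot counts and a verdict.
#   exhausted = every slot is busy, new connections wait in the TCP backlog
#   at-limit  = no open slot left to spawn into, but some workers are idle
scoreboard_state() {
    sb=$(printf '%s' "$1" | tr -d ' \t\r\n')
    total=${#sb}
    open=$(count_chars "$sb" '.')
    idle=$(count_chars "$sb" '_')
    busy=$((total - open - idle))
    if [ "$total" -eq 0 ]; then verdict=empty
    elif [ "$open" -eq 0 ] && [ "$idle" -eq 0 ]; then verdict=exhausted
    elif [ "$open" -eq 0 ]; then verdict=at-limit
    else verdict=ok
    fi
    echo "total=$total busy=$busy idle=$idle open=$open verdict=$verdict"
}

# count_limit_hits LOGFILE: number of AH00161 (MaxRequestWorkers reached) lines.
count_limit_hits() {
    grep -c 'AH00161' "$1" || true
}

# Live use: scoreboard_state "$(apachectl status | extract_scoreboard)"
#           count_limit_hits /var/log/apache2/error.log
scoreboard_state "$PAGE_SCOREBOARD"
```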
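Answer 2
It turned out that the problem was that my keys came from another server. I needed to get a new certificate and set it up with a new key.
Answer 3
For a busy server I had a similar issue, but increasing MaxRequestWorkers to 400 in mpm_prefork.conf solved it.
Answer 4
Try changing the cipher to RC4-MD5 (a good balance of performance and security), i.e.:
SSLCipherSuite RC4-MD5
Cheers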